Unless otherwise indicated in the patch description, these fixes are
included in the current nightly Squid-2.5 snapshots and are scheduled to
be included in the next Squid-2.5.STABLE release.
Note to binary package maintainers: Patches to the current STABLE release
represent work in progress and have not yet undergone full quality checks.
The developer team reserves the right to update these at any time to fix
problems found during quality checking. For this reason package maintainers
are discouraged from using such patches, and should only use this page to backport
changes from published releases to earlier releases if your QA policy does
not allow upgrading your package to the current STABLE release. If there
are any questions regarding this policy please contact
squid-dev@squid-cache.org.
These issues have been identified as important to be fixed for the next Squid-2.5 version, listed in priority order.
1500 diskd related memory corruption under heavy load
See also Open bug reports pending to be fixed in Squid-2.5
This is a list of shortcomings known to exist in Squid-2.5. At this stage there are no plans to address these in Squid-2.5. Some may be addressed in the Squid-3.0 release.
- Bug #1059 mime.conf and referenced icons must be within chroot
- Bug #692 tcp_outgoing_address using an ident ACL does not work
- Bug #581 acl max_user_ip and multiple authentication schemes
- Bug #528 miss_access fails on slow acl types such as dst
- Bug #513 squid -F is starting server sockets too early
- Bug #457 does not handle swap.state corruption properly
- Bug #410 unstable if runs out of disk space
- Bug #355 diskd may appear slow on low loads
- Bug #219 delay_pools stops working on -k reconfigure
See also Open bug reports for Squid-2.5
Patches released after the 2.5.STABLE14 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
| synopsis |
The patch for Bug #1504 forgot to account for persistent connections,
causing NONE/- to be logged in the hierarchy field when using a persistent
peer connection.
A workaround is to set "server_persistent_connections off" |
| severity |
Cosmetic |
| date |
2006-06-21 12:25 |
| bugzilla |
#1605 |
| versions |
squid-2.5.STABLE13 and later |
| patch |
squid-2.5.STABLE14-hierarchy_tag.patch |
| synopsis |
assertion failed: HttpReply.c:105: "rep"
The patch for Bug #1511 "Some 206 responses logged incorrectly" was slightly
broken and could cause the above assert. |
| severity |
Major |
| date |
2006-06-02 22:00 |
| bugzilla |
#1606 |
| versions |
squid-2.5.STABLE13 and later |
| patch |
squid-2.5.STABLE14-httpReplyDestroy.patch |
Patches released after the 2.5.STABLE13 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
| synopsis |
On some systems POSIX AIO functions are in libaio |
| severity |
Minor |
| date |
2006-05-12 19:35 |
| versions |
squid-2.5.STABLE13 and earlier |
| patch |
squid-2.5.STABLE13-libaio-2.patch |
| synopsis |
Memory leak in header processing related to external_acl or custom log formats |
| severity |
Medium |
| date |
2006-05-12 16:17 |
| bugzilla |
#1564 |
| versions |
squid-2.5.STABLE13 and earlier |
| patch |
squid-2.5.STABLE13-header_leak.patch |
| synopsis |
Mime icons are not displayed when viewing ftp sites when
visible_hostname is a short hostname (without domain). |
| severity |
Minor |
| date |
2006-05-12 15:57 |
| bugzilla |
#1532 |
| versions |
squid-2.5.STABLE13 and earlier |
| patch |
squid-2.5.STABLE13-icons.patch |
| synopsis |
SQUIDHOSTNAMELEN issues
cosmetic cleanup to get rid of remaining SQUIDHOSTNAMELEN magics which
may cause issues for very long hostnames. |
| severity |
Cosmetic |
| date |
2006-05-12 15:54 |
| bugzilla |
#1434 |
| versions |
squid-2.5.STABLE13 and earlier |
| patch |
squid-2.5.STABLE13-hostnamelen.patch |
Patches released after the 2.5.STABLE12 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
| synopsis |
The error message returned when DNS lookup of a peer name fails
seemed to indicate it was the requested host name which could not
be found when it was the peer which could not be found. |
| severity |
Cosmetic |
| date |
2006-03-10 23:17 |
| bugzilla |
#1504 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-peer_dns_error.patch |
| synopsis |
Failed to properly parse FTP file or directory names with
" -> " in their name |
| severity |
Cosmetic |
| date |
2006-02-26 00:06 |
| bugzilla |
#1508 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-ftpsymlink.patch |
| workaround |
Open the directory as a "plain" directory by adding ;type=d after
the URL. |
| synopsis |
A harmless typo in ftp.c could cause the ftp directory parser to
incorrectly think it successfully parsed certain "odd" lines, not
automatically enabling the "plain directory" option link. |
| severity |
Cosmetic |
| date |
2006-02-26 00:06 |
| bugzilla |
#1507 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-ftpdates.patch |
| workaround |
Manually add ;type=d after the URL if encountering an FTP server
where this problem is seen. The Squid developers do not know
of any FTP server giving out directory listings which would trigger
this. |
| synopsis |
- New GCC triggering on a few minor things related to variable aliasing
- New OpenLDAP deprecated the common LDAP C-API simple bind functions |
| severity |
Minor |
| date |
2006-02-26 00:06 |
| bugzilla |
#1492 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-fc5.patch |
| synopsis |
Squid hangs at 100% CPU while starting helpers if /dev/null
can not be opened (non-existing or bad permissions). |
| severity |
Cosmetic |
| date |
2006-02-26 00:06 |
| bugzilla |
#1484 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-devnull.patch |
| workaround |
Make sure /dev/null exists and is world read/writeable. |
| synopsis |
The patch adds a new persistent_connection_after_error directive
enabling/disabling the use of persistent connections after error. If set to off
then it behaves very close to Squid-2.4 even if you have persistent connections
enabled. |
| severity |
Cosmetic |
| date |
2006-02-26 00:06 |
| bugzilla |
#1482 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-persistent_connection_after_error.patch |
| synopsis |
Delay pools assigned too much traffic credit after "squid -k
reconfigure" (first time double the amount, second time three times
the amount etc.) |
| severity |
Medium |
| date |
2006-02-26 00:06 |
| bugzilla |
#1481 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-delay_pool_reconfigure.patch |
| workaround |
Restart Squid instead of using "-k reconfigure", or don't allow for
any bandwidth credit in your delay pools. |
| synopsis |
FTP uploads fail if the upload takes longer than read_timeout
to complete. |
| severity |
Medium |
| date |
2006-02-26 00:06 |
| bugzilla |
#1459 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-ftp_upload.patch |
| workaround |
Set read_timeout high, but be warned that this combined with
"half_closed_clients on" (default) may cause severe file descriptor
shortage. |
| synopsis |
Some clients are capable of using NTLM authentication even if they
do not negotiate persistent connections on the initial request. |
| severity |
Minor |
| date |
2006-02-26 00:06 |
| bugzilla |
#1447 |
| versions |
Squid-2.5.STABLE12 |
| platforms |
All |
| patch |
squid-2.5.STABLE12-ntlm_nonpersistent.patch |
| workaround |
Allow basic authentication to be used by these clients |
| synopsis |
Ident access lists don't work in delay_access statements |
| severity |
Minor |
| date |
2006-02-26 00:06 |
| bugzilla |
#1428 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-ident_acl.patch |
| synopsis |
Segmentation fault on empty proxy_auth ACLs |
| severity |
Cosmetic |
| date |
2006-02-26 00:06 |
| bugzilla |
#1414 |
| versions |
Squid-2.5.STABLE8 to 2.5.STABLE12 |
| platforms |
All |
| patch |
squid-2.5.STABLE12-empty_proxy_auth_acl.patch |
| workaround |
Make sure your configuration is correct with no empty
proxy_auth ACLs defined. |
| synopsis |
Range processing still failed on objects >2GB. This could be triggered
either by range_offset_limit, or by enabling caching of such large
objects. |
| severity |
Minor |
| date |
2006-03-04 03:30 |
| bugzilla |
#437 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-range2GB-2.patch |
| workaround |
range_offset_limit 0 KB (default), maximum_object_size below 2 GB (default 4096 KB which is safe). |
| synopsis |
This patch adds an HttpReply *reply member to clientHttpRequest. This
reply will be used to generate the client-side reply header and will
stay in memory until the end of the transaction so the correct status
code may be logged. |
| severity |
Minor |
| date |
2006-03-04 03:07 |
| bugzilla |
#1511 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-log_206-2.patch |
| synopsis |
On 64 bit Irix systems the declaration of timezone is different
from 32 bit and the build fails. |
| severity |
Minor |
| date |
2006-01-22 17:28 |
| bugzilla |
#1479 |
| versions |
Squid-2.5 and earlier |
| platforms |
SGI Irix (64 bit systems only) |
| patch |
squid-2.5.STABLE12-irix_timezone.patch |
| workaround |
Manually remove the 'timezone' declaration from lib/rfc1123.c. |
| synopsis |
A minor error in the patch to allow coredumps on linux. Not
harmful today, but maybe in the future if these unused arguments
are used for something. |
| severity |
Cosmetic |
| date |
2006-01-15 01:23 |
| bugzilla |
#1483 |
| versions |
Squid-2.5.STABLE11 |
| platforms |
All |
| patch |
squid-2.5.STABLE12-prctl_args.patch |
| synopsis |
When accessing Async IO Function Counters from the Cachemgr interface, if aufs
is not in use, Squid could segfault.
This happens only when Squid is built with aufs and aufs's number of threads is
set with the --enable-async-io configure option. |
| severity |
Minor |
| date |
2005-12-26 16:41 |
| bugzilla |
#1464 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-asyncio_counters.patch |
| workaround |
Specify during configure only the store FS that will be used. |
| synopsis |
wbinfo -n output was changed in Samba 3.0.21, adding a SID description after the
SID value:
giove:~# wbinfo -n Staff
S-1-5-21-682003330-854245398-1708537768-1123 Domain Group (2)
So a little change in the wbinfo_group.pl parsing is needed. |
| severity |
Minor |
| date |
2005-12-24 11:02 |
| bugzilla |
#1472 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-wbinfo_group.patch |
| workaround |
None. |
| synopsis |
The SMB NTLM authentication helper doesn't work as expected when
using the --enable-ntlm-fail-open configure option because
credentials are not fetched correctly (username is missing).
This problem is triggered only when using the --enable-ntlm-fail-open configure
option and the helper was not able to validate the user. |
| severity |
Minor |
| date |
2005-12-11 10:52 |
| bugzilla |
#1022 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-SMB_BadFetch.patch |
| workaround |
Don't use the --enable-ntlm-fail-open configure option. |
| synopsis |
Added the WebDAV REPORT method to the list of known HTTP methods |
| severity |
Cosmetic |
| date |
2006-02-26 14:47 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE12-REPORT.patch |
| workaround |
extension_methods REPORT |
| synopsis |
Squid-2.5.STABLE12 assumes the OS provides a setenv() function,
causing compilation to fail on platforms not providing such function. |
| severity |
Minor |
| date |
2005-10-26 20:31 |
| bugzilla |
#1435 |
| versions |
Squid-2.5.STABLE12 |
| platforms |
Solaris and other platforms not having a setenv() function |
| patch |
squid-2.5.STABLE12-setenv.patch |
| workaround |
Back out squid-2.5.STABLE11-HOME-2.patch |
Patches released after the 2.5.STABLE11 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
| synopsis |
The individual pools for network 255 in a class 3 pool were handled
wrongly, causing clients with ip X.X.255.X to hang after downloading
a few bytes. |
| severity |
Minor |
| date |
2005-10-20 17:42 |
| bugzilla |
#1431 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-delaypool_3_255.patch |
| workaround |
Don't assign clients in network 255 to a class 3 pool. Use a class 2 pool
for this network alone. |
| synopsis |
In certain odd FTP server responses Squid may crash with a segmentation
fault in rfc1738_do_escape. |
| severity |
Major |
| date |
2005-10-18 15:48 |
| bugzilla |
#1426 |
| versions |
Squid-2.5.STABLE11 |
| platforms |
All |
| patch |
squid-2.5.STABLE11-rfc1738_do_escape.patch |
| workaround |
deny access to the ftp protocol via the proxy |
| synopsis |
In certain situations involving cache refreshes of 302 responses
Set-Cookie headers may be lost. |
| severity |
Minor |
| date |
2005-10-18 15:47 |
| bugzilla |
#1419 |
| versions |
Squid-2.5.STABLE9 to 2.5.STABLE11 |
| platforms |
All |
| patch |
squid-2.5.STABLE11-setcookie.patch |
| workaround |
Use the no_cache directive to deny the cache to be used on the affected
URLs (if identified). |
| synopsis |
If a redirector attempted to return a 302 redirect in response
to a CONNECT method Squid responded with an error. |
| severity |
Minor |
| date |
2005-10-18 15:47 |
| bugzilla |
#1412 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-redirect-CONNECT.patch |
| synopsis |
Due to a long-standing misunderstanding of HEAD requests it
has not been possible to revalidate the cache on a HEAD request. Since
2.5.STABLE7 this has had the side effect that the cache hit ratio
for applications using HEAD has been very low. |
| severity |
Minor |
| date |
2005-10-18 15:47 |
| bugzilla |
#1411 |
| versions |
Squid-2.5 and earlier, made more visible in 2.5.STABLE7 and later |
| platforms |
All |
| patch |
squid-2.5.STABLE11-IMS-HEAD.patch |
| synopsis |
netdb exchange failure when peering with a 2.5.STABLE11 configured as
a transparently intercepting proxy |
| severity |
Minor |
| date |
2005-10-18 15:47 |
| bugzilla |
#1410 |
| versions |
Squid-2.5.STABLE11 |
| platforms |
All |
| patch |
squid-2.5.STABLE11-httpd_accel-internal.patch |
| workaround |
Set the first http_port to 80 (same as httpd_accel_port). |
| synopsis |
The wrong TTL was selected on certain CNAME based DNS responses
such as used in certain load balancing methods etc. |
| severity |
Minor |
| date |
2005-09-28 21:52 |
| bugzilla |
#1404 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-CNAME.patch |
| workaround |
Don't set dns_positive_ttl too high. This directive puts an upper
bound on the DNS cache time to live compensating for this error. |
| synopsis |
configure accepts a number of parameters as input in environment
variables and setting CACHE_HTTP_PORT is meant to define the default
port where Squid listens. This was however only half-way implemented. |
| severity |
Cosmetic |
| date |
2005-09-28 21:16 |
| bugzilla |
#1403 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-CACHE_HTTP_PORT.patch |
| workaround |
Edit the http_port section in src/cf.data.pre in addition to defining
CACHE_HTTP_PORT. |
| synopsis |
Persistent connections did not work properly in accelerator mode using
httpd_accel_single_host, causing a lot of connections to build up to
the backend web server. |
| severity |
Minor |
| date |
2005-09-28 21:07 |
| bugzilla |
#1402 |
| versions |
Squid-2.5 and earlier(?) |
| platforms |
All |
| patch |
squid-2.5.STABLE11.accel_single_host_pconn.patch |
| workaround |
server_persistent_connections off, or disable persistent connection support
on the web server. |
| synopsis |
The environment variable $HOME is not set properly when Squid is
started as root, causing problems for some helpers to find their
configuration details. For example LDAP helpers finding their .ldaprc
configuration data.
This patch sets $HOME to the home of cache_effective_user. |
| severity |
Cosmetic |
| date |
2005-09-28 21:42 |
| bugzilla |
#1401 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-HOME-2.patch |
| workaround |
Set $HOME appropriately when starting Squid, or wrap the helper
needing this in a small script setting $HOME. |
| synopsis |
This patch adds some additional tracing to squid_ldap_auth hopefully
making it easier to isolate squid_ldap_auth configuration errors.
The patch also corrects a small but important error in one of the
examples in how to connect to Microsoft Active Directory. |
| severity |
Cosmetic |
| date |
2005-09-28 21:07 |
| bugzilla |
#1395 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-ldap_auth.patch |
| workaround |
None needed |
| synopsis |
The tcp_outgoing_address and tcp_outgoing_tos directives are evaluated
when a new outgoing connection is set up and not changed if the same
connection is later reused for a completely different request.
This patch clarifies this limitation. |
| severity |
Cosmetic |
| date |
2005-09-28 21:07 |
| bugzilla |
#454 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE11-tcp_outgoing_xxx.patch |
| workaround |
Set server_persistent_connections off when using these directives to set
the outgoing address/tos depending on the requesting client or similar. |
| synopsis |
A small but critical error has been found in the patch for Bug #500
causing responses to get truncated when using delay pools. |
| severity |
Major |
| date |
2005-09-27 22:29 |
| bugzilla |
#1405 |
| versions |
Squid-2.5.STABLE11 only |
| platforms |
All |
| patch |
squid-2.5.STABLE11-delaypools_truncated.patch |
| workaround |
Disable the use of delay pools |
Patches released after the 2.5.STABLE10 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
| synopsis |
New configure option to make life easier for people needing to
build a binary supporting a higher number of filedescriptors
than the user they build Squid as is allowed to open. |
| severity |
Cosmetic |
| date |
2005-09-19 15:50 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-maxfd.patch |
| workaround |
Squid FAQ 11.4 Running out of filedescriptors |
| synopsis |
Instead of always being false the dst acl match was using the
address 255.255.255.255 if no IP could be found for the requested
host. Apart from being slightly odd and unexpected this made it
hard to differentiate unknown hosts from badly registered hosts. |
| severity |
Minor |
| date |
2005-09-16 21:58 |
| bugzilla |
#1394 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-dst_unknown.patch |
| workaround |
none needed |
| synopsis |
pipeline_prefetch is incompatible with NTLM authentication, but Squid
failed to detect this if pipeline_prefetch was set after the auth_param
ntlm directive. |
| severity |
Cosmetic |
| date |
2005-09-16 21:49 |
| bugzilla |
#1396 |
| versions |
Squid-2.5 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-ntlm-pipeline_prefetch.patch |
| workaround |
Leave pipeline_prefetch at its default "off" setting |
| synopsis |
Squid may crash with the above error when given certain request sequences. |
| severity |
Major |
| date |
2005-09-16 11:10 |
| bugzilla |
#1391 |
| versions |
Squid-2.5 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-NTLM-scheme_assert-2.patch |
| workaround |
Disable ntlm authentication |
| synopsis |
If Squid is configured with "pipeline_prefetch on" then odd results
and instability may be seen on pipelined CONNECT requests. |
| severity |
Medium |
| date |
2005-09-15 09:56 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-pipeline-CONNECT.patch |
| workaround |
"pipeline_prefetch off" in squid.conf. (the default setting). |
| synopsis |
On NetBSD and maybe others, when using Ipfilter 4.x, opening of the NAT device fails.
On Solaris the following message can appear in cache.log:
parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument
This patch adds the usage of ipfobj structure for IP Filter 4.0alpha27 and later. |
| severity |
Minor |
| date |
2005-09-13 03:22 |
| bugzilla |
#1378 |
| versions |
Squid-2.5 and earlier |
| platforms |
NetBSD, Solaris and maybe others |
| patch |
squid-2.5.STABLE10-NetBSD_IPFilter-3.patch |
| synopsis |
Clients may bypass delay pool settings by carefully constructing
the request making it look like a cache hit. |
| severity |
Medium |
| date |
2005-09-11 01:53 |
| bugzilla |
#500 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-delay_pools.patch |
| synopsis |
Linux and other operating systems by default prevent saving of
core dumps on fatal application errors if the application has
changed user ID since it was started. |
| severity |
Cosmetic |
| date |
2005-09-16 21:16 |
| bugzilla |
#1335 |
| versions |
Squid-2.5 and earlier |
| platforms |
Linux (maybe others) |
| patch |
squid-2.5.STABLE10-allow_coredump-2.patch |
| workaround |
Start Squid as your cache_effective_user |
| synopsis |
The header_id enum was misused assuming compilers would compile
the type equivalent to a signed integer, while the enum was only
defined with positive values allowing compilers to select an
unsigned integer data type to store the enum. |
| severity |
Cosmetic |
| date |
2005-09-11 01:21 |
| bugzilla |
#1343 |
| versions |
Squid-2.5 and earlier |
| platforms |
Some compilers on some platforms |
| patch |
squid-2.5.STABLE10-header_id_enum.patch |
| synopsis |
Incorrect store dir selection debug message on objects >2G |
| severity |
Cosmetic |
| date |
2005-09-11 01:21 |
| bugzilla |
#1343 |
| versions |
Squid-2.5.STABLE10 (earlier versions could not handle such large objects at all) |
| platforms |
All |
| patch |
squid-2.5.STABLE10-storedir_objsize_debug.patch |
| synopsis |
Due to a logic error in squid-2.5.STABLE9-LDAP_SUN_SDK.patch
TLS could not be activated when using the OpenLDAP SDK. |
| severity |
Minor |
| date |
2005-09-11 00:57 |
| bugzilla |
#1389 |
| versions |
Squid-2.5.STABLE10 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-LDAP_TLS.patch |
| synopsis |
The e-mail sent when the cache dies uses the Squid internal appname "squid"
as its "From:" field.
This "From:" address is invalid for the majority of antispam filters because it
doesn't contain a valid domain name.
This patch adds the 'mail_from' directive to squid.conf, allowing the
From e-mail address to be specified, and changes the default to use 'appname@unique_hostname'. |
| severity |
Minor |
| date |
2005-09-03 09:41 |
| bugzilla |
#1380 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-mail_from.patch |
| workaround |
Define special rules in the antispam configuration. |
| synopsis |
On Solaris, the Ipfilter include files use a SOLARIS2 define that is defined
only in the ipfilter makefile at ipfilter build time.
When building applications like Squid that use ipfilter include files, this
define must be defined according to the Solaris minor version:
On Solaris 8: #define SOLARIS2 8
On Solaris 10: #define SOLARIS2 10
Another minor problem is that getconf during configure removes the 'sun'
define used by ipfilter to recognize the Solaris platform. |
| severity |
Minor |
| date |
2005-09-13 02:59 |
| bugzilla |
#1374 |
| versions |
Squid-2.5 and earlier |
| platforms |
Solaris Sparc and x86 |
| patch |
squid-2.5.STABLE10-Solaris_IPFilter-2.patch |
| workaround |
Manually define SOLARIS2 before running configure. |
| synopsis |
snmp cacheClientTable fails to return any information for "long" IP
addresses. Clients with IP xxx.xxx.xxx.xx or shorter work, but
xxx.xxx.xxx.xxx does not work. |
| severity |
Minor |
| date |
2005-09-01 22:57 |
| bugzilla |
#1375 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-cacheClientTable.patch |
| synopsis |
Squid crashes with the above assertion failure in certain conditions
involving aborted requests. |
| severity |
Major |
| date |
2005-09-01 22:44 |
| bugzilla |
#1368 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-STORE_PENDING.patch |
| synopsis |
Greek translation of the Squid error messages, kindly provided by
George Papamichelakis. |
| severity |
Cosmetic |
| date |
2005-09-01 22:39 |
| bugzilla |
#1351 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-Greek.patch |
| synopsis |
Some odd FTP servers mistakenly respond with a 250 code where 226
is expected, making Squid mistakenly think something went wrong with
the transfer |
| severity |
Minor |
| date |
2005-09-01 22:31 |
| bugzilla |
#1348 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-ftp_250.patch |
| synopsis |
Squid fails to compile if glibc -D_FORTIFY_SOURCE=2 is used (used by
Fedora Core 4 and others). This is due to the way -D_FORTIFY_SOURCE=2
is implemented in the glibc headers, redefining vprintf and a number
of other functions as preprocessor macros, causing problems for
applications like Squid reusing the same name as structure members. |
| severity |
Cosmetic |
| date |
2005-09-01 22:26 |
| bugzilla |
#1344 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-FORTIFY_SOURCE.patch |
| workaround |
Don't use -D_FORTIFY_SOURCE=2 |
| synopsis |
In certain error conditions on requests forwarded to a peer proxy the
URL in the error message could look a bit strange (NONE://10.72.43.56:8181http://www.abcd.com/),
and there were a number of inconsistencies in which %xx error page components may be used where. |
| severity |
Cosmetic |
| date |
2005-09-01 22:18 |
| bugzilla |
#1342 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-errmsg.patch |
| synopsis |
Issues with reading mime.conf and a few other files when using chroot_dir
and issuing a "squid -k reconfigure". |
| severity |
Minor |
| date |
2005-09-01 22:09 |
| bugzilla |
#1331 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-chroot_dir.patch |
| workaround |
Make sure the chroot path exists within the chroot as well. |
| synopsis |
One slightly oddly done sanity check in Squid may trigger compiler bugs
on certain platforms. |
| severity |
Medium |
| date |
2005-09-01 21:56 |
| bugzilla |
#1325 |
| versions |
Squid-2.5 and earlier |
| platforms |
Some (compiler dependent) |
| patch |
squid-2.5.STABLE10-statHistAssert.patch |
| workaround |
Probably works fine if optimizations are disabled |
| synopsis |
After certain slightly odd requests Squid crashes with a segmentation
fault in sslConnectTimeout |
| severity |
Major |
| date |
2005-09-01 20:27 |
| bugzilla |
#1355 |
| versions |
Squid-2.5 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-sslConnectTimeout.patch |
| synopsis |
Workaround needed to allow the build of both ipfilter and ARP acl
support on Solaris x86.
Some defines, like
#define free +
are used in squid.h to block misuse of standard malloc routines
where the Squid versions should be used. This pollutes the C/C++
token namespace crashing any structures or classes having members
of the same names. |
| severity |
Minor |
| date |
2005-08-19 09:31 |
| bugzilla |
#199 |
| versions |
Squid-2.5 and earlier |
| platforms |
Solaris x86 and maybe Solaris Sparc |
| patch |
squid-2.5.STABLE10-arp_ipfilter-2.patch |
| synopsis |
This patch adds a new 'mail_program' configuration option to squid.conf.
This option allows specifying the mailer program name that Squid will use to
send fatal reports by mail, and related command line options. |
| severity |
Cosmetic |
| date |
2005-08-14 17:05 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-mail_program.patch |
| synopsis |
The new --with-build-environment=... configure option added in
STABLE10 doesn't work in anything other than the "default" case. |
| severity |
Cosmetic |
| date |
2005-07-11 00:46 |
| versions |
Squid-2.5.STABLE10 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-buildenv.patch |
| workaround |
Specify the needed CFLAGS etc as environment variables when
running configure. |
| synopsis |
This patch allows wb_ntlm_auth to run more silently:
- Don't try to open /dev/urandom if it's not available.
- Changed the level of the "target domain" message from warn to debug. |
| severity |
Cosmetic |
| date |
2005-07-09 08:58 |
| bugzilla |
#518 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-wb_ntlm_auth_silent.patch |
| synopsis |
This patch fixes many warnings during build on HP Tru64 Unix:
- assert() must test logical expressions, not pointers
- STATUS define conflict in parse.c (snmplib)
- Warnings in winbind, winbind_group, SMB, fakeauth and MSNT helpers
- Warnings in net_db.c |
| severity |
Cosmetic |
| date |
2005-07-03 08:24 |
| bugzilla |
#1316 |
| versions |
Squid-2.5 and earlier |
| platforms |
HP Tru64 and probably some other 64 bit platforms |
| patch |
squid-2.5.STABLE10-64bit_cleanup.patch |
| synopsis |
wbinfo_group.pl only looks into the first group specified, while
all other group helpers allow a list of groups to look for |
| severity |
Minor |
| date |
2005-06-29 20:36 |
| bugzilla |
#1333 |
| versions |
Squid-2.5 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-wbinfo_groups.patch |
| workaround |
use one acl per group |
| synopsis |
This patch changes the directory cleanup to use relative URLs rather
than BASE HREF when a directory is requested without trailing / |
| severity |
Minor |
| date |
2005-06-21 22:28 |
| bugzilla |
#1204 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-ftp_basehref.patch |
| workaround |
Make sure to end the ftp:// URL in / when requesting a directory |
| synopsis |
The squid-2.5.STABLE8-html_high_chars patch was a little too aggressive,
messing up URLs having characters which were intentionally encoded such
as / as used for the UNIX root directory. |
| severity |
Cosmetic |
| date |
2005-06-22 10:46 |
| bugzilla |
#1220 |
| versions |
Squid-2.5.STABLE9 and 10 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-ftp_title-2.patch |
| synopsis |
This quick patch fixes the SNMP GETNEXT search when given an OID outside
the Squid MIB. This allows proper integration of Squid into proxy SNMP
agents. |
| severity |
Minor |
| date |
2005-06-19 21:03 |
| bugzilla |
#1317 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-snmp_getnext.patch |
| synopsis |
Failed to detect if the type of an existing cache_dir was changed,
calling the parser function of the new type with the internal data of
the existing one.
This patch detects this and logs to cache.log (and the console) that a
restart is required. |
| severity |
Minor |
| date |
2005-06-19 09:39 |
| bugzilla |
#1308 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-cache_dir_change.patch |
| workaround |
Restart Squid whenever changing the type of an existing cache_dir. |
| synopsis |
Due to an internal error httpd_accel_single_host was incompatible
with redirection. |
| severity |
Minor |
| date |
2005-06-13 22:55 |
| bugzilla |
#1314 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-redirect_flags.patch |
| synopsis |
Abnormal crash if Squid was built with --enable-ipf-transparent
but access to the NAT device was denied. |
| severity |
Minor |
| date |
2005-06-30 08:49 |
| bugzilla |
#1313 |
| versions |
Squid-2.5.STABLE10 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-transparent-2.patch |
| workaround |
Properly configure your OS to grant Squid access to the NAT device
when using --enable-ipf-transparent |
| synopsis |
Due to a slight confusion about paths when using the chroot directive
"squid -k" could fail to find the pid file. |
| severity |
Minor |
| date |
2005-06-27 21:24 |
| bugzilla |
#1307 |
| versions |
Squid-2.5.STABLE10 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-chroot-2.patch |
| workaround |
Use symlinks to make the pid file appear in the same location both
within and outside the chroot. |
| synopsis |
The Date header on internal icons always showed the date when Squid
was started, causing slight cache problems for clients and second-level
non-Squid proxies. |
| severity |
Minor |
| date |
2005-06-09 08:01 |
| bugzilla |
#1275 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE10-internal_date.patch |
| workaround |
None needed. |
| synopsis |
Updated Spanish error messages with translation for the ERR_INVALID_RESP
page and numerous minor corrections in other pages. |
| severity |
Cosmetic |
| date |
2005-06-06 21:38 |
| versions |
Squid-2.5 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-spanish.patch |
| synopsis |
There are quite many web servers out there with broken banner engines
that forget to delete the original content-length after adding the
banner. Currently these are (rightfully) rejected by Squid.
Instead of rejecting we could select the biggest content-length header
found and remove the other. This should fix up these replies while not
allowing for attacks. |
| severity |
Cosmetic |
| date |
2005-05-25 23:01 |
| bugzilla |
#1305 |
| versions |
Squid-2.5.STABLE8 to STABLE10 |
| platforms |
All |
| patch |
squid-2.5.STABLE10-content_length.patch |
| workaround |
The proper fix to this problem is to work with the site operators to
have their web servers corrected. |
Patches released after the 2.5.STABLE9 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
| synopsis |
There have been a lot of questions about always_direct. This patch
tries to answer the most common questions on what always_direct does
and its relation to other directives. |
| severity |
Cosmetic |
| date |
2005-05-10 23:11 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-always_direct_documentation.patch |
| synopsis |
A race window in the 2GB patch could make Squid abort with the above
assertion error |
| severity |
Medium |
| date |
2005-05-10 22:33 |
| bugzilla |
#1301 |
| versions |
Squid-2.5.STABLE9+2GB patch |
| platforms |
All |
| patch |
squid-2.5.STABLE9-2GB_assert.patch |
| synopsis |
Malicious users may spoof DNS lookups if the DNS client UDP port
(random, assigned by OS at startup) is unfiltered and your network
is not protected from IP spoofing. |
| severity |
Security issue |
| date |
2005-05-10 22:24 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-dns_query-2.patch |
| workaround |
Firewall your Squid server to not allow spoofed DNS responses
to reach the server. |
| synopsis |
This patch extends the dstdomain and dstdom_regex acls to also
allow matching of numeric host names (IP addresses) in the requested
URLs. |
| severity |
Minor |
| date |
2005-05-09 01:51 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-dstdomain_ip.patch |
| workaround |
In prior versions only url_regex could be used for matching these,
and then with rather complex patterns. |
| synopsis |
Cosmetic improvements to arp ACL code:
- Fixed a build warning on FreeBSD
- Added documentation info in squid.conf
- Fixed dump format of arp ACL configuration in cachemgr |
| severity |
Cosmetic |
| date |
2005-05-08 14:01 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-arpacl.patch |
| synopsis |
This patch corrects two minor issues in the SNMP agent. The first is
that Squid ignored all but the first OID in GETNEXT/GETBULK requests.
The second is that Squid always responded with an SNMPv1 response even
when the request was an SNMPv2(c) request, causing the requestor to
ignore the response sent by Squid. |
| severity |
Minor |
| date |
2005-05-04 18:09 |
| bugzilla |
#1298, #1299 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-snmp.patch |
| workaround |
Use SNMPv1 and only request one OID at a time |
| synopsis |
This patch aligns the labels and expands the OPS and SUCCESS fields of the DISKD cachemgr stats |
| severity |
Cosmetic |
| date |
2005-05-01 10:58 |
| bugzilla |
#1267 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-diskd.patch |
| synopsis |
This patch corrects a problem with the squid-2.5.STABLE9-2GB patch
where the hot object cache showed a very poor hit ratio and also
sporadic aborts with assertion failed: store_swapin.c: e->mem_status == NOT_IN_MEMORY. |
| severity |
Medium |
| date |
2005-04-30 12:58 |
| bugzilla |
#1055 |
| versions |
Squid-2.5.STABLE9+2GB patch |
| platforms |
All |
| patch |
squid-2.5.STABLE9_2GB-hot_cache.patch |
| synopsis |
- Currently internal thread request counters are increased at every request, but they are not displayed in cachemgr. This patch adds the thread request counters to the "Async IO Function Counters" cachemgr page.
- Usage of FD_READ_METHOD/FD_WRITE_METHOD instead of read()/write() in the async-io completion event for better portability. |
| severity |
Cosmetic |
| date |
2005-04-25 16:36 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-aufs_improvement.patch |
| synopsis |
This patch adds access controls to the cachemgr.cgi script, preventing
it from being abused to reach servers other than those allowed in a
local configuration file. |
| severity |
Minor Security |
| date |
2005-04-26 04:30 |
| bugzilla |
#1094 |
| versions |
Squid-2.5 and earlier |
| platforms |
All |
| patch |
squid-2.5.STABLE9-cachemgr_conf.patch |
| workaround |