The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.11 release!
This release brings several bug fixes and some further HTTP/1.1
improvements into 3.1.
Bug 3140: A small but cumulative memory leak was found and fixed in
error page generation.
Bug 3144: URL re-write/redirect programs are potentially vulnerable to
hanging while receiving very long URLs, due to buffer overflow
protections truncating long URLs. This enables trusted clients to
perform a DoS on the Squid server, possibly via loading web links in a
malicious website.
Popular scripting helpers appear not to be vulnerable to this DoS
effect, but will produce errors or truncated URL output instead.
Helpers which depend on and wait for receiving the API-documented
newline terminator are all vulnerable.
Squid will now catch these and produce a 414 status code error instead.
Bug 2959: We have removed the use of environment variable SAMBAPREFIX
during build. Instead the helpers which previously used it to locate the
Samba tools require those tools (nmblookup, smbclient, wbinfo) to be
available in the system $PATH. This allows several helpers to be built
on systems without Samba as long as it is present when they are run.
* Build scripts should be forward-compatible since the Squid build
simply ignores the variable now.
* Run-time scripts may need a check and update to ensure the above
mentioned Samba tools are in the system $PATH now.
Bug 3149: eCAP was not updating the object state correctly on altered
bodies, causing them not to be cacheable. This was particularly
noticeable in the compression eCAP adapter as reduced efficiency and
slower transfers.
HTTP/1.1 support has been boosted slightly with:
* extension of deny_info to send 307 status when appropriate instead
of always sending 302. This will allow some browsers to start safely
displaying the error page in response to HTTPS rejections.
* removal of an old limit on agents using the "Mozilla/3.0" string.
This will allow more download agents to gain the benefits of persistent
connections.
* addition of support for the "Cache-Control: stale-if-error=N" option
from RFC 5861. There is no Squid configuration required.
NP: The paired stale-while-revalidate is much more complex and not
supported in 3.1.
* pipeline_prefetch auto-disabled under several authentication schemes.
Pipelining is one of the standard HTTP features which clashes and breaks
badly when NTLM or Negotiate/Kerberos TCP connection authentication are
performed. Squid will now produce a warning message and disable
pipelining cleanly if those authentication methods are configured in Squid.
The default setting for pipelining is OFF. Configurations receiving
that warning should remove the pipeline_prefetch directive from their
squid.conf.
WARNING: the current Squid will not produce this notice if NTLM or
Negotiate/Kerberos are simply passed through Squid to an origin server.
If you are aware of such traffic needing to pass through your Squid it
is up to you to ensure pipelining remains OFF.
See the ChangeLog for the list of other minor changes in this release.
All users of Squid-3 are urged to upgrade as soon as possible.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
when you are ready to make the switch to Squid-3.1.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.1/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.1/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.dyn
http://www.squid-cache.org/Download/mirrors.dyn
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
Received on Sat Feb 12 2011 - 22:49:16 MST
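
The pipelining caveat above can also be checked statically against squid.conf, including the pass-through case where Squid itself prints no warning. This is an added example, not part of the original announcement or of the Squid project's code; it assumes the last pipeline_prefetch line wins, does not follow include files, and uses a constructed sample config with a placeholder helper path.

```shell
#!/bin/sh
# Added example: audit a squid.conf for pipeline_prefetch enabled together
# with connection-oriented authentication (NTLM, Negotiate/Kerberos).

# audit_pipelining FILE
# Prints findings and returns:
#   0  pipelining is off (explicitly, or by default)
#   1  pipelining is on and auth_param ntlm/negotiate has a helper program
#   2  pipelining is on without those schemes configured; NTLM/Negotiate
#      passed through to an origin server would still break
audit_pipelining() {
    awk '
        { sub(/#.*/, "") }                 # drop comments (only $1..$3 matter here)
        NF == 0 { next }
        $1 == "pipeline_prefetch" {
            state = tolower($2); pline = NR    # assumption: last occurrence wins
        }
        $1 == "auth_param" && $3 == "program" {
            s = tolower($2)
            if (s == "ntlm" || s == "negotiate") schemes[s] = NR
        }
        END {
            if (state != "on") { print "OK: pipeline_prefetch is off"; exit 0 }
            n = 0
            for (s in schemes) {
                n++
                printf "CONFLICT: auth_param %s (line %d) with pipeline_prefetch on (line %d)\n", s, schemes[s], pline
            }
            if (n > 0) exit 1
            printf "NOTE: pipeline_prefetch on (line %d); keep it off if NTLM/Negotiate passes through\n", pline
            exit 2
        }
    ' "$1"
}

# Demonstration on a constructed sample config (helper path is a placeholder).
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample, not a real deployment' \
    'auth_param ntlm program /path/to/ntlm_helper' \
    'pipeline_prefetch on' > "$sample"
audit_pipelining "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

To audit a real configuration, call `audit_pipelining` with the path to your squid.conf and act on a non-zero status by removing the pipeline_prefetch directive, as the announcement advises.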