[squid-announce] Squid 3.5.7 is available

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 6 04:47:33 UTC 2015


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.7 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:


* Regression Bug 4227: assertions in AuthUserHashPointer

This bug showed up as occasional (or not so occasional) crashes when
Squid is cleaning up the username cache that sits behind HTTP Basic and
Digest authentication. It also affected NTLM and Negotiate which
populate the cache entries but do not use them directly.



* Bug 4251: incorrect instance name for memory segments in /dev/shm

This was an omitted part of the named services feature added in 3.5
which rendered it unusable in previous releases.

Now that this is resolved, Squid-3.5 instances should be fully
multi-tenant / multi-instance capable as documented in the Release Notes.



* Bug 3345: 'any available user name' format code for external ACLs.

This is a long requested feature port from Squid-2.8 (2.HEAD).

The %un format code can be used in place of %LOGIN to provide a user
name from any available source of credentials. However, it does not
trigger HTTP authentication in the absence of credentials.

The resulting user value is generated as documented for the identical
%un logformat code. Exact contents may vary depending on what details
are available at the time the ACL is tested.



* SSL certificate database corruption

The ssl_crtd helper occasionally discovers that its backend disk store
has become corrupted. A number of potential reasons have been identified
for this.

Some of those reasons have been fully solved. Extra validation checks
and automatic recovery procedures are added to resolve others.

The problem may remain for some installations but this release should be
a lot more resilient for most using the ssl_crtd helper.

Work is ongoing with this set of problems. Please stay in touch about
ssl_crtd issues in this or later releases.



* TLS: Splice to origin cache_peer.

When ssl-bump splice action is selected Squid can now relay the traffic
to a cache_peer configured with the 'originserver' option.

SNI and other certificate information received from the client is sent
to the peer exactly as it would have been on a DIRECT origin connection.



* TLS: HTTP error responses served using invalid certificates when
  dealing with SSL server errors.

When ssl-bump bump action is performed this bug would cause cryptic
certificate errors to be presented to users. A Squid-generated error
"page" to be sent over a secure connection would be sent with an
incorrect Squid-generated server certificate.



* IPv6: improve BCP 177 compliance

Since early 2012 it has been mandatory for new or upgraded Internet
connected machinery and software to support IPv6 and use it in preference
over IPv4.

Squid IPv6 behaviour has followed these practices since well before the
guidelines became a BCP. Over the years it has also grown into a
well-tested and widely used feature.

The --disable-ipv6 build option is now deprecated. It is long past time
to fix whatever network brokenness you may have that made it look
attractive in past years.

Squid-3.5.7 and later will perform IPv6 availability tests on startup in
all builds.

 - Where IPv6 is unavailable Squid will continue exactly as it would
have had the build option not been used.

   Such Squid builds can have the build option removed now.

 - Where IPv6 is detected but --disable-ipv6 prevents use Squid will log
"WARNING: BCP 177 violation".

    Please test whether you can rebuild with IPv6 enabled.



* Perl pod2man is now optional

Several of the Perl-based helpers bundled with Squid previously required
the pod2man documentation generator before they would build.

Since it is only used to create documentation, that tool is now optional
and these helpers may be built and installed on any system containing
just a Perl installation.



* basic_smb_auth issues with Samba 4

The basic_smb_auth helper has been identified as having several issues
authenticating with Samba 4 smbclient or any networks containing WINS
servers. Those are now fixed.




 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
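
Added example, not part of the original announcement and not Squid project code: an external ACL helper for the %un format code described under Bug 3345 above, covering the case where %un does not trigger authentication and so no user name is available. The helper path, ACL names and allow-list are hypothetical, and the code assumes that Squid URL-escapes the value and passes a missing user name as "-", as in logformat output.

```python
#!/usr/bin/env python3
"""External ACL helper for a squid.conf such as (names and path hypothetical):

    external_acl_type user_check ttl=60 concurrency=0 %un /usr/local/bin/user_check.py
    acl known_user external user_check
    http_access allow known_user
    http_access deny all
"""
import sys
from urllib.parse import unquote

# Constructed allow-list for illustration.
ALLOWED_USERS = {"alice", "bob@example.com"}


def decide(line: str) -> str:
    """Return the helper reply ("OK" or "ERR") for one request line."""
    fields = line.strip().split()
    if len(fields) != 1:
        # Empty or malformed request: fail closed.
        return "ERR"
    # Assumption: Squid URL-escapes format values sent to the helper.
    user = unquote(fields[0])
    # Assumption: a missing user name arrives as "-", as in logformat output.
    # %un never prompts for credentials, so this case must be denied here
    # rather than relying on an authentication challenge.
    if user in ("", "-"):
        return "ERR"
    return "OK" if user in ALLOWED_USERS else "ERR"


def main() -> None:
    for line in sys.stdin:
        # One reply line per request line; flush so Squid is not kept waiting.
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With %LOGIN in place of %un, a request without credentials would instead be challenged for authentication before the helper is consulted.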


