[squid-announce] Squid 4.0.22 beta is available

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 10 05:39:14 UTC 2017


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.22 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Regression: Relay peer CONNECT error status line and headers to clients

Our CVE-2015-5400 fix was aggressive -- it hid all peer errors behind a 
generic 502 (Bad Gateway) response. The intent was never to have that 
situation be permanent.

Subsequent changes to the CONNECT handling now allow us to safely relay 
the client response status and headers - but not yet the message payloads. 
The client's TCP connection will continue to be closed immediately after 
the initial message headers are delivered, allowing clients to safely 
detect the missing response payload (if any) as a connection error in 
addition to any HTTP error indicated by the response status.

This should resolve a lot of client issues.


* Bug 4767: SMP breaks IPv6 SNMP and cache manager queries

This rather nasty bug causes a Squid with SMP workers to crash 
whenever SNMP or cache manager queries are received over IPv6.


* Bug 4648: object revalidation for HTTPS scheme

Previous Squid releases have not been performing cache revalidation for 
responses to https:// URL requests. As can be expected with the increased 
use of revalidation in HTTP/1.1, this leads to rather low caching 
efficiency and extra bandwidth consumption on a lot of traffic.


* Bug 4616: store_client.cc:92: "mem" assertion

This crash occurs primarily when Collapsed Forwarding is used, though 
it may also occur at other rare times.


* Bug 2821: ignore Content-Range in non-206 responses

Squid used to honor the Content-Range header in HTTP 200 OK (and possibly 
other non-206) responses, truncating (and possibly enlarging) some 
response bodies. RFC 7233 declares Content-Range meaningless for 
standard HTTP status codes other than 206 and 416. Squid now relays a 
meaningless Content-Range as is, without using its value on these responses.


* TLS: certificate validation improvements


The experimental auto-download feature for missing CA certificates has 
now been optimized to skip downloading if the CA certificate has 
previously been downloaded, or can be validated using another issuer CA.

Also, when Squid or its helper could not validate a downloaded 
intermediate certificate (or the root certificate), the Squid error page 
contained '[Not available]' instead of the broken certificate details, 
and the logs contained '-1' instead of the depth of the broken certificate.


* TLS: certificate generator improvements

SSL-Bump was found to be ignoring some origin server certificate changes 
or differences, incorrectly using the previously cached fake certificate 
(mimicking now-stale properties or properties of a slightly different 
certificate). Also, Squid was not detecting key collisions inside 
certificate caches.


* Fix backwards compatibility for Squid-3.5 external_acl_type formats

Previous Squid-4 releases omitted support for several external_acl_type 
format codes available in Squid-3. This has now been resolved and 
Squid-3 external_acl_type format configurations should remain working 
across an upgrade.


* Do not die silently when dying early

Squid previously could terminate silently, with no log entries in 
cache.log or syslog, if the reason for termination was some environment 
condition discovered during the process environment setup. Squid 
should now catch these types of issues and deliver an error to the best 
available log output - usually that would be syslog or the OS 'messages' 
log, due to cache.log not being set up. If the -X command line parameter 
is used, stderr will be used instead.


* Docs: update translation files

As we are closing in on the final bug fixes for Squid-4, the i18n 
translation texts have been updated. This and other routine 
documentation additions form the majority of the size difference 
between this release and the previous release.


  All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

  All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


  See the ChangeLog for the full list of changes in this and earlier
  releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
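
The Content-Range change (Bug 2821) described above, shown as an added example that is not part of the original announcement and is not Squid's code. The function names, the `honor_everywhere` switch that models the old behaviour in simplified form, and the sample responses are all constructed for illustration.

```python
import re

# RFC 7233 byte-content-range: "bytes first-last/complete" or "bytes */complete"
_CONTENT_RANGE = re.compile(r"^bytes (?:(\d+)-(\d+)|\*)/(\d+|\*)$")

def parse_response_head(raw: bytes):
    """Split a raw response head into (status, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def expected_body_bytes(status, headers, honor_everywhere=False):
    """Number of body bytes a relay should expect for this response.

    honor_everywhere=True is a simplified model of the old behaviour:
    Content-Range is applied to any status. With the default, the header
    sizes the body only for 206; on every other status it is ignored for
    framing (and would be relayed untouched).
    """
    length = headers.get("content-length")
    length = int(length) if length is not None and length.isdigit() else None
    m = _CONTENT_RANGE.match(headers.get("content-range", ""))
    if m and m.group(1) is not None and (status == 206 or honor_everywhere):
        first, last = int(m.group(1)), int(m.group(2))
        if first <= last:              # an inverted range is invalid, ignore it
            return last - first + 1
    return length

# Constructed sample responses (not captured traffic).
TRUNCATING = (b"HTTP/1.1 200 OK\r\nContent-Length: 1000\r\n"
              b"Content-Range: bytes 0-99/1000\r\n\r\n")
ENLARGING = (b"HTTP/1.1 200 OK\r\nContent-Length: 1000\r\n"
             b"Content-Range: bytes 0-1999/2000\r\n\r\n")
PARTIAL = (b"HTTP/1.1 206 Partial Content\r\nContent-Length: 100\r\n"
           b"Content-Range: bytes 100-199/1000\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("truncating", TRUNCATING), ("enlarging", ENLARGING),
                      ("partial", PARTIAL)]:
        status, headers = parse_response_head(raw)
        print(name, status,
              "old:", expected_body_bytes(status, headers, honor_everywhere=True),
              "new:", expected_body_bytes(status, headers))
```
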

