From squid3 at treenet.co.nz Fri Jul 7 12:35:37 2017
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Sat, 8 Jul 2017 00:35:37 +1200
Subject: [squid-announce] Squid 4.0.21 beta is available
Message-ID:

The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-4.0.21 release!

This release is a bug fix release resolving several issues found in the prior Squid releases.

The major changes to be aware of:

* Regression Bug 4492: Chunk extension parser is too pedantic

With this fix Squid is back to ignoring some unusual message whitespace padding that senders should not have been doing, but which is generally harmless to the protocol.

It is a regression specific to the Squid-4 release series, not affecting any other installations.

* Bug 1961 partial: Redesign urlParse API

The core changes for the redesign work are largely finished now. As a result this release should have much lower memory use on url_rewrite API lookups which choose not to rewrite the URL.

* Collapse security_file_certgen requests

This helper API now collapses identical parallel lookups into a single helper message to reduce load and latency, and as a result reduce pressure on the system crypto services.

It still has some issues, but should now cope a lot better with sudden load peaks as seen from Browsers starting up.

* SSL-Bump: tproxy does not spoof spliced connections

This release now performs TPROXY spoofing properly when SSL-Bump logic selects the splice action. Prior SSL-Bump would behave as if NAT intercept was being used, by replacing the sender IP with Squid's own.

* Add a basic apparmour profile

This release bundles a basic AppArmor profile contributed by Ubuntu developers. As with init system scripts, this profile is not installed by default; packagers wishing to use it should pull the file from the sources during packaging.

Several major bug fixes shared with the future Squid-3.5.27 release are also worth mentioning:

* Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

In Squid-3 this bug appeared as "fd_table[conn->fd].halfClosedReader != NULL" assertions.

Admins who have used the various config workarounds or patches to suppress those assertions will need to re-assess those temporary measures after upgrading to this release.

* Bug 2833: collapsed forwarding doesn't work with NOT MODIFIED response

The security fix for CVE-2016-10003 had a negative effect on collapsed forwarding. All "private" entries were considered automatically non-shareable among collapsed clients. However, this is not true: there are many situations when collapsed forwarding should work despite "private" (non-cacheable) entry status: 304/5xx responses are good examples of that.

This release adds a mechanism to mark some non-cached responses as being able to share with collapsed forwarding.

These changes also involved fixing incorrect delivery of 304 responses to a client when Squid was the agent performing revalidation instead of the client.

* Bug 4112: ssl_engine does not accept cryptodev

This directive has been broken for quite a long time, failing to recognize any of the default OpenSSL engines. This release restores support for the OpenSSL engines feature.

* Fix SMP query handoff to Coordinator.

Several issues related to SMP messages to the coordinator process have been fixed. Some of these are likely to have been resulting in hung connections for SNMP and mgr transactions. Others were resulting in garbage messages arriving at the coordinator.

All users of Squid-4.x are encouraged to upgrade to this release as soon as possible.

All users of Squid-3 are encouraged to test this release out and plan for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/

Amos Jeffries