[squid-announce] Squid 4.0.21 beta is available

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 7 12:35:37 UTC 2017


The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.21 release!


This release is a bug fix release resolving several issues found in the
prior Squid releases.


The major changes to be aware of:

* Regression Bug 4492: Chunk extension parser is too pedantic

With this fix Squid is back to ignoring some unusual message whitespace 
padding that senders should not have been adding, but which is generally 
harmless to the protocol. It is a regression specific to the Squid-4 
release series, not affecting any other installations.


* Bug 1961 partial: Redesign urlParse API

The core changes for the redesign work are largely finished now. As a 
result this release should have much lower memory use on url_rewrite API 
lookups which choose not to rewrite the URL.


* Collapse security_file_certgen requests

This helper API now collapses identical parallel lookups into a single 
helper message to reduce load and latency, and as a result reduce pressure 
on the system crypto services. It still has some issues, but should now 
cope a lot better with sudden load peaks as seen from browsers starting up.


* SSL-Bump: tproxy does not spoof spliced connections

This release now performs TPROXY spoofing properly when SSL-Bump logic 
selects the splice action. Previously SSL-Bump would behave as if NAT 
intercept was being used, replacing the sender IP with Squid's own.


* Add a basic AppArmor profile

This release bundles a basic AppArmor profile contributed by Ubuntu 
developers. As with init system scripts, this profile is not installed by 
default; packagers wishing to use it should pull the file from the 
sources during packaging.


Several major bug fixes shared with the future Squid-3.5.27 release are 
also worth mentioning:

* Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

In Squid-3 this bug appeared as "fd_table[conn->fd].halfClosedReader != 
NULL" assertions.

Admins who have used the various config workarounds or patches to 
suppress those assertions will need to reassess those temporary measures 
after upgrading to this release.


* Bug 2833: collapsed forwarding doesn't work with NOT MODIFIED response

The security fix for CVE-2016-10003 had a negative effect on collapsed 
forwarding. All "private" entries were considered automatically 
non-shareable among collapsed clients. However this is not true: there 
are many situations when collapsed forwarding should work despite 
"private" (non-cacheable) entry status: 304/5xx responses are good 
examples of that.

This release adds a mechanism to mark some non-cached responses as being 
shareable with collapsed forwarding.

These changes also involved fixing incorrect delivery of 304 responses 
to a client when Squid was the agent performing revalidation instead of 
the client.


* Bug 4112: ssl_engine does not accept cryptodev

This directive has been broken for quite a long time, failing to 
recognize any of the default OpenSSL engines. This release restores 
support for the OpenSSL engines feature.


* Fix SMP query handoff to Coordinator.

Several issues related to SMP messages to the coordinator process have 
been fixed. Some of these are likely to have been resulting in hung 
connections for SNMP and mgr transactions. Others were resulting in 
garbage messages arriving at the coordinator.



  All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

  All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.


  See the ChangeLog for the full list of changes in this and earlier
  releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4.

This new release can be downloaded from our HTTP or FTP servers

  http://www.squid-cache.org/Versions/v4/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries