[squid-users] [squid-announce] Squid 3.5.3 is available
squid3 at treenet.co.nz
Mon Mar 30 11:18:36 UTC 2015
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.3 release!
This release is a bug fix release resolving several issues found in
the prior Squid releases.
The major changes to be aware of:
* Regression Bug #4206: connection close on Expect:100-continue
It was found that large POST and PUT requests using Expect:100-continue
to a Squid-3.5.1 or 3.5.2 would reset the TCP connection instead of
allowing the upload to proceed. The working Squid-3.4 behaviour has now
* Regression Bug #4213: negotiate_kerberos_auth segmentation faults
After Squid-3.5.2 updates to the Kerberos support it was found that this
helper was frequently, but not always, encountering a segmentation
fault. That is now fully resolved.
Also fixed in this release is support for the latest Heimdal libraries
and some unused Kerberos related code is no longer built.
* Bug #2907: high CPU usage on CONNECT when using Delay Pools
When Delay Pools was enabled Squid CONNECT handling tunnel code could
quickly empty the available pool bandwidth and would then also not wait
for it to be replenished, but repeatedly attempt to keep sending. While
this is not quite an "infinite loop" problem it is very similar in
effect, with CPU consumption reaching 100% and service through the proxy
slowing down dramatically.
While this is very old bug, it is starting to make itself felt more as
the quantity of HTTPS CONNECT requests increases.
* Bug #3805: support shared memory on MacOS X
This bug completely prevented using SMP support on MacOS X. As of this
release it should now be possible to use workers, shared memory cache
and rock storage on MacOS X.
* Bug #4204: ./configure abort when required helpers cannot be built
Previously the Squid ./configure script would treat a user-supplied list
of helpers as an optional list to attempt building, ignoring helpers
that were available but not listed. Being an optional list it would also
only warn if some of the list entries could not be built.
It is now treated as a list of required helpers - with a hard failure if
any cannot be built. This prevents automated build systems going through
a long build process only to find missing binaries at the install phase.
* basic_nis_auth and basic_getpwnam_auth updated
Other software has recently been awarded CVE allocation for bad handling
of crypt() system call failures resulting in Denial of Service. These
two Squid helpers were performing very similar operations and might
encounter the same failures. Fortunately these Squid helpers are fairly
isolated and Basic auth in Squid contains mechanisms that make it very
difficult to affect more than one client.
This is a proactive security update to prevent any future issues that
could appear as a result.
All users of Squid-3.5 with SMP features are urged to upgrade to this
release as soon as possible.
All users of Delay Pools are urged to upgrade to this release as soon
All users of basic_nis_auth or basic_getpwnam_auth are urged to upgrade
to this release as soon as possible.
All users of Squid are urged to upgrade to this release as soon as
See the ChangeLog for the full list of changes in this and earlier
Please refer to the release notes at
when you are ready to make the switch to Squid-3.5
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
or the mirrors. For a list of mirror sites see
If you encounter any issues with this release please file a bug report.
squid-announce mailing list
squid-announce at lists.squid-cache.org
More information about the squid-users