[squid-announce] Squid 5.4 is available
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 9 08:53:29 UTC 2022
The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-5.4 release!

This release is a bug fix release resolving several issues
found in the prior Squid-5 releases.

The major changes to be aware of:

* Bug 5190: Preserve configured order of intermediate CA
  certificate chain

Previous Squid-5 releases inverted the CA certificate chain order
when delivering the server handshake, breaking clients which are
unable to reorder the chain. This release once again conforms with
TLS specification requirements.

* Bug 5187: Properly track (and mark) truncated store entries

Squid used an error-prone approach to identifying truncated responses:
The response is treated as whole unless somebody remembers to mark
it as truncated. This dangerous default naturally resulted in bugs
where truncated responses are treated as complete under various
conditions.

This change reverses that approach: Responses not explicitly marked as
whole are treated as truncated. This change affects all Squid-server
FwdState-dispatched communications: HTTP, FTP, Gopher, and WHOIS. It
also affects responses received from the adaptation services.

Transactions that failed due to origin server or peer timeout (a common
source of truncation) are now logged with a _TIMEOUT %Ss suffix and
ERR_READ_TIMEOUT/WITH_SRV %err_code/%err_detail.

Transactions prematurely canceled by Squid during client-Squid
communication (usually due to various timeouts) now have WITH_CLT
default %err_detail. This detail helps distinguish otherwise
similarly-logged problems that may happen when talking to the client or
to the origin server/peer.

* Bug 5134: assertion failed: Transients.cc:221: "old == e"

This bug appears when caching is enabled and a worker dies and
is automatically restarted. The SMP cache management was missing
some necessary cross-checks on hash collision before updating
stored objects. The worker recovery logic detected the hash collision
better and would abort with the given error.

* Bug 5132: Close the tunnel if to-server conn closes after client

This bug has been present since 5.0.4 and shows up as a growing number
of open (aka "hung") TCP connections used by Squid regardless of client
traffic levels.

It can be expected to affect all HTTPS traffic, and proxies using
SSL-Bump features, with the problem being worse the more CONNECT
tunnels are handled.

* Bug 5188: Fix reconfiguration leaking tls-cert=... memory

This bug was found investigating other issues. Installations which
are reconfiguring often may have been seeing sub-optimal memory
usage. It has otherwise a minimal impact.

All users of Squid-5 are encouraged to upgrade as soon as
possible.

See the ChangeLog for the full list of changes in this and
earlier releases.

Please refer to the release notes at
  http://www.squid-cache.org/Versions/v5/RELEASENOTES.html
when you are ready to make the switch to Squid-5.

This new release can be downloaded from our HTTP or FTP servers
  http://www.squid-cache.org/Versions/v5/
  ftp://ftp.squid-cache.org/pub/squid/
  ftp://ftp.squid-cache.org/pub/archive/5/
or the mirrors. For a list of mirror sites see
  http://www.squid-cache.org/Download/http-mirrors.html
  http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug
report.
  https://bugs.squid-cache.org/

Amos Jeffries
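
Added example, not part of the announcement and not Squid project code: a small log triage script that separates the server-side timeouts (_TIMEOUT %Ss suffix, ERR_READ_TIMEOUT/WITH_SRV) from the client-side cancellations (WITH_CLT) described under Bug 5187. It assumes a custom logformat (the name "timeoutaudit" and the field order are assumptions), and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed squid.conf line (the format name "timeoutaudit" is hypothetical):
#   logformat timeoutaudit %ts %>a %Ss/%03>Hs %err_code/%err_detail %ru
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<ss>[A-Z_]+)/(?P<status>\d{3}) "
    r"(?P<err_code>[^/\s]+)/(?P<err_detail>\S+) (?P<url>\S+)$"
)

# Constructed sample lines for illustration, not real traffic.
SAMPLE_LOG = """\
1644396809 192.0.2.10 TCP_MISS/200 -/- http://example.com/a
1644396811 192.0.2.11 TCP_MISS_TIMEOUT/200 ERR_READ_TIMEOUT/WITH_SRV http://example.com/big.iso
1644396815 192.0.2.12 TCP_MISS_ABORTED/200 -/WITH_CLT http://example.com/b
1644396820 192.0.2.11 TCP_MISS_TIMEOUT/504 ERR_READ_TIMEOUT/WITH_SRV http://example.net/slow
this line is malformed
"""

def classify(line):
    """Return (category, fields) for one access.log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed", None
    f = m.groupdict()
    srv_timeout = (f["err_code"] == "ERR_READ_TIMEOUT"
                   and f["err_detail"] == "WITH_SRV")
    if f["ss"].endswith("_TIMEOUT") or srv_timeout:
        return "server_timeout", f   # origin server or peer timed out
    if f["err_detail"] == "WITH_CLT":
        return "client_side", f      # canceled during client-Squid communication
    if f["err_code"] == "-" and f["err_detail"] == "-":
        return "ok", f
    return "other_error", f

def summarize(log_text):
    """Count categories and collect URLs hit by server-side timeouts."""
    counts, timed_out = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        category, fields = classify(line)
        counts[category] += 1
        if category == "server_timeout":
            timed_out[fields["url"]] += 1
    return counts, timed_out

if __name__ == "__main__":
    counts, timed_out = summarize(SAMPLE_LOG)
    print(dict(counts), dict(timed_out))
```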