path: root/www/squid/distinfo
Age | Commit message | Author | Files | Lines
2005-04-19 | Update squid package to 2.5.9nb5. | taca | 1 | -76/+79
* Add one more official patch:
  - 2005-04-05 23:05 (Cosmetic) should syslog to daemon facility not local4
* One patch updated, so update DIST_SUBDIR through DIST_STAMP change.
* Add aufs to --enable-storeio configuration.
TODO: use <bsd.options.mk> framework and allow to use --enable-pf-transparent which is a mutually exclusive parameter with --enable-ipf-transparent.
2005-04-04 | "squid-2.5.STABLE9-2GB.patch" was updated again. Update checksum, | tron | 1 | -76/+76
use different sub directory and bump package revision.
2005-04-04 | Oops, I forgot the update of DIST_STAMP just before. | taca | 1 | -76/+76
2005-04-04 | One of the official patches has been updated. | taca | 1 | -76/+76
* 2005-04-04 00:19 (Medium) Fails to process requests for files larger than 2GB in size
Since the name of the patch file is the same as before, DIST_SUBDIR has been updated via DIST_STAMP. Bump PKGREVISION.
2005-03-31 | Update squid package to 2.5.9nb2. | taca | 1 | -2/+62
Add these official patches:
* 2005-03-30 22:51 (Cosmetic) external acls requiring authentication does not request new credentials on access denials like proxy_auth does.
* 2005-03-29 09:52 (Cosmetic) New cachemgr pending_objects and client_objects actions
* 2005-03-26 23:53 (Minor) rename() related cleanup
* 2005-03-30 22:51 (Medium) Fails to process requests for files larger than 2GB in size
* 2005-03-19 23:57 (Cosmetic) aufs warning about open event filedescriptors on shutdown
* 2005-03-19 01:35 (Minor) --disable-hostname-checks not working
* 2005-03-19 01:11 (Cosmetic) LDAP helpers fails to compile with SUN LDAP SDK
* 2005-03-21 20:44 (Minor) CONNECT requests truncated if client side disconnects first assertion failed: comm.c:430: "ntohs(address->sin_port) != 0"
* 2005-03-19 00:25 (Minor) Basic authentication fails with very long logins or password
* 2005-03-29 08:45 (Minor) Several minor aufs issues
* 2005-03-09 15:46 (Cosmetic) Extend relaxed_header_parser to work around "excess data from" errors from many major web servers.
* 2005-03-09 15:46 (Cosmetic) Duplicate content-length headers logged as conflicting with relaxed_header_parser off
* 2005-03-09 15:46 (Cosmetic) Defer digest fetch if the peer is not allowed to be used
* 2005-03-10 23:38 (Minor) Incorrect use of ctype functions
* 2005-03-15 04:27 (Minor) compile warnings due to pid_t not being an int
* 2005-03-09 15:46 (Minor) bzero is a non-standard function not available on all platforms
* 2005-03-09 15:46 (Cosmetic) Check several squid.conf directives for int overflows
* 2005-03-09 15:46 (Cosmetic) Clarify delay_access function
* 2005-03-09 15:46 (Minor) reload_into_ims fails to revalidate negatively cached entries
* 2005-03-09 15:46 (Minor) Handle odd date formats
2005-03-06 | Update squid to 2.5.9nb1. | taca | 1 | -1/+13
* 2005-03-04 22:48 (Cosmetic Security) Unexpected access control results on configuration errors
* 2005-03-04 11:55 (Minor) Links in FTP listings without / fails due to missing BASE HREF
* 2005-03-04 11:55 (Minor) Fails to parse the EPLF FTP directory format
* 2005-03-03 02:26 (Minor Security) Race condition related to Set-Cookie header
2005-03-01 | Update squid package to 2.5.9 (2.5.STABLE9). | taca | 1 | -37/+4
There is no runtime change from 2.5.8nb3.
- Fix for a wrong configure warning on Solaris 9 x86 when enabling ARP ACL support: The effective host type is i386-pc-solaris2.9.
- Documentation update for squid 2.5.STABLE9.
2005-02-28 | Update squid to 2.5.8nb3, adding recent five official patches. | taca | 1 | -1/+16
* 2005-02-23 00:11 (Medium) Should not automatically retry request on 403 and other server errors
* 2005-02-21 17:02 (Minor) fqdn lookups with spaces may confuse redirectors
* 2005-02-21 03:38 (Cosmetic) Display FTP URLs in decoded format to allow for sane display of national characters etc
* 2005-02-21 02:58 (Minor) Peer related memory leaks on "squid -k reconfigure"
* 2005-02-21 01:38 (Cosmetic) Doesn't work specifying the AR variable to configure
2005-02-24 | Add RMD160 checksums. | wiz | 1 | -1/+8
2005-02-21 | Update to squid-2.5.8nb2; | taca | 1 | -11/+15
Add new two patches:
* 2005-02-20 19:11 (Cosmetic) GCC4 warnings
* 2005-02-20 10:47 (Minor) Relax header parsing slightly again to work around broken web servers
Reflect update of one patch:
* 2005-02-20 11:03 (Cosmetic) Cross-platform format fixes
Update DIST_SUBDIR.
2005-02-17 | Update squid package to 2.5.8nb1. | taca | 1 | -1/+9
Apply four official fixes.
* 2005-02-15 02:14 (Cosmetic) FTP URL cleanups
* 2005-02-15 01:07 (Cosmetic) Allow high characters in generated FTP and Gopher directory listings
* 2005-02-15 00:03 (Cosmetic) Cross-platform format fixes
* 2005-02-13 05:58 (Major) Assertion failure on certain odd DNS responses
Fixes PR pkg/29412 from Mike M. Volokhov.
2005-02-11 | Update squid package to 2.5.8 (squid-2.5.STABLE8). | taca | 1 | -65/+5
Most of these changes are already included in previous squid-2.5.7nb12. But last one is really new one.
Changes to squid-2.5.STABLE8 (11 Feb 2005)
- [Minor] 100% CPU usage on half-closed PUT/POST requests (Bug #354, #1096)
- [Cosmetic] Document -v (protocol version) option to LDAP helpers
- [Minor] The new req_header and resp_header acls segfaults immediately on parse of squid.conf (Bug #961)
- [Minor] Failure to shut down busy helpers on -k rotate/reconfigure (Bug #1118)
- [Minor] Don't use O_NONBLOCK on disk files. (Bug #1102)
- [Minor] Squid fails to close TCP connection after blank HTTP response (Bug #1116)
- [Minor security] Random error messages in response to malformed host name (Bug #1143)
- [Minor] PURGE should not be able to delete internal objects (Bug #1112)
- [Minor] httpd_accel_port 0 (virtual) not working correctly (Bug #1121)
- [Minor] cachemgr vm_objects segfault (Bug #1149)
- [Minor security] Confusing results on empty acl declarations (Bug #1166)
- [Minor] Don't close all "other" filedescriptors on startup (Bug #1177)
- [Minor] fakeauth_auth memory leak and NULL pointer access (Bug #1183)
- [Security] buffer overflow bug in gopherToHTML() (Bug #1189)
- [Medium security] Denial of service with forged WCCP messages (Bug #1190)
- [Minor] DNS related memory leak on certain malformed DNS responses (Bug #1197)
- [Minor] Internal DNS sometimes truncates host names in reverse (PTR) lookups (Bug #1136)
- [Minor Security] Add sanity checks on LDAP user names (Bug #1187)
- [Security] Harden Squid against HTTP request smuggling attacks
- [Minor] Icon URLs fails in non-anonymous FTP directory listings if short_icon_urls is on (Bug #1203)
- [Security] Harden Squid against HTTP response splitting attacks (Bug #1200)
- [Medium security] Buffer overflow in WCCP recvfrom() call (Bug #1217)
- [Security] Properly handle oversized reply headers (Bug #1216)
- [Minor] LDAP helpers search fixed to properly ask for no attributes
- [Minor] A sporadic segmentation fault when using ntlm authentication fixed (Bug #1127)
- [Major] Segmentation fault on failed PUT/POST requests (Bug #1224)
- [Medium] Persistent connection mismatch on failed PUT/POST request (Bug #1122)
- [Minor] WCCP easily disturbed by forged packets (Bug #1225)
- [Minor] Password management in ftp:// gatewaying improved (Bug #1226)
- [Major] HTTP reply data corruption in certain situations involving reply headers split over multiple packets (Bug #1233)
2005-02-06 | Update squid package to 2.5.7nb12. | taca | 1 | -1/+15
Adding several official patches which fix security and critical problem.
o 2005-02-06 00:57 (Cosmetic) Improve password handling in FTP gatewaying of ftp://user@host URLs
o 2005-02-04 11:41 (Minor) WCCP easily disturbed by forged packets
o 2005-02-04 00:33 (Medium) Persistent connection trouble on failed PUT/POST requests
o 2005-02-04 00:12 (Major) Segmentation fault on failed PUT/POST request
o 2005-02-03 23:27 (Minor) Sporadic segmentation fault when using ntlm authentication
o 2005-02-03 23:17 (Minor) LDAP helpers sends slightly malformed search requests
o 2005-01-31 22:50 (Security issue) Correct handling of oversized reply headers
2005-02-01 | Fix file name of a patch file which squid people fix its typo. | taca | 1 | -3/+3
Noted by salo@ first and PR pkg/29181 later.
2005-02-01 | Update squid package to squid-2.5.7nb11. | taca | 1 | -49/+49
squid-2.5.STABLE7-response_splitting.patch was updated, so update distinfo and DIST_SUBDIR. It seems that a patch to one more file was added.
* 2005-01-31 01:50 (Security issue) Strengthen Squid from HTTP response splitting cache pollution attack
2005-01-29 | Apply a new official patch which contains security problem. | taca | 1 | -1/+3
* 2005-01-28 23:16 (Security issue) Buffer overflow in WCCP recvfrom() call
Bump PKG_REVISION and now squid-2.5.7nb10.
2005-01-26 | Update new and disabled official patches. The new patch includes | taca | 1 | -1/+5
security fix.
o 2005-01-21 12:10 (Minor) Disable Path-MTU discovery on intercepted requests
o 2005-01-21 12:43 (Security issue) Strengthen Squid from HTTP response splitting cache pollution attack
Bump package revision.
2005-01-21 | Update new official patches. | taca | 1 | -1/+7
o 2005-01-21 12:43 (Security issue) Strengthen Squid from HTTP response splitting cache pollution attack
o 2005-01-21 12:10 (Minor) Icons fails to load on non-anonymous FTP when using short_icons_url directive
o 2005-01-21 12:10 (Minor) FTP data connection fails on some FTP servers when requesting directory without a trailing slash
One patch has problem to apply and hold to apply
o 2005-01-21 12:10 (Minor) Disable Path-MTU discovery on intercepted requests
Bump package revision.
2005-01-19 | Apply three official patches including a minor security problem. | taca | 1 | -1/+7
o 2005-01-17 04:29 (Minor Security issue) Sanity check usernames in squid_ldap_auth
o 2005-01-17 02:52 (Minor) FQDN names truncated on compressed DNS responses
o 2005-01-17 02:52 (Minor) Internal DNS memory leak on malformed responses
Bump package revision; squid-2.5.7nb7.
2005-01-13 | Add three official fixes. | taca | 1 | -1/+7
o 2005-01-12 17:21 (Security issue) Denial of service with forged WCCP messages
o 2005-01-12 17:19 (Security issue) buffer overflow bug in gopherToHTML()
o 2005-01-08 03:13 (Medium) fakeauth_auth memory leak and NULL pointer access
Bump package revision.
2005-01-01 | Update DIST_STAMP to change DIST_SUBDIR because of some patches | taca | 1 | -25/+25
were changed their size.
2005-01-01 | Two of the patches have grown in size. | kim | 1 | -5/+5
2004-12-31 | Add two official fix. | taca | 1 | -1/+5
* 2004-12-28 12:55 (Minor) Don't close "other" filedescriptors on startup
* 2004-12-27 18:54 (Minor Security) Confusing results on empty acl declarations
Bump package revision.
2004-12-14 | Update squid package to 2.5.7nb2. | taca | 1 | -2/+8
* Apply official three patches.
  - 2004-12-08 01:03 (Minor) cachemgr vm_objects segfault
  - 2004-12-08 00:47 (Minor) httpd_accel_port 0 (virtual) not working correctly
  - 2004-12-07 23:45 (Cosmetic / Minor Security issue) Random error messages in response to malformed host name
* use VARBASE for data directory.
* better handling data directory and user and group for squid with bsd.pkg.install.mk.
2004-11-28 | Apply six official patches: | taca | 1 | -1/+13
* 2004-11-07 23:37 (Minor) Squid fails to close TCP connection after blank HTTP response
* 2004-11-06 21:42 (Minor) 100% CPU on startup on new/experimental Linux kernels due to O_NONBLOCK
* 2004-11-06 15:28 (Minor) Failure to shut down busy helpers on -k rotate/reconfigure
* 2004-10-20 23:23 (Minor) The new req_header and resp_header acls segfaults immediately on parse of squid.conf
* 2004-10-19 10:09 (Cosmetic) Document -v (protocol version) option to LDAP helpers
* 2004-10-14 22:48 (Minor) 100% CPU usage on half-closed PUT/POST requests
Bump package revision.
2004-10-13 | Update squid package to 2.5.7. | taca | 1 | -73/+6
This includes security problem with SNMP support which enabled by default. <http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities>
* pkgsrc changes:
  - Don't use PKGNAME within DIST_SUBDIR. Instead, date based DIST_STAMP. This change prevent extra DIST_SUBDIR change asked by kim@.
  - Remove setproctitle(3) hack for dnsserver helper program since use of dnsserver itself is problematic with huge size of squid process.
* Changes to squid-2.5.STABLE7 (11 Oct 2004)
  - [Medium] No objects cached in ufs cache_dir type in some configurations. Issue introduced in 2.5.STABLE6 by the patch for Bug #676. (Bug #1011)
  - [Minor] LDAP helpers update to correct LDAP connection management and add support for literal password compare instead of binding
  - [Minor] A large number of queued DNS lookups for the same domain (Bug #852)
  - [Cosmetic] request_header_max_size configuration partly ignored (Bug #899)
  - [Minor] Partial hit results in TCP_HIT, not TCP_MISS. (Bug #1001)
  - Bug #1012: [Cosmetic] HEAD requests may return stale information (Bug #1012)
  - [Cosmetic] Warn if cache_dir ufs can not create files. (Bug #918)
  - [Minor] case insensitive authentication (Bug #431)
  - [Cosmetic] Add delay pools information to active_requests. (Bug #882)
  - [Minor] Apparent memory leak in client_db (Bug #833)
  - [Minor] NTLM authentication truncated causing failures. (Bug #1016)
  - [Cosmetic] Grammatical corrections in squid.conf.default
  - [Cosmetic] Unknown %X errorpage codes incorrectly quoted. (Bug #1030)
  - [Medium] Segfaults and other strange crashes when using heap policies. (Bug #1009)
  - [Minor] Supplementary group memberships not set (Bug #1021)
  - [Cosmetic] ERR_TOO_BIG Portuguese translation
  - [Minor] external_acl does not handle newlines (Bug #1038)
  - [Major] NTLM authentication denial of service when using msnt_auth or fake_auth (Bug #1045)
  - [Medium] Memory leaks when using NTLM authentication without challenge reuse. (Bug #994)
  - [Minor] Temporary NTLM memory leak with challenge reuse enabled (Bug #910)
  - [Minor] assertion failed: "n_ufs_dirs <= Config.cacheSwap.n_configured". (Bug #1053)
  - [Minor] Segfault in authenticateDigestHandleReply. (Bug #1031)
  - [Minor] acl time fails to parse multiple time specifications (Bug #1060)
  - [Minor] cachemgr config dumps mixed up Range and Request-Range headers in http_header_access & replace directives. (Bug #1056)
  - [Minor] Content-Disposition added as a well known header (Bug #961)
  - [Cosmetic] Don't warn about arp acls not being supported on FreeBSD (Bug #1074)
  - [Cosmetic] Limit internal send/receive buffer sizes (Bug #1075)
  - [Medium] New acl types to match arbitrary HTTP headers. In addition the http_header_access & replace directives now support arbitrary headers and not only the well known ones. (Bug #961)
  - [Cosmetic] ncsa_auth now accepts Window formatted password files (Bug #1078)
  - [Cosmetic] Support the --program-prefix/suffix options or other configure program name transforms (Bug #1019)
  - [Minor] Fix race condition in CONNECT and also handle aborts of CONNECT requests in a more graceful manner. (Bug #859)
  - [Minor] New balance_on_multiple_ip directive to work around certain broken load balancers and optimized ipcache on reload requests (Bug #1058)
  - [Medium] New reply_header_max_size directive (Bug #874)
  - [Minor] Suspected instability on aborted PUT/POST requests (Bug #1089)
  - [Security] SNMP Denial of Service fix (CAN-2004-0918)
2004-10-06 | Regen distinfo after squid-2.5.6nb3/squid-2.5.STABLE6-client_db_gc.patch | abs | 1 | -2/+2
changed. -+ debug(49, 1) ("clientdbGC: Removed %d entries\n", cleanup_removed); ++ debug(49, 2) ("clientdbGC: Removed %d entries\n", cleanup_removed);
2004-10-03 | - Enable --enable-arp-acl configure option on FreeBSD, Linux and SunOS. | taca | 1 | -52/+70
- Add 9 official patches.
Bump package revision, squid-2.5.6nb3.
* 2004-09-30 09:28 (Minor) CARP ignores cache_peer_domain/cache_peer_access
* 2004-09-27 18:23 (Minor) balance_on_multiple_ip squid.conf directive
* 2004-09-27 18:10 (Minor) Race window and poor responsiveness to aborted CONNECT requests
* 2004-09-25 21:42 (Cosmetic) Support the --program-prefix and other program name transforms
* 2004-09-25 21:08 (Cosmetic) Document the caseinsensitive basic auth option
* 2004-09-25 20:57 (Cosmetic) ncsa_auth is sensitive on line ending format
* 2004-09-25 12:00 (Medium) Add support for arbitrary headers access controls
* 2004-09-26 21:22 (Minor) Limit internal send/receive buffers
* 2004-09-25 09:55 (Cosmetic) arp acls is supported on FreeBSD these days..
2004-09-03 | Update squid package, applying official patches. | taca | 1 | -37/+51
* 2004-09-01 13:59 (Minor) Squid does not recognise Content-Disposition header
* 2004-09-01 13:09 (Cosmetic) cachemgr config dumps mixed up Range and Request-Range headers
* 2004-09-01 12:25 (Minor) acl time fails to parse multiple time specifications correctly
* 2004-08-28 22:46 (Minor) Segfault in CvtBin / authenticateDigestHandleReply
* 2004-08-25 21:11 (Minor) assertion failed: comm.c:430: "n_ufs_dirs <= Config.cacheSwap.n_configured"
* 2004-08-25 20:30 (Minor) Temporary NTLM memory leak with challenge reuse enabled
* 2004-08-25 20:30 (Medium) Memory leaks when using NTLM authentication without challenge reuse
Bump PKGREVISION.
2004-08-22 | Update squid package to 2.5.6 (squid 2.5.STABLE6 + official patches). | taca | 1 | -79/+49
Squid 2.5.STABLE5 to 2.5.STABLE6:
* Several "Assertion error" bugs fixed
* Several "Segmentation fault" bugs fixes
* Corrects a security issue in the old ntlm_auth NTLM helper used in transparent NTLM authentication to a NT domain without using samba.
* Processing of Vary: * and Vary on error messages corrected
* a large number of minor and cosmetic bugfixes. See the list of squid-2.5.STABLE5 patches and the ChangeLog file for details.
2.5.STABLE56 official patches:
* 2004-08-20 08:18 (Major) NTLM authentication denial of service
* 2004-08-14 21:07 (Minor) external_acl does not handle newlines
* 2004-08-09 14:03 (Minor) Supplementary group memberships not set
* 2004-08-05 20:33 (Medium) Segfaults and other strange crashes when using heap policies
* 2004-08-06 11:05 (Cosmetic) Unknown %X errorpage codes incorrectly quoted
* 2004-08-17 12:22 (Cosmetic) Grammatical corrections in squid.conf.default
* 2004-07-27 21:52 (Minor) NTLM authentication truncated
* 2004-07-17 22:43 (Minor) Memory leak in client_db
* 2004-07-17 20:11 (Cosmetic) Add delay pools information to active_requests
* 2004-07-17 19:57 (Minor) case insensitive authentication
* 2004-07-17 19:48 (Cosmetic) Warn if cache_dir ufs can not create files
* 2004-07-17 16:33 (Cosmetic) HEAD requests may return stale information
* 2004-07-17 16:33 (Minor) Partial hit results in TCP_HIT, not TCP_MISS
* 2004-07-17 16:33 (Cosmetic) request_header_max_size configuration option doesn't work correctly
* 2004-07-29 13:29 (Minor) A large number of queued DNS lookups for the same domain
* 2004-08-10 09:40 (Minor) LDAP helpers update
* 2004-07-14 16:29 (Medium) storeCreate: no valid swapdirs for this object
2004-06-19 | Revert PKGREVISION to 5 since there is no functional changes. | taca | 1 | -67/+67
(Current squid package doesn't build sasl_auth module.)
2004-06-19 | Now apply squid-2.5.STABLE5-sasl_auth_SASL2.patch though pkgsrc doesn't | taca | 1 | -65/+67
support making sasl_auth module. (I think it is better to create separate packages for those authentication modules.)
Bump package revision.
2004-06-19 | Update squid package to 2.5.STABLE5nb5. | taca | 1 | -59/+65
pkgsrc change:
o set DIST_SUBR to ${PKGNAME}.
Changes:
o 2004-06-07 21:25 (Cosmetic) Negative size in access.log on long running CONNECT requests
o 2004-06-08 11:01 (Major) Segmentation fault after "Likely proxy abuse detected"
o 2004-06-18 17:39 (Security issue) Overflow bug in Squid's ntlm_auth helper.
Note: currently below patch isn't applied since it is broken and I'm not sure how it should be corrected. I wish it would fixed before tagging pkgsrc-2004Q2.
o 2004-06-08 11:42 (Minor) sasl_auth doesn't compile with SASL2
2004-06-13 | Version DIST_SUBDIR to prevent lossage from the recent distfile | kristerw | 1 | -59/+59
checksum change.
2004-06-07 | Oops, I replaced patch-ad with patch-ae by mistake, restored patch-ad. | taca | 1 | -2/+2
2004-06-07 | va_copy.patch updated again. Noted by Klaus Klein. | taca | 1 | -2/+2
2004-06-06 | latest official patch has updated: | taca | 1 | -8/+8
Bug #753: va_copy required
Bug #995: segfault on long URLs (bug in previous patch to Bug #753)
And reduce offset from pkgsrc's patches. Bump package revision.
2004-06-05 | Correct checksum for "squid-2.5.STABLE5-va_copy.patch". | tron | 1 | -3/+3
2004-06-04 | Updated squid package to 2.5.5nb3 applying nine official patches. | taca | 1 | -1/+19
* 2004-06-01 08:38 (Medium) Segfault in memBufVPrintf on certain architectures requiring va_copy
* 2004-06-01 00:00 (Cosmetic) msnt_auth documentation update
* 2004-05-31 23:37 (Cosmetic) dns_servers should default to localhost if no resolv.conf
* 2004-05-31 23:37 (Cosmetic) FTP directory listing HTML DOCTYPE misread by some tools
* 2004-06-01 08:26 (Minor) fix compilation on OpenBSD/m88k
* 2004-05-31 22:59 (Cosmetic) Show client ip in cache.log debug output
* 2004-05-31 22:43 (Minor) cacheCurrentUnlinkRequests should be a counter, not gauge
* 2004-05-31 22:08 (Minor) store_dir_select_algorithm least-load doesn't work for ufs cache_dir type
* 2004-05-31 21:32 (Cosmetic) Very large cache_mem values reported wrongly in cache.log
2004-05-06 | Add official patches and bump PKGREVISION. | taca | 1 | -1/+35
o 2004-03-11 15:29 (Cosmetic) Helper queue warnings imprecise on the number of helpers required
o 2004-03-12 10:13 (Cosmetic) Add pkg-config support for finding correct OpenSSL compile flags
o 2004-03-19 09:02 (Medium) "Vary: *" is ignored
o 2004-03-19 09:12 (Minor) 100% CPU usage on Linux-2.2
o 2004-03-19 09:17 (Cosmetic) Version number includes -CVS if autoconf is run
o 2004-03-29 09:47 (Minor) deny_info redirection with requested URL escaped wrongly
o 2004-03-29 10:02 (Minor) CONNECT timeout should produce a 504 or 503
o 2004-04-03 13:54 (Cosmetic) cache_swap_log documentation referred to swap.state by its old swap.log name
o 2004-04-06 14:12 (Cosmetic) ntlm/auth_ntlm.c(683): warning #187: use of "=" where "==" may have been intended
o 2004-04-11 09:19 (Medium) rfc1035NameUnpack: Assertion (*off) < sz failed
o 2004-04-18 01:33 (Major) Segment violation when using a blank user name in digest authentication
o 2004-04-18 23:46 (Medium) assertion failed: errorpage.c:292: "mem->inmem_hi == 0"
o 2004-04-20 12:30 (Cosmetic) Spelling corrections in configure and squid.conf.default
o 2004-04-20 12:38 (Cosmetic) Clarify meaning of ERR in digest helper protocol
o 2004-04-20 12:38 (Cosmetic) Spelling error in Turkish ERR_DNS_FAIL
o 2004-04-24 14:10 (Minor) Negative cached 404 replies with VARY header never matches
o 2004-04-30 00:01 (Minor) range_offset_limit -1 KB rejected as invalid syntax
2004-03-30 | Make this build on NetBSD-2.0A with ipfilter-4.1.1 | agc | 1 | -1/+2
2004-03-04 | Update squid-2.5.5 (squid 2.5.STABLE5 with two official patches). | taca | 1 | -83/+7
Most of these changes from 2.5.STABLE4 to 2.5STABLE5 are already applied in previous squid-2.5.4nb8 package.
Changes to squid-2.5.STABLE5 (1 Mar 2004):
- cache.log message on "squid -k reconfigure" was slightly confusing, claiming Squid restarted when it just reread the configuration.
- Bug #787: digest auth never detects password changes
- Bug #789: login with space confuses redirector helpers
- Bug #791: FQDNcache discards negative responses when using internal DNS
- pam_auth fails on Solaris when using pam_authtok_get. Persistent PAM connections are unsafe and now disabled by default.
- auth_param documentation clarifications and added default realm values making only the helper program a required attribute
- Bug #795: German ERR_DNS_FAIL correction
- Bug #803: Lithuanian error messages update
- Bug #806: Segfault if failing to load error page
- Bug #812: Mozilla/Netscape plugins mime type defined (.xpi)
- Bug #817: maximum_object_size too large causes squid not to cache
- Bug #824: 100% CPU loop if external_acl combined with separate authentication acl in the same http_access line
- squid_ldap_group updated to version 2.12 with support for ldaps:// (LDAPv2 over SSL) and a number of other improvements.
- Bug #799: positive_dns_ttl ignored when using internal DNS.
- Bug #690: Incorrect html on empty Gopher responses
- Bug #729: --enable-arp-acl may give warning about net/route.h
- Bug #14: attempts to establish connection may look like syn flood attack if the contacted server is refusing connections
- errorpage README files included in the distribution again showing who contributed which translation
- Bug #848: connect_timeout connect_timeout ends up twice the length. forward_timeout option added to address this.
- Bug #849: DNS log error messages should report the failed query
- Bug #851: DNS retransmits too often
- Bug #862: Very frequently repeated POST requests may cause a filedescriptor shortage due to persistent connections building up
- Bug #853: Sporadic segmentation faults on aborted FTP PUT requests
- Bug #571: Need to limit use of persistent connections when filedescriptor usage is high
- Bug #856: FTP/Gopher Icon URLs are unneededly complex and often does not work properly
- Bug #860: redirector_access does not handle "slow" acls such as "dst" or "external" requiring a external lookup.
- Bug #865: Persistent connection usage too high after sudden burst of traffic.
- Bug #867: cache_peer max-conn=.. option does not work
- Bug #868: refuses to start if pid_filename none is specified
- Bug #887: LDAP helper -Z (TLS) option does not work
- Bug #877: Squid doesn't follow telnet protocol on FTP control connections
- Bug #908: Random auth popups and account lockouts when using ntlm
- Support for NTLM_NEGOTIATE exchanges with ntlm helpers
- Bug #585: cache_peer_access fails with NTLM authentication
- Bug #592: always/never_direct fails with NTLM authentication
- wbinfo_group update for Samba-3
- Bug #892: helpers/ntlm_auth/SMB/ fails to compile on FreeBSD 5.0
- Bug #924: miss_access restricts internal and cachemgr requests even if these are local
- Bug #925: auth headers send by squidclient are mildly malformed
- Bug #922: miss_access and delay_access and several other authentication related bug fixes.
- Bug #909: Added ARP acl support for FreeBSD
- Bug #926: deny_info with http_reply_access or miss_access
- Bug #872: reply_body_max_size problems when using NTLM auth
- Bug #825: random segmentation faults when using digest auth
- Bug #910: Partial fix for temporary memory leaks when using NTLM auth. There is still problems if challenge reuse is enabled.
- ftp://anonymous@host/ now accepted without requiring a password
- Bug #594: several mime type updates (ftp:// related)
- url_regex enhanced to allow matching of %00
And two official patches' changes.
assertion failed: helper.c:323: "srv->flags.reserved"
  synopsis: If using ntlm authentication then Squid may randomly abort with the above assertion failure if a request is aborted while Squid waits for a response from the domain controller
  severity: Medium
  date: 2004-03-01 23:55
  bugzilla: #937
  versions: Squid-2.5.STABLE5
  platforms: All
  workaround: half_closed_connections on (the default)
squid_ldap_auth can be confused by the use of reserved characters
  synopsis: squid_ldap_auth may be confused by the use of reserved characters allowing the login name to be masqueraded in different manners possibly allowing the user to partially bypass certain per-user restrictions or confuse third party accounting packages. Note that the user can not bypass the login procedure as such. All he can do is to make the login name look different than normal. There is still full audit trails on who the user is etc. The patch also adds and documents a -d flag to both squid_ldap_auth and squid_ldap_group to allow for easier tracing of the operation of these programs if results is not what is expected.
  severity: Major
  date: 2004-03-04 09:37
  bugzilla: #935
  versions: Squid-2.5 and earlier
  platforms: All
  configuration: configurations where squid_ldap_auth is used for authentication using a search filter (-f option) and where squid_ldap_group is not used to further restrict the valid usernames.
  workaround: Combine squid_ldap_auth with squid_ldap_group to only allow valid logins who are member of a certain group, or alternatively use a proxy_auth_regex acl to deny the use of any login using restricted characters.
    acl bad_login proxy_auth_regex [()\\*]
    http_access deny bad_login
2004-02-20 | Update checksum for squid-2.5.STABLE4-errorpages.patch. | abs | 1 | -3/+3
Only change was in some html text in squid/errors/Lithuanian/ERR_INVALID_REQ
2004-02-12 | Update squid package to 2.5.4nb8; apply five official patches. | taca | 1 | -3/+13
o Empty proxy_auth ACLs are silently accepted but lead to unpredictable ACL matching
  synopsis: If a proxy_auth acl is incorrectly defined with no members then any http_access rules using this acl will give unpredictable results depending on the results of earlier acl lookups. This patch corrects both the reason to why acl lookups became unpredictable and makes Squid reject such incorrect acl definitions.
  severity: Medium
  date: 2004-01-15 07:44
  bugzilla: #893
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Make sure your proxy_auth acls are correctly defined. If the acl should not match any users then don't declare the acl at all.
o Squid doesn't follow telnet protocol on FTP control connections
  synopsis: Squid forgot to escape IAC characters (ascii code 255) in FTP requests, causing problems to access files/directories using this character in their name or to log in with this character in the login or password.
  severity: Minor
  date: 2004-02-03 14:38
  bugzilla: #877
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Double any such characters in the input to Squid. (%ff%ff instead of %ff)
o Random auth popups and account lockouts when using NTLM
  synopsis: When using NTLM authentication random auth popups and account lockouts may be experienced.
  severity: Medium
  date: 2004-02-11 22:12
  bugzilla: #908
  versions: Squid-2.5
  platforms: All
  workaround: It may help to configure a lot of NTLM helpers but this is not verified.
o squid_ldap_group -S option did not work
  synopsis: The -S and -E options in squid_ldap_group v2.12 was mixed up, making the options somewhat hard to use.
  severity: Minor
  date: 2004-02-09 17:10
  bugzilla: #911
  versions: Squid-2.5.STABLE4 + ldap_group 2.12 patch
  platforms: All
  workaround: Specify -E instead of -S.
o Squid stuck at 100% CPU loop in ipcache_purgelru, or segfault in the same
  synopsis: The squid-2.5.STABLE4-connect_cleanup.patch was not entirely correct and could cause memory corruption in certain situations involving negative DNS replies (host not found etc)
  severity: Major
  date: 2004-02-12 09:42
  bugzilla: #891
  versions: Squid-2.5.STABLE4-20031210 to 20040212
  platforms: All
2004-01-20 | squid-2.5.STABLE4-http_workarounds.patch was updated. (It seems that | taca | 1 | -3/+3
some patch were added.)
2004-01-18 | Update squid to squid-2.5.4nb7. Add three official patches. | taca | 1 | -1/+7
Various HTTP workarounds and minor corrections
  synopsis: This patch works around certain broken HTTP servers (reportedly IIS-5) who incorrectly signals the use of persistent connections. It also corrects some minor HTTP issues to make the Squid proxy more semantically transparent.
  severity: Minor
  date: 2004-01-14 18:14
  bugzilla: #890
  versions: Squid-2.5 and earlier
  platforms: All
squid_ldap_group failure if specifying many or long group names
  synopsis: If the request to squid_ldap_group (login name + all group names) exceed 256 characters then group lookups fails or behaves erratically.
  severity: Minor
  date: 2004-01-08 19:08
  versions: Squid-2.5
  platforms: All
  workaround: Define multiple ACLs instead of listing many groups in the same ACL
LDAP helpers TLS mode (-Z option) does not work
  synopsis: The TLS mode of the LDAP helpers did not work and always reported "TLS Connection failed"
  severity: Minor
  date: 2004-01-05 12:05
  bugzilla: #887
  versions: Squid-2.5
  platforms: All
  workaround: Use the ldaps:// URI method instead, if your LDAP server supports it.
2003-12-25 | Update squid package to 2.5.4nb6. | taca | 1 | -1/+17
- Remove --disable-internal-dns. It could be still enabled by adding to SQUID_CONFIGURE_ARGS in /etc/mk.conf. It found that external dnsserver has some problem, performance disadvantage on Solaris 8.
- Apply eight official patches.
o Incomplete objects may appear stuck in the cache
  synopsis: Under certain conditions incomplete objects may appear stuck in the cache, not even reload giving a new fresh copy.
  severity: Major
  date: 2003-12-23 01:23
  bugzilla: #876
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Compiling squid with --disable-http-violations completely avoids the issue. Setting "half_closed_clients off" and making quick_abort as aggressively aborting as possible by "quick_abort_min 0 KB" and "quick_abort_max 0 KB" mostly hides the problem.
o assertion failed: pinger.c:187: "icmp_pktsize <= MAX_PKT_SZ"
  synopsis: In Squids built with --enable-icmp the pinger helper may exit with the above assertion failure if Squid receives a request with a very long host name.
  severity: Minor
  date: 2003-12-23 01:23
  bugzilla: #865
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Don't build squid with --enable-icmp. This is generally recommended anyway unless you are absolutely sure you want to ICMP PING random sites all over the Internet to measure RTT information even if this may trigger IDS systems etc.
o 000 status code being logged for redirects (should be 302)
  synopsis: Redirects initiated by redirector helpers was logged as TCP_MISS/000 instead of the expected TCP_MISS/302. This patch corrects this and should also correct log_mime_hdrs output for the same.
  severity: Minor
  date: 2003-12-21 16:21
  bugzilla: #869
  versions: Squid-2.5 and earlier
  platforms: All
o Update of Russian error pages
  synopsis: In a current version there is a problem. The absence of "yo" letter. ("e" with 2 dots ). People prefer to write "E" instead "yo", that is not quite correct, like "How r u" instead "How are you?"
  severity: Cosmetic
  date: 2003-12-21 15:21
  bugzilla: #864
  versions: Squid-2.5 and earlier
  platforms: All
o Added 'urllogin' ACL type
  synopsis: This is not a fix for a Squid bug. It is a new feature to workaround an MSIE6 bug that uses control characters to obfuscate the true origin server hostname. You can use the 'urllogin' acl TYPE to deny HTTP requests that contain certain characters in the URL login field.
  severity: Medium
  date: 2003-12-19 16:19
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Patch MSIE6, if/when the patch becomes available.
o DNS resolver has too short MAXHOSTNAME
  synopsis: Squid would not process hostnames longer than 128 characters. This affects few hosts on the internet, but with the growing use of iDNA it's becoming an issue.
  severity: Minor
  date: 2003-12-18 01:18
  bugzilla: #842
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: None.
o Squid refuses to start if "pid_filename none" is specified
  synopsis: Contrary to the documentation "pid_filename none" is not accepted and Squid refuses to start.
  severity: Minor
  date: 2003-12-17 21:17
  bugzilla: #868
  versions: Squid-2.5 and earlier
  platforms: All
o cache_peer max-conn=.. option does not work
  synopsis: Due to the a accounting mismatch in the number of open connections to peers the cache_peer max-conn=.. option does not work. This issue is also seen as very high numbers in the OPEN CONN peer statistics via cachemgr.
  severity: Minor
  date: 2003-12-20 20:20
  bugzilla: #867
  versions: Squid-2.5 and earlier
  platforms: All
- Separate MESSAGE files into each platform.
2003-12-17 Update squid package to squid-2.5.4nb5, including six official patches. taca 1 -1/+13
o Repeated POST requests causes number of persistent connections to grow
  synopsis: If responses to POST or other non-idempotent requests allow the connection to be kept persistently open then this can lead to an increased connection usage by Squid. This patch changes the behaviour to keep the number of connections stable by closing a persistent connection before opening the new connection.
  severity: Minor
  date: 2003-12-13 16:13
  bugzilla: #862
  versions: Squid-2.5
  platforms: All
  workaround: Disable server-side persistent connections by setting "server_persistent_connections off" in squid.conf.

o Segmentation fault on aborted FTP PUT requests
  synopsis: If an FTP PUT request is aborted while Squid is writing data to the server then Squid may abort with a segmentation fault.
  severity: Major
  date: 2003-12-14 12:14
  bugzilla: #853
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: If this plagues you a lot then you can deny the use of FTP PUT until the server can be patched. But please note that this will limit the functionality of the proxy by not allowing FTP uploads via the proxy.

      acl FTP protocol FTP
      acl PUT method PUT
      http_access deny FTP PUT

o Limit use of persistent connections when filedescriptor usage is high
  synopsis: Under high usage a lot of filedescriptors may be idle persistent connections, causing a shortage of filedescriptors for handling new requests.
  severity: Minor
  date: 2003-12-14 12:14
  bugzilla: #571
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Disable the use of persistent connections in squid.conf. But please note that disabling persistent connections will cause a networking performance penalty unless you are actually short on filedescriptors. Alternatively rebuild Squid with support for more filedescriptors.

o Icon URLs are unneededly complex
  synopsis: The URL syntax used by Squid for FTP/Gopher icons is unneededly complex and often causes problems. This patch adds a "short_icon_urls" directive which can be used to enable a less complex URL syntax for icons.
  severity: Cosmetic
  date: 2003-12-14 13:14
  bugzilla: #856
  versions: Squid-2.5 and earlier
  platforms: All

o redirector_access does not handle slow acls such as dst or external correctly
  synopsis: redirector_access was a "fast" acl lookup and did not handle "slow" acls requiring external lookups such as dst or external correctly.
  severity: Minor
  date: 2003-12-14 13:14
  bugzilla: #860
  versions: Squid-2.5 and earlier
  platforms: All

o Persistent connection usage too high after sudden burst of traffic
  synopsis: Persistent server connections are reused in a round-robin fashion which may cause the number of connections to stay artificially high after a sudden burst of requests. This patch changes persistent connection management to use a LIFO order reusing the most recently used connection first, thereby allowing unneeded connections to close down by idle timeout.
  severity: Minor
  date: 2003-12-15 23:15
  bugzilla: #865
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: This usually is not a significant problem, but if you are plagued by this you can try disabling server-side persistent connections in squid.conf.
2003-12-10 - squid-2.5.STABLE4-connect_cleanup.patch was updated; one off-by-one mistake was corrected. taca 1 -3/+3
- bump package revision.
2003-12-07 Update squid package to squid-2.5.4nb3. taca 1 -1/+5
Apply two official patches.

* FQDN lookups sometimes returns garbage
  synopsis: FQDN lookups sometimes give garbage after the result. This can be seen as junk in access.log when using log_fqdn or false access control results when using dstdomain acl type and the user requests a URL by IP address.
  severity: Minor
  date: 2003-12-04 10:04
  bugzilla: #846, #834, #433
  versions: Squid-2.5 and earlier
  platforms: All
  workaround: Don't use log_fqdn or alternatively compile Squid with --disable-internal-dns

* Cleanup of connect & dns timeouts etc
  synopsis: Several minor errors related to how Squid finds a connection where to forward requests. This patch
    o Adds a new configuration parameter "forward_timeout" to control how long Squid tries to find a method to find a path where to forward the request before giving up. Defaults to 2 minutes.
    o The default connect_timeout tuned down from 2 minutes to 1 minute to allow for two attempts to find a suitable path within the forward_timeout
    o fqdncache/ipcache restructured to allow for DNS code to allow the queried name to be logged in cache.log on errors.
    o negative_dns_ttl now overloaded to also specify the minimum ttl used when caching DNS responses, and tuned down from 5 minutes to 1 minute.
    o default dns_timeout tuned down from 5 minutes to 2 minutes
    o some minor compilation warnings on --disable-internal-dns corrected
    o properly report DNS timeouts as timeouts and not just "No DNS records"
  severity: Minor
  date: 2003-12-06 17:06
  bugzilla: #848, #849, #851, #852
  versions: Squid-2.5 and earlier
  platforms: All