The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.11 release!


This release brings several bug fixes and some further HTTP/1.1 improvements into 3.1.


Bug 3140: A small but cumulative memory leak was found and fixed in error page generation.


Bug 3144: URL re-write/redirect programs are potentially vulnerable to hanging while receiving very long URLs, because buffer overflow protections truncate long URLs. This enables trusted clients to perform a DoS on the Squid server, possibly via loading web links in a malicious website. Popular scripting helpers appear not to be vulnerable to this DoS effect, but will produce errors or truncated URL output instead. Helpers which depend on and wait for receiving the API-documented newline terminator are all vulnerable.
Squid will now catch these and produce a 414 status code error instead.


Bug 2959: We have removed the use of environment variable SAMBAPREFIX during build. Instead the helpers which previously used it to locate the Samba tools require those tools (nmblookup, smbclient, wbinfo) to be available in the system $PATH. This allows several helpers to be built on systems without Samba as long as it is present when they are run.

* Build scripts should be forward-compatible since the Squid build simply ignores the variable now.

* Run-time scripts may need a check and update to ensure the above mentioned Samba tools are in the system $PATH now.


Bug 3149: eCAP was not updating the object state correctly on altered bodies, causing them not to be cacheable. This was particularly noticeable in the compression eCAP adapter as reduced efficiency and slower transfers.


HTTP/1.1 support has been boosted slightly with:

* extension of deny_info to send 307 status when appropriate instead of always sending 302. This will allow some browsers to start safely displaying the error page in response to HTTPS rejections.

* removal of an old limit on agents using the "Mozilla/3.0" string. This will allow more download agents to gain the benefits of persistent connections.

* addition of support for the "Cache-Control: stale-if-error=N" option from RFC 5861. There is no Squid configuration required. NP: The paired stale-while-revalidate is much more complex and not supported in 3.1.

* pipeline_prefetch auto-disabled under several authentication schemes.
Pipelining is one of the standard HTTP features which clashes and breaks badly when NTLM or Negotiate/Kerberos TCP connection authentication is performed. Squid will now produce a warning message and disable pipelining cleanly if those authentication methods are configured in Squid. The default setting for pipelining is OFF. Configurations receiving that warning should remove the pipeline_prefetch directive from their squid.conf.

WARNING: the current Squid will not produce this notice if NTLM or Negotiate/Kerberos are simply passed through Squid to an origin server. If you are aware of such traffic needing to pass through your Squid it is up to you to ensure pipelining remains OFF.



See the ChangeLog for the list of other minor changes in this release.


All users of Squid-3 are urged to upgrade as soon as possible.


Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
when you are ready to make the switch to Squid-3.1

This new release can be downloaded from our HTTP or FTP servers

      http://www.squid-cache.org/Versions/v3/3.1/
      ftp://ftp.squid-cache.org/pub/squid/
      ftp://ftp.squid-cache.org/pub/archive/3.1/

or the mirrors. For a list of mirror sites see

      http://www.squid-cache.org/Download/http-mirrors.dyn
      http://www.squid-cache.org/Download/mirrors.dyn

If you encounter any issues with this release please file a bug report.
      http://bugs.squid-cache.org/


Amos Jeffries
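
The pipeline_prefetch conflict described in the announcement above can be checked before upgrading. The following is an added example, not code from the Squid project or from the announcement: a shell function (the name audit_pipeline_prefetch is hypothetical) that flags a squid.conf enabling pipeline_prefetch while auth_param ntlm or auth_param negotiate is configured. It assumes a single configuration file and does not follow include directives.

```shell
#!/bin/sh
# Added example: audit a squid.conf for pipeline_prefetch enabled together
# with connection-based authentication (NTLM or Negotiate/Kerberos).
# Return status: 0 = no conflict, 1 = conflict found, 2 = file unreadable.
# Assumptions of this sketch: "include" files are not followed, and the
# last pipeline_prefetch line in the file is the one that takes effect.
# Authentication that is only passed through to an origin server is not
# visible in squid.conf, so this check cannot detect that case.

audit_pipeline_prefetch() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                  # whole-line comments
        NF == 0    { next }                  # blank lines
        $1 == "pipeline_prefetch" {
            pp = tolower($2); ppline = NR    # remember the latest setting
        }
        $1 == "auth_param" {
            s = tolower($2)
            if (s == "ntlm" || s == "negotiate") scheme[s] = NR
        }
        END {
            # Treat "on" and "enable" as enabled; anything else as off.
            if (pp != "on" && pp != "enable") exit 0
            bad = 0
            for (s in scheme) {
                printf "line %d: pipeline_prefetch %s conflicts with auth_param %s (line %d)\n", ppline, pp, s, scheme[s]
                bad = 1
            }
            exit bad
        }
    ' "$conf"
}

# Stand-alone use: sh audit.sh /path/to/squid.conf
if [ "$#" -gt 0 ]; then
    audit_pipeline_prefetch "$1"
fi
```

A return status of 1 means the pipeline_prefetch line reported should be removed from squid.conf.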
