Unless otherwise indicated in the patch description, these fixes are
included in the current nightly Squid-2.5 snapshots and are scheduled to
be included in the next Squid-2.5.STABLE release.
Note to binary package maintainers: Patches to the current STABLE release
represent work in progress and have not yet undergone full quality checks.
The developer team reserves the right to update these at any time to fix
problems found during quality checking. For this reason package maintainers
are discouraged from using such patches, and should only use this page to backport
changes from published releases to earlier releases if your QA policy does
not allow upgrading your package to the current STABLE release. If there
are any questions regarding this policy please contact
[email protected].
These issues have been identified as important to be fixed for the next Squid-2.5 version, listed in priority order.
1500 diskd related memory corruption under heavy load
See also Open bug reports pending to be fixed in Squid-2.5
This is a list of shortcomings known to exist in Squid-2.5. At this stage there are no plans to address these in Squid-2.5. Some may be addressed in the Squid-3.0 release.
- Bug #1059 mime.conf and referenced icons must be within chroot
- Bug #692 tcp_outgoing_address using an ident ACL does not work
- Bug #581 acl max_user_ip and multiple authentication schemes
- Bug #528 miss_access fails on slow acl types such as dst
- Bug #513 squid -F is starting server sockets too early
- Bug #457 does not handle swap.state corruption properly
- Bug #410 unstable if runs out of disk space
- Bug #355 diskd may appear slow on low loads
- Bug #219 delay_pools stops working on -k reconfigure
See also Open bug reports for Squid-2.5
Patches released after the 2.5.STABLE14 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
The patch for Bug #1504 forgot to account for persistent connections,
causing NONE/- to be logged in the hierarchy field when using a persistent
peer connection.
A workaround is to set "server_persistent_connections off" |
severity |
Cosmetic |
date |
2006-06-21 12:25 |
bugzilla |
#1605 |
versions |
squid-2.5.STABLE13 and later |
patch |
squid-2.5.STABLE14-hierarchy_tag.patch |
synopsis |
assertion failed: HttpReply.c:105: "rep"
The patch for Bug #1511 "Some 206 responses logged incorrectly" was slightly
broken and could cause the above assert. |
severity |
Major |
date |
2006-06-02 22:00 |
bugzilla |
#1606 |
versions |
squid-2.5.STABLE13 and later |
patch |
squid-2.5.STABLE14-httpReplyDestroy.patch |
Patches released after the 2.5.STABLE13 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
On some systems POSIX AIO functions are in libaio |
severity |
Minor |
date |
2006-05-12 19:35 |
versions |
squid-2.5.STABLE13 and earlier |
patch |
squid-2.5.STABLE13-libaio-2.patch |
synopsis |
Memory leak in header processing related to external_acl or custom log formats |
severity |
Medium |
date |
2006-05-12 16:17 |
bugzilla |
#1564 |
versions |
squid-2.5.STABLE13 and earlier |
patch |
squid-2.5.STABLE13-header_leak.patch |
synopsis |
Mime icons are not displayed when viewing ftp sites when
visible_hostname is a short hostname (without domain). |
severity |
Minor |
date |
2006-05-12 15:57 |
bugzilla |
#1532 |
versions |
squid-2.5.STABLE13 and earlier |
patch |
squid-2.5.STABLE13-icons.patch |
synopsis |
SQUIDHOSTNAMELEN issues
cosmetic cleanup to get rid of remaining SQUIDHOSTNAMELEN magics which
may cause issues for very long hostnames. |
severity |
Cosmetic |
date |
2006-05-12 15:54 |
bugzilla |
#1434 |
versions |
squid-2.5.STABLE13 and earlier |
patch |
squid-2.5.STABLE13-hostnamelen.patch |
Patches released after the 2.5.STABLE12 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
The error message returned when DNS lookup of a peer name fails
seemed to indicate it was the requested host name which could not
be found when it was the peer which could not be found. |
severity |
Cosmetic |
date |
2006-03-10 23:17 |
bugzilla |
#1504 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-peer_dns_error.patch |
synopsis |
Failed to properly parse FTP file or directory names with
" -> " in their name |
severity |
Cosmetic |
date |
2006-02-26 00:06 |
bugzilla |
#1508 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-ftpsymlink.patch |
workaround |
Open the directory as a "plain" directory by adding ;type=d after
the URL. |
synopsis |
A harmless typo in ftp.c could cause the ftp directory parser to
incorrectly think it successfully parsed certain "odd" lines, not
automatically enabling the "plain directory" option link. |
severity |
Cosmetic |
date |
2006-02-26 00:06 |
bugzilla |
#1507 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-ftpdates.patch |
workaround |
Manually add ;type=d after the URL if encountering a FTP server
where this problem is seen. The Squid developers do not know
of any FTP server giving out directory listings which would trigger
this. |
synopsis |
- New GCC triggering on a few minor things related to variable aliasing
- New OpenLDAP deprecated the common LDAP C-API simple bind functions |
severity |
Minor |
date |
2006-02-26 00:06 |
bugzilla |
#1492 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-fc5.patch |
synopsis |
Squid hangs at 100% CPU while starting helpers if /dev/null
can not be opened (non-existing or bad permissions). |
severity |
Cosmetic |
date |
2006-02-26 00:06 |
bugzilla |
#1484 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-devnull.patch |
workaround |
Make sure /dev/null exists and is world read/writeable. |
synopsis |
The patch adds a new persistent_connection_after_error directive
enabling/disabling the use of persistent connections after error. If set to off
then it behaves very close to Squid-2.4 even if you have persistent connections
enabled. |
severity |
Cosmetic |
date |
2006-02-26 00:06 |
bugzilla |
#1482 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-persistent_connection_after_error.patch |
synopsis |
Delay pools assigned too much traffic credit after "squid -k
reconfigure" (first time double the amount, second time three times
the amount etc..) |
severity |
Medium |
date |
2006-02-26 00:06 |
bugzilla |
#1481 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-delay_pool_reconfigure.patch |
workaround |
Restart Squid instead of using "-k reconfigure", or don't allow for
any bandwidth credit in your delay pools. |
synopsis |
FTP uploads fail if the upload takes longer than read_timeout
to complete. |
severity |
Medium |
date |
2006-02-26 00:06 |
bugzilla |
#1459 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-ftp_upload.patch |
workaround |
Set read_timeout high, but be warned that this combined with
"half_closed_clients on" (default) may cause severe filedescriptor
shortage. |
synopsis |
Some clients are capable of using NTLM authentication even if they
do not negotiate persistent connections on the initial request. |
severity |
Minor |
date |
2006-02-26 00:06 |
bugzilla |
#1447 |
versions |
Squid-2.5.STABLE12 |
platforms |
All |
patch |
squid-2.5.STABLE12-ntlm_nonpersistent.patch |
workaround |
Allow basic authentication to be used by these clients |
synopsis |
Ident access lists don't work in delay_access statements |
severity |
Minor |
date |
2006-02-26 00:06 |
bugzilla |
#1428 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-ident_acl.patch |
synopsis |
Segmentation fault on empty proxy_auth ACLs |
severity |
Cosmetic |
date |
2006-02-26 00:06 |
bugzilla |
#1414 |
versions |
Squid-2.5.STABLE8 to 2.5.STABLE12 |
platforms |
All |
patch |
squid-2.5.STABLE12-empty_proxy_auth_acl.patch |
workaround |
Make sure your configuration is correct with no empty
proxy_auth ACLs defined. |
synopsis |
Range processing still failed on objects >2GB. This could be triggered
either by range_offset_limit, or by enabling caching of such large
objects. |
severity |
Minor |
date |
2006-03-04 03:30 |
bugzilla |
#437 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-range2GB-2.patch |
workaround |
range_offset_limit 0 KB (default), maximum_object_size below 2 GB (default 4096 KB which is safe). |
synopsis |
This patch adds an HttpReply *reply member to clientHttpRequest. This
reply will be used to generate the client-side reply header and will
stay in memory until the end of the transaction so the correct status
code may be logged. |
severity |
Minor |
date |
2006-03-04 03:07 |
bugzilla |
#1511 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-log_206-2.patch |
synopsis |
On 64 bit Irix systems the declaration of timezone is different
from 32 bit and the build fails. |
severity |
Minor |
date |
2006-01-22 17:28 |
bugzilla |
#1479 |
versions |
Squid-2.5 and earlier |
platforms |
SGI Irix (64 bit systems only) |
patch |
squid-2.5.STABLE12-irix_timezone.patch |
workaround |
Manually remove the 'timezone' declaration from lib/rfc1123.c. |
synopsis |
A minor error in the patch to allow coredumps on Linux. Not
harmful today, but maybe in future if these unused arguments
are used for something. |
severity |
Cosmetic |
date |
2006-01-15 01:23 |
bugzilla |
#1483 |
versions |
Squid-2.5.STABLE11 |
platforms |
All |
patch |
squid-2.5.STABLE12-prctl_args.patch |
synopsis |
When accessing Async IO Function Counters from the Cachemgr interface, if aufs
is not in use, Squid could segfault.
This happens only when Squid is built with aufs and aufs's number of threads is
set with the --enable-async-io configure option. |
severity |
Minor |
date |
2005-12-26 16:41 |
bugzilla |
#1464 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-asyncio_counters.patch |
workaround |
Specify during configure only the store FS that will be used. |
synopsis |
wbinfo -n output was changed in Samba 3.0.21, adding a SID description after the
SID value:
giove:~# wbinfo -n Staff
S-1-5-21-682003330-854245398-1708537768-1123 Domain Group (2)
So a little change in the wbinfo_group.pl parsing is needed. |
severity |
Minor |
date |
2005-12-24 11:02 |
bugzilla |
#1472 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-wbinfo_group.patch |
workaround |
None. |
synopsis |
The SMB NTLM authentication helper doesn't work as expected when
using the --enable-ntlm-fail-open configure option because
credentials are not fetched correctly (username is missing).
This problem is triggered only when using the --enable-ntlm-fail-open configure
option and the helper was not able to validate the user. |
severity |
Minor |
date |
2005-12-11 10:52 |
bugzilla |
#1022 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-SMB_BadFetch.patch |
workaround |
Don't use the --enable-ntlm-fail-open configure option. |
synopsis |
Added the WebDAV REPORT method to the list of known HTTP methods |
severity |
Cosmetic |
date |
2006-02-26 14:47 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE12-REPORT.patch |
workaround |
extension_methods REPORT |
synopsis |
Squid-2.5.STABLE12 assumes the OS provides a setenv() function,
causing compilation to fail on platforms not providing such function. |
severity |
Minor |
date |
2005-10-26 20:31 |
bugzilla |
#1435 |
versions |
Squid-2.5.STABLE12 |
platforms |
Solaris and other platforms not having a setenv() function |
patch |
squid-2.5.STABLE12-setenv.patch |
workaround |
Back out squid-2.5.STABLE11-HOME-2.patch |
Patches released after the 2.5.STABLE11 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
The individual pools for network 255 in a class 3 pool were handled
wrongly, causing clients with ip X.X.255.X to hang after downloading
a few bytes. |
severity |
Minor |
date |
2005-10-20 17:42 |
bugzilla |
#1431 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-delaypool_3_255.patch |
workaround |
Don't assign clients in network 255 to a class 3 pool. Use a class 2 pool
for this network alone. |
synopsis |
In certain odd FTP server responses Squid may crash with a segmentation
fault in rfc1738_do_escape. |
severity |
Major |
date |
2005-10-18 15:48 |
bugzilla |
#1426 |
versions |
Squid-2.5.STABLE11 |
platforms |
All |
patch |
squid-2.5.STABLE11-rfc1738_do_escape.patch |
workaround |
deny access to the ftp protocol via the proxy |
synopsis |
In certain situations involving cache refreshes of 302 responses
Set-Cookie headers may be lost. |
severity |
Minor |
date |
2005-10-18 15:47 |
bugzilla |
#1419 |
versions |
Squid-2.5.STABLE9 to 2.5.STABLE11 |
platforms |
All |
patch |
squid-2.5.STABLE11-setcookie.patch |
workaround |
Use the no_cache directive to deny the cache to be used on the affected
URLs (if identified). |
synopsis |
If a redirector attempted to return a 302 redirect in response
to a CONNECT method Squid responded with an error. |
severity |
Minor |
date |
2005-10-18 15:47 |
bugzilla |
#1412 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-redirect-CONNECT.patch |
synopsis |
Due to a long standing misunderstanding of HEAD requests it
has not been possible to revalidate the cache on a HEAD request. Since
2.5.STABLE7 this has had the side effect that the cache hit ratio
for applications using HEAD has been very low. |
severity |
Minor |
date |
2005-10-18 15:47 |
bugzilla |
#1411 |
versions |
Squid-2.5 and earlier, made more visible in 2.5.STABLE7 and later |
platforms |
All |
patch |
squid-2.5.STABLE11-IMS-HEAD.patch |
synopsis |
netdb exchanges fail when peering with a 2.5.STABLE11 configured as
a transparently intercepting proxy |
severity |
Minor |
date |
2005-10-18 15:47 |
bugzilla |
#1410 |
versions |
Squid-2.5.STABLE11 |
platforms |
All |
patch |
squid-2.5.STABLE11-httpd_accel-internal.patch |
workaround |
Set the first http_port to 80 (same as httpd_accel_port). |
synopsis |
The wrong TTL was selected on certain CNAME based DNS responses
such as used in certain load balancing methods etc. |
severity |
Minor |
date |
2005-09-28 21:52 |
bugzilla |
#1404 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-CNAME.patch |
workaround |
Don't set dns_positive_ttl too high. This directive puts an upper
bound on the DNS cache time to live compensating for this error. |
synopsis |
configure accepts a number of parameters as input in environment
variables and setting CACHE_HTTP_PORT is meant to define the default
port where Squid listens. This was however only half-way implemented. |
severity |
Cosmetic |
date |
2005-09-28 21:16 |
bugzilla |
#1403 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-CACHE_HTTP_PORT.patch |
workaround |
Edit the http_port section in src/cf.data.pre in addition to defining
CACHE_HTTP_PORT. |
synopsis |
Persistent connections did not work properly in accelerator mode using
httpd_accel_single_host, causing a lot of connections to build up to
the backend web server. |
severity |
Minor |
date |
2005-09-28 21:07 |
bugzilla |
#1402 |
versions |
Squid-2.5 and earlier(?) |
platforms |
All |
patch |
squid-2.5.STABLE11.accel_single_host_pconn.patch |
workaround |
server_persistent_connections off, or disable persistent connection support
on the web server. |
synopsis |
The environment variable $HOME is not set properly when Squid is
started as root, causing problems for some helpers to find their
configuration details. For example LDAP helpers finding their .ldaprc
configuration data.
This patch sets $HOME to the home of cache_effective_user. |
severity |
Cosmetic |
date |
2005-09-28 21:42 |
bugzilla |
#1401 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-HOME-2.patch |
workaround |
Set $HOME appropriately when starting Squid, or wrap the helper
needing this in a small script setting $HOME. |
synopsis |
This patch adds some additional tracing to squid_ldap_auth hopefully
making it easier to isolate squid_ldap_auth configuration errors.
The patch also corrects a small but important error in one of the
examples in how to connect to Microsoft Active Directory. |
severity |
Cosmetic |
date |
2005-09-28 21:07 |
bugzilla |
#1395 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-ldap_auth.patch |
workaround |
None needed |
synopsis |
The tcp_outgoing_address and tcp_outgoing_tos directives are evaluated
when a new outgoing connection is set up and not changed if the same
connection is later reused for a completely different request.
This patch clarifies this limitation. |
severity |
Cosmetic |
date |
2005-09-28 21:07 |
bugzilla |
#454 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE11-tcp_outgoing_xxx.patch |
workaround |
Set server_persistent_connections off when using these directives to set
the outgoing address/tos depending on the requesting client or similar. |
synopsis |
A small but critical error has been found in the patch for Bug #500
causing responses to get truncated when using delay pools. |
severity |
Major |
date |
2005-09-27 22:29 |
bugzilla |
#1405 |
versions |
Squid-2.5.STABLE11 only |
platforms |
All |
patch |
squid-2.5.STABLE11-delaypools_truncated.patch |
workaround |
Disable the use of delay pools |
Patches released after the 2.5.STABLE10 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
New configure option to make life easier for people needing to
build a binary supporting a higher number of filedescriptors
than the user they build Squid as is allowed to open. |
severity |
Cosmetic |
date |
2005-09-19 15:50 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-maxfd.patch |
workaround |
Squid FAQ 11.4 Running out of filedescriptors |
synopsis |
Instead of always being false the dst acl match was using the
address 255.255.255.255 if no IP could be found for the requested
host. Apart from being slightly odd and unexpected this made it
hard to differentiate unknown hosts from badly registered hosts. |
severity |
Minor |
date |
2005-09-16 21:58 |
bugzilla |
#1394 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-dst_unknown.patch |
workaround |
none needed |
synopsis |
pipeline_prefetch is incompatible with NTLM authentication, but Squid
failed to detect this if pipeline_prefetch was set after the auth_param
ntlm directive. |
severity |
Cosmetic |
date |
2005-09-16 21:49 |
bugzilla |
#1396 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE10-ntlm-pipeline_prefetch.patch |
workaround |
Leave pipeline_prefetch at its default "off" setting |
synopsis |
Squid may crash with the above error when given certain request sequences. |
severity |
Major |
date |
2005-09-16 11:10 |
bugzilla |
#1391 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE10-NTLM-scheme_assert-2.patch |
workaround |
Disable ntlm authentication |
synopsis |
If Squid is configured with "pipeline_prefetch on" then odd results
and instability may be seen on pipelined CONNECT requests. |
severity |
Medium |
date |
2005-09-15 09:56 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-pipeline-CONNECT.patch |
workaround |
"pipeline_prefetch off" in squid.conf. (the default setting). |
synopsis |
On NetBSD and maybe others, when using Ipfilter 4.x, opening of the NAT device fails.
On Solaris the following message can appear in cache.log:
parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument
This patch adds the usage of ipfobj structure for IP Filter 4.0alpha27 and later. |
severity |
Minor |
date |
2005-09-13 03:22 |
bugzilla |
#1378 |
versions |
Squid-2.5 and earlier |
platforms |
NetBSD, Solaris and maybe others |
patch |
squid-2.5.STABLE10-NetBSD_IPFilter-3.patch |
synopsis |
Clients may bypass delay pool settings by carefully constructing
the request making it look like a cache hit. |
severity |
Medium |
date |
2005-09-11 01:53 |
bugzilla |
#500 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-delay_pools.patch |
synopsis |
Linux and other operating systems by default prevent saving of
core dumps on fatal application errors if the application has
changed user ID since it was started. |
severity |
Cosmetic |
date |
2005-09-16 21:16 |
bugzilla |
#1335 |
versions |
Squid-2.5 and earlier |
platforms |
Linux (maybe others) |
patch |
squid-2.5.STABLE10-allow_coredump-2.patch |
workaround |
Start Squid as your cache_effective_user |
synopsis |
The header_id enum was misused assuming compilers would compile
the type equivalent to a signed integer, while the enum was only
defined with positive values allowing compilers to select an
unsigned integer data type to store the enum. |
severity |
Cosmetic |
date |
2005-09-11 01:21 |
bugzilla |
#1343 |
versions |
Squid-2.5 and earlier |
platforms |
Some compilers on some platforms |
patch |
squid-2.5.STABLE10-header_id_enum.patch |
synopsis |
Incorrect store dir selection debug message on objects >2G |
severity |
Cosmetic |
date |
2005-09-11 01:21 |
bugzilla |
#1343 |
versions |
Squid-2.5.STABLE10 (earlier versions could not handle such large objects at all) |
platforms |
All |
patch |
squid-2.5.STABLE10-storedir_objsize_debug.patch |
synopsis |
Due to a logic error in squid-2.5.STABLE9-LDAP_SUN_SDK.patch
TLS could not be activated when using the OpenLDAP SDK. |
severity |
Minor |
date |
2005-09-11 00:57 |
bugzilla |
#1389 |
versions |
Squid-2.5.STABLE10 |
platforms |
All |
patch |
squid-2.5.STABLE10-LDAP_TLS.patch |
synopsis |
The e-mail sent when the cache dies uses the Squid internal appname "squid"
as its "From:" field.
This "From:" address is invalid for the majority of antispam filters because
it doesn't contain a valid domain name.
This patch adds the 'mail_from' directive to squid.conf, allowing the from
e-mail address to be specified, and changes the default to 'appname@unique_hostname'. |
severity |
Minor |
date |
2005-09-03 09:41 |
bugzilla |
#1380 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-mail_from.patch |
workaround |
Define special rules into antispam configuration. |
synopsis |
On Solaris Ipfilter include files use a SOLARIS2 define defined
only in the ipfilter makefile at ipfilter build time.
When building applications like Squid that use ipfilter include files, this
define must be defined according to the Solaris minor version:
On solaris 8: #define SOLARIS2 8
On solaris 10 #define SOLARIS2 10
Another minor problem is that getconf during configure removes the 'sun'
define used by ipfilter to recognize the Solaris platform. |
severity |
Minor |
date |
2005-09-13 02:59 |
bugzilla |
#1374 |
versions |
Squid-2.5 and earlier |
platforms |
Solaris Sparc and x86 |
patch |
squid-2.5.STABLE10-Solaris_IPFilter-2.patch |
workaround |
Manually define SOLARIS2 before running configure. |
synopsis |
snmp cacheClientTable fails to return any information for "long" IP
addresses. Clients with IP xxx.xxx.xxx.xx or shorter work, but
xxx.xxx.xxx.xxx does not work. |
severity |
Minor |
date |
2005-09-01 22:57 |
bugzilla |
#1375 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-cacheClientTable.patch |
synopsis |
Squid crashes with the above assertion failure in certain conditions
involving aborted requests. |
severity |
Major |
date |
2005-09-01 22:44 |
bugzilla |
#1368 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-STORE_PENDING.patch |
synopsis |
Greek translation of the Squid error messages, kindly provided by
George Papamichelakis. |
severity |
Cosmetic |
date |
2005-09-01 22:39 |
bugzilla |
#1351 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-Greek.patch |
synopsis |
Some odd FTP servers mistakenly respond with a 250 code where 226
is expected, making Squid mistakenly think something went wrong with
the transfer |
severity |
Minor |
date |
2005-09-01 22:31 |
bugzilla |
#1348 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-ftp_250.patch |
synopsis |
Squid fails to compile if glibc -D_FORTIFY_SOURCE=2 is used (used by
Fedora Core 4 and others). This is due to the way -D_FORTIFY_SOURCE=2
is implemented in the glibc headers, redefining vprintf and a number
of other functions as preprocessor macros, causing problems for
applications like Squid reusing the same name as structure members. |
severity |
Cosmetic |
date |
2005-09-01 22:26 |
bugzilla |
#1344 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-FORTIFY_SOURCE.patch |
workaround |
Don't use -D_FORTIFY_SOURCE=2 |
synopsis |
In certain error conditions on requests forwarded to a peer proxy the
URL in the error message could look a bit strange (NONE://10.72.43.56:8181http://www.abcd.com/)
and a number of inconsistencies in what %xx error page components may be used where |
severity |
Cosmetic |
date |
2005-09-01 22:18 |
bugzilla |
#1342 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-errmsg.patch |
synopsis |
Issues with reading mime.conf and a few other files when using chroot_dir
and issuing a "squid -k reconfigure". |
severity |
Minor |
date |
2005-09-01 22:09 |
bugzilla |
#1331 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-chroot_dir.patch |
workaround |
Make sure the chroot path exists within the chroot as well. |
synopsis |
One slightly oddly done sanity check in Squid may trigger compiler bugs
on certain platforms. |
severity |
Medium |
date |
2005-09-01 21:56 |
bugzilla |
#1325 |
versions |
Squid-2.5 and earlier |
platforms |
Some (compiler dependent) |
patch |
squid-2.5.STABLE10-statHistAssert.patch |
workaround |
Probably works fine if optimizations are disabled |
synopsis |
After certain slightly odd requests Squid crashes with a segmentation
fault in sslConnectTimeout |
severity |
Major |
date |
2005-09-01 20:27 |
bugzilla |
#1355 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE10-sslConnectTimeout.patch |
synopsis |
Workaround needed to allow the build of both ipfilter and ARP acl
support on Solaris x86.
Some defines, like
#define free +
are used in squid.h to block misuse of standard malloc routines
where the Squid versions should be used. This pollutes the C/C++
token namespace crashing any structures or classes having members
of the same names. |
severity |
Minor |
date |
2005-08-19 09:31 |
bugzilla |
#199 |
versions |
Squid-2.5 and earlier |
platforms |
Solaris x86 and may be Solaris Sparc |
patch |
squid-2.5.STABLE10-arp_ipfilter-2.patch |
synopsis |
This patch adds a new 'mail_program' configuration option in squid.conf.
This option allows specifying the mailer program name that Squid will use to
send fatal reports by mail, and related command line options. |
severity |
Cosmetic |
date |
2005-08-14 17:05 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-mail_program.patch |
synopsis |
The new --with-build-environment=... configure option added in
STABLE10 doesn't work other than the "default" case. |
severity |
Cosmetic |
date |
2005-07-11 00:46 |
versions |
Squid-2.5.STABLE10 |
platforms |
All |
patch |
squid-2.5.STABLE10-buildenv.patch |
workaround |
Specify the needed CFLAGS etc as environment variables when
running configure. |
synopsis |
This patch allows wb_ntlm_auth to run more silently:
- Don't try to open /dev/urandom if it's not available.
- Changed the level of the "target domain" message from warn to debug. |
severity |
Cosmetic |
date |
2005-07-09 08:58 |
bugzilla |
#518 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-wb_ntlm_auth_silent.patch |
synopsis |
This patch fixes many warnings during build on HP Tru64 Unix:
- assert() must test logical expressions, not pointers
- STATUS define conflict in parse.c (snmplib)
- Warnings in winbind, winbind_group, SMB, fakeauth and MSNT helpers
- Warnings in net_db.c |
severity |
Cosmetic |
date |
2005-07-03 08:24 |
bugzilla |
#1316 |
versions |
Squid-2.5 and earlier |
platforms |
HP Tru64 and probably some other 64 bit platforms |
patch |
squid-2.5.STABLE10-64bit_cleanup.patch |
synopsis |
wbinfo_group.pl only looks into the first group specified, while
all other group helpers allow a list of groups to look for |
severity |
Minor |
date |
2005-06-29 20:36 |
bugzilla |
#1333 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE10-wbinfo_groups.patch |
workaround |
use one acl per group |
synopsis |
This patch changes the directory cleanup to use relative URLs rather
than BASE HREF when a directory is requested without trailing / |
severity |
Minor |
date |
2005-06-21 22:28 |
bugzilla |
#1204 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-ftp_basehref.patch |
workaround |
Make sure to end the ftp:// URL in / when requesting a directory |
synopsis |
The squid-2.5.STABLE8-html_high_chars patch was a little too aggressive,
messing up URLs having characters which were intentionally encoded such
as / as used for the UNIX root directory. |
severity |
Cosmetic |
date |
2005-06-22 10:46 |
bugzilla |
#1220 |
versions |
Squid-2.5.STABLE9 and 10 |
platforms |
All |
patch |
squid-2.5.STABLE10-ftp_title-2.patch |
synopsis |
This quick patch fixes the SNMP GETNEXT search when given an OID outside
the Squid MIB. This allows proper integration of Squid into proxy SNMP
agents. |
severity |
Minor |
date |
2005-06-19 21:03 |
bugzilla |
#1317 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-snmp_getnext.patch |
synopsis |
Failed to detect if the type of an existing cache_dir was changed,
calling the parser function of the new type with the internal data of
the existing one.
This patch detects this and logs to cache.log (and the console) that a
restart is required. |
severity |
Minor |
date |
2005-06-19 09:39 |
bugzilla |
#1308 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-cache_dir_change.patch |
workaround |
Restart Squid whenever changing the type of an existing cache_dir. |
synopsis |
Due to an internal error httpd_accel_single_host was incompatible
with redirection. |
severity |
Minor |
date |
2005-06-13 22:55 |
bugzilla |
#1314 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-redirect_flags.patch |
synopsis |
Abnormal crash if Squid was built with --enable-ipf-transparent
but access to the NAT device was denied. |
severity |
Minor |
date |
2005-06-30 08:49 |
bugzilla |
#1313 |
versions |
Squid-2.5.STABLE10 |
platforms |
All |
patch |
squid-2.5.STABLE10-transparent-2.patch |
workaround |
Properly configure your OS to grant Squid access to the NAT device
when using --enable-ipf-transparent |
synopsis |
Due to a slight confusion about paths when using the chroot directive
"squid -k" could fail to find the pid file. |
severity |
Minor |
date |
2005-06-27 21:24 |
bugzilla |
#1307 |
versions |
Squid-2.5.STABLE10 |
platforms |
All |
patch |
squid-2.5.STABLE10-chroot-2.patch |
workaround |
Use symlinks to make the pid file appear in the same location both
within and outside the chroot. |
synopsis |
The Date header on internal icons always showed the date when Squid
was started, causing slight cache problems for client and second-level
non-squid proxies. |
severity |
Minor |
date |
2005-06-09 08:01 |
bugzilla |
#1275 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE10-internal_date.patch |
workaround |
None needed. |
synopsis |
Updated Spanish error messages with translation for the ERR_INVALID_RESP
page and numerous minor corrections in other pages. |
severity |
Cosmetic |
date |
2005-06-06 21:38 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE10-spanish.patch |
synopsis |
There are many web servers out there with broken banner engines
that forget to delete the original content-length after adding the
banner. Currently these are (rightfully) rejected by Squid.
Instead of rejecting we could select the biggest content-length header
found and remove the other. This should fix up these replies while not
allowing for attacks. |
severity |
Cosmetic |
date |
2005-05-25 23:01 |
bugzilla |
#1305 |
versions |
Squid-2.5.STABLE8 to STABLE10 |
platforms |
All |
patch |
squid-2.5.STABLE10-content_length.patch |
workaround |
The proper fix to this problem is to work with the site operators to
have their web servers corrected. |
Patches released after the 2.5.STABLE9 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
There have been a lot of questions about always_direct. This patch
tries to answer the most common questions on what always_direct does
and its relation to other directives. |
severity |
Cosmetic |
date |
2005-05-10 23:11 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-always_direct_documentation.patch |
synopsis |
A race window in the 2GB patch could make Squid abort with the above
assertion error |
severity |
Medium |
date |
2005-05-10 22:33 |
bugzilla |
#1301 |
versions |
Squid-2.5.STABLE9+2GB patch |
platforms |
All |
patch |
squid-2.5.STABLE9-2GB_assert.patch |
synopsis |
Malicious users may spoof DNS lookups if the DNS client UDP port
(random, assigned by OS at startup) is unfiltered and your network
is not protected from IP spoofing. |
severity |
Security issue |
date |
2005-05-10 22:24 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-dns_query-2.patch |
workaround |
Firewall your Squid server to not allow spoofed DNS responses
to reach the server. |
synopsis |
This patch extends the dstdomain and dstdom_regex acls to also
allow matching of numeric host names (IP addresses) in the requested
URLs. |
severity |
Minor |
date |
2005-05-09 01:51 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-dstdomain_ip.patch |
workaround |
In prior versions only url_regex could be used for matching these,
and then with rather complex patterns. |
synopsis |
Cosmetic improvements to arp ACL code:
- Fixed a build warning on FreeBSD
- Added documentation info in squid.conf
- Fixed dump format of arp ACL configuration in cachemgr |
severity |
Cosmetic |
date |
2005-05-08 14:01 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-arpacl.patch |
synopsis |
This patch corrects two minor issues in the SNMP agent. The first
ignored all but the first OID in GETNEXT/GETBULK requests. The second
is that Squid always responded with a SNMPv1 response even when the
request was a SNMPv2(c) request, causing the requestor to ignore the
response sent by Squid. |
severity |
Minor |
date |
2005-05-04 18:09 |
bugzilla |
#1298, #1299 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-snmp.patch |
workaround |
Use SNMPv1 and only request one OID at a time |
synopsis |
This patch aligns labels and expands the OPS and SUCCESS fields of the DISKD cachemgr stats |
severity |
Cosmetic |
date |
2005-05-01 10:58 |
bugzilla |
#1267 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-diskd.patch |
synopsis |
This patch corrects a problem with the squid-2.5.STABLE9-2GB patch
where the hot object cache showed a very poor hit ratio and also
sporadic aborts with assertion failed: store_swapin.c: e->mem_status == NOT_IN_MEMORY. |
severity |
Medium |
date |
2005-04-30 12:58 |
bugzilla |
#1055 |
versions |
Squid-2.5.STABLE9+2GB patch |
platforms |
All |
patch |
squid-2.5.STABLE9_2GB-hot_cache.patch |
synopsis |
- Currently internal thread request counters are increased at every request, but they are not displayable in cachemgr. This patch adds thread request counters to the "Async IO Function Counters" cachemgr page.
- Usage of FD_READ_METHOD/FD_WRITE_METHOD instead of read()/write() in the async-io completion event for better portability. |
severity |
Cosmetic |
date |
2005-04-25 16:36 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-aufs_improvement.patch |
synopsis |
This patch adds access controls to the cachemgr.cgi script, preventing
it from being abused to reach other servers than allowed in a local
configuration file. |
severity |
Minor Security |
date |
2005-04-26 04:30 |
bugzilla |
#1094 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-cachemgr_conf.patch |
workaround |
Configure your web server to restrict which users may use
the cachemgr.cgi CGI program. |
synopsis |
The PID file check gets somewhat confused when chrooting, writing
the pid within the chroot but trying to read it before chrooting. |
severity |
Cosmetic |
date |
2005-04-22 20:48 |
bugzilla |
#1157 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-chroot_pidfile.patch |
workaround |
Use symlinks to make sure the PID file can be read both within and
outside the chroot. |
synopsis |
This patch extends the helper protocols for Basic and Digest to provide
some basic information in error responses, and makes use of the error
response already included in the NTLM helper protocol, making these
messages available as %m in error pages. Can be used if desired to
indicate why a login failed. The exact messages returned are helper
dependent. |
severity |
Minor |
date |
2005-04-24 16:35 |
bugzilla |
#1223 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE9-authinfo.patch |
synopsis |
This patch corrects forwarding of unrecognized cache-control
directives in forwarded requests. |
severity |
Minor |
date |
2005-04-22 20:21 |
bugzilla |
#414 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-forwardcc.patch |
synopsis |
The configuration parser sometimes misunderstood lines using the
DOS/Windows CRLF line terminator, causing the CR to be read as part
of the configured strings. This could be seen in auth_param realm
and a few other places. |
severity |
Cosmetic |
date |
2005-04-21 10:31 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-config_CRLF.patch |
workaround |
Make sure your squid.conf is in proper UNIX format with only NL as
line terminator. |
synopsis |
Unable to run "squid -k" when hostname cannot be determined |
severity |
Minor |
date |
2005-04-20 21:55 |
bugzilla |
#1196 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-squid_k_nohostname.patch |
workaround |
Set visible_hostname in squid.conf |
synopsis |
The logic on how Squid should reconstruct the requested URL when
running as a transparently intercepting proxy was a bit muddled and
failed in some cases if Squid was listening on a different port
than the intercepted traffic. |
severity |
Minor |
date |
2005-04-20 21:55 |
bugzilla |
#1193 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-transparent_port.patch |
workaround |
Use one http_port directive per intercepted port |
synopsis |
Some debug statements missing newlines causing cache.log debug output
to look somewhat odd. |
severity |
Cosmetic |
date |
2005-04-21 10:46 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-debug_newlines.patch |
synopsis |
This patch adds support for the %a code in error page templates,
expanding into the authenticated user name or - if the request
was not authenticated. |
severity |
Cosmetic |
date |
2005-04-20 21:36 |
bugzilla |
#798 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-errpage_user.patch |
synopsis |
The syslog facility Squid logs as was hardcoded to "local4". This
patch changes it to the more appropriate "daemon", and adds a -l
command line option to specify the facility if another facility
is desired. |
severity |
Cosmetic |
date |
2005-04-26 04:42 |
bugzilla |
#1227 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-syslog.patch |
synopsis |
Squid normally has the logic that if a request was denied by an acl
requiring authentication then the user should be requested to provide
"better" login credentials. This patch extends this to also work on
external acls requiring authentication (%LOGIN) |
severity |
Cosmetic |
date |
2005-03-30 22:51 |
bugzilla |
#1278 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE9-extaclauth.patch |
workaround |
You get the same effect by using a "proxy_auth REQUIRED" acl last on
the http_access deny line, after the external acl. |
synopsis |
This patch adds two new cachemgr actions to give access to two classes
of interesting ongoing objects:
pending_objects: Objects being retrieved from the network
client_objects : Objects being sent to clients |
severity |
Cosmetic |
date |
2005-03-29 09:52 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-cachemgr_objects.patch |
synopsis |
On Windows (both native and Cygwin ports) and OS/2 it is not possible to rename a file
over an existing one, so before the rename operation an unlink() is always needed.
Sometimes, after a Squid crash, the storeDirCloseTmpSwapLog() function family fails
because there is no target file to delete, causing a fatal error.
This patch moves the unlink() into xrename() like the native Windows port and
removes all unlink() calls that are no longer needed. |
severity |
Minor |
date |
2005-03-26 23:53 |
versions |
Squid-2.5 and earlier |
platforms |
OS/2, Cygwin and native Windows |
patch |
squid-2.5.STABLE9-rename_cleanup.patch |
synopsis |
This rather intrusive patch makes Squid request forwarding 64-bit clean
on 32-bit platforms with support for long long, allowing Squid to process
requests for files larger than 2GB.
- squid_off_t type, defined to 64 bit in size when available. Used
everywhere where an object size is seen.
- cleaned up use of off_t / size_t / ssize_t.
- several invalid typecasts to int removed
- PRINTF_OFF_T macro for the proper printf format for squid_off_t
variables.
- --with-large-files option to enable large file support on UNIX
compatible platforms (writing of log files etc).
- --enable-large-cache-files option to enable caching of very large
files |
severity |
Medium |
date |
2005-04-20 14:59 |
bugzilla |
#437 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-2GB.patch |
synopsis |
This patch addresses the warning on shutdown about two open
event related filedescriptors. It also contains
a microscopic performance enhancement by starting the I/O
threads early during the startup rather than on the first
I/O request. |
severity |
Cosmetic |
date |
2005-03-19 23:57 |
bugzilla |
#671 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE9-aufs_shutdown.patch |
synopsis |
The advertised --disable-hostname-checks could not be set, causing
Squid to always sanity check the hostnames even if this
configure option was used. |
severity |
Minor |
date |
2005-03-19 01:35 |
bugzilla |
#1270 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE9-disable_hostname_checks.patch |
synopsis |
The LDAP helpers fail to compile with the SUN LDAP SDK |
severity |
Cosmetic |
date |
2005-04-19 22:46 |
bugzilla |
#1258 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE9-LDAP_SUN_SDK.patch |
workaround |
Compile the LDAP helpers against the OpenLDAP SDK |
synopsis |
This mainly causes problems for applications abusing the CONNECT method
for tunneling other traffic than SSL via the proxy, for example some FTP
clients when uploading files.
The "problem" was introduced by squid-2.5.STABLE6-CONNECT.patch which
immediately disconnects from the server when seeing a client disconnect,
not waiting for pending "upload" data to be sent first.
It is strongly recommended to not use the CONNECT method in this manner.
If you want a general purpose proxy then look into SOCKS which provides
much better support for this kind of proxying.
Or in the case of FTP use an FTP proxy. |
severity |
Minor |
date |
2005-03-21 20:44 |
bugzilla |
#1269 |
versions |
Squid-2.5.STABLE6 to 2.5.STABLE9 |
platforms |
All |
patch |
squid-2.5.STABLE9-CONNECT_truncated.patch |
synopsis |
There was an artificial limit on the login+password to no more than 64
characters in total. |
severity |
Minor |
date |
2005-03-19 00:25 |
bugzilla |
#1171 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-long_basic_auth.patch |
synopsis |
- Enhance performance by zero-copy writes, enabled by making the mem
nodes reference counted.
- Implement ASYNC_CLOSE define, default to off.
- Correct ASYNC_WRITE logic if enabled (default to off)
- Correct a potential memory corruption error on queued write errors
- Remove unused aioFDWasClosed call |
severity |
Minor |
date |
2005-03-29 08:45 |
bugzilla |
#671 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-aufs.patch |
synopsis |
This patch extends "relaxed_header_parser on" to also quell warnings
about "excess data" due to several major web server vendors not complying
properly with the HTTP specifications in some aspects. |
severity |
Cosmetic |
date |
2005-03-09 15:46 |
bugzilla |
#1265 |
versions |
Squid-2.5.STABLE9 |
platforms |
All |
patch |
squid-2.5.STABLE9-excess_data.patch |
synopsis |
With relaxed_header_parser off duplicate content-length headers were
incorrectly logged as conflicting, not duplicates. In addition it
forgot to clean up the duplicate when relaxed_header_parser was
enabled (on/warn setting) |
severity |
Cosmetic |
date |
2005-03-09 15:46 |
bugzilla |
#1262 |
versions |
Squid-2.5.STABLE9 |
platforms |
All |
patch |
squid-2.5.STABLE9-dup_content_length.patch |
synopsis |
The cache digest retrieval should be deferred if the peer is
not allowed to be used for the request. |
severity |
Cosmetic |
date |
2005-03-09 15:46 |
bugzilla |
#1261 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-defer_digest_fetch.patch |
synopsis |
Some parts of the code were found to make incorrect use of the
ctype functions, possibly causing problems with "high" characters. |
severity |
Minor |
date |
2005-03-10 23:38 |
bugzilla |
#1259 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-ctype.patch |
synopsis |
On some platforms compiler warnings were seen about
pid_t not being an integer. This could cause debug output
from the affected components to be somewhat garbled on the
affected platforms. |
severity |
Minor |
date |
2005-03-15 04:27 |
bugzilla |
#1257 |
versions |
Squid-2.5 and earlier |
platforms |
mostly 64-bit platforms |
patch |
squid-2.5.STABLE9-pid_t.patch |
synopsis |
bzero is a non-standard function not available on all platforms.
The standard function for this is memset with a value of 0. |
severity |
Minor |
date |
2005-03-09 15:46 |
bugzilla |
#1256 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-bzero.patch |
synopsis |
Due to integer overflows several directives behave differently
than expected if given values greater than 2^31 (2 GB). This
applies to maximum_object_size and several other directives. |
severity |
Cosmetic |
date |
2005-03-09 15:46 |
bugzilla |
#1247 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-config_overflow.patch |
workaround |
Keep the configuration specifications in values < 2 GB. |
synopsis |
Clarify the wording in the delay_access documentation to make
it clearer this directive is sorted per pool, not used in the
order specified. |
severity |
Cosmetic |
date |
2005-03-09 15:46 |
bugzilla |
#1245 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-delay_access_doc.patch |
workaround |
Read documentation carefully |
synopsis |
If the reload_into_ims directive is used Squid may fail to revalidate
negatively cached entries on reload. |
severity |
Minor |
date |
2005-03-09 15:46 |
bugzilla |
#1159 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-reload_into_ims.patch |
workaround |
Don't use reload_into_ims. This is recommended as reload_into_ims
is a violation of the HTTP standards. |
synopsis |
A number of different web servers send dates in odd formats
outside the three "official" formats documented in RFC2616,
indirectly causing Squid to not cache objects from such sites. |
severity |
Minor |
date |
2005-03-09 15:46 |
bugzilla |
#321 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-date.patch |
synopsis |
On configuration errors involving wrongly defined or missing
acls the http_access results may be different than expected,
possibly allowing more access than intended.
This patch makes such configuration errors a fatal error,
preventing the service from starting until the access control
configuration errors have been corrected. |
severity |
Cosmetic Security |
date |
2005-03-04 22:48 |
bugzilla |
#1255 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE9-acl_error.patch |
workaround |
Verify your configuration with "squid -k parse" and correct
any errors reported before starting Squid. |
synopsis |
Links in FTP directory listings fail when the requested URL is missing
the trailing /. |
severity |
Minor |
date |
2005-03-04 11:55 |
bugzilla |
#1253 |
versions |
Squid-2.5.STABLE9 |
platforms |
All |
patch |
squid-2.5.STABLE9-ftp_base_href.patch |
workaround |
Request the directory with the trailing /. |
synopsis |
The EPLF FTP directory parser failed to parse all attributes
of the files, showing everything as unknown files. |
severity |
Minor |
date |
2005-03-04 11:55 |
bugzilla |
#1252 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE9-ftp_EPLF.patch |
synopsis |
A race window has been discovered where Set-Cookie headers may leak
to other users if the requested server relies on the old obsolete
(since 1997) Netscape Set-Cookie specifications in how caches should handle
the Set-Cookie header on otherwise cacheable content. |
severity |
Minor Security |
date |
2005-03-03 02:26 |
versions |
Squid-2.5.STABLE7 to 2.5.STABLE9 |
platforms |
All |
patch |
squid-2.5.STABLE9-setcookie.patch |
workaround |
Not a workaround, but the proper fix to this issue is to convert the
server to send proper "Cache-Control: no-cache=Set-Cookie" when required
as per the official RFC2109 / RFC2965 specifications. |
Patches released after the 2.5.STABLE8 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
Proxies should not automatically retry requests on 403 (Access Denied)
or other server errors. In the past Squid has done this to work around
problems with misconfigured/malfunctioning peers in complex cache
hierarchies. If you want to revert Squid back to the old behaviour of
aggressively retrying failed requests then enable the new "retry_on_error"
squid.conf directive. |
severity |
Medium |
date |
2005-02-23 00:11 |
bugzilla |
#1210 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-retry_on_error.patch |
synopsis |
This patch makes Squid ignore fqdn DNS responses with spaces in the
returned hostname. Spaces are not valid in internet hostnames. |
severity |
Minor |
date |
2005-02-21 17:02 |
bugzilla |
#1222 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-fqdn_spaces.patch |
synopsis |
FTP URLs were displayed in "raw" format, making them look very ugly
in the presence of national characters or other characters outside of the
plain US-ASCII alphabet. |
severity |
Cosmetic |
date |
2005-02-21 03:38 |
bugzilla |
#1220 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-ftp_url_display.patch |
synopsis |
This patch corrects two peer related memory leaks on "squid -k
reconfigure", one related to digests the other related to
cache_peer_access. In addition it speeds up cancellation of
nullified events to make it easier to detect reconfigure related
memory leaks. |
severity |
Minor |
date |
2005-02-21 02:58 |
bugzilla |
#1246 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-reconfigure_peer_leaks.patch |
synopsis |
Due to a minor bug in automake it is not possible to specify the
archiver program (AR) when running configure. |
severity |
Cosmetic |
date |
2005-02-21 01:38 |
bugzilla |
#1243 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-ar.patch |
workaround |
Specify the AR variable when running make |
synopsis |
This patch makes Squid compile without warnings using GCC4. Purely cosmetic changes. |
severity |
Cosmetic |
date |
2005-02-20 19:11 |
bugzilla |
#1211 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-gcc4.patch |
workaround |
Use an older less picky GCC version |
synopsis |
Squid-2.5.STABLE8 introduced a new stricter HTTP protocol parser
rejecting malformed HTTP responses. Due to the large number of
broken web servers this patch extends the relaxed_header_parser
directive to work around even more malformed HTTP responses than
it did in 2.5.STABLE8. |
severity |
Minor |
date |
2005-02-20 10:47 |
bugzilla |
#1242 |
versions |
Squid-2.5.STABLE8 |
platforms |
All |
patch |
squid-2.5.STABLE8-relaxed_header_parser.patch |
workaround |
The correct fix to this problem is to have the malfunctioning web
servers corrected. |
synopsis |
Some minor cleanups of FTP URLs, mainly to work better with Mozilla |
severity |
Cosmetic |
date |
2005-02-15 02:14 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-ftp_cleanup.patch |
synopsis |
Squid translated all non-ASCII octets in generated HTML content
such as FTP or Gopher listings into entity codes. |
severity |
Cosmetic |
date |
2005-02-15 01:07 |
bugzilla |
#1220 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE8-html_high_chars.patch |
synopsis |
This patch fixes some cross-platform build format warnings. |
severity |
Cosmetic |
date |
2005-02-20 11:03 |
versions |
Squid-2.5 and earlier |
platforms |
Solaris, FreeBSD, Linux and maybe others |
patch |
squid-2.5.STABLE8-format_fixes.patch |
synopsis |
Squid may abort with "xstrndup: Asserton 'n' failed" or other
errors when receiving certain odd DNS responses |
severity |
Major |
date |
2005-02-13 05:58 |
bugzilla |
#1234 |
versions |
Squid-2.5.STABLE5 to 2.5.STABLE8 |
platforms |
All |
patch |
squid-2.5.STABLE8-dns_assert.patch |
workaround |
The risk is reduced with "log_fqdn off" (the default setting) |
Patches released after the 2.5.STABLE7 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
Under certain conditions involving HTTP headers split over multiple
reply packets the HTTP reply may be corrupted by Squid. Symptoms range
from hanging requests to corrupted data or error messages about the reply
sent to the clients (usually "httpProcessReplyHeader: Too large reply header") |
severity |
Major |
date |
2005-02-11 10:59 |
bugzilla |
#1233 |
versions |
Squid-2.5.STABLE7 |
platforms |
All |
patch |
squid-2.5.STABLE7-split_headers.patch |
synopsis |
This patch improves handling of passwords in non-anonymous FTP requests
using ftp://user@host/ syntax slightly.
Note: Neither MSIE nor Mozilla supports this URL syntax; both only accept
ftp://user:password@host/ |
severity |
Cosmetic |
date |
2005-02-06 00:57 |
bugzilla |
#1226 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-ftp_password.patch |
workaround |
Close your browser if you enter the wrong password |
synopsis |
The WCCP control channel is easily disturbed if users send forged
WCCP packets to the Squid cache. |
severity |
Minor |
date |
2005-02-04 11:41 |
bugzilla |
#1225 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-wccp_disturb.patch |
workaround |
Firewall the WCCP port making sure only your WCCP router can send
WCCP packets to Squid. This is highly recommended even with this
patch due to the lack of security within the WCCP protocol. |
synopsis |
Failed PUT/POST requests can cause the next request to the same
server to hang or behave oddly. Warnings about wrstate != NULL
may also be seen in cache.log. |
severity |
Medium |
date |
2005-02-04 00:33 |
bugzilla |
#1122 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-server_post.patch |
workaround |
server_persistent_connections off |
synopsis |
An inconsistent state is entered on a failed PUT/POST request,
creating a high risk of segmentation faults or other strange errors |
severity |
Major |
date |
2005-02-04 00:12 |
bugzilla |
#1224 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-post.patch |
synopsis |
A race window in NTLM authentication and interactions with the
backend helper could cause Squid to abort with a segmentation
fault |
severity |
Minor |
date |
2005-02-03 23:27 |
bugzilla |
#1127 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-ntlm_segfault.patch |
synopsis |
The LDAP helpers send slightly incorrect search requests when
looking for the user DN. |
severity |
Minor |
date |
2005-02-03 23:17 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-ldap_search.patch |
workaround |
None needed. All known LDAP servers accept the search query as-is. |
synopsis |
This patch addresses a HTTP protocol mismatch related to
oversized reply headers. In addition it enhances the cache.log
reporting on reply header parsing failures to make it easier to
track down which sites are malfunctioning. |
severity |
Security issue |
date |
2005-01-31 22:50 |
bugzilla |
#1216 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-oversize_reply_headers.patch |
synopsis |
The length argument of the WCCP recvfrom() call is
larger than it should be. An attacker may send a
larger-than-normal WCCP packet and overflow a buffer. |
severity |
Security issue |
date |
2005-01-28 23:16 |
bugzilla |
#1217 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-wccp_buffer_overflow.patch |
synopsis |
This patch additionally strengthens Squid against the HTTP response
splitting cache pollution attack described by Sanctum. |
severity |
Security issue |
date |
2005-01-31 01:50 |
bugzilla |
#1200 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-response_splitting.patch |
synopsis |
Icons fail to load on non-anonymous FTP when using the short_icons_url directive |
severity |
Minor |
date |
2005-01-21 12:10 |
bugzilla |
#1203 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-short_icons_urls.patch |
workaround |
Leave short_icons_url in its default "off" setting, and make sure clients
know how to fetch the icons by full URL to Squid. |
synopsis |
Some FTP servers incorrectly drop already established data channel
connections after a failed command. This patch makes Squid work around
this by always opening a new FTP data channel before attempting to retrieve
a directory listing or a file from the FTP server. |
severity |
Minor |
date |
2005-01-21 12:10 |
bugzilla |
#1154 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-ftp_datachannel.patch |
workaround |
Use the correct FTP URL for the resource in question |
synopsis |
This patch adds a new configuration directive, httpd_accel_no_pmtu_disc,
to allow easy setup to disable path MTU discovery in certain
interception proxy environments (WCCP, route maps etc. where ICMP is not
redirected properly by the intercepting device) |
severity |
Minor |
date |
2005-01-21 12:10 |
bugzilla |
#1154 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch |
workaround |
Use firewall rules to remove the DF flag on return traffic to your clients
on intercepted requests, or ask the users to configure the proxy settings. |
synopsis |
This patch makes Squid considerably stricter while parsing the HTTP
protocol.
- A Content-length header should only appear once in a valid request
or response. Multiple Content-length headers, in conjunction with
specially crafted requests, may allow Squid's cache to be poisoned with
bad content in certain situations.
- CR characters are only allowed as part of the CR NL line terminator,
not alone. This is to ensure that all involved agree on the structure
of HTTP headers.
- Rejects requests/responses that have whitespace in an HTTP header
name.
The patch also adds a new relaxed_header_parser directive which
defaults to on. If set off Squid will become really strict about
CR characters and whitespace in header names, while in the default
on setting Squid will ignore (and automatically clean up) common
deviations from these parts of the HTTP specification. |
severity |
Security issue |
date |
2005-02-10 10:14 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-header_parsing.patch |
workaround |
Disable client- and server-side persistent connections. This will
limit the impact of mismatches in HTTP protocol parsing somewhat,
but not fully. |
synopsis |
LDAP is very forgiving about spaces in search filters and
this could be abused to log in using several variants of
the login name, possibly bypassing explicit access controls
or confusing accounting |
severity |
Minor Security issue |
date |
2005-01-17 04:29 |
bugzilla |
#1187 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-ldap_spaces.patch |
workaround |
Block logins with spaces
acl login_with_spaces proxy_auth_regex [[:space:]]
http_access deny login_with_spaces
|
synopsis |
In certain conditions involving compressed DNS responses
returned host names could be truncated. This is most notably
seen in client hostnames when using log_fqdn, but can also
happen in the domain driven acls when the user requests a
site by IP. |
severity |
Minor |
date |
2005-01-17 02:52 |
bugzilla |
#1136 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-fqdn_truncated.patch |
workaround |
--disable-internal-dns |
synopsis |
A slight memory leak in the processing of malformed DNS responses |
severity |
Minor |
date |
2005-01-17 02:52 |
bugzilla |
#1197 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-dns_memleak.patch |
workaround |
--disable-internal-dns |
synopsis |
WCCP_I_SEE_YOU messages contain a 'number of caches' field
which should be between 1 and 32. Values outside that range
may crash Squid if WCCP is enabled, and if an attacker can
spoof UDP packets with the WCCP router's IP address. |
severity |
Security issue |
date |
2005-01-12 17:21 |
bugzilla |
#1190 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-wccp_denial_of_service.patch |
workaround |
WCCP is disabled by default. Make sure WCCP is enabled only
if you are really using it.
Make sure that your next-hop router does not allow
spoofed source address packets onto the network
where Squid runs. |
synopsis |
A malicious gopher server may return a response with very
long lines that cause a buffer overflow in Squid. |
severity |
Security issue |
date |
2005-01-12 17:19 |
bugzilla |
#1189 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-gopher_html_parsing.patch |
workaround |
Since gopher is very obscure these days, do not allow
Squid to connect to any gopher servers. Use an ACL rule like:
acl Gopher proto gopher
http_access deny Gopher |
synopsis |
The NTLM fakeauth_auth helper has a memory leak that may
cause it to run out of memory under high load, or if it
runs for a very long time. Additionally, a malformed NTLM
type 3 message could cause a segmentation violation. |
severity |
Medium |
date |
2005-01-08 03:13 |
bugzilla |
#1183 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-fakeauth_auth.patch |
workaround |
The memory leak bug can be avoided by periodically restarting
Squid. |
synopsis |
Previously, when Squid was started it forcibly closed all filedescriptors
other than stdin/stdout/stderr. While this is a reasonable security precaution
to clean up filedescriptor leakage from the caller, it crashes some SSL libraries
and possibly other functions which open internal filedescriptors on startup or
while the configuration is parsed (syslog is a likely candidate).
The reasoning for removing this function from Squid is that if whoever starts
Squid has other filedescriptors open and does not close them, this is their problem,
not ours. |
severity |
Minor |
date |
2004-12-28 12:55 |
bugzilla |
#1177 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-close_other.patch |
workaround |
If you need earlier Squid versions to not forcibly close all filedescriptors
then start Squid in
foreground mode (-N) with catching of signals disabled (-C).
To regain closing of all filedescriptors on startup
after applying the patch, wrap Squid in a small wrapper binary which closes
all filedescriptors and then execs Squid. |
synopsis |
The meaning of the access controls becomes somewhat confusing if any
of the referenced acls is declared empty, without any members. |
severity |
Minor Security |
date |
2004-12-27 18:54 |
bugzilla |
#1166 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-empty_acls.patch |
workaround |
Pay attention to warnings from "squid -k parse" and do not use
configurations where there are warnings about access controls in
production. |
synopsis |
The cachemgr vm_objects operation occasionally causes Squid to
crash with a segmentation fault. |
severity |
Minor |
date |
2004-12-08 01:03 |
bugzilla |
#1149 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-cachemgr_vmobjects.patch |
synopsis |
httpd_accel_port 0 did not work unless httpd_accel_host virtual
was also specified. |
severity |
Minor |
date |
2004-12-08 00:47 |
bugzilla |
#1121 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-httpd_accel_vport.patch |
workaround |
enable httpd_accel_host virtual if you need the virtual port
support. |
synopsis |
This patch adds an access check to deny PURGE of internal objects,
to prevent the administrator from accidentally deleting the icons or other
internal objects. |
severity |
Minor |
date |
2004-12-08 00:00 |
bugzilla |
#1112 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-PURGE_internal.patch |
workaround |
Make sure your http_access rules do not allow PURGE of the internal
objects. |
synopsis |
In certain conditions Squid returns random data as error messages
in response to malformed host name, possibly leaking random internal
information which may come from other requests. |
severity |
Cosmetic / Minor Security issue |
date |
2004-12-07 23:45 |
bugzilla |
#1143 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-dothost.patch |
synopsis |
In certain malformed blank HTTP responses Squid fails to properly
close the client connection, causing a significant delay to the client |
severity |
Minor |
date |
2004-11-07 23:37 |
bugzilla |
#1116 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-blank_response.patch |
workaround |
client_persistent_connections off |
synopsis |
O_NONBLOCK on disk files is not standardized, and results may be unexpected.
Linux now starts to add O_NONBLOCK support on disk files but the implementation is
far from complete yet and this bites Squid. |
severity |
Minor |
date |
2004-11-06 21:42 |
bugzilla |
#1102 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-non_blocking_disk.patch |
synopsis |
If a helper was busy at the time of helper shutdown (-k rotate/reconfigure)
then Squid could forget to shut down the helper and continue using it. |
severity |
Minor |
date |
2004-11-06 15:28 |
bugzilla |
#1118 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-helper_shutdown.patch |
synopsis |
The implementation of the new req_header and resp_header acls was not
complete, causing Squid to crash with a segmentation fault if one
attempted to configure these. In addition the configuration dump
on mgr:config showed incomplete data |
severity |
Minor |
date |
2004-10-20 23:23 |
bugzilla |
#961 |
versions |
Squid-2.5.STABLE7 |
platforms |
All |
patch |
squid-2.5.STABLE7_req_resp_header.patch |
synopsis |
Since some time back the LDAP helpers have a -v option to specify
the LDAP protocol version, but this never got documented in the
manpage. |
severity |
Cosmetic |
date |
2004-10-19 10:09 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE7-LDAP_version_documentation.patch |
synopsis |
Squid enters a 100% CPU usage condition when encountering half-closed
PUT/POST requests. The situation persists until either the request times
out, or Squid succeeds in forwarding the request data to the server.
Apart from the 100% CPU usage there are no other ill effects of this bug,
and Squid continues processing requests like normal. |
severity |
Minor |
date |
2004-10-14 22:48 |
bugzilla |
#354, #1096 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE7-half_closed_POST.patch |
workaround |
half_closed_clients off |
Patches released after the 2.5.STABLE6 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
If a certain malformed SNMP request is received Squid restarts
with a Segmentation Fault error. |
severity |
Security issue |
date |
2004-09-29 21:23 |
bugzilla |
CAN-2004-0918 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-SNMP_core_dump.patch |
workaround |
SNMP support is by default not compiled into the binary. If your binary is
built with SNMP support you can temporarily disable the SNMP support by entering
"snmp_port 0" into squid.conf. |
synopsis |
By default Squid-2.5.STABLE6 and earlier allow memory pools to grow
without bounds and never reclaims memory to the OS. This patch
adds a default limit of 5 MB unused memory. |
severity |
Minor |
date |
2004-10-08 17:46 |
bugzilla |
#1095 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-memory_pools_limit.patch |
workaround |
memory_pools_limit 5 MB |
synopsis |
It is suspected there may be an instability on aborted POST/PUT
requests in certain conditions. This patch restructures and
strengthens the way Squid processes request entities of POST/PUT
requests. |
severity |
Medium |
date |
2004-10-07 17:04 |
bugzilla |
#1089 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-aborted_POST.patch |
synopsis |
Squid behaves somewhat oddly if the server returns large HTTP headers.
This patch increases the header size Squid is capable of fully understanding
from 4KB to a new configurable reply_header_max_size parameter with default
of 20KB |
severity |
Medium |
date |
2004-10-05 21:38 |
bugzilla |
#874 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-reply_header_max_size.patch |
synopsis |
When using the CARP peer selection algorithm (not enabled by default)
Squid ignores the cache_peer_domain/cache_peer_access directives. |
severity |
Minor |
date |
2004-09-30 09:28 |
bugzilla |
#1033 |
versions |
Squid-2.5 and earlier |
platforms |
All |
configuration |
CARP enabled Squids only (--enable-carp configure option) |
patch |
squid-2.5.STABLE6-CARP-cache_peer_access.patch |
workaround |
Do not build Squid with the CARP peer selection algorithm |
synopsis |
This patch adds a new balance_on_multiple_ip squid.conf directive
which can be used to work around certain broken load balancing setups.
In addition it optimizes the DNS usage on reload requests and speeds
up recovery when encountering non-responding servers. |
severity |
Minor |
date |
2004-09-27 18:23 |
bugzilla |
#1058 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-balance_on_multiple_ip.patch |
synopsis |
The way Squid dealt with aborted CONNECT requests was sub-optimal
and could in some rare situations end up in a race window. |
severity |
Minor |
date |
2004-09-27 18:10 |
bugzilla |
#859 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-CONNECT.patch |
synopsis |
In certain specific installations it may be desirable to install Squid
using transformed program names using the --program-prefix/suffix configure
options. |
severity |
Cosmetic |
date |
2004-09-25 21:42 |
bugzilla |
#1019 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-program-prefix.patch |
synopsis |
Correct the documentation of the caseinsensitive basic auth option
and include it in cachemgr config dumps |
severity |
Cosmetic |
bugzilla |
#431 |
versions |
Squid-2.5.STABLE6 + case insensitive patch |
platforms |
All |
synopsis |
ncsa_auth is sensitive to the line ending format of the password
file and may fail to verify the passwords if the password file
is transferred between UNIX and Windows. |
severity |
Cosmetic |
date |
2004-09-25 20:57 |
bugzilla |
#1078 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-ncsa_auth_lineendings.patch |
workaround |
Make sure the password file is transferred in ASCII format when
moving it between systems. |
synopsis |
This patch adds support for access controls on arbitrary HTTP
headers. http_header_access & replace are extended to support
arbitrary HTTP headers, not only well known headers, and
adds two new acl types req_header and resp_header to match
content of arbitrary HTTP headers, useful for blocking certain
types of malware/spyware. |
severity |
Medium |
date |
2004-09-25 12:00 |
bugzilla |
#961 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-arbitrary_headers.patch |
synopsis |
In certain misguided OS configurations where the default TCP
window sizes have been tuned very large Squid could fail to run
properly, crashing on the first request with no message explaining
why. |
severity |
Minor |
date |
2004-09-26 21:22 |
bugzilla |
#1075 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-huge_tcp_windows.patch |
workaround |
Do not configure your OS with overly large TCP windows. The defaults
are usually good or at least not totally out of range. |
synopsis |
arp acls are supported on FreeBSD since Squid-2.5.STABLE6 but
configure still warned that it was not supported. |
severity |
Cosmetic |
date |
2004-10-10 02:38 |
bugzilla |
#1074 |
versions |
Squid-2.5 |
platforms |
FreeBSD |
patch |
squid-2.5.STABLE6-freebsd_arp_nowarning.patch |
workaround |
None needed, just ignore the warning. |
synopsis |
Squid does not recognise Content-Disposition header making it
impossible to use in http_header_access |
severity |
Minor |
date |
2004-09-01 13:59 |
bugzilla |
#961 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-Content-Disposition.patch |
synopsis |
Due to an internal error in httpHeaderNameById() configuration
dumps of http_header_* directives referring to Range or Request-Range
headers indicated the other header. |
severity |
Cosmetic |
date |
2004-09-01 13:09 |
bugzilla |
#1056 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-http_header_range.patch |
workaround |
Ignore the confusing cachemgr configuration dump output |
synopsis |
"acl time 01:00-02:00 03:00-04:00" is parsed as if only the last
time 03:00-04:00 was specified. |
severity |
Minor |
date |
2004-09-01 12:25 |
bugzilla |
#1060 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-acl_times.patch |
workaround |
Split the acl definition to use one time per line, all using the
same acl name. |
synopsis |
If the digest helper crashes or otherwise exits unexpectedly
Squid terminates with a segmentation fault. |
severity |
Minor |
date |
2004-08-28 22:46 |
bugzilla |
#1031 |
versions |
Squid-2.5 |
platforms |
All |
configuration |
Only if the digest authentication scheme is used (auth_param digest ...). |
patch |
squid-2.5.STABLE6-digest_crash.patch |
workaround |
If this problem plagues you a lot then you can temporarily disable the digest authentication scheme
by commenting out the "auth_param digest program .." configuration directive in your squid.conf. |
synopsis |
If a cache_dir or swap.state.clean file is not writeable then Squid
aborts with the above assertion error during "squid -k rotate", and
this before all log files have been rotated.
This patch makes this a soft error but clearly logged in cache.log,
giving the administrator a reasonable chance to clear up the error |
severity |
Minor |
date |
2004-08-25 21:11 |
bugzilla |
#1053 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-rotate_error.patch |
synopsis |
If challenge-reuse is enabled then NTLM authentication could
temporarily build up response cache information related to old
challenges until the user expires from the auth cache. This patch
discards old responses when the challenge becomes invalid (after
which it won't be used again). |
severity |
Minor |
date |
2004-08-25 20:30 |
bugzilla |
#910 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-ntlm_challengereuse_leak.patch |
synopsis |
The helper state was not properly freed between client
connections, causing a slow leak of memory for each challenge
issued with challenge reuse disabled. |
severity |
Medium |
date |
2004-08-25 20:30 |
bugzilla |
#994 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-ntlm_noreuse_leak.patch |
synopsis |
Certain malformed NTLMSSP packets could crash the NTLM helpers
provided by Squid. |
severity |
Major |
date |
2004-08-20 08:18 |
bugzilla |
#1045 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-ntlm_fetch_string.patch |
workaround |
Use ntlm_auth from Samba-3.X which is not affected by this issue, or disable
ntlm authentication by removing any "auth_param ntlm program ..." directives
from your squid.conf. |
synopsis |
The external_acl helper protocol format does not handle newlines
in the embedded data. This patch adds support for quoting of newlines
as \n and also adds support for URL encoding of the data instead of
quoting. URL encoding will be the default in Squid-3.0 as this is
a well known format and generally easier to deal with than the quoting
used in Squid-2.5. |
severity |
Minor |
date |
2004-08-14 21:07 |
bugzilla |
#1038 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-external_acl_newlines.patch |
workaround |
Generally no workaround is needed as the need for newlines in
external_acl helpers is very rare. |
synopsis |
cache_effective_user should gain the supplementary group memberships of
the specified user. This is required to be able to configure sane
permissions of several authentication backends such as pam_auth or winbind.
In addition cache_effective_group should not be ignored when not starting
Squid as root. If cache_effective_group is specified Squid should run
as this and only this group. |
severity |
Minor |
date |
2004-08-09 14:03 |
bugzilla |
#1021 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-initgroups.patch |
workaround |
Configure your system to only have Squid require a single effective
privileged group, or start Squid as a non-root user in which case
it preserves the same groups as the user starting Squid. When not
starting Squid as root make sure to not have any group permissions
your Squid should not have. |
synopsis |
A bug in the heap policy code in dealing with temporarily locked
objects could cause memory corruption, leading to segmentation
faults or other strange crashes. |
severity |
Medium |
date |
2004-08-05 20:33 |
bugzilla |
#1009 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-heap_segfault.patch |
workaround |
Use the default lru policy. |
synopsis |
Squid is supposed to leave unknown %X errorpage codes untouched but
accidentally HTML quoted them, causing %" to end up as %&quot; |
severity |
Cosmetic |
date |
2004-08-06 11:05 |
bugzilla |
#1030 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-errorpage_quote.patch |
workaround |
Use %% where you want a literal % in the resulting HTML code
in your error pages. This is the official syntax for % in Squid
error pages. Relying on currently undefined %X codes such as %"
to be preserved is not very reliable as new codes may be defined
in later versions. |
synopsis |
Several grammatical errors in the squid.conf.default documentation |
severity |
Cosmetic |
date |
2004-08-17 12:22 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-grammar.patch |
workaround |
Ignore the poor English |
synopsis |
A slight misunderstanding of the NTLM protocol caused Squid to sometimes truncate NTLM
authentication blobs, causing the login to consequently fail for some users/environments. |
severity |
Minor |
date |
2004-07-27 21:52 |
bugzilla |
#1016 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-ntlmtruncated.patch |
synopsis |
The client_db database was never cleaned from old entries causing
it to grow over time to eventually include every single IP address
ever accessing the proxy (allowed or not). This patch adds a slow
garbage collector throwing away old or otherwise uninteresting
entries from the client database. |
severity |
Minor |
date |
2004-12-20 15:27 |
bugzilla |
#833 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-client_db_gc.patch |
workaround |
If the proxy is publicly accessible on the http_port (even if
then denied by http_access) make sure to set "client_db off" in
squid.conf to disable the collection of per client-ip statistics.
Note: the max_ip acl requires per-client ip statistics. |
synopsis |
Most authentication backends are case insensitive on the user name, and
so should Squid be (with an option for case sensitive operation). This
affects primarily the max_user_ip acl, but also processing of log
files etc. |
severity |
Minor |
date |
2004-09-25 21:08 |
bugzilla |
#431 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-basic_auth_caseinsensitive-2.patch |
workaround |
Make sure your backend user database is case sensitive if you use
max_user_ip or similar constructs |
synopsis |
If the cache directory for some reason is not writeable
then Squid silently ignored the error until it no longer
could find any free file numbers. This patch adds a warning
in cache.log explaining the error. |
severity |
Cosmetic |
date |
2004-07-17 19:48 |
bugzilla |
#918 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE6-ufs_create_error.patch |
synopsis |
A slight misunderstanding of the HTTP RFC could cause Squid to
return stale information in response to a HEAD request. |
severity |
Cosmetic |
date |
2004-07-17 16:33 |
bugzilla |
#1012 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-HEAD.patch |
synopsis |
Partial hits on objects currently being retrieved result
in TCP_HIT, even when the requested data is not yet in
the cache. This patch logs these requests as TCP_MISS. |
severity |
Minor |
date |
2004-07-17 16:33 |
bugzilla |
#1001 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-partial_hit_is_miss.patch |
synopsis |
Squid accepted slightly larger request headers than set by the
request_header_max_size directive. |
severity |
Cosmetic |
date |
2004-07-17 16:33 |
bugzilla |
#899 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-request_header_max_size.patch |
synopsis |
This LDAP helper update corrects some errors in the documentation
and adds two new options to squid_ldap_auth to accommodate certain LDAP
directories with restrictions on how users may log in. |
severity |
Minor |
date |
2004-08-10 09:40 |
bugzilla |
#1018, #1032 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE6-ldap_helpers.patch |
synopsis |
In some configurations/environment the ufs store would refuse
caching of all files, always resulting in the above error message. |
severity |
Medium |
date |
2004-07-14 16:29 |
bugzilla |
#1011 |
versions |
Squid-2.5.STABLE6 |
platforms |
All |
patch |
squid-2.5.STABLE6-ufs_no_valid_dir.patch |
Patches released after the 2.5.STABLE5 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
Users may be able to generate long passwords that overflow a
buffer in the ntlm_auth helper. See also Squid Advisory 2004:2 |
severity |
Security issue |
date |
2004-06-18 17:39 |
versions |
Squid-2.5 up to STABLE5 |
platforms |
All |
patch |
squid-2.5.STABLE5-ntlm_auth_overflow.patch |
workaround |
Use the ntlm_auth helper that comes with the Samba-3 package instead.
If that is not an option, stop using the ntlm_auth helper until you've
upgraded to Squid-2.5.STABLE6. |
synopsis |
SASL2 uses a slightly different API and sasl_auth needs to be
adjusted slightly to work with both SASL1 and SASL2. |
severity |
Minor |
date |
2004-06-19 17:47 |
bugzilla |
#981 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE5-sasl_auth_SASL2.patch |
workaround |
Install SASL1 development libraries |
synopsis |
Under certain conditions Squid crashes with a "Segmentation Fault"
after the above warning message has been printed in cache.log. |
severity |
Major |
date |
2004-06-08 11:01 |
bugzilla |
#972 |
versions |
Squid-2.5.STABLE5 |
platforms |
All |
patch |
squid-2.5.STABLE5-proxy_abuse.patch |
synopsis |
Due to 2GB limitations of 32-bit CPUs long running CONNECT requests
could indicate a negative size in the access.log if more than 2GB
of data had been transferred.
This patch stops the counter at approximately 2GB, thereby
making sure very large CONNECT requests get logged as 2GB rather than
negative. |
severity |
Cosmetic |
date |
2004-06-07 21:25 |
bugzilla |
#941 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-CONNECT_log_size.patch |
synopsis |
Certain platforms require the use of va_copy to duplicate a va_list
variable. On these platforms memBufVPrintf would crash if it needed
to allocate memory. |
severity |
Medium |
date |
2004-06-06 15:40 |
bugzilla |
#753 |
versions |
Squid-2.5 and earlier |
platforms |
S390, maybe others |
patch |
squid-2.5.STABLE5-va_copy.patch |
synopsis |
msnt_auth basic authentication helper documentation update |
severity |
Cosmetic |
date |
2004-06-01 00:00 |
bugzilla |
#717 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-msnt_auth_doc.patch |
synopsis |
dns_servers should default to localhost if no resolv.conf |
severity |
Cosmetic |
date |
2004-05-31 23:37 |
bugzilla |
#991 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-dns_localhost.patch |
synopsis |
Certain third party tools misread the HTML DOCTYPE indicated
by Squid in FTP directory listings. |
severity |
Cosmetic |
date |
2004-05-31 23:37 |
bugzilla |
#969 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE5-ftp_html_doctype.patch |
synopsis |
One earlier workaround for other m88k based systems caused trouble
for OpenBSD where this workaround is not needed. |
severity |
Minor |
date |
2004-06-01 08:26 |
bugzilla |
#960 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-openbsd_m88k.patch |
synopsis |
To make it easier to correlate cache.log debug output to client
requests include the client address information when accepting
a new client connection. |
severity |
Cosmetic |
date |
2004-05-31 22:59 |
bugzilla |
#948 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-debug_client_ip.patch |
synopsis |
The cacheCurrentUnlinkRequests SNMP variable is a counter, not
a gauge. |
severity |
Minor |
date |
2004-05-31 22:43 |
bugzilla |
#946 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-cacheCurrentUnlinkRequests.patch |
workaround |
Force your SNMP collector to read the SNMP variable as a counter
even if Squid indicates it is a gauge. |
synopsis |
The ufs cache_dir type always indicated a load of 99.9% invalidating
the least-load cache_dir selection algorithm. This patch makes the
ufs cache_dir type return a load between 50% and 100% based on the
number of open filedescriptors. |
severity |
Minor |
date |
2004-05-31 22:08 |
bugzilla |
#676 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-least-load.patch |
workaround |
Use the round-robin algorithm instead |
synopsis |
Very large cache_mem values may cause the amount of memory cache
to be reported negatively in cache.log. |
severity |
Cosmetic |
date |
2004-05-31 21:32 |
bugzilla |
#570 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-large_cache_mem.patch |
workaround |
Make sure your cache_mem is specified smaller than 2 GB. |
synopsis |
The fix for bug #817 broke "range_offset_limit -1 KB" which is
documented as a method of allowing Squid to always fetch full
objects in response to range requests. |
severity |
Minor |
date |
2004-04-30 00:01 |
bugzilla |
#968 |
versions |
Squid-2.5.STABLE5 |
platforms |
All |
patch |
squid-2.5.STABLE5-range_offset_limit.patch |
workaround |
Specify a large object size (but not larger than 2000 MB) |
synopsis |
Negatively cached objects with a Vary header never match on
cache hits unless there is a positively cached object on the
same URL. |
severity |
Minor |
date |
2004-04-24 14:10 |
bugzilla |
#616 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-vary_negatively.patch |
synopsis |
Small spelling error in the Turkish ERR_DNS_FAIL error page |
severity |
Cosmetic |
date |
2004-04-20 12:38 |
bugzilla |
#950 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-turkish_ERR_DNS_FAIL.patch |
workaround |
None needed |
synopsis |
This patch clarifies the meaning of the ERR keyword in the
digest helper protocol. |
severity |
Cosmetic |
date |
2004-04-20 12:38 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-digest_ERR.patch |
workaround |
None needed |
synopsis |
A few spelling errors and the like in configure and squid.conf.default |
severity |
Cosmetic |
date |
2004-04-20 12:30 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-spelling.patch |
workaround |
Live with them. No negative impact. |
synopsis |
In certain rare conditions involving failed POST/PUT requests Squid
could abort with the above assertion failure. |
severity |
Medium |
date |
2004-04-18 23:46 |
bugzilla |
#943 |
versions |
Squid-2.5.STABLE5 |
platforms |
All |
patch |
squid-2.5.STABLE5-post_assert.patch |
synopsis |
If using Digest authentication then users can crash Squid with
a segmentation fault simply by entering a blank user name |
severity |
Major |
date |
2004-04-18 01:33 |
bugzilla |
#954 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-digest_blank.patch |
workaround |
Disable the use of Digest authentication in your squid.conf
(not enabled by default) |
synopsis |
Upon receiving truncated DNS replies Squid may abort with the above
assertion. |
severity |
Medium |
date |
2004-04-11 09:19 |
bugzilla |
#962 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-rfc1035NameUnpack.patch |
workaround |
Compile with --disable-internal-dns |
synopsis |
A minor typo in the Squid sources spotted by new versions of GCC |
severity |
Cosmetic |
date |
2004-04-06 14:12 |
bugzilla |
RedHat Bug 111254 |
versions |
Squid-2.5.STABLE5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-ntlm_warning.patch |
workaround |
Ignore the warning |
synopsis |
swap.log was renamed to swap.state very many versions ago, but squid.conf
documentation still referred to the old "swap.log" name. |
severity |
Cosmetic |
date |
2004-04-03 13:54 |
bugzilla |
#956 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-cache_swap_log.patch |
synopsis |
Squid should send a "504 Gateway Timeout" or "503 Service
Unavailable" if the requested server in the CONNECT request is not
reachable, not just close the connection. |
severity |
Minor |
date |
2004-03-29 10:02 |
bugzilla |
#495 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE5-CONNECT_timeout.patch |
synopsis |
%s in deny_info escaped the URL wrongly, applying both HTML and URL
escaping to the original URL |
severity |
Minor |
date |
2004-03-29 09:47 |
bugzilla |
#947 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE5-deny_info.patch |
workaround |
Decode &amp; etc. manually in the receiving application |
synopsis |
This patch is mostly intended for binary packagers who run
autoconf (or the bootstrap.sh) script while building Squid. Due
to a minor error in our distribution scripts configure.in still
indicated a -CVS version in the stable distribution. This was
not our intention. |
severity |
Cosmetic |
date |
2004-03-19 09:17 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE5-version.patch |
synopsis |
Due to a defiance in the poll() specification regarding POLL_HUP Squid
can end up in a temporary 100% CPU loop on half-closed connections. |
severity |
Minor |
date |
2004-03-19 09:12 |
versions |
Squid-2.5 and earlier |
platforms |
Linux-2.2 only |
patch |
squid-2.5.STABLE5-lin22_poll.patch |
workaround |
"half_closed_clients off" or --disable-poll configure option. |
synopsis |
Squid-2.5 ignores "Vary: *" headers, possibly returning unacceptable
cache hits if such header is present. |
severity |
Medium |
date |
2004-03-19 09:02 |
bugzilla |
#426 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE5-vary.patch |
synopsis |
On some systems finding the correct flags for compiling applications
using OpenSSL is somewhat tricky. Fortunately some of these systems
provide the pkg-config tool which can be used to query what the
OpenSSL package (and many others) require. This patch adds automatic
support for using pkg-config if available. |
severity |
Cosmetic |
date |
2004-03-12 10:13 |
bugzilla |
#940, #305 |
versions |
Squid-2.5 |
platforms |
All |
configuration |
--enable-ssl |
patch |
squid-2.5.STABLE5-pkgconfig.patch |
workaround |
On most systems no workaround is needed, but where needed you manually
need to edit src/Makefile after running configure to provide the correct
compiler flags for compiling applications using OpenSSL. |
synopsis |
The warning message when running out of helpers (redirectors,
authentication etc) was a little imprecise on the number of helpers
required. |
severity |
Cosmetic |
date |
2004-03-11 15:29 |
versions |
Squid-2.5.STABLE5 |
platforms |
All |
patch |
squid-2.5.STABLE5-helper_warning.patch |
synopsis |
squid_ldap_auth may be confused by the use of reserved characters
allowing the login name to be masqueraded in different manners possibly
allowing the user to partially bypass certain per-user restrictions
or confuse third party accounting packages.
Note that the user cannot bypass the login procedure as such. All
he can do is to make the login name look different than normal. There
are still full audit trails on who the user is etc.
The patch also adds and documents a -d flag to both squid_ldap_auth
and squid_ldap_group to allow for easier tracing of the operation
of these programs if results are not what is expected. |
severity |
Medium |
date |
2004-03-04 09:37 |
bugzilla |
#935 |
versions |
Squid-2.5 and earlier |
platforms |
All |
configuration |
configurations where squid_ldap_auth is used for authentication
using a search filter (-f option) and where squid_ldap_group is not
used to further restrict the valid usernames. |
patch |
squid-2.5.STABLE5-ldap.patch |
workaround |
Combine squid_ldap_auth with squid_ldap_group to only allow valid
logins who are members of a certain group, or alternatively use a
proxy_auth_regex acl to deny the use of any login using restricted
characters:
acl bad_login proxy_auth_regex [()\\*]
http_access deny bad_login |
synopsis |
If using ntlm authentication then Squid may randomly abort with
the above assertion failure if a request is aborted while Squid
waits for a response from the domain controller |
severity |
Major |
date |
2004-03-01 23:55 |
bugzilla |
#937 |
versions |
Squid-2.5.STABLE5 |
platforms |
All |
patch |
squid-2.5.STABLE5-ntlm_assert.patch |
workaround |
half_closed_connections on (the default) |
Patches released after the 2.5.STABLE4 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
This minor patch tries to address a possible race condition
causing the above error. |
severity |
Minor |
date |
2003-11-06 14:51 |
bugzilla |
#781 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-digest_refcount.patch |
synopsis |
Squid "unescapes" URLs when performing certain ACL checks. This
means, for example, that the URL http://junk%[email protected]/
becomes just "http://junk" for the url_regex ACLs. Thus,
it may not match ACL entries that it should match. |
severity |
Security issue |
versions |
Squid-2.5 and earlier |
platforms |
All |
workaround |
Avoid regex-based ACL checks or upgrade to the current version. |
synopsis |
A recently committed patch to aclCheckCleanup() duplicated
some lines and ends up calling authenticateAuthUserRequestUnlock()
twice, the second time with a NULL value. This bug only
happens if Squid is reconfigured while there is an outstanding
authentication transaction. |
severity |
Major |
date |
2004-02-28 14:09 |
bugzilla |
#933 |
versions |
2.5.STABLE4-CVS after 2004/02/24 |
platforms |
All |
patch |
squid-2.5.STABLE4-authenticateAuthUserRequestUnlock-assert.patch |
workaround |
None |
synopsis |
Mime types missing for .bz2 and several other file types, causing
slightly undesirable results when browsing ftp:// directories
(viewed in browser rather than downloaded).
The patch also makes sure the download icon is always shown to
make downloading more obvious |
severity |
Minor |
date |
2004-02-26 20:27 |
bugzilla |
#594 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-mime.patch |
synopsis |
Some software incorrectly uses ftp://anonymous@server for anonymous
FTP when the correct format is simply ftp://server. |
severity |
Cosmetic |
date |
2004-02-24 23:34 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-anonymous_ftp.patch |
workaround |
Use a redirector to remove anonymous@ from FTP URLs |
synopsis |
The authfixes patch was incomplete and could still cause failures
when using authentication outside of http_access. |
severity |
Medium |
date |
2004-02-24 18:46 |
bugzilla |
#872 |
versions |
Squid-2.5.STABLE4 with authfixes patch |
platforms |
All |
patch |
squid-2.5.STABLE4-authfixes3.patch |
synopsis |
There is a temporary auth_user_hash_pointer memory leak when using
NTLM authentication, causing a lot of auth_user_hash_pointer structures
to build up over time until the user expires from the auth cache
(authenticate_ttl parameter). This patch corrects the problem when
challenge reuses are disabled (the default). |
severity |
Minor |
date |
2004-02-19 13:30 |
bugzilla |
#910 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch |
workaround |
Set authenticate_ttl relatively short to have the memory reclaimed
in a reasonable time frame. |
synopsis |
If a request was aborted while Squid was waiting for the digest
helper to return the H(A1) value for the user Squid crashes with
a segmentation fault. |
severity |
Medium |
date |
2004-02-19 12:44 |
bugzilla |
#825 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-digest-abort.patch |
synopsis |
Some instabilities have been observed while using ntlm authentication
in reply_body_max_size. |
severity |
Medium |
date |
2004-02-18 18:59 |
bugzilla |
#872 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-reply_body_max_size.patch |
synopsis |
This patch fixes two more authentication related issues
- segfault in basic auth if request aborted while evaluating the credentials
- memory leak of clientHttpRequest if request aborted while evaluating the credentials |
severity |
Medium |
date |
2004-02-18 17:54 |
bugzilla |
#922 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-authfixes2.patch |
synopsis |
The deny_info directive fails to supply the configured error page
in case the request is denied by http_reply_access or miss_access. |
severity |
Minor |
date |
2004-02-18 13:48 |
bugzilla |
#926 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-deny_info_reply.patch |
workaround |
Deny access in http_access if you need to provide a custom error
message, or edit the default error messages accordingly. |
synopsis |
This patch fixes several authentication related issues
- miss_access and delay_access work with authentication again
- some fixes related to basic auth. These issues were probably
introduced by the recent ntlm patch. |
severity |
Medium |
date |
2004-02-18 18:53 |
bugzilla |
#922 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-authfixes.patch |
synopsis |
If the proxy or web server authentication options of squidclient
are used then the HTTP headers sent in the request are slightly
malformed and may confuse other non-Squid software which is not
as tolerant of HTTP format. |
severity |
Minor |
date |
2004-02-18 03:50 |
bugzilla |
#925 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-squidclient_auth.patch |
synopsis |
The miss_access directive limits internal and cachemgr requests
even if these requests are actually local and not really misses |
severity |
Minor |
date |
2004-02-18 03:50 |
bugzilla |
#924 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-miss_access_internal.patch |
workaround |
Allow internal and cachemgr requests in miss_access if these
would otherwise be denied |
synopsis |
helpers/ntlm_auth/SMB/ fails to compile on certain platforms,
failing on non-standard malloc.h header. |
severity |
Minor |
date |
2004-02-17 23:13 |
bugzilla |
#892 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-SMB_ntlm_auth.patch |
synopsis |
A minor syntax error in wbinfo_group.pl makes it fail to find
groups with Samba-3 |
severity |
Minor |
date |
2004-02-17 22:53 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-wbinfo_group.patch |
synopsis |
cache_peer_access, always_direct, never_direct and a number
of other acl driven directives fail with NTLM authentication |
severity |
Medium |
date |
2004-02-12 16:27 |
bugzilla |
#585, #592 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-cache_peer_access_ntlm.patch |
workaround |
Use Basic or Digest authentication |
synopsis |
The squid-2.5.STABLE4-connect_cleanup.patch was not entirely correct
and could cause memory corruption in certain situations involving
negative DNS replies (host not found etc) |
severity |
Major |
date |
2004-02-12 09:42 |
bugzilla |
#891 |
versions |
Squid-2.5.STABLE4-20031210 to 20040212 |
platforms |
All |
patch |
squid-2.5.STABLE4-ipcache_purge.patch |
synopsis |
The -S and -E options in squid_ldap_group v2.12 were mixed up,
making the options somewhat hard to use. |
severity |
Minor |
date |
2004-02-09 17:10 |
bugzilla |
#911 |
versions |
Squid-2.5.STABLE4 + ldap_group 2.12 patch |
platforms |
All |
patch |
squid-2.5.STABLE4-ldap_group-S.patch |
workaround |
Specify -E instead of -S. |
synopsis |
When using NTLM authentication random auth popups and account
lockouts may be experienced. |
severity |
Medium |
date |
2004-02-11 22:12 |
bugzilla |
#908 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-ntlm_auth_popups.patch |
workaround |
It may help to configure a lot of NTLM helpers but this is
not verified. |
synopsis |
Squid forgot to escape IAC characters (ascii code 255) in FTP
requests, causing problems to access files/directories using
this character in their name or to log in with this character
in the login or password. |
severity |
Minor |
date |
2004-02-03 14:38 |
bugzilla |
#877 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-ftp_telnet.patch |
workaround |
Double any such characters in the input to Squid. (%ff%ff
instead of %ff) |
synopsis |
If a proxy_auth acl is incorrectly defined with no members
then any http_access rules using this acl will give unpredictable
results depending on the results of earlier acl lookups.
This patch corrects both the reason why acl lookups became
unpredictable and makes Squid reject such incorrect acl definitions. |
severity |
Medium |
date |
2004-01-15 07:44 |
bugzilla |
#893 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-empty_proxy_auth.patch |
workaround |
Make sure your proxy_auth acls are correctly defined. If the acl
should not match any users then don't declare the acl at all. |
synopsis |
This patch adds a new detect_broken_pconn squid.conf directive allowing
you to enable a workaround for certain broken HTTP servers (reportedly IIS-5)
which incorrectly signal the use of persistent connections even if the reply
is not compatible with persistent connections. It also corrects some minor
HTTP issues to make the Squid proxy more semantically transparent. |
severity |
Minor |
date |
2004-01-30 23:11 |
bugzilla |
#890 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-http_workarounds.patch |
synopsis |
If the request to squid_ldap_group (login name + all group names)
exceeds 256 characters then group lookups fail or behave erratically. |
severity |
Minor |
date |
2004-01-08 19:54 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-ldap_group_bufsize.patch |
workaround |
Define multiple ACLs instead of listing many groups in the same ACL |
synopsis |
The TLS mode of the LDAP helpers did not work and always reported
"TLS Connection failed" |
severity |
Minor |
date |
2004-01-05 12:08 |
bugzilla |
#887 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-ldap_tls.patch |
workaround |
Use the ldaps:// URI method instead, if your LDAP server supports it. |
synopsis |
Under certain conditions incomplete objects may appear stuck in
the cache, not even reload giving a new fresh copy. |
severity |
Major |
date |
2003-12-23 01:10 |
bugzilla |
#876 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-partial_reload.patch |
workaround |
Compiling squid with --disable-http-violations completely avoids
the issue. Setting "half_closed_clients off" and making
quick_abort as aggressively aborting as possible by
"quick_abort_min 0 KB" and "quick_abort_max 0 KB" mostly
hides the problem. |
synopsis |
In Squids built with --enable-icmp the pinger helper may exit
with the above assertion failure if Squid receives a request with
a very long host name. |
severity |
Minor |
date |
2003-12-23 01:01 |
bugzilla |
#835 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-pinger.patch |
workaround |
Don't build squid with --enable-icmp. This is generally recommended
anyway unless you are absolutely sure you want to ICMP PING random
sites all over the Internet to measure RTT information even if this
may trigger IDS systems etc. |
synopsis |
Redirects initiated by redirector helpers were logged as TCP_MISS/000
instead of the expected TCP_MISS/302. This patch corrects this and
should also correct log_mime_hdrs output for the same. |
severity |
Minor |
date |
2003-12-21 16:53 |
bugzilla |
#869 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-redirlog.patch |
synopsis |
In a current version there is a problem. The absence of "yo" letter.
("e" with 2 dots ). People prefer to write "E" instead "yo", that is
not quite correct, like "How r u" instead "How are you?" |
severity |
Cosmetic |
date |
2003-12-21 15:22 |
bugzilla |
#864 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-russian.patch |
synopsis |
This is not a fix for a Squid bug. It is a new feature to work around
an MSIE6 bug that uses control characters to obfuscate the true
origin server hostname. You can use the 'urllogin' acl TYPE to
deny HTTP requests that contain certain characters in the URL login
field. |
severity |
Medium |
date |
2003-12-19 16:41 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-urllogin_acl.patch |
workaround |
Patch MSIE6, if/when the patch becomes available. |
synopsis |
Squid would not process hostnames longer than 128 characters.
This affects few hosts on the internet, but with the growing use
of iDNA it's becoming an issue. |
severity |
Minor |
date |
2003-12-18 01:41 |
bugzilla |
#842 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-dns_namelength.patch |
workaround |
None. |
synopsis |
Contrary to the documentation "pid_filename none" is not accepted
and Squid refuses to start. |
severity |
Minor |
date |
2003-12-17 21:12 |
bugzilla |
#868 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-pid_filename_none.patch |
synopsis |
Due to an accounting mismatch in the number of open connections
to peers the cache_peer max-conn=.. option does not work. This issue
is also seen as very high numbers in the OPEN CONN peer statistics
via cachemgr. |
severity |
Minor |
date |
2003-12-20 20:10 |
bugzilla |
#867 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-cache_peer_maxconn.patch |
synopsis |
Persistent server connections are reused in a round-robin fashion which
may cause the number of connections to stay artificially high after a sudden
burst of requests.
This patch changes persistent connection management to use a LIFO order
reusing the most recently used connection first, thereby allowing unneeded
connections to close down by idle timeout. |
severity |
Minor |
date |
2003-12-15 23:44 |
bugzilla |
#865 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-pconn-lifo.patch |
workaround |
This usually is not a significant problem, but if you are plagued by this
you can try disabling server-side persistent connections in squid.conf. |
synopsis |
redirector_access was a "fast" acl lookup and did not handle
"slow" acls requiring external lookups such as dst or external
correctly |
severity |
Minor |
date |
2003-12-14 13:43 |
bugzilla |
#860 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-redirector_access.patch |
synopsis |
The URL syntax used by Squid for FTP/Gopher icons is needlessly
complex and often causes problems.
This patch adds a "short_icon_urls" directive which can be used
to enable a less complex URL syntax for icons. |
severity |
Cosmetic |
date |
2003-12-14 13:36 |
bugzilla |
#856 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-icon_urls.patch |
synopsis |
Under high usage a lot of filedescriptors may be idle persistent
connections, causing a shortage of filedescriptors for handling
new requests. |
severity |
Minor |
date |
2003-12-14 12:38 |
bugzilla |
#571 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-pconn-load.patch |
workaround |
Disable the use of persistent connections in squid.conf. But please
note that disabling persistent connections will cause a networking
performance penalty unless you are actually short on filedescriptors.
Alternatively rebuild Squid with support for more filedescriptors. |
synopsis |
If a FTP PUT request is aborted while Squid is writing data to
the server then Squid may abort with a segmentation fault. |
severity |
Major |
date |
2003-12-14 12:25 |
bugzilla |
#853 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-ftp_put.patch |
workaround |
If this plagues you a lot then you can deny the use of FTP PUT
until the server can be patched. But please note that this will
limit the functionality of the proxy by not allowing FTP uploads
via the proxy.
acl FTP protocol FTP
acl PUT method PUT
http_access deny FTP PUT |
synopsis |
If responses to POST or other non-idempotent requests allow the
connection to be kept persistently open then this can lead to
an increased connection usage by Squid. This patch changes the
behaviour to keep the number of connections stable by closing
a persistent connection before opening the new connection. |
severity |
Minor |
date |
2003-12-13 16:57 |
bugzilla |
#862 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-pconn_post.patch |
workaround |
Disable server-side persistent connections by setting
"server_persistent_connections off" in squid.conf. |
synopsis |
Several minor errors related to how Squid finds a connection
where to forward requests. This patch
- Corrects DNS retransmission rate to decay like documented to avoid
flooding the DNS server with the same query.
- Adds a new configuration parameter "forward_timeout" to control how
long Squid tries to find a path where to forward the
request before giving up. Defaults to 2 minutes.
- The default connect_timeout tuned down from 2 minutes to 1 minute to
allow for two attempts to find a suitable path within the forward_timeout
- fqdncache/ipcache restructured to allow for DNS code to allow the
queried name to be logged in cache.log on errors.
- negative_dns_ttl now overloaded to also specify the minimum ttl used
when caching DNS responses, and tuned down from 5 minutes to 1 minute.
- default dns_timeout tuned down from 5 minutes to 2 minutes
- some minor compilation warnings on --disable-internal-dns corrected
- properly report DNS timeouts as timeouts and not just "No DNS records"
|
severity |
Minor |
date |
2003-12-09 21:52 |
bugzilla |
#848, #849, #851 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-connect_cleanup.patch |
synopsis |
FQDN lookups sometimes give garbage after the result. This can be seen
as junk in access.log when using log_fqdn or false access control results
when using dstdomain acl type and the user requests a URL by IP address. |
severity |
Minor |
date |
2003-12-04 10:16 |
bugzilla |
#846, #834, #433 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-fqdn.patch |
workaround |
Don't use log_fqdn or alternatively compile Squid with --disable-internal-dns |
synopsis |
If the contacted server refuses connection then the repeated attempts
to connect to the server may look like a syn flood attack. This patch
makes Squid behave a little friendlier in such a case and
* Delays a little between the repeated attempts. Longer if the attempt was to
an origin server.
* Limits origin server attempts to 3 connection setup attempts or 2 request
forwarding attempts (was 10 on both which only makes sense in peering
relations)
* Changes the default for maximum_single_addr_tries to 1 as there is plenty of
reforwarding attempts done by Squid and at least 3 attempts to initiate the
request which makes this directive redundant.
* removes a redundant lock from commConnect*() (cbdata managed)
* Adds a small delay to commConnect() reconnection attempts when the contacted
destination has more than one IP address or maximum_single_addr_tries is used.
* Small cleanup in how/when digest considers a peer usable to not disturb the
peer probing.
* Cleanup of peer TCP probing to correct timeout management etc and to more
promptly recover after a failure. |
severity |
Minor |
date |
2003-11-29 18:58 |
bugzilla |
#14 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-synflood.patch |
synopsis |
On certain linux versions --enable-arp-acl may give a warning
in net/route.h that this file is not meant to be used outside the kernel. |
severity |
Cosmetic |
date |
2003-11-29 09:04 |
bugzilla |
#729 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-netroute.patch |
workaround |
Don't use --enable-arp-acl or ignore the warning. The use of MAC based
acls is overrated anyway and does not give any added security compared
to IP based acls. |
synopsis |
If a gopher server returns an empty response then Squid may render
incorrect HTML in the gopher menu representation. In addition a
PRE endtag was often missing from gopher menus. |
severity |
Cosmetic |
date |
2003-11-29 08:43 |
bugzilla |
#690 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-gopherhtml.patch |
synopsis |
The positive_dns_ttl directive is not used by the internal dns
client (the default). This patch changes it to at least be used
as an upper limit on how long DNS data may be cached. |
severity |
Cosmetic |
date |
2003-11-28 19:41 |
bugzilla |
#799 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-positive_dns_ttl.patch |
synopsis |
This patch updates squid_ldap_group to the latest version, adding
support for ldaps://, corrected documentation, and allows specifying
the bind password via a file rather than on the command line for
increased security against local users on the proxy. |
severity |
Cosmetic |
date |
2003-11-21 17:14 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-squid_ldap_group.patch |
synopsis |
If Squid is configured using external acls and a single http_access
line uses an authentication related acl after an external ACL
not using authentication then the authentication lookup gets stuck
continuously querying the helper until the request is aborted. |
severity |
Medium |
date |
2003-11-19 16:58 |
bugzilla |
#824 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-extacl_auth_loop.patch |
synopsis |
Squid fails to detect invalid size based configurations where
the size is too large to fit in the internal variable. This patch
makes Squid detect many such cases and tell you when the
configuration is out of range. |
severity |
Cosmetic |
date |
2003-11-06 16:59 |
bugzilla |
#817 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-size_overflow.patch |
workaround |
Specify sane values in your configuration |
synopsis |
Mozilla/Netscape uses a custom mime type for plugins, and as this
is not known to Squid installation of such plugins using FTP fails. |
severity |
Cosmetic |
date |
2003-11-06 16:36 |
bugzilla |
#812 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-xpi_mime.patch |
workaround |
Define the application/x-xpinstall mime type for .xpi files in mime.conf |
synopsis |
If Squid fails to load an error page (builtin or deny_info defined)
then it segfaults instead of aborting with a "FATAL Error" message. |
severity |
Cosmetic |
date |
2003-11-06 16:36 |
bugzilla |
#806 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-error_load_text.patch |
synopsis |
The German ERR_DNS_FAIL error message was missing a headline.
Major update of Lithuanian error pages, including addition of
several previously missing error messages which made the
translation more or less useless in Squid-2.5. |
severity |
Cosmetic |
date |
2004-02-12 17:45 |
bugzilla |
#795, #803 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-errorpages.patch |
synopsis |
The auth_param documentation was unclear on default values etc.
This patch makes sure the example auth_param lines after each
parameter documentation has the default value.
This patch also adds a default "realm" value. |
severity |
Cosmetic |
date |
2003-11-06 14:58 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4_auth_param_doc.patch |
synopsis |
The patch changes pam_auth to not use persistent PAM connections
by default. The use of persistent PAM connections is slightly
outside the PAM specifications and may fail in certain PAM
configurations.
It also adds support for clearing the new PAM_AUTHTOK item
to hopefully allow the use of persistent PAM connections on
Solaris. |
severity |
Minor |
date |
2003-11-05 18:16 |
versions |
Squid-2.5.STABLE4 and earlier |
platforms |
All |
patch |
pam_auth-2.2.patch |
workaround |
Use the one-shot mode of the helper (-1 command line flag) |
synopsis |
When using the internal DNS client fqdncache (ip->name) does
not negatively cache lookup failures. |
severity |
Minor |
date |
2003-10-11 22:39 |
bugzilla |
#791 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-fqdnnegcache.patch |
workaround |
Ignore the minor issue, or compile Squid with --disable-internal-dns |
synopsis |
If authentication or ident gives a login name containing a space
character then redirector helpers trying to read the username or
request method field will be confused by this.
This patch URL-encodes the login name making sure the helpers
always know how to parse the data sent by Squid. |
severity |
Minor |
date |
2003-09-24 01:09 |
bugzilla |
#789 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-redirect_login_space.patch |
workaround |
Don't use space characters in your login names |
synopsis |
If using digest authentication then Squid does not detect password
changes. |
severity |
Minor |
date |
2003-09-23 16:09 |
bugzilla |
#787 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE4-digest_auth_pwchange.patch |
workaround |
Restart Squid after modifying digest passwords |
synopsis |
The cache.log message on "squid -k reconfigure" claimed Squid
restarted, when in reality it just reconfigures itself.
This patch changes the message to say Reconfiguring. |
severity |
Cosmetic |
date |
2003-09-19 06:40 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE4-reconfigure_message.patch |
Patches released after the 2.5.STABLE3 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
This patch corrects two minor issues. a) Properly detect if too
many helpers crash when only using a single helper. b) Automatically
start new helpers instead of restarting the whole Squid unless the
helpers are crashing too rapidly (30 seconds or less) |
severity |
Minor |
date |
2003-09-12 20:35 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-helper_crash.patch |
workaround |
Use at least 2 helpers, and live with the fact that Squid will
restart if more than 50% of your helpers crash |
synopsis |
The winbind helpers complain with a "fgets failed" error in cache.log each
time the helpers are restarted. The helpers also fail to start if winbind has
not yet fully finished its startup procedure. |
severity |
Minor |
date |
2003-09-12 10:18 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-winbind.patch |
workaround |
Ignore the error in cache.log, and make sure winbind has started fully before
you start Squid. |
synopsis |
To lessen confusion in later upgrades to Squid-3 the external_acl_type
concurrency= option has been renamed to children= to match Squid-3
usage. This is done because concurrency= has a completely different
meaning in squid-3. Squid-2.5 still accepts the old syntax to keep
compatibility within the Squid-2.5 release, but it is recommended
to start using the new syntax unless you need to be able to easily
downgrade to an earlier Squid-2.5 release. |
severity |
Cosmetic |
date |
2003-09-02 07:55 |
versions |
Squid-2.5.STABLE3 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-external_acl_children.patch |
workaround |
Make sure to read the Squid-3 release notes very carefully when
upgrading. |
synopsis |
If proxy_auth acl type is used in delay_access then Squid may abort
with an assertion error or segmentation fault.
Notice: This patch may change some error conditions to be logged with
TCP_DENIED rather than TCP_MISS. |
severity |
Medium |
date |
2003-09-01 20:45 |
bugzilla |
#638, #756 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-delay_access_auth.patch |
workaround |
Don't use proxy_auth acl types in delay_access |
synopsis |
In configurations where authentication is enforced in http_access
and then reused in http_reply_access to further control access
levels Squid may segfault if the ntlm authentication scheme is used. |
severity |
Medium |
date |
2003-09-01 20:13 |
bugzilla |
#763 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-http_reply_access_denied.patch |
workaround |
Don't use proxy_type acls in http_reply_access or disable the
use of the ntlm authentication scheme (disabled by default) |
synopsis |
delay_access can disturb Squid's logic on when to request a new
login from the user. Most notably if delay_access ends up in
a proxy_auth acl then any access denials will require a new login
but the opposite may also happen. |
severity |
Medium |
date |
2003-08-31 09:42 |
bugzilla |
#742 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-auth_delay_pools.patch |
workaround |
make sure delay_access always ends up in the same class of ACL as
http_access does on the same request. |
synopsis |
Large POST/PUT requests may fail with a "Connection reset" error
in the browser in situations where Squid immediately responds with
an error page. This is most notable when using NTLM authentication
but may also occur in a few other situations |
severity |
Medium |
date |
2003-08-28 22:00 |
bugzilla |
#267, #757 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-POST-error.patch |
workaround |
Allow POST/PUT without requiring authentication if you are using NTLM
authentication. |
synopsis |
ncsa_auth just exits if it cannot read the supplied password file,
instead of reporting an error. |
severity |
Minor |
date |
2003-08-20 12:58 |
bugzilla |
#733 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-ncsa_auth_passwdfile.patch |
workaround |
If ncsa_auth exits for no apparent reason, verify that the given
ncsa password file is readable by the cache_effective_user. |
synopsis |
The patch for Bug #92 (squid-2.5.STABLE3-mem_cfd.patch) broke
the forwarded_for directive. |
severity |
Minor |
date |
2003-08-18 17:29 |
bugzilla |
#750 |
versions |
Squid-2.5.STABLE3 snapshots 2003-08-07 to 2003-08-18 |
platforms |
All |
patch |
squid-2.5.STABLE3-forwarded_for.patch |
workaround |
Use anonymization via http_header_access to delete the X-Forwarded-For
header from forwarded requests. This is probably preferred in any case. |
synopsis |
The algorithm that calculates the timeout for a set of ICP
queries ignores multicast neighbors. It also ignores the
expected number of replies because "*exprep" is always set
equal to parent_exprep + sibling_exprep. |
severity |
Minor |
date |
2003-08-13 00:31 |
bugzilla |
#736 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-multicast-ICP-timeout.patch |
workaround |
Don't use multicast ICP. |
synopsis |
Squid is supposed to log the username in access.log on unsuccessful
authentication, but it does not. |
severity |
Minor |
date |
2003-08-10 19:01 |
bugzilla |
#663 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-407_user_name.patch |
synopsis |
The Digest auth update in Squid-2.5.STABLE3 caused a slight
portability problem to platforms where struct in_addr is defined
"differently". If you find that auth/digest_auth.c fails to compile
in 2.5.STABLE3 but works in Squid-2.5.STABLE2 or earlier then you
may need this patch. |
severity |
Cosmetic |
date |
2003-08-10 07:39 |
versions |
Squid-2.5.STABLE3 |
platforms |
MinGW, maybe a few others |
patch |
squid-2.5.STABLE3-digest_compile.patch |
synopsis |
The automatic calculation of the number of threads and queue limits
based on the number of cache directories got the calculation slightly wrong. |
severity |
Minor |
date |
2003-08-06 14:21 |
bugzilla |
#732 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-aufs_threads.patch |
workaround |
Manually specify the number of threads to configure |
synopsis |
If aufs fails to open files in the cache_dir which should be there
then Squid may crash with the above assertion failure. |
severity |
Medium |
date |
2003-08-06 14:21 |
bugzilla |
#716 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-aufs_open_fail.patch |
workaround |
Do not manually delete files from an aufs cache_dir |
synopsis |
In certain infrequent situations involving aborted requests
Squid could crash with the above assertion |
severity |
Medium |
date |
2003-08-06 13:56 |
bugzilla |
#92 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-mem_cfd.patch |
synopsis |
More improvements to make COSS more useable and reliable.
Fixed off_t/int comparison bug that caused Squid to think
it hit the end of the disk much sooner than it should have.
Use blocking I/O, instead of aborting when aio calls fail.
Another bug caused Squid to not write the last byte of
each COSS stripe. Added statistics and a cachemgr page. |
severity |
Minor |
versions |
Squid-2.5 and earlier |
platforms |
All |
workaround |
Don't use COSS |
synopsis |
A blank username is logged as a blank space which may confuse
log file parsers. This patch will replace blank usernames with
a dash (-). |
severity |
Minor |
date |
2003-07-28 09:16 |
bugzilla |
#721 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-blank-username-log.patch |
workaround |
Rework parsing scripts to "guess" whether the username is there or not. |
synopsis |
Improvements to make COSS more useable and reliable. Added
block-size option to 'cache_dir' line and fixed lockcount
(memory leak) bug. |
severity |
Minor |
date |
2003-07-29 22:29 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-coss-improvements-2.patch |
workaround |
Don't use COSS |
synopsis |
The statCounter.syscalls.disk are handled differently in
some cases. For example, they are not incremented by AUFS
(except for writes which are handled by file_write()).
Also, requests given to unlinkd do not increment the
syscalls.disk.unlinks value. |
severity |
Cosmetic |
date |
2003-07-22 15:39 |
bugzilla |
#715 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-syscalls.disk-counters.patch |
synopsis |
In storeDirSelectSwapDirRoundRobin(), there is a loop
variable (i), which is different than the static directory
number (dirn). Instead of checking the cache_dir corresponding
to the loop variable, it should check the directory number. |
severity |
Minor |
date |
2003-07-17 15:46 |
bugzilla |
#710 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-round_robin_max_size.patch |
workaround |
Don't use round-robin, or don't use max-size cache_dir option. |
synopsis |
When Squid fails to receive a cache digest from a neighbor,
it may trigger an assertion on the second attempt. This
is probably an old bug, recently brought to light due to
changes elsewhere. |
severity |
Major |
date |
2003-07-16 20:30 |
bugzilla |
#709 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-peer_digest_not_found_assertion.patch |
workaround |
Add the 'no-digest' option to your cache_peer line. |
synopsis |
Due to a data connection management error Squid can become very
unstable after the above error message. |
severity |
Major |
date |
2003-07-16 13:49 |
bugzilla |
#700, #681, #684 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-SENT_PASV.patch |
synopsis |
When using http_reply_access, requests that are denied look
just like requests that are allowed in access.log. In other
words, they are logged with TCP_HIT, TCP_MISS, etc.
This patch causes them to be logged with TCP_DENIED.
You can still differentiate requests denied by http_access
and http_reply_access by looking at the "hierarchy" field.
For http_reply_access denied requests, it will contain
the origin server or neighbor cache hostname/address. |
severity |
Minor |
date |
2003-07-15 21:39 |
bugzilla |
#686 |
versions |
Squid-2.5.STABLE3 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-http_reply_access-denied.patch |
synopsis |
The ie_refresh option may be used to allow for Squid to act on
the reload button of MSIE 5.x browsers in transparent proxy setups,
however a slight oversight in the implementation caused the option
to not be as effective as intended if there are parent caches involved. |
severity |
Minor |
date |
2003-07-15 20:45 |
bugzilla |
#708 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-ie_refresh.patch |
workaround |
Configure your browser to use the proxy and forget about this mess |
synopsis |
Squid leaks 4KB of memory on each request denied by reply_body_max_size
ultimately leading to crash of Squid when it runs out of memory |
severity |
Medium |
date |
2003-07-11 23:23 |
bugzilla |
#704 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-reply_body_max_size.patch |
workaround |
Don't use reply_body_max_size |
synopsis |
Some firewalls or servers get confused if the Host header is too
far into the headers. To prevent these from failing on requests
forwarded via Squid make Squid forward the Host header exactly
where it was in the original request. |
severity |
Medium |
date |
2003-07-11 22:46 |
bugzilla |
#699 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-hostheader.patch |
synopsis |
If deny_info TCP_RESET is used then Squid leaks 4K of memory
on each request denied with a TCP_RESET. |
severity |
Medium |
date |
2003-07-09 22:01 |
bugzilla |
#705 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-tcp_reset_leak.patch |
workaround |
Don't use deny_info TCP_RESET |
synopsis |
This patch removes the unused minimum_retry_timeout squid.conf
parameter. This variable has not been used for some time it seems. |
severity |
Cosmetic |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-minimum_retry_timeout.patch |
synopsis |
cacheMesh.cachePeerTable.cachePeerEntry.cachePeerPingsSent and
cachePeerPingsAcked to match the MIB. Was ASN_INTEGER, is now
SMI_COUNTER32. |
severity |
Minor |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-cachePeerPingsSentsnmp.patch |
synopsis |
Put checks for 'release_request' and 'wrong_content_length' before
'not_entry_cachable'. The first two are always zero because they
also always have the ENTRY_CACHABLE bit cleared. |
severity |
Cosmetic |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-store_check_cachable_stats.patch |
synopsis |
parseEtcHosts() does not handle comments in the middle of a line |
severity |
Minor |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-hostscomments.patch |
synopsis |
Use sbrk() for high_memory_warning check on platforms where
neither mallinfo() nor mstats() are available. |
severity |
Minor |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 and earlier |
patch |
squid-2.5.STABLE3-memwarnsbrk.patch |
synopsis |
Section 3.3 of
draft-vinod-carp-v1-03.txt says:
The Load Factor Multiplier must be calculated from the smallest
P_k to the largest P_k. The sum of all P_k's must be 1. |
severity |
Minor |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-carpfactor.patch |
synopsis |
GCC-3.3 gets slightly confused by the Squid code and gives a few
mostly false warnings regarding type-punning. |
severity |
Cosmetic |
date |
2003-07-07 08:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-gcc-3_3.patch |
workaround |
Ignore the warnings |
synopsis |
Under certain conditions the "Files queued for open counter" could
grow larger than intended. If this grows too large then Squid may
think it runs out of filedescriptors even if there is plenty of
filedescriptors free, but we do not expect this to become a real
problem in any installations. |
severity |
Minor |
date |
2003-06-18 23:18 |
versions |
Squid-2.5 and earlier |
platforms |
All using aufs |
patch |
squid-2.5.STABLE3-aufs-openingfds.patch |
synopsis |
external_acl_type %IDENT does not wait for ident lookups to complete. |
severity |
Minor |
date |
2003-06-17 07:32 |
bugzilla |
#683 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE3-external_acl_ident.patch |
workaround |
Use an ident acl before your external acl to trigger the ident lookup |
synopsis |
Handle the case when recv() returns EAGAIN and do not treat it like
an error |
severity |
Minor |
date |
2003-07-18 20:34 |
bugzilla |
#655 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-icmpRecv.patch |
synopsis |
Correction to squid.conf comments. RFC 2396 (not 2616) talks about
dealing with whitespace in URIs. |
severity |
Cosmetic |
date |
2003-06-17 07:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-rfc_reference.patch |
synopsis |
log_quote() and username_quote() should always quote '%' character |
severity |
Cosmetic |
date |
2003-06-17 07:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-log_quote.patch |
synopsis |
This patch makes Squid print an error rather than consume 100%
CPU time if /dev/null can not be opened. |
severity |
Cosmetic |
date |
2003-06-17 07:39 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-devnull.patch |
workaround |
Make sure you have a /dev/null if you chroot Squid |
synopsis |
The cache_dir documentation is slightly confusing regarding diskd
configuration. This patch removes old comments no longer valid. |
severity |
Cosmetic |
date |
2003-06-17 07:32 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-cache_dir_doc.patch |
synopsis |
The Squid-2.5.STABLE2 patch for deny_info TCP_RESET was not entirely
correct and causes segmentation fault on startup if more than one
custom deny_info error message is defined |
severity |
Medium |
date |
2003-05-27 07:25 |
bugzilla |
#662 |
versions |
Squid-2.5.STABLE3 |
platforms |
All |
patch |
squid-2.5.STABLE3-deny_info.patch |
workaround |
Disable the use of deny_info in your squid.conf. |
synopsis |
The Squid-2.5.STABLE2 patch for digest authentication used
a C99 feature (dynamic array initializers) which may not be
available in all C compilers |
severity |
Minor |
date |
2003-05-27 08:04 |
bugzilla |
#660 |
versions |
Squid-2.5.STABLE3 |
platforms |
Several platforms not using GCC or a C99 compliant C compiler |
patch |
squid-2.5.STABLE3-HttpHeaderTools.patch |
workaround |
Use GCC |
synopsis |
Lithuanian error messages added. These were actually added to the
CVS tree for the 2.5.STABLE1 release, but never got included in
the distributed tarballs. |
severity |
Cosmetic |
date |
2003-05-25 13:57 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE3-Lithuanian.patch |
Patches released after the 2.5.STABLE2 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
A regression error introduced by the patch for digest authentication
caused NTLM authentication to fail. |
severity |
Minor |
date |
2003-05-25 12:32 |
versions |
Squid-2.5 snapshots 20030518-20030524 |
platforms |
All |
patch |
squid-2.5.STABLE2-20030518-ntlm.patch |
synopsis |
This patch is the deny_info_url patch which corrects this issue
and also adds the ability to redirect. The earlier merge of the
TCP_RESET deny_info syntax from deny_info_url was not complete
and did not work.
It was not originally planned to add the redirect capability to
Squid-2.5, but the patch is well tested and making a new patch
which only fixes TCP_RESET is not worth the effort. |
severity |
Minor |
date |
2003-05-21 14:37 |
bugzilla |
#648 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-deny_info_reset.patch |
synopsis |
Due to a HTTP header parsing error Digest authentication always
fails on requests for URLs with one or more commas in them
severity |
Minor |
date |
2003-05-20 23:55 |
bugzilla |
#644 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-digestcomma.patch |
workaround |
Don't require authentication on URLs with commas in them |
synopsis |
The Digest authentication qop implementations in many mainstream browsers
are quite poor and often cause authentication problems when used
with Squid. This patch adds a couple of workarounds which can be
used to work around the most obvious errors while still maintaining
a reasonable level of security in the Digest authentication protocol,
and also fixes a minor issue where Squid failed to correctly indicate
when a used nonce was stale, thereby causing these browser bugs to
show up as authentication failures (new login box) more often than actually needed. |
severity |
Minor |
date |
2003-05-18 21:55 |
bugzilla |
#630 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-digest_nonce_count.patch |
synopsis |
Due to an error introduced by the patch for Bug #553 external
acl lookups hang if defined with ttl=0. |
severity |
Minor |
date |
2003-05-18 21:55 |
bugzilla |
#643 |
versions |
Squid-2.5.STABLE2 |
platforms |
All |
patch |
squid-2.5.STABLE2-external_acl_ttl0.patch |
synopsis |
Due to the change in basic auth helper protocol introduced in
Squid-2.5 to deal with login names or passwords with spaces
or other odd characters in them smb_auth.pl fails to authenticate
domain qualified logins (domain\user). |
severity |
Minor |
date |
2003-05-19 07:51 |
bugzilla |
#640 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-smb_auth_pl.patch |
synopsis |
In Squid-2.5 the format of basic auth helpers changed slightly to
better support logins or passwords with spaces or other odd characters,
however the smb_auth helper was not updated correctly making it fail
on full domain logins etc. |
severity |
Minor |
date |
2003-05-13 08:22 |
bugzilla |
#558, #587 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-smb_auth.patch |
synopsis |
A small regression error was introduced by the earlier patch for acl loops. The patch denied access if an acl could not be evaluated. This patch changes the behaviour back to that of 2.5.STABLE2 and earlier and makes Squid continue to the next access rule. |
severity |
Minor |
date |
2003-05-12 07:29 |
versions |
Squid-2.5.STABLE2-20030508 to 20030512 |
platforms |
All |
patch |
squid-2.5.STABLE2-aclregression.patch |
synopsis |
If detailed debugging is enabled (squid -k debug) then Squid may
segfault on certain platforms while processing authentication. |
severity |
Cosmetic |
date |
2003-05-11 21:48 |
bugzilla |
#591 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-authdebug.patch |
synopsis |
Certain code could never be reached due to signed/unsigned
errors. To our knowledge this has not caused any ill effects,
but this patch corrects the code to behave as expected. |
severity |
Cosmetic |
date |
2003-05-11 17:35 |
bugzilla |
#597 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-unreachcode.patch |
synopsis |
poll() underperforms if enabled and used. Apply the bugfix to reduce CPU and
kernel overhead. |
severity |
Minor |
date |
2003-05-11 16:49 |
bugzilla |
#596 |
versions |
Squid-2.5 Stable2 and earlier. (Search for earliest version not done) |
platforms |
All |
patch |
squid-2.5.STABLE2-comm-select.patch |
workaround |
none. |
synopsis |
To allow access to groups in other domains it needs to be
possible to specify groups by their fully qualified name. |
severity |
Minor |
date |
2003-05-11 12:56 |
bugzilla |
#622 |
versions |
Squid-2.5 |
platforms |
All |
patch |
wb_group-1.2.patch |
synopsis |
In certain configurations involving negated external acls (!aclname
where aclname is an external acl) Squid may crash with a segmentation
fault error or behave oddly. |
severity |
Minor |
date |
2003-05-10 22:23 |
bugzilla |
#623 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-external_lookup.patch |
workaround |
Make sure you only use negated external acls as the last acl element
in your http_access lines if needed.
http_access allow acl1 acl2 !externalacl
|
synopsis |
This update of squid_ldap_auth adds:
- TLS/SSL encryption support required to connect to certain LDAP servers
- Ability to read bindpasswd from file to increase security
- Timeout options for better recovery when using multiple LDAP servers |
severity |
Minor |
date |
2003-05-08 20:22 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-squid_ldap_auth.patch |
workaround |
For SSL encryption you can use stunnel as a workaround with earlier
versions of the squid_ldap_auth helper. |
synopsis |
In certain configurations with more than one proxy_auth acl on the
same access line http_access can get stuck, causing Squid to
continuously query the authentication helper. |
severity |
Major |
date |
2003-05-07 20:08 |
bugzilla |
#606 |
versions |
Squid-2.5 and maybe earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-acl_lookup_loop.patch |
workaround |
Make sure you never use more than one proxy_auth or related
acl on the same http_access line. |
synopsis |
reply_body_max_size fails with ident or proxy_auth acls. Also
it fails to block too large objects where the content-length
is not known |
severity |
Minor |
date |
2003-05-06 20:16 |
bugzilla |
#432 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-reply_body_max_size.patch |
synopsis |
acl ident REQUIRED matches even if the ident lookup fails |
severity |
Minor |
date |
2003-05-06 19:57 |
bugzilla |
#620 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-ident_REQUIRED.patch |
workaround |
acl noident ident -
http_access deny noident |
synopsis |
The msntauth helper crashes if more than 256 users are specified in
an allow/deny file, or if kill HUP is used and no allow or deny file
is specified. |
severity |
Minor |
date |
2003-05-06 07:59 |
bugzilla |
#609, #612 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-msntauth.patch |
synopsis |
Even after a "squid -k reconfigure" Squid continues using the
old log paths until "squid -k rotate". Also it is impossible
to disable active logs without a full restart of Squid. |
severity |
Minor |
date |
2003-05-06 00:28 |
bugzilla |
#579 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-reconfig_logs.patch |
workaround |
Restart Squid when making log file changes |
synopsis |
Compilation of Squid with --enable-ssl fails on RedHat 9
because the RedHat 9 version of OpenSSL depends on Kerberos,
which is not in the standard include path |
severity |
Cosmetic |
date |
2003-05-04 21:29 |
versions |
Squid-2.5 |
platforms |
RedHat 9 |
patch |
squid-2.5.STABLE2-redhat9-ssl.patch |
workaround |
--enable-ssl=/usr/kerberos |
synopsis |
cacheNumObjCount, cacheCurrentUnlinkRequests, cacheCurrentSwapSize
and cacheClients all reported as Counter32 type SNMP objects where
they actually represent gauges. |
severity |
Cosmetic |
date |
2003-05-02 09:54 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-snmp_gauges.patch |
workaround |
Convince your SNMP monitor to use the values as if they were gauges. |
synopsis |
The wb_group helper has been updated to version 1.1. This update
includes an option for case insensitive group name comparison
(Bugzilla #574), fixes a segfault (Bugzilla #574) and
updates the documentation according to the FAQ on squid-users |
severity |
Minor |
date |
2003-05-15 11:02 |
bugzilla |
#574 |
versions |
Squid-2.5 |
platforms |
All |
patch |
wb_group-1.1.patch |
synopsis |
Cachemgr was reporting huge values for Maximum Resident Size on AIX 5,
and snprintf is now a supported function on AIX 5 so Squid does not
need to supply its own version. |
severity |
Cosmetic |
date |
2003-04-29 16:19 |
versions |
Squid-2.5 and earlier |
platforms |
AIX 5 |
patch |
squid-2.5.STABLE2-aix5.patch |
workaround |
Just ignore the Maximum Resident Size value in cachemgr. |
synopsis |
A bug in how Squid processes certain DNS replies can cause
segmentation faults on certain platforms. Linux and FreeBSD on X86
platforms seem unaffected however. |
severity |
Major |
date |
2003-04-25 12:17 |
bugzilla |
#605 |
versions |
Squid-2.5 and earlier |
platforms |
Solaris SPARC and several others |
patch |
squid-2.5.STABLE2-dns_root_label.patch |
workaround |
Recompile squid with --disable-internal-dns |
synopsis |
The paranoid header_access example is missing WWW-Authenticate,
and thereby unintentionally denies authentication to web sites
if used without modifications |
severity |
Cosmetic |
date |
2003-04-14 20:04 |
bugzilla |
#600 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-header_access_paranoid.patch |
synopsis |
The cache_peer documentation for the htcp and carp related options was missing |
severity |
Cosmetic |
date |
2003-04-09 13:47 |
bugzilla |
#365 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-cache_peer_docs.patch |
synopsis |
The cache_effective_user/group documentation was unclear on what happens
if only one of the directives is set, or when Squid is started as a
non-root user. |
severity |
Cosmetic |
date |
2003-04-09 13:47 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-cache_effective_user_docs.patch |
synopsis |
If there is a queue overload for external acl lookups then Squid
logs "externalAclLookup: 'xxx' queue overload" at a very high
rate in cache.log until the condition clears up. |
severity |
Major |
date |
2003-04-09 12:59 |
bugzilla |
#590 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-external_acl_overload.patch |
workaround |
Make sure there is a sufficient number of helpers to handle your
request load. |
synopsis |
Squid may hang or otherwise behave oddly in shutdown if there
are new requests processed at the same time. On shutdown Squid
internally shuts down DNS, redirectors and external acls while
still processing new requests already received. In combination
with the external acl queue overload bug this can completely
hang Squid, preventing it from shutting down. |
severity |
Minor |
date |
2003-04-09 12:59 |
bugzilla |
#590 |
versions |
Squid-2.5 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE2-shutdown.patch |
synopsis |
Squid crashes with the above assertion failure if an external_acl
helper crashes while processing a request |
severity |
Minor |
date |
2003-03-24 17:28 |
bugzilla |
#577 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-external_acl_crash.patch |
workaround |
Fix the helper to not crash |
synopsis |
If you are using an external acl based on data which changes
during a browsing session then false negatives may be seen if
there are multiple requests immediately after the request data
used by the acl has changed, or other situations where there
may be multiple concurrent requests for the same external acl
lookup.
The error automatically clears up if the failing request
is retried. |
severity |
Minor |
date |
2003-03-18 22:12 |
bugzilla |
#573 |
versions |
Squid-2.5 |
platforms |
All |
patch |
squid-2.5.STABLE2-concurrent_external_acl.patch |
workaround |
Press reload, or otherwise try the request again. |
Patches released after the 2.5.STABLE1 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis |
Due to an oversight in the implementation of server side persistent
connections in Squid-2.5.STABLE1 and earlier POST or PUT requests
may fail if sent just as an existing persistent connection is timed
out by the origin server. |
date |
2003-03-17 18:39 |
bugzilla |
#569 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-indempotent.patch |
workaround |
Disable server side persistent connection by setting "server_persistent_connections off" in squid.conf |
synopsis |
external acl types have the ability to provide a username to be
used when logging the request. This patch extends the capabilities
of this function by also making the username available as IDENT
in later acl checks. |
date |
2003-02-27 13:54 |
bugzilla |
#552 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-external_acl_user.patch |
synopsis |
Security issues have been found in how Squid managed digest
authentication nonces, possibly giving access to unauthorized users
who can sniff the network traffic of a valid user session,
or denying access to authorized users if they fail to provide
correct credentials on the first request. |
date |
2003-02-27 13:54 |
bugzilla |
#543 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-auth_digest.patch |
synopsis |
make install fails to install icons after make distclean
if you do not have uudecode installed |
date |
2003-02-21 22:21 |
bugzilla |
#548 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-distclean_icons.patch |
workaround |
Install uudecode, or unpack Squid from the distributed
tarball again. |
synopsis |
If a certain malformed request is received then Squid logs
"error: invalid HTTP-ident" in the URL column of access.log,
making it hard for log parsers to read the line correctly. |
date |
2003-02-19 23:41 |
bugzilla |
#547 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-error-http-ident.patch |
synopsis |
A syntax error / obsolete syntax in the declaration of the
Squid SNMP MIB (SQUID-MIB) causes current SNMP tools to fail
reading the file |
date |
2003-02-19 23:29 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-mib.patch |
synopsis |
The winbind helpers depend on an internal Samba winbindd interface
which was changed in the Samba 2.2.6 release.
This patch updates the Samba support headers to those of
Samba 2.2.7a, and adds a configure directive (--with-samba-sources=..)
which can be used to override which samba version the Squid winbind
helpers should be built for |
date |
2003-02-12 02:11 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-winbind.patch |
workaround |
Manually copy and adjust the needed winbind helpers from Samba to each
of the winbind helpers you use. |
synopsis |
Clients who start sending data after a CONNECT request prior to
receiving the 200 OK reply may experience data corruption.
Normally clients do not do this as the specifications say that
the client must wait. |
date |
2003-02-12 02:07 |
bugzilla |
#490 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-CONNECT_pipeline.patch |
synopsis |
Only the first time of a time acl type was used. This patch
corrects this to allow the same acl to specify multiple times
of the day. |
date |
2003-02-09 10:12 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-time_acl_list.patch |
workaround |
If you need to specify multiple times, use one acl for each time |
synopsis |
Certain malfunctioning HTTP servers can confuse Squid's client
persistent connection management by sending a malformed reply
in response to a HEAD request, causing unexpected delays in
request processing for the client. |
date |
2003-02-09 10:12 |
bugzilla |
#520 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-HEAD_bad_headers.patch |
workaround |
client_persistent_connections off |
synopsis |
The SSL accelerator function of Squid-2.5 (--with-ssl option)
fails to compile if using OpenSSL 0.9.7 or later |
date |
2003-02-09 10:12 |
bugzilla |
#501 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-openssl097.patch |
synopsis |
Squid silently accepted cachemgr_passwd to be specified multiple
times for the same action, but only the first one is accepted. This
patch adds a warning when such configurations are seen. |
date |
2003-02-09 10:12 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-cachemgr_passwd.patch |
workaround |
Manually inspect your configuration to only have one password
specified per action. |
synopsis |
In certain conditions Squid crashes with the above assertion
failure on shutdown. |
date |
2003-02-09 10:12 |
bugzilla |
#484 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-shutdown_assert.patch |
synopsis |
The configure script accepts the --with-aufs-threads argument without
any value, causing the compilation to later fail. |
date |
2003-02-09 10:13 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-with_aufs_threads_trap.patch |
workaround |
Make sure to always specify a correct value if using
the --with-aufs-threads=NN option, or do not specify the option
at all (the default is good for most uses) |
synopsis |
The authenticate_program directive was replaced by auth_param
in Squid-2.5 but documentation for some other configuration
directives still refers to authenticate_program instead of the
current directive |
date |
2003-02-05 06:06 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-authenticate_program_docs.patch |
workaround |
Use auth_param instead even if the documentation refers to the
non-existing authenticate_program directive |
synopsis |
Authentication could only be used in http_access rules in Squid-2.5
(as noted in the release notes).
Any attempt to use authentication in other access rules either caused
the above error or even worse a segmentation fault if using NTLM
authentication.
Note: This patch depends on the earlier patch for the same problem. |
date |
2003-02-05 06:06 |
bugzilla |
#448, #393, #456, #478, #524, #164 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-auth_connection.patch |
workaround |
Make sure not to use authentication based acls outside http_access |
synopsis |
Some nitpicks and cleanup relating to cache manager helper
stats and user authentication |
date |
2003-02-03 16:16 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-helper_stats.patch |
synopsis |
An internal error caused Squid to abort if FTP PUT requests are
aborted. |
date |
2003-02-01 22:19 |
bugzilla |
#507 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-ftp_abort.patch |
workaround |
Deny FTP PUT in squid.conf. |
synopsis |
A coding error could cause issues with auth scheme configurations
in certain configurations. On some systems it may be impossible
to properly configure authentication, on others it only fails
if authentication is added by "squid -k reconfigure". |
date |
2003-02-01 22:19 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-authsheme_realloc.patch |
synopsis |
The Cacheable statistics "no.non_get" is always 0 as the
code relating to this statistics item is not active.
This patch removes this useless field from the statistics. |
date |
2003-02-01 22:19 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-cachemgr_non_get.patch |
synopsis |
From the documentation of http_reply_body_max_size it was
not obvious that the size is in bytes. This patch rewords
the documentation slightly to make this clearer. |
date |
2003-02-01 22:19 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-http_reply_max_size.patch |
synopsis |
When "squid -k shutdown" or kill is used to shut down Squid, the
pid file should be removed when Squid has shut down, but was removed
as soon as the shutdown completed. |
date |
2003-01-29 23:40 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-pidfile.patch |
synopsis |
One of the statistics counters was only updated when using
poll() (default on most OSes) |
date |
2003-01-29 23:26 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-select_stat.patch |
synopsis |
The cachemgr histogram output was missing histogram count
on file descriptor activity |
date |
2003-01-29 23:26 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-select_fds_hist.patch |
synopsis |
At one place in the code sc->copy_offset was assigned twice
to the same value. Once is sufficient. |
date |
2003-01-29 23:28 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-copy_offset.patch |
workaround |
None needed. Harmless. |
synopsis |
The mem_pool_free_calls statistics parameter was printed
as a signed integer, possibly causing negative values to
be printed once there have been more than 2^31 mempool
free operations. |
date |
2003-01-29 23:28 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-mempoolstat.patch |
workaround |
ignore any negative values printed |
synopsis |
The code dealing with peer selection accounting has been
cleaned up slightly, and accounting for cache-digest siblings
has been corrected. |
date |
2003-01-29 23:26 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-peer_select_alg.patch |
workaround |
None needed |
synopsis |
If log_mime_hdrs is enabled then Squid's access.log may include garbage
if overly long request headers are received, causing the logged line to
become more than 8192 characters long. |
date |
2003-01-20 19:03 |
bugzilla |
#506 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-log_mime_hdrs.patch |
workaround |
postprocess the logs to remove the garbage, or limit request/reply header
sizes in squid.conf. |
synopsis |
To aid in determining how large your Squid process really is,
statistics based on the growth of the process sbrk value have been
added to cachemgr |
date |
2003-02-09 10:14 |
updated |
2003-01-20 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-sbrk.patch |
synopsis |
Squid had the odd habit of normalizing double dots (www..example.com)
in hostnames to one dot. Such hostnames are strictly not valid, and
can in some configurations allow users to bypass filters. This patch
makes Squid reject hostnames with double or leading dots.
This patch also adds a configure option to disable the character
checks performed by Squid on domain name labels. It is not really
the business of Squid to police what characters are used in domain
name labels. |
date |
2003-02-09 10:15 |
bugzilla |
#504, #503 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-hostnames.patch |
synopsis |
The cachemgr output indicated failure_ratio was a percentage when
it in fact is a ratio. This patch removes the % sign from cachemgr
output. |
date |
2003-01-18 14:52 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-failure_ratio.patch |
synopsis |
The offline_toggle cachemgr action needs to be enabled in
cachemgr_passwd before use. This was omitted from the squid.conf
documentation. |
date |
2003-01-18 14:52 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-offline_toggle.patch |
synopsis |
squid_ldap_group fails to compile if using OpenLDAP 2.1.X or later.
This patch also adds many new features to squid_ldap_group, allowing
true group matches, NT domain integration and some other small fixes. |
date |
2003-01-11 13:08 |
updated |
2003-01-11 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-ldap_group.patch |
workaround |
Use OpenLDAP 2.0.X. |
synopsis |
The documentation for refresh_pattern contained a stale reference
to a Squid-1.1 release notes document which no longer exists |
date |
2003-01-10 23:16 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-relnote11.patch |
workaround |
Don't bother looking for the Squid-1.1 release notes. The information
found therein is not applicable to current Squid versions. |
synopsis |
Squid 2.5 stable 2 will only allow aufs to be built with the
_REENTRANT define enabled. This is to ensure correct threading
operation on all platforms, and its optionality led to some
spurious bug reports and failure in 2.5 stable 1 and earlier. |
date |
2003-01-10 23:16 |
versions |
2.5.STABLE1 and earlier |
platforms |
none |
patch |
squid-2.5.STABLE1-aufs_reentrant.patch |
workaround |
make sure --enable-pthreads is used when compiling support for aufs |
synopsis |
When using chroot_dir Squid complains about all paths in squid.conf
unless the same paths are accessible outside the chroot jail, even
if they will actually be used only within the chroot. |
date |
2003-01-09 05:36 |
bugzilla |
#493, #151 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-chroot.patch |
workaround |
create symlinks as needed |
synopsis |
Segfault when using -S in combination with cache_dir coss/null |
date |
2003-01-09 05:36 |
bugzilla |
#488 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-S.patch |
workaround |
Don't use -S if configured with a coss/null cache_dir |
synopsis |
Even in offline_mode expired content sometimes is processed as a cache
miss. The intention of offline_mode is to make Squid very aggressively
return cached content, assuming the Internet is not available for
checking freshness. |
date |
2003-01-09 04:21 |
bugzilla |
#395 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-offline_mode.patch |
synopsis |
In certain conditions Squid may crash while rebuilding dirty cache
directories. |
date |
2003-01-09 03:46 |
bugzilla |
#465 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-rebuild_assert.patch |
workaround |
always shut down Squid cleanly, or start Squid with the -F option
to not accept requests while the cache index is being rebuilt. |
synopsis |
The RunCache/RunAccel scripts were not modified to look for Squid
in its new location 'sbin'. |
date |
2003-01-07 03:52 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-RunCache.patch |
workaround |
Modify the script to look in sbin, or start squid directly |
synopsis |
If Squid is configured to use aufs cache_dir type then performance
may seem slow when Squid is only processing a few requests |
date |
2003-01-09 00:58 |
updated |
2003-01-09 |
versions |
2.5.STABLE1 and earlier |
platforms |
All when configured to use aufs |
patch |
squid-2.5.STABLE1-aufs_performance.patch |
workaround |
give Squid more work to do. aufs is designed for busy caches. If you
have a single user cache consider using ufs instead. |
synopsis |
Compilation of squid_ldap_group fails with errors about undefined
symbol "socket", "getpeername" and other networking related symbols. |
date |
2002-12-12 00:33 |
versions |
2.5.STABLE1 |
platforms |
Solaris and others requiring special libraries for networking |
patch |
squid-2.5.STABLE1-ldap_group-compile.patch |
workaround |
Manually edit helpers/external_acl/ldap_group/Makefile to include
the needed libraries last on the LDADD line |
synopsis |
Squid sometimes crashes with 'assertion failed: comm.c:646:
"F->flags.open"' logged to cache.log. |
date |
2002-12-09 16:38 |
bugzilla |
#466 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-flags_open.patch |
workaround |
Deny the use of CONNECT |
synopsis |
It is impossible to define acls with spaces in them. Previously
this has not been such a big problem, but with the addition
of external acl checks and integration with various foreign
user group systems such as Windows Domain this has become more
of a problem.
This patch allows you to use the "include" function to define
such acls. |
date |
2002-11-24 11:03 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-spaces.patch |
workaround |
Make sure that all groups etc. you need to refer to do not
contain spaces. |
synopsis |
There is a small typo in the error message returned if the DNS queue
overloads when Squid is compiled with --disable-internal-dns |
date |
2002-11-12 07:45 |
bugzilla |
#471 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-dnsserver.patch |
workaround |
Do not compile Squid with --disable-internal-dns. The default internal
DNS client is much more efficient and cannot be overloaded. |
synopsis |
Microsoft "Integrated Login" authentication schemes NTLM and Negotiate
(SPNEGO) cannot be proxied due to a design flaw in these protocols,
authenticating TCP connections rather than HTTP messages.
Previously this was only a problem with IIS servers on the Internet
but with the addition of NTLM support in Squid this is now also a
problem in Squid cache hierarchies. |
date |
2002-11-11 21:01 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-auth-proxy.patch |
workaround |
Make sure "Integrated Logon" is disabled on all parent proxies or
web servers your users need to log on to. |
synopsis |
If the HTTP server running cachemgr is configured to log query
parameters then your cachemgr login & password may be revealed
in the access logs. This patch changes cachemgr to use POST
which should hide this information from most logs |
date |
2002-11-11 21:47 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-cachemgr.patch |
synopsis |
"make uninstall" removes squid.conf, and with it any local modifications
which may have been done. This patch changes "make uninstall" to not
remove squid.conf. |
date |
2002-11-11 22:57 |
bugzilla |
#453 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-uninstall.patch |
workaround |
back up squid.conf before running "make uninstall" if you want to save
a copy, or manually delete the unwanted files. |
synopsis |
If an external_acl helper exits prematurely then Squid segfaults.
This patch makes Squid deal more gracefully with the situation
and retry the request with the next available helper. If too many of the
helper instances die then Squid will do a controlled restart. |
date |
2002-11-11 22:57 |
bugzilla |
#458 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-ext_acl_exit.patch |
workaround |
Write crash proof external_acl helpers |
synopsis |
Squid rejects requests having a request entity with error "411
Length Required". While the HTTP specification allows for such
requests it also says the request entity must have no meaning.
This patch adds a new squid.conf directive "request_entities on/off"
which can be used to enable support for such strange GET/HEAD
requests if needed. |
date |
2002-11-11 22:57 |
bugzilla |
#463 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-request_entity.patch |
workaround |
Don't use the proxy for devices sending such strange HTTP requests |
synopsis |
Certain compilers complain about an extra comma in external_acl.c |
date |
2002-11-11 22:57 |
versions |
2.5.STABLE1 |
platforms |
Compiler Specific |
patch |
squid-2.5.STABLE1-ext_acl_comma.patch |
workaround |
Use GNU CC |
synopsis |
Squid sometimes leaks acl structures on "squid -k reconfigure". |
date |
2002-11-10 03:58 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-acl_leak.patch |
synopsis |
Due to a race condition in the aufs storeio implementation data
corruption can occur if the client aborts a cache hit while
aufs is reading data from the disk |
date |
2002-11-15 06:35 |
updated |
2002-11-15 |
bugzilla |
#451 |
versions |
2.5.STABLE1 and earlier |
platforms |
All using aufs |
patch |
squid-2.5.STABLE1-aufs.patch |
synopsis |
The cachemgr "Total accounted:" statistics field always reports "-1" |
date |
2002-11-10 17:00 |
updated |
2002-11-10 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-memstat.patch |
synopsis |
In certain conditions the WCCP router might miss the hash assignment
sent by Squid. |
date |
2002-11-09 09:59 |
bugzilla |
#462 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-wccp.patch |
synopsis |
An internal error in the strwordtok() function causes problems
for external_acl if the last helper argument is quoted by Squid.
For example if using a group helper and having groups with spaces
in them. |
date |
2002-11-09 09:59 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-strwordtok.patch |
synopsis |
If --enable-async-io or --with-storeio=aufs is used then configure
attempts to automatically enable --with-pthreads. Unfortunately
it only gets it half right, resulting in an unstable aufs storeio driver. |
date |
2002-11-14 08:26 |
versions |
2.5.STABLE1 |
platforms |
All using aufs |
patch |
squid-2.5.STABLE1-pthreads.patch |
workaround |
Make sure to include --with-pthreads when building with the aufs
storeio driver. |
synopsis |
The undocumented "make addlang" target does not work. This make
target is intended to be used when adding additional languages
to an installation where configure was instructed not to install
all languages. |
date |
2002-11-09 09:59 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-addlang.patch |
workaround |
Select the languages during the normal install procedure |
synopsis |
The command line syntax of specifying LDAP servers last on the command
line does not work. |
date |
2002-10-18 09:50 |
bugzilla |
#460 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-ldap_auth.patch |
workaround |
Make use of the -h option to specify LDAP servers. |
synopsis |
If the referer log file is enabled then Squid might complain
about this log file being open on shutdown. This is the same
problem as Bug #120
but for the referer log. |
date |
2002-10-13 17:04 |
versions |
2.5.STABLE1 and earlier |
platforms |
All |
patch |
squid-2.5.STABLE1-referer_log.patch |
workaround |
None needed. Ignore any complaints from Squid that the referer
log is open |
synopsis |
Many files such as squid.rc were missing from the contrib directory. |
versions |
2.5.STABLE1 |
platforms |
All |
workaround |
Copy the files from another Squid release |
synopsis |
If urlParse() fails in mimeLoadIconFile() (e.g., because the user put
illegal characters in the visible_hostname), this patch makes Squid
emit a fatal error message, rather than suffer a NULL pointer
dereference. |
date |
2002-10-08 21:30 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-load_icons.patch |
workaround |
Make sure visible_hostname has a correct value with only valid
hostname characters, and that your icon files are readable by the
user Squid is running as (cache_effective_user if started by root) |
synopsis |
The documentation for max_user_ip and authenticate_ip_ttl is slightly misleading |
date |
2002-10-08 21:30 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-max_user_ip.patch |
synopsis |
proxy_auth (and other authentication acl types) only works in
http_access. |
date |
2002-10-08 12:59 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-proxy_auth.patch |
synopsis |
The compiler may warn about unused parse/dump/free_http_header_access
functions if the configure directive --disable-http-violations is used |
date |
2002-11-10 03:21 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-disable-http-violations.patch |
workaround |
Ignore the warning. It is harmless. |
synopsis |
The compiler may warn about an unused error label if the
configure directive --disable-ident-lookups is used |
date |
2002-09-29 19:14 |
versions |
2.5.STABLE1 |
platforms |
All |
patch |
squid-2.5.STABLE1-disable-ident-lookups.patch |
workaround |
Ignore the warning. It is harmless. |
$Id: index.tmpl,v 1.350 2006/06/21 12:33:13 hno Exp hno $