-------- Original Message -------- Subject: Squid-2.5.STABLE5 released [minor security / major bugfix release] Date: Mon, 1 Mar 2004 12:37:00 +0100 (CET) From: Henrik Nordstrom <hno@xxxxxxxxxxxxxxx> To: squid-announce@xxxxxxxxxxxxxxx
The Squid HTTP Proxy team is pleased to announce the availability of the Squid-2.5.STABLE5 bugfix release.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v2/2.5/ ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
or the mirrors (may take a while before all mirrors are updated). For a list of mirror sites see
http://www.squid-cache.org/Mirrors/http-mirrors.html http://www.squid-cache.org/Mirrors/ftp-mirrors.html
Squid-2.5.STABLE5 is a major bugfix release of Squid-2.5 and corrects one minor security issue in url_regex access controls and several major non-security related bugs found in the earlier Squid-2.5 releases. Users are recommended to upgrade to this new release, especially if using any of the features mentioned below.
The most important bug-fixes in this release are:
[security] %00 in could be used in to bypass url_regex and urlpath_regex access controls in certain configurations. Other acl directives not affected. More information on this issue can be found in the SQUID-2004:1 security advisory distributed separately <url:http://www.squid-cache.org/Advisories/SQUID-2004_1.txt>
[major] Several NTLM related bugfixes and improvements fixing the problem of random auth popups and account lockouts. Optional support for the NEGOTIATE NTLM packet is also added to allow Samba-3.0.2 or later to negotiate the use of NTLMv2 or NTLM2.
[major] Several authentication related bugfixes to allow authentication to work in additional acl driven directives outside of http_access, and a number of corrections to assertion or segmentation faults and some memory leaks.
In addition there is a small number of new features or improvements which enhances the functionality of Squid
[medium] redirector interface modified to work with login names containing spaces or other odd characters. This is accomplished by URL-encoding the login name before sent to redirectors. Note: Existing redirectors or their configuration may need to be slightly modified in how they process the ident column to support the new username format (only applies to redirectors looking into the username)
[medium] various timeouts adjusted: connect_timeout 1 minute (was 2 minutes which is now forward_timeout), negative_dns_ttl 1 minute (was 5 minutes) and is now also used as minimum positive dns ttl, dns_timeout 2 minutes (was 5 minutes)
[minor] "short_icon_urls on" can be used to simplify the URLs used for icons etc to avoid issues with proxy host naming and authentication when requesting icons.
[minor] A new "urllogin" ACL type has been introduced allowing regex matches to the "login" component of Internet style URLs (protocol://user:password@host/path/to/file).
[minor] Squid now respects the Telnet protocol on connections to FTP servers. The ftp_telnet_protocol directice can be used to revert back to the old incorrect implementation if required.
[minor] The default mime.conf has been updated with many new mime types and a few minor corrections. In addition the download and view links is used more frequently to allow view/download of different ftp:// contents regardless of their mime type assignment.
in addition there is a large amount of minor and cosmetic bugfixes not included in the above list. For a complete list of changes see the ChangeLog and the Squid-2.5 Patches page <url:http://www.squid-cache.org/Versions/v2/2.5/bugs/>
It is recommended to read the release notes when upgrading from an earlier Squid release (including Squid-2.5.STABLE4) as there has been some minor changes in the configuration.
Thanks goes to MARA Systems AB who has been actively sponsoring this bugfix release of Squid as part of their continuing effort to provide both free and commercial support to the Squid community, and to all users who have provided valuable bug reports and feedback via the Squid bug reporting tool.
Regards The Squid HTTP Proxy developer team