The Squid HTTP Proxy team is very pleased to announce the
availability of the Squid-3.1.15 release!
This release brings many bug fixes, fixes for several regressions from
earlier releases and some further portability improvements into 3.1.
In order of most-to-least visible effects from the change these bugs are:
Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes
http://www.squid-cache.org/Advisories/SQUID-2011_2.txt
This is an old known problem with the DES hash algorithm and
libraries. Because it is part of the weak Basic authentication scheme,
the security impact is low. Despite this low impact we have decided to
close this security hole in the Squid-3.2 series.
However there is a potentially large impact on end-users who have been
encouraged in recent years to use long passwords. If the background
security system has not also been updated to use the MD5 hash for long
password support, they will be completely unable to log in.
This release of Squid has an updated helper which will detect the DES
algorithm being used with long passwords and log a SECURITY ALERT while
allowing the end-user login to proceed. This allows you a short
transition period in which to migrate your security systems away from
the DES hash algorithm.
Bug 3295: broken escaping in rfc1738_do_escape
This bug affected all helper communications and logging, particularly
of NTLM and UTF-8 non-English user credentials. If you have an
unresolved bug concerning authentication in Squid-3.1 please re-test
using this release and update the bug report.
Bug 2051: 'default' cache_peer option does not match documentation
This bug was affecting all installations with cache_peer configured
for both load balancing and using a "default" peer. Previously the
default peer would receive an unfairly large proportion of the traffic,
effectively breaking the load balancing.
When upgrading to this release expect to see a large difference in
your traffic distribution across peers. It may be necessary to re-tune
some load balancing controls after upgrade.
Bug 3213: https sites (CONNECT) not open when using NTLM
We finally have keep-alive support working on CONNECT requests up
until the point of successful tunnel opening. So all forms of
http_access denial, adaptation or redirection can be expected to work in
this release.
As a result, NTLM handshakes can now be performed for CONNECT when the
user's software supports it.
Bug 2662: cf_gen failure when cross compiling.
The cf_gen tool used to create installed config files has been fully
rewritten in C++ to avoid dependency on code and compatibility wrappers
built for the target host system.
./configure has also been updated to support an additional
environment variable, HOSTCXX, which receives the compiler command and
flags for cf_gen and other tools run on the build host.
There are several minor cross-compile bugs remaining to be fixed in
Kerberos and SASL auth helpers. However this release is expected to
cross-compile easily when avoiding those helpers.
HTTP/1.1 caching support
RFC compliance fixes have been added in the caching of responses with
very old Date: or invalid Expires: headers.
See the ChangeLog for the list of other minor changes in this release.
All users of Squid-3 are urged to upgrade as soon as possible.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.1/RELEASENOTES.html
when you are ready to make the switch to Squid-3.1.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.1/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.1/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
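
For the Bug 3107 transition period described above, a password-file audit can list the accounts still stored as DES hashes. This is an added example, not code from the Squid project or the ncsa_auth helper. It assumes a `user:hash` file, recognises hash schemes by format only (13-character traditional crypt for DES, `$1$` prefix for MD5), and all function names and sample entries are hypothetical.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_MAX = 8  # DES crypt() only uses the first 8 bytes of the password


def hash_scheme(stored):
    """Classify a stored hash by its format (assumption: format implies scheme)."""
    if stored.startswith("$1$"):
        return "md5"
    if DES_RE.match(stored):
        return "des"
    return "other"


def audit_passwd(lines):
    """Return {user: scheme} for each 'user:hash' line, skipping comments."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        result[user] = hash_scheme(rest.split(":", 1)[0])
    return result


def des_users(lines):
    """Accounts that must be re-hashed before long passwords are safe to use."""
    return sorted(u for u, s in audit_passwd(lines).items() if s == "des")


def truncation_alert(stored, password):
    """True when only a prefix of the supplied password would be verified."""
    return hash_scheme(stored) == "des" and len(password.encode("utf-8")) > DES_MAX


# Constructed sample entries, not real credentials or real hash outputs.
SAMPLE = [
    "alice:ab0123456789A",
    "bob:$1$saltsalt$0123456789abcdefghijkl",
    "# constructed comment line",
    "carol:cdZYXWVUTSRQP",
]

if __name__ == "__main__":
    for user in des_users(SAMPLE):
        print(f"{user}: DES hash, only the first {DES_MAX} bytes are checked")
```

`truncation_alert` mirrors the condition the announcement describes (DES hash combined with a password longer than 8 bytes), which is the case worth alerting on in your own tooling during migration.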