The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.2.0.19 beta release!
This release is expected to be the final release for 3.2 series. It
contains workarounds for the worst of the remaining bugs. Not all are
fully fixed unfortunately, but we believe the workarounds applied are
sufficient to make the 3.2 series stable enough for general production use.
A reminder to all:
Bugs get reported through bugzilla please. The mailing lists are not
sufficient record for tracking what need fixing.
Please read the release notes for the 3.2 series before upgrading from
older versions of Squid. There are a number of security enhancements in
this series which are known to be surprising if you are not aware of the
change. Particularly notice the NCSA and CVE-2009-0801 sections, and
where applicable the "regressions since squid-2" section. Those changes
MAY affect your traffic behaviour in a significant way.
Please remember to run "squid -k parse" when testing upgrade to a new
version of Squid. It will audit your configuration file and report any
identifiable issues the new release will have in your installation
before you "press go". We are still removing the infamous "Bungled
Config" halting points and adding checks, so if something is not
identified please report it.
All feature additions are considered *experimental* until they have
survived at least one series of releases in general production use.
Please be aware of that when rolling out features like SMP support which
are new in this series. Not all use-cases have been well tested yet and
some may not even have been implemented. Assistance is still needed
despite the releases general stability level.
Important changes to note in this release:
* As you should know CVE-2009-0801 security vulnerability protection was
added in 3.2 series.
Earlier betas attempted to protect peer caches as well as themselves, by
blocking relay of untrusted requests until we could implement a safe relay.
Due to time constraints this extra layer of peer protection
has been REMOVED from 3.2 default builds.
Interception cache proxies are themselves well protected against the
vulnerability, but can indirectly poison any cache heirarchy they are
integrated with. The -DSTRICT_HOST_VERIFY compile-time flag can be
defined in CXXFLAGS to re-enable this peer protection if desired. Its
use is encouraged, but will result in problems for some popular
configurations. ie ISP interception proxy gatewaying through a cache
array, matrix of interception proxies as siblings.
Use of the client destination IP (ORIGINAL_DST) is still preferred for
untrusted requests, so if your proxy is backed by a firewall denial
please ensure that the rules are REJECT rules rather than DROP for best
performance. never_direct does not affect this routing preference as it
does for DIRECT traffic.
* request_header_access, request_header_replace, reply_header_access and
reply_header_replace directives improved.
These directives were previously limited to the registered RFC 2616 and
a few other common headers. They can now take any header name and handle
custom headers individually.
The bulk "Other" and "All" groupings are still present for seamless use
by existing configurations. Their use and interaction is better
documented now so please see the squid.conf documentation for further
details on this if you wish to update or check your config.
"Anonymous proxy" users will want to investigate this in relation to the
DNT headers and similar HTTP privacy extensions.
* "Leaking" filedescriptors are fixed.
This release of Squid lets go of unnecessary TCP connections more
efficiently than ever before. Bringing more performance gains at peak
traffic.
As usual this release contains all the fixes passed on to 3.1 series
alongside its own changes.
See the ChangeLog for the list of other minor changes in this release.
All users interested in 3.2 features are encouraged to assist testing
this release.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
when you are ready to make the switch to Squid-3.2
Upgrade tip:
"squid -k parse" is starting to display even more useful hints about
squid.conf changes.
This new release can be downloaded from our HTTP or FTP servers
http://www.squid-cache.org/Versions/v3/3.2/
ftp://ftp.squid-cache.org/pub/squid/
ftp://ftp.squid-cache.org/pub/archive/3.2/
or the mirrors. For a list of mirror sites see
http://www.squid-cache.org/Download/http-mirrors.html
http://www.squid-cache.org/Download/mirrors.html
If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/
Amos Jeffries
