The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.7 release! This release is a bug fix release resolving several issues found in the the prior Squid releases. The major changes to be aware of: * Regression Bug 4227: assertions in AuthUserHashPointer This bug showed up as occasional (or not so occasional) crashes when Squid is cleaning up the username cache that sits behind HTTP Basic and Digest authentication. It also affected NTLM and Negotiate which populate the cache entries but do not use them directly. * Bug 4251: incorrect instance name for memory segments in /dev/shm This was an omitted part of the named services feature added in 3.5 which rendered it unusable in previous releases. Now this is resolved Squid-3.5 instances should be fully multi-tenant / multi-instance capable as documented in the Release Notes. * Bug 3345: 'any available user name' format code for external ACLs. This is a long requested feature port from Squid-2.8 (2.HEAD). The %un format code can be used in place of %LOGIN to provide a user name from any available source of credentials. However, it does not trigger HTTP authentication in the absence of credentials. The resulting user value is generated as documented for the identical %un logformat code. Exact contents may vary depending on what details are available at the time the ACL is tested. * SSL certificate database corruption The ssl_crtd helper occasionally discovers that its backend disk store has become corrupted. A number of potential reasons have been identified for this. Some of those reasons have been fully solved. Extra validation checks and automatic recovery procedures are added to resolve others. The problem may remain for some installations but this release should be a lot more resilient for most using the ssl_crtd helper. Work is ongoing with this set of problems. Please stay in touch about ssl_crtd issues in this or later releases. * TLS: Splice to origin cache_peer. When ssl-bump splice action is selected Squid can now relay the traffic to a cache_peer configured with the 'originserver' option. SNI and other certificate information received from the client is sent to the peer exactly as it would have been on a DIRECT origin connection. * TLS: HTTP error reponses served using invalid certificates when dealing with SSL server errors. When ssl-bump bump action is performed this bug would cause cryptic certificate errors to be presented to users. A Squid-generated error "page" to be sent over a secure connection would be sent with an incorrect Squid-generated server certificate. * IPv6: improve BCP 177 compliance Since early 2012 it has been mandatory for new or upgraded Internet connected machinery and software to support IPv6 ad use it in preference over IPv4. Squid IPv6 behaviour has followed these practices since well before the guidelines became a BCP. Over the years it has also grown into a well-tested and widely used feature. The --disable-ipv6 build option is now deprecated. It is long past time to fix whatever network brokenness you may have that made it look attractive in past years. Squid-3.5.7 and later will perform IPv6 availability tests on startup in all builds. - Where IPv6 is unavailable Squid will continue exactly as it would have had the build option not been used. These Squid can have the build option removed now. - Where IPv6 is detected but --disable-ipv6 prevents use Squid will log "WARNING: BCP 177 violation". Please test whether you can rebuild with IPv6 enabled. * Perl pod2man is now optional Several of the perl based helpers bundled with Squid have previously been requiring the pod2man documentation generator before they will build. Since it is only used to create documentation that tool is not optional and these helpers may be built and installed on any system containing just a Perl installation. * basic_smb_auth issues with Samba 4 The basic_smb_auth helper has been identified as having several issues authenticating with Samba 4 smbclient or any networks containing WINS servers. Those are now fixed. All users of Squid are urged to upgrade to this release as soon as possible. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html when you are ready to make the switch to Squid-3.5 Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes. This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v3/3.5/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/3.5/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce