The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-3.5.21 release! This release is a bug fix release resolving several issues found in the prior Squid releases. The major changes to be aware of: * Bug #4534: assertion failure in xcalloc when using many cache_dir Squid is documented as supporting up to 64 cache directories, but would crash with a memory allocation error if more than a few were actually configured. * Bug #4542: authentication credentials IP TTL updated incorrectly This bug caused error in max_user_ip ACL accounting to allow clients to shift IP address more times than configured. This bug fix may have an effect on IPv6 clients using "proviacy adressing" to rotate IPs. * Bug #4428: mal-formed Cache-Control:stale-if-error header This bug shows up as incorrect stale-if-error values being relayed by Squid breaking the use of this feature in the recipients. Squid now relays the header values correctly. * Bug #3025: Proxy-Authenticate problem using ICAP server With this change Squid now treats the ICAP REQMOD adaptation point as a part of itself with regards to proxy authentication. The Proxy-Authentication header received from the client is delivered as part of the HTTP request headers in expectation that the ICAP service may authenticate and/or produce 407 response itself. Note that use of stateful or connection-oriented authentication schemes is not possible. HTTP is designed to operate in a stateless way and any deviation from that design requires Squid to perform special message processing. * HTTP: MUST always revalidate Cache-Control:no-cache responses. This bug shows up as Squid not revalidating some responses until they became stale according to refresh_pattern heuristic rules (specifically the minimum caching age). Squid now revalidates these objects on every request. * HTTP: do not allow Proxy-Connection to override Connection header The Proxy-Connection: header is a long-deprecated experimental header. For the past decade Squid has been actively stripping it out of relayed traffic. This release continues the removal process by also preventing it from having any effect on Squid client connection persistence when a Connection: header is present. * SSL CN wildcard must only match a single domain component [fragment]. This bug shows up as incorrect matching (or non-matching) of the ss::server_name ACL against TLS certificate values. Squid now treats the certificate CN fields according to X.509 domain matching requirements instead of HTTP domain matching requirements. All users of Squid-3 are encouraged to upgrade to this release as soon as possible. See the ChangeLog for the full list of changes in this and earlier releases. Please refer to the release notes at http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html when you are ready to make the switch to Squid-3.5 Upgrade tip: "squid -k parse" is starting to display even more useful hints about squid.conf changes. This new release can be downloaded from our HTTP or FTP servers http://www.squid-cache.org/Versions/v3/3.5/ ftp://ftp.squid-cache.org/pub/squid/ ftp://ftp.squid-cache.org/pub/archive/3.5/ or the mirrors. For a list of mirror sites see http://www.squid-cache.org/Download/http-mirrors.html http://www.squid-cache.org/Download/mirrors.html If you encounter any issues with this release please file a bug report. http://bugs.squid-cache.org/ Amos Jeffries _______________________________________________ squid-announce mailing list squid-announce@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-announce
