diff -u -r -N squid-3.1.0.18/ChangeLog squid-3.1.1/ChangeLog
--- squid-3.1.0.18/ChangeLog 2010-03-14 20:06:08.000000000 +1300
+++ squid-3.1.1/ChangeLog 2010-03-29 22:02:56.000000000 +1200
@@ -1,3 +1,11 @@
+Changes to squid-3.1.1 (29 Mar 2010):
+
+ - Bug 2873: undefined symbol
+ - Bug 2827: assertion in authentication
+ - Remove ufsdump binary from default builds
+ - Remove pinger from default startups
+ - ... and several documentation updates.
+
Changes to squid-3.1.0.18 (14 Mar 2010):
- Regression Fix: IPv4-mapped prefix, broken in 3.1.0.16
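Review bot: The added entry "Remove pinger from default startups" in the 3.1.1 block understates a default change: the cf.data.pre hunk of this same patch flips pinger_enable from DEFAULT: on to DEFAULT: off. Name the directive in the entry so that operators who build with ICMP support and rely on the default can see they now have to set it explicitly. "Bug 2873: undefined symbol" would also be easier to search for if it named the symbol.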
diff -u -r -N squid-3.1.0.18/configure squid-3.1.1/configure
--- squid-3.1.0.18/configure 2010-03-14 20:06:46.000000000 +1300
+++ squid-3.1.1/configure 2010-03-29 22:03:35.000000000 +1200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.in Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.1.0.18.
+# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.1.1.
#
# Report bugs to
We welcome feedback and bug reports. If you find a new bug, please see +http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace and other required details. Additional information is also very welcome on other open bugs.
Although this release is deemed good enough for use in many setups, please note the existence of -open bugs against Squid-3.1.
+open bugs against Squid-3.1. + +Some issues to note as currently known in this release which are not able to be fixed in this 3.1 series are:
++
Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are:
++
Begining with 3.1 the Squid Developers are trialling a new release numbering system.
+Begining with 3.1 the Squid Developers are using a new release numbering system.
We have decided, based on input from interested users to drop the Squid-2 terminology of (DEVEL, PRE, RC, and STABLE) from the release package names. @@ -162,19 +181,24 @@
squid.conf has undergone a facelift.
Don't worry, few operational changes have been made. -Older configs from are still expected to run in 3.1 with only the usual minor +Older configs from Squdi 2.x and 3.0 are still expected to run in 3.1 with only the usual minor changes seen between major release. Details on those are listed below.
-New users will be relieved to see a short 32-line or less squid.conf on clean installs. +
New users will be relieved to see a very short squid.conf on clean installs. Many of the options have reasonable defaults but had previously needed them explicitly configured! These are now proper built-in defaults and no longer need to be in squid.conf unless changed.
All of the option documentation has been offloaded to another file squid.conf.documented which -contains a fully documented set of options previously cluttering up squid.conf itself.
+contains a fully documented set of available options previously cluttering up squid.conf itself.Package maintainers are provided with a second file squid.conf.default which as always contains the default config options provided on a clean install.
+We are also providing online copies of configuration documentation. +Updated live to match the latest release of each Squid series, and a combined global version. +This is available on +the Squid website
+Pinger has been upgraded to perform both ICMP and ICMPv6 as required. As a result of this and due to a change in the binary protocol format between them, -new builds of squid are no longer backwards-compatible with old pinger binaries. -You will need to perform "make install-pinger" again after installing squid.
+new builds of Squid are no longer backwards-compatible with old pinger binaries. +You will need to perform "make install-pinger" again after installing Squid.Peer and Client SNMP tables have been altered to handle IPv6 addresses. As a side effect of this the long-missing fix to show seperate named peers on one IP has been integrated. Making the SNMP peer table now produce correct output. The table structure change is identical for both IPv4-only and Dual modes but with IPv4-only simply not including any IPv6 entries. This means any third-party SNMP -software which hard coded the MIB paths needs to be upgraded for this Squid release.
- +software which hard coded the MIB paths needs to be upgraded for this Squid release. +Details can be found in the wiki +SNMP feature page.In this release there is no split-stack support. This means that OS which do not provide +IP stacks based on the KAME stack with Hybrid extensions to do IPv4-mapping cannot use IPv6 +with Squid.
+Specify a specific tcp_outgoing_address and the clients who match its ACL are limited to the IPv4 or IPv6 network that address belongs to. They are not permitted over the IPv4-IPv6 boundary. Some ACL voodoo can however be applied to explicitly route the @@ -213,8 +242,8 @@
WCCP is not available (neither version 1 or 2). It remains built into squid for use with IPv4 traffic but IPv6 cannot use it.
-Transparent Interception is done via NAT at the OS level and is not available in IPv6. -Squid will ensure that any port set with transparent, intercept, or tproxy options be an IPv4-only +
Pseudo-Transparent Interception is done via NAT at the OS level and is not available in IPv6. +Squid will ensure that any port set with transparent or intercept options be an IPv4-only listening address. Wildcard can still be used but will not open as an IPv6. To ensure that squid can accept IPv6 traffic on its default port, an alternative should be chosen to handle transparently intercepted traffic. @@ -224,6 +253,11 @@
+Real transparent Interception (TPROXY) may be able to perform IPv6 interception. +However this currently still needs kernel patching with experimental patches to enable IPv6. +Squid will attempt to discover support on startup and may permit or deny IPv6 wildcard for +tproxy flagged ports depending on your system.
+The bundled NTLM Auth helper is IPv4-native between itself and the NTLM server. A new one will be needed for IPv6 traffic between the helper and server.
@@ -245,7 +279,7 @@For best coverage of languages, using the latest language pack of error files is recommended. Updates can be downloaded from -www.squid-cache.org/Versions/langpack/
+www.squid-cache.org/Versions/langpack/The squid developers are interested in making squid available in a wide variety of languages. Contribution of new languages is encouraged.
@@ -296,9 +330,9 @@Squid 3.1 needs to be configured with --enable-zph-qos for the ZPH QoS controls to be available.
+Squid 3.1 needs to be configured with --enable-zph-qos for the ZPH QoS controls to be available.
-The configuration options for 2.7 and 3.1 are based on different ZPH patches. +
The configuration options for Squid 2.7 and 3.1 are based on different ZPH patches. The two releases configuration differs and only the TOS mode settings are directly translatable.
The lines above are spearated for documentation. qos_flows may be configured with all options on one line, or separated as shown. +
The lines above are separated for documentation. qos_flows may be configured with all options on one line, or separated as shown. Also options may be repeated as many times as desired. Only the final configured value for any option will be used.
The legacy Option and Priority modes available in Squid-2.7 are no longer supported.
@@ -320,10 +354,15 @@Details in The Squid wiki
-Squid-in-the-middle decryption and encryption of straight CONNECT and transparently redirected SSL traffic, +
Squid-in-the-middle decryption and encryption of CONNECT tunneled SSL traffic, using configurable client- and server-side certificates. While decrypted, the traffic can be inspected using ICAP.
+Squid 3.1 releases limit SSL Bump to CONNECT requests and requires that clients are +configured to explicitly use the proxy in their browser settings or via WPAD/PAC +configuration. Use of interception for port 443 is not officially supported, despite +being known to work under certain limited networking circumstances.
+Details in The Squid wiki
+eCAP provides a way to integrate CAP modules directly into Squid without the need for +a c-icap server wrapper. This enables faster processing.
+ +Currently known and available eCAP modules are listed in the wiki feature page on eCAP.
+ +Squid-3.1 adds native support for streaming protocol ICY.
+Squid-3.1 adds native support for streaming protocol ICY. +Also commonly known as SHOUTcast multimedia streams.
This protocol uses port 80 and violates RFC 2616 by using an HTTP/1.1 compliant request and non-HTTP reply to start the stream transaction. If the reply is handled according to HTTP/1.1 RFC-compliance requirements @@ -409,7 +456,7 @@
Squid-2 contained a hack using the update_http0.9 squid.conf option to work around the unusual replies. This option is now obsolete.
-The proto ACL type matches ICY once the reply has been received, before that the processing +
The proto ACL type matches ICY once the reply has been received, before that the processing is only aware on an HTTP request. So the ACL will match HTTP.
@@ -965,7 +1012,7 @@Control whether the pinger is active at run-time. Enables turning ICMP pinger on and off with a simple squid -k reconfigure. - default is on when --enable-icmp is compiled in. + default is off when --enable-icmp is compiled in.@@ -1423,6 +1470,8 @@ is never forced or permitted out the IPv4 interface. acl to_ipv6 dst ipv6 + http_access allow to_ipv6 !all + tcp_outgoing_address 2002::c001 good_service_net to_ipv6 tcp_outgoing_address 10.0.0.2 good_service_net !to_ipv6 @@ -1524,7 +1573,7 @@
Build without support for loadable modules.
Build Squid without advanced compiler error checking. +
Build Squid without advanced compiler error checking (without the -Werror option). This only affects the building process, enabling it to complete despite some possibly serious issues. Please do not use lightly, and please report the build issues which make it needed @@ -1533,8 +1582,10 @@
Prevent Squid generating localized error page templates and manuals. Which is usually tried, but may not be needed.
-This is a development optimization for building from VCS when localization is -not needed. Has no effect on pre-translated source bundles.
+This is an optimization for building fast when localization is not needed +or localization tools are not available.
+A copy of the latest translated files can instead be downloaded from +http://www.squid-cache.org/Versions/langpack/
Enable CNAME recursion within the Internal DNS resolver stub squid uses. @@ -1589,7 +1640,8 @@
Older REDIRECT and DNAT targets work as before on HTTP ports marked 'intercept'.
Deprecated. Remains only to support old TPROXY version 2.2 installations.
+Deprecated. Remains only to support old TPROXY version 2.2 installations. +Scheduled for complete removal in Squid 3.2
Helper previously built by SMB is now built by smb_lm. @@ -1597,7 +1649,8 @@
Better support for Linux using the external DNS helper. -The helper will now compile and work with dns_nameservers on more variants of Linux than previously.
+The helper will now compile and work with dns_nameservers on more variants of Linux than previously. +It is still deprecated however and use of this option should be avoided as much as possible.Deprecated. POSIX AIO is now auto-detected and enabled. @@ -1638,6 +1691,9 @@
blankpassword option for basic scheme removed.
+http11 Obsolete.
+Format tag %{Header} replaced by %>{Header}
Format tag %{Header:member} replaced by %>{Header:member}
@@ -1661,6 +1717,9 @@Replaced by url_rewrite_bypass
+Obsolete.
+Obsolete. ICY protocol streaming support added natively.
@@ -1787,7 +1846,6 @@idle= not yet ported from 2.7
-http11 not yet ported from 2.7
monitorinterval= not yet ported from 2.6
monitorsize= not yet ported from 2.6
monitortimeout= not yet ported from 2.6
@@ -1830,7 +1888,7 @@Not yet ported from 2.6
Not yet ported from 2.7
+Not yet ported from 2.7.
%oa tag not yet ported from 2.7
@@ -1851,9 +1909,6 @@Not yet ported from 2.7
-Not yet ported from 2.7
-Not yet ported from 2.7
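Review bot: Typo in an added release-notes line of the -162,19 hunk: "+Older configs from Squdi 2.x and 3.0" should read "Squid 2.x and 3.0". The numbering-system sentence rewritten just before that hunk ("trialling" to "using") keeps the misspelling "Begining"; correct it to "Beginning" while the line is being touched.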
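Review bot: The added "http_access allow to_ipv6 !all" line in the -1423,6 release-notes hunk can never allow a request, because "!all" matches nothing, yet it appears next to the tcp_outgoing_address lines with no explanation. Add a sentence saying why the line is needed; as written, an administrator is likely to delete it as dead configuration or misread it as an allow rule for IPv6 destinations.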
diff -u -r -N squid-3.1.0.18/src/acl/FilledChecklist.cc squid-3.1.1/src/acl/FilledChecklist.cc --- squid-3.1.0.18/src/acl/FilledChecklist.cc 2010-03-14 20:06:08.000000000 +1300 +++ squid-3.1.1/src/acl/FilledChecklist.cc 2010-03-29 22:02:56.000000000 +1200 @@ -86,15 +86,18 @@ if (auth_user_request) { /* the filled_checklist lock */ AUTHUSERREQUESTUNLOCK(auth_user_request, "ACLFilledChecklist"); + /* it might have been connection based */ - assert(conn() != NULL); /* * DPW 2007-05-08 * yuck, this make me uncomfortable. why do this here? * ConnStateData will do its own unlocking. */ - AUTHUSERREQUESTUNLOCK(conn()->auth_user_request, "conn via ACLFilledChecklist"); - conn()->auth_type = AUTH_BROKEN; + /* BUG 2827: the connection may also not exist. ie fast ACL tests vs client disconnection. */ + if (conn()) { + AUTHUSERREQUESTUNLOCK(conn()->auth_user_request, "conn via ACLFilledChecklist"); + conn()->auth_type = AUTH_BROKEN; + } } ACLChecklist::checkCallback(answer); // may delete us diff -u -r -N squid-3.1.0.18/src/cf.data.pre squid-3.1.1/src/cf.data.pre --- squid-3.1.0.18/src/cf.data.pre 2010-03-14 20:06:08.000000000 +1300 +++ squid-3.1.1/src/cf.data.pre 2010-03-29 22:02:56.000000000 +1200 @@ -1521,6 +1521,19 @@ TYPE: string DOC_START SSL engine options to use when proxying https:// URLs + + The most important being: + + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE + Always create a new key when using + temporary/ephemeral DH key exchanges + + These options vary depending on your SSL engine. + See the OpenSSL SSL_CTX_set_options documentation for a + complete list of possible options. DOC_END NAME: sslproxy_cipher @@ -1530,6 +1543,8 @@ TYPE: string DOC_START SSL cipher list to use when proxying https:// URLs + + Colon separated list of supported ciphers. DOC_END NAME: sslproxy_cafile 
@@ -3074,7 +3089,7 @@ NAME: pinger_enable TYPE: onoff -DEFAULT: on +DEFAULT: off LOC: Config.pinger.enable IFDEF: USE_ICMP DOC_START diff -u -r -N squid-3.1.0.18/src/Makefile.am squid-3.1.1/src/Makefile.am --- squid-3.1.0.18/src/Makefile.am 2010-03-14 20:06:08.000000000 +1300 +++ squid-3.1.1/src/Makefile.am 2010-03-29 22:02:56.000000000 +1200 @@ -172,14 +172,14 @@ recv-announce \ tests/testUfs \ tests/testCoss \ - tests/testNull + tests/testNull \ + ufsdump ## cfgen is used when building squid ## ufsdump is a debug utility, it is possibly useful for end users with cache ## corruption, but at this point we do not install it. noinst_PROGRAMS = \ - cf_gen \ - ufsdump + cf_gen sbin_PROGRAMS = \ squid diff -u -r -N squid-3.1.0.18/src/Makefile.in squid-3.1.1/src/Makefile.in --- squid-3.1.0.18/src/Makefile.in 2010-03-14 20:06:29.000000000 +1300 +++ squid-3.1.1/src/Makefile.in 2010-03-29 22:03:18.000000000 +1200 @@ -57,8 +57,8 @@ EXTRA_PROGRAMS = DiskIO/DiskDaemon/diskd$(EXEEXT) unlinkd$(EXEEXT) \ dnsserver$(EXEEXT) recv-announce$(EXEEXT) \ tests/testUfs$(EXEEXT) tests/testCoss$(EXEEXT) \ - tests/testNull$(EXEEXT) -noinst_PROGRAMS = cf_gen$(EXEEXT) ufsdump$(EXEEXT) + tests/testNull$(EXEEXT) ufsdump$(EXEEXT) +noinst_PROGRAMS = cf_gen$(EXEEXT) sbin_PROGRAMS = squid$(EXEEXT) bin_PROGRAMS = libexec_PROGRAMS = $(am__EXEEXT_1) $(DISK_PROGRAMS) $(am__EXEEXT_2)
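Review bot: In the src/acl/FilledChecklist.cc hunk, replacing assert(conn() != NULL) with if (conn()) makes the missing-connection case silent. The new BUG 2827 comment says when it happens (fast ACL tests versus client disconnection), but nothing records that the branch was skipped; a debug-level message in an else branch would keep that path visible when authentication state is being diagnosed. The comment's "ie" should be "i.e.".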
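Review bot: The new sslproxy_options text in the -1521,6 cf.data.pre hunk lists NO_SSLv2, NO_SSLv3, NO_TLSv1 and SINGLE_DH_USE but never says how several options are combined in one value, while the sslproxy_cipher text added in the next hunk does state its separator ("Colon separated list"). State the separator for sslproxy_options too. "These options vary depending on your SSL engine" followed directly by a pointer to the OpenSSL SSL_CTX_set_options documentation also reads as contradictory; if the names map onto OpenSSL's options, say so.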
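Review bot: Changing pinger_enable to DEFAULT: off in the -3074,7 cf.data.pre hunk alters behaviour for every existing USE_ICMP build whose squid.conf omits the directive: after the upgrade the pinger is no longer active. The visible part of the hunk changes only the DEFAULT line, and the release-notes hunk only swaps "default is on" for "default is off"; add an upgrade note telling such installations to set "pinger_enable on" if they want the previous behaviour.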
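Review bot: The comment kept as context in the src/Makefile.am hunk ("ufsdump is a debug utility ... at this point we do not install it") still sits above noinst_PROGRAMS, which no longer lists ufsdump. After this change ufsdump belongs to the optional list (EXTRA_PROGRAMS in the regenerated Makefile.in) and is not part of the default build at all; update the comment to say that and move it next to the list that now carries ufsdump.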