Unless otherwise indicated in the patch description, these fixes are
included in the current nightly Squid-2.5 snapshots and are scheduled to
be included in the next Squid-2.5.STABLE release.
Note to binary package maintainers: Patches to the current STABLE release
represent work in progress and have not yet undergone full quality checks.
The developer team reserves the right to update these at any time to fix
problems found during quality checking. For this reason package maintainers
are discouraged from using such patches, and should only use this page to backport
changes from published releases to earlier releases if your QA policy does
not allow upgrading your package to the current STABLE release. If there
are any questions regarding this policy please contact
squid-dev@squid-cache.org.
These issues have been identified as important to be fixed for the next Squid-2.5 version, listed in priority order.
1500 diskd related memory corruption under heavy load
See also Open bug reports pending to be fixed in Squid-2.5
This is a list of shortcomings known to exist in Squid-2.5. At this stage there are no plans for addressing these in Squid-2.5. Some may be addressed in the Squid-3.0 release.
- Bug #1059 mime.conf and referenced icons must be within chroot
- Bug #692 tcp_outgoing_address using an ident ACL does not work
- Bug #581 acl max_user_ip and multiple authentication schemes
- Bug #528 miss_access fails on slow acl types such as dst
- Bug #513 squid -F is starting server sockets too early
- Bug #457 does not handle swap.state corruption properly
- Bug #410 unstable if runs out of disk space
- Bug #355 diskd may appear slow on low loads
- Bug #219 delay_pools stops working on -k reconfigure
See also Open bug reports for Squid-2.5
Patches released after the 2.5.STABLE14 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
The patch for Bug #1504 forgot to account for persistent connections,
causing NONE/- to be logged in the hierarchy field when using a persistent
peer connection.
A workaround is to set "server_persistent_connections off"
severity
Cosmetic
date
2006-06-21 12:25
versions
squid-2.5.STABLE13 and later
synopsis
assertion failed: HttpReply.c:105: "rep"
The patch for Bug #1511 "Some 206 responses logged incorrectly" was slightly
broken and could cause the above assert.
severity
Major
date
2006-06-02 22:00
versions
squid-2.5.STABLE13 and later
Patches released after the 2.5.STABLE13 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
On some systems POSIX AIO functions are in libaio
severity
Minor
date
2006-05-12 19:35
versions
squid-2.5.STABLE13 and earlier
synopsis
Memory leak in header processing related to external_acl or custom log formats
severity
Medium
date
2006-05-12 16:17
versions
squid-2.5.STABLE13 and earlier
synopsis
memory leak in ident processing
severity
Major
date
2006-05-12 16:00
versions
squid-2.5.STABLE13 and earlier
synopsis
Memleak in HTCP client code
severity
Medium
date
2006-05-12 15:58
versions
squid-2.5.STABLE13 and earlier
synopsis
Mime icons are not displayed when viewing ftp sites when
visible_hostname is a short hostname (without domain).
severity
Minor
date
2006-05-12 15:57
versions
squid-2.5.STABLE13 and earlier
synopsis
SQUIDHOSTNAMELEN issues
cosmetic cleanup to get rid of remaining SQUIDHOSTNAMELEN magics which
may cause issues for very long hostnames.
severity
Cosmetic
date
2006-05-12 15:54
versions
squid-2.5.STABLE13 and earlier
synopsis
Current release is STABLE13, not 12..
severity
Cosmetic
date
2006-04-28 10:09
versions
squid-2.5.STABLE13
Patches released after the 2.5.STABLE12 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
connstate memory leak on certain failed requests
severity
Major
date
2006-03-10 23:17
versions
Squid-2.5 and earlier
platforms
All
synopsis
Cleanup of stateful helpers statistics (NTLM auth) to match
the statistics provided for stateless helpers (basic auth etc)
severity
Cosmetic
date
2006-03-10 23:17
versions
Squid-2.5
platforms
All
synopsis
The error message returned when DNS lookup of a peer name fails
seemed to indicate it was the requested host name which could not
be found when it was the peer which could not be found.
severity
Cosmetic
date
2006-03-10 23:17
versions
Squid-2.5 and earlier
platforms
All
synopsis
Error pages translated into Azerbaijani
severity
Cosmetic
date
2006-03-10 23:17
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid fails to process requests for very long host names.
severity
Minor
date
2006-03-10 23:17
versions
Squid-2.5 and earlier
platforms
All
synopsis
Adds back the logging of duplicate IP usage in the max_user_ip acl.
severity
Cosmetic
date
2006-03-10 23:17
versions
Squid-2.5
platforms
All
synopsis
Failed to properly parse FTP file or directory names with
" -> " in their name
severity
Cosmetic
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
workaround
Open the directory as a "plain" directory by adding ;type=d after
the URL.
synopsis
A harmless typo in ftp.c could cause the ftp directory parser to
incorrectly think it successfully parsed certain "odd" lines not
automatically enabling the "plain directory" option link.
severity
Cosmetic
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
workaround
Manually add ;type=d after the URL if encountering an FTP server
where this problem is seen. The Squid developers do not know
of any FTP server giving out directory listings which would trigger
this.
synopsis
- New GCC triggering on a few minor things related to variable aliasing
- New OpenLDAP deprecated the common LDAP C-API simple bind functions
severity
Minor
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid hangs at 100% CPU while starting helpers if /dev/null
can not be opened (non-existing or bad permissions).
severity
Cosmetic
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure /dev/null exists and is world read/writeable.
synopsis
The patch adds a new persistent_connection_after_error directive
enabling/disabling the use of persistent connections after error. If set to off
then it behaves very close to Squid-2.4 even if you have persistent connections
enabled.
severity
Cosmetic
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
synopsis
Delay pools assigned too much traffic credit after "squid -k
reconfigure" (first time double the amount, second time three times
the amount etc..)
severity
Medium
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
workaround
Restart Squid instead of using "-k reconfigure", or don't allow for
any bandwidth credit in your delay pools.
synopsis
FTP uploads fail if the upload takes longer than read_timeout
to complete.
severity
Medium
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
workaround
Set read_timeout high, but be warned that this combined with
"half_closed_clients on" (default) may cause severe filedescriptor
shortage.
synopsis
Some clients are capable of using NTLM authentication even if they
do not negotiate persistent connections on the initial request.
severity
Minor
date
2006-02-26 00:06
versions
Squid-2.5.STABLE12
platforms
All
workaround
Allow basic authentication to be used by these clients
synopsis
Ident access lists don't work in delay_access statements
severity
Minor
date
2006-02-26 00:06
versions
Squid-2.5 and earlier
platforms
All
synopsis
Segmentation fault on empty proxy_auth ACLs
severity
Cosmetic
date
2006-02-26 00:06
versions
Squid-2.5.STABLE8 to 2.5.STABLE12
platforms
All
workaround
Make sure your configuration is correct with no empty
proxy_auth ACLs defined.
synopsis
Range processing still failed on objects>2GB. This could be triggered
either by range_offset_limit, or by enabling caching of such large
objects.
severity
Minor
date
2006-03-04 03:30
versions
Squid-2.5 and earlier
platforms
All
workaround
range_offset_limit 0 KB (default), maximum_object_size below 2 GB (default 4096 KB which is safe).
synopsis
This patch adds an HttpReply *reply member to clientHttpRequest. This
reply will be used to generate the client-side reply header and will
stay in memory until the end of the transaction so the correct status
code may be logged.
severity
Minor
date
2006-03-04 03:07
versions
Squid-2.5 and earlier
platforms
All
synopsis
On 64 bit Irix systems the declaration of timezone is different
from 32 bit and the build fails.
severity
Minor
date
2006-01-22 17:28
versions
Squid-2.5 and earlier
platforms
SGI Irix (64 bit systems only)
workaround
Manually remove the 'timezone' declaration from lib/rfc1123.c.
synopsis
A minor error in the patch to allow coredumps on linux. Not
harmful today, but maybe in future if these unused arguments
are used for something..
severity
Cosmetic
date
2006-01-15 01:23
versions
Squid-2.5.STABLE11
platforms
All
synopsis
When accessing Async IO Function Counters from the Cachemgr interface, if aufs
is not in use, Squid could segfault.
This happens only when Squid is built with aufs and aufs's number of threads is
set with the --enable-async-io configure option.
severity
Minor
date
2005-12-26 16:41
versions
Squid-2.5 and earlier
platforms
All
workaround
Specify during configure only the store FS that will be used.
synopsis
wbinfo -n output was changed in Samba 3.0.21, adding a SID description after the
SID value:
giove:~# wbinfo -n Staff
S-1-5-21-682003330-854245398-1708537768-1123 Domain Group (2)
So a little change in the wbinfo_group.pl parsing is needed.
severity
Minor
date
2005-12-24 11:02
versions
Squid-2.5 and earlier
platforms
All
workaround
None.
synopsis
The SMB NTLM authentication helper doesn't work as expected when
using the --enable-ntlm-fail-open configure option because
credentials are not fetched correctly (username is missing).
This problem is triggered only when using the --enable-ntlm-fail-open configure
option and the helper was not able to validate the user.
severity
Minor
date
2005-12-11 10:52
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use the --enable-ntlm-fail-open configure option.
synopsis
Added WebDAV REPORT method to known HTTP methods list
severity
Cosmetic
date
2006-02-26 14:47
versions
Squid-2.5 and earlier
platforms
All
workaround
extension_methods REPORT
synopsis
Squid-2.5.STABLE12 assumes the OS provides a setenv() function,
causing compilation to fail on platforms not providing such function.
severity
Minor
date
2005-10-26 20:31
versions
Squid-2.5.STABLE12
platforms
Solaris and other platforms not having a setenv() function
workaround
Back out squid-2.5.STABLE11-HOME-2.patch
Patches released after the 2.5.STABLE11 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
The individual pools for network 255 in a class 3 pool were handled
wrongly, causing clients with ip X.X.255.X to hang after downloading
a few bytes.
severity
Minor
date
2005-10-20 17:42
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't assign clients in network 255 to a class 3 pool. Use a class 2 pool
for this network alone.
synopsis
In certain odd FTP server responses Squid may crash with a segmentation
fault in rfc1738_do_escape.
severity
Major
date
2005-10-18 15:48
versions
Squid-2.5.STABLE11
platforms
All
workaround
deny access to the ftp protocol via the proxy
synopsis
In certain situations involving cache refreshes of 302 responses
Set-Cookie headers may be lost.
severity
Minor
date
2005-10-18 15:47
versions
Squid-2.5.STABLE9 to 2.5.STABLE11
platforms
All
workaround
Use the no_cache directive to deny the cache to be used on the affected
URLs (if identified).
synopsis
If a redirector attempted to return a 302 redirect in response
to a CONNECT method Squid responded with an error.
severity
Minor
date
2005-10-18 15:47
versions
Squid-2.5 and earlier
platforms
All
synopsis
Due to a long standing misunderstanding of HEAD requests it
has not been possible to revalidate the cache on a HEAD request. Since
2.5.STABLE7 this has had the side effect that the cache hit ratio
for applications using HEAD has been very low.
severity
Minor
date
2005-10-18 15:47
versions
Squid-2.5 and earlier, made more visible in 2.5.STABLE7 and later
platforms
All
synopsis
netdb exchange failure when peering with a 2.5.STABLE11 configured as
a transparently intercepting proxy
severity
Minor
date
2005-10-18 15:47
versions
Squid-2.5.STABLE11
platforms
All
workaround
Set the first http_port to 80 (same as httpd_accel_port).
synopsis
The wrong TTL was selected on certain CNAME based DNS responses
such as used in certain load balancing methods etc.
severity
Minor
date
2005-09-28 21:52
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't set dns_positive_ttl too high. This directive puts an upper
bound on the DNS cache time to live compensating for this error.
synopsis
configure accepts a number of parameters as input in environment
variables and setting CACHE_HTTP_PORT is meant to define the default
port where Squid listens. This was however only half-way implemented.
severity
Cosmetic
date
2005-09-28 21:16
versions
Squid-2.5 and earlier
platforms
All
workaround
edit the http_port section in src/cf.data.pre in addition to defining
CACHE_HTTP_PORT.
synopsis
Persistent connections did not work properly in accelerator mode using
httpd_accel_single_host, causing a lot of connections to build up to
the backend web server.
severity
Minor
date
2005-09-28 21:07
versions
Squid-2.5 and earlier(?)
platforms
All
workaround
server_persistent_connections off, or disable persistent connection support
on the web server.
synopsis
The environment variable $HOME is not set properly when Squid is
started as root, causing problems for some helpers to find their
configuration details. For example LDAP helpers finding their .ldaprc
configuration data.
This patch sets $HOME to the home of cache_effective_user.
severity
Cosmetic
date
2005-09-28 21:42
versions
Squid-2.5 and earlier
platforms
All
workaround
Set $HOME appropriately when starting Squid, or wrap the helper
needing this in a small script setting $HOME.
synopsis
This patch adds some additional tracing to squid_ldap_auth hopefully
making it easier to isolate squid_ldap_auth configuration errors.
The patch also corrects a small but important error in one of the
examples in how to connect to Microsoft Active Directory.
severity
Cosmetic
date
2005-09-28 21:07
versions
Squid-2.5 and earlier
platforms
All
workaround
None needed
synopsis
The tcp_outgoing_address and tcp_outgoing_tos directives are evaluated
when a new outgoing connection is set up and not changed if the same
connection is later reused for a completely different request.
This patch clarifies this limitation.
severity
Cosmetic
date
2005-09-28 21:07
versions
Squid-2.5 and earlier
platforms
All
workaround
Set server_persistent_connections off when using these directives to set
the outgoing address/tos depending on the requesting client or similar.
synopsis
A small but critical error has been found in the patch for Bug #500
causing responses to get truncated when using delay pools.
severity
Major
date
2005-09-27 22:29
versions
Squid-2.5.STABLE11 only
platforms
All
workaround
Disable the use of delay pools
Patches released after the 2.5.STABLE10 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
New configure option to make life easier for people needing to
build a binary supporting a higher number of filedescriptors
than the user they build Squid as is allowed to open.
severity
Cosmetic
date
2005-09-19 15:50
versions
Squid-2.5 and earlier
platforms
All
workaround
Squid FAQ 11.4 Running out of filedescriptors
synopsis
Instead of always being false the dst acl match was using the
address 255.255.255.255 if no IP could be found for the requested
host. Apart from being slightly odd and unexpected this made it
hard to differentiate unknown hosts from badly registered hosts.
severity
Minor
date
2005-09-16 21:58
versions
Squid-2.5 and earlier
platforms
All
workaround
none needed
synopsis
pipeline_prefetch is incompatible with NTLM authentication, but Squid
failed to detect this if pipeline_prefetch was set after the auth_param
ntlm directive.
severity
Cosmetic
date
2005-09-16 21:49
versions
Squid-2.5
platforms
All
workaround
Leave pipeline_prefetch at its default "off" setting
synopsis
Squid may crash with the above error when given certain request sequences.
severity
Major
date
2005-09-16 11:10
versions
Squid-2.5
platforms
All
workaround
Disable ntlm authentication
synopsis
If Squid is configured with "pipeline_prefetch on" then odd results
and instability may be seen on pipelined CONNECT requests.
severity
Medium
date
2005-09-15 09:56
versions
Squid-2.5 and earlier
platforms
All
workaround
"pipeline_prefetch off" in squid.conf. (the default setting).
synopsis
On NetBSD and maybe others, when using Ipfilter 4.x, opening of the NAT device fails.
On Solaris the following message can appear in cache.log:
parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument
This patch adds the usage of ipfobj structure for IP Filter 4.0alpha27 and later.
severity
Minor
date
2005-09-13 03:22
versions
Squid-2.5 and earlier
platforms
NetBSD, Solaris and maybe others
synopsis
Clients may bypass delay pool settings by carefully constructing
the request making it look like a cache hit.
severity
Medium
date
2005-09-11 01:53
versions
Squid-2.5 and earlier
platforms
All
synopsis
Linux and other operating systems by default prevent saving of
core dumps on fatal application errors if the application has
changed user ID since it was started.
severity
Cosmetic
date
2005-09-16 21:16
versions
Squid-2.5 and earlier
platforms
Linux (maybe others)
workaround
Start Squid as your cache_effective_user
synopsis
The header_id enum was misused assuming compilers would compile
the type equivalent to a signed integer, while the enum was only
defined with positive values allowing compilers to select an
unsigned integer data type to store the enum.
severity
Cosmetic
date
2005-09-11 01:21
versions
Squid-2.5 and earlier
platforms
Some compilers on some platforms
synopsis
Incorrect store dir selection debug message on objects>2G
severity
Cosmetic
date
2005-09-11 01:21
versions
Squid-2.5.STABLE10 (earlier versions could not handle such large objects at all)
platforms
All
synopsis
Due to a logic error in squid-2.5.STABLE9-LDAP_SUN_SDK.patch
TLS could not be activated when using the OpenLDAP SDK.
severity
Minor
date
2005-09-11 00:57
versions
Squid-2.5.STABLE10
platforms
All
synopsis
The e-mail sent when the cache dies uses the Squid internal appname "squid"
as its "From:" field.
This "From:" address is invalid for the majority of antispam filters because
it doesn't contain a valid domain name.
This patch adds the 'mail_from' directive to squid.conf, allowing the from
e-mail address to be specified, and changes the default to use 'appname@unique_hostname'.
severity
Minor
date
2005-09-03 09:41
versions
Squid-2.5 and earlier
platforms
All
workaround
Define special rules in the antispam configuration.
synopsis
On Solaris Ipfilter include files use a SOLARIS2 define defined
only in the ipfilter makefile at ipfilter build time.
When building applications like Squid that use ipfilter include files, this
define must be defined according to the Solaris minor version:
On Solaris 8: #define SOLARIS2 8
On Solaris 10: #define SOLARIS2 10
Another minor problem is that getconf during configure removes the 'sun'
define used by ipfilter to recognize the Solaris platform.
severity
Minor
date
2005-09-13 02:59
versions
Squid-2.5 and earlier
platforms
Solaris Sparc and x86
workaround
Manually define SOLARIS2 before running configure.
synopsis
snmp cacheClientTable fails to return any information for "long" IP
addresses. Clients with IP xxx.xxx.xxx.xx or shorter work, but
xxx.xxx.xxx.xxx does not work.
severity
Minor
date
2005-09-01 22:57
versions
Squid-2.5 and earlier
platforms
All
synopsis
The -U option added earlier does not work entirely correctly
severity
Minor
date
2005-09-01 22:49
versions
Squid-2.5
platforms
All
synopsis
Squid crashes with the above assertion failure in certain conditions
involving aborted requests.
severity
Major
date
2005-09-01 22:44
versions
Squid-2.5 and earlier
platforms
All
synopsis
Greek translation of the Squid error messages, kindly provided by
George Papamichelakis.
severity
Cosmetic
date
2005-09-01 22:39
versions
Squid-2.5 and earlier
platforms
All
synopsis
Some odd FTP servers mistakenly respond with a 250 code where 226
is expected, making Squid mistakenly think something went wrong with
the transfer
severity
Minor
date
2005-09-01 22:31
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid fails to compile if glibc -D_FORTIFY_SOURCE=2 is used (used by
Fedora Core 4 and others). This is due to the way -D_FORTIFY_SOURCE=2
is implemented in the glibc headers, redefining vprintf and a number
of other functions as preprocessor macros, causing problems for
applications like Squid reusing the same name as structure members.
severity
Cosmetic
date
2005-09-01 22:26
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use -D_FORTIFY_SOURCE=2
synopsis
In certain error conditions on requests forwarded to a peer proxy the
URL in the error message could look a bit strange (NONE://10.72.43.56:8181http://www.abcd.com/)
and a number of inconsistencies in what %xx error page components may be used where
severity
Cosmetic
date
2005-09-01 22:18
versions
Squid-2.5 and earlier
platforms
All
synopsis
Issues with reading mime.conf and a few other files when using chroot_dir
and issuing a "squid -k reconfigure".
severity
Minor
date
2005-09-01 22:09
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure the chroot path exists within the chroot as well..
synopsis
One slightly oddly done sanity check in Squid may trigger compiler bugs
on certain platforms.
severity
Medium
date
2005-09-01 21:56
versions
Squid-2.5 and earlier
platforms
Some (compiler dependent)
workaround
Probably works fine if optimizations are disabled
synopsis
After certain slightly odd requests Squid crashes with a segmentation
fault in sslConnectTimeout
severity
Major
date
2005-09-01 20:27
versions
Squid-2.5
platforms
All
synopsis
Workaround needed to allow the build of both ipfilter and ARP acl
support on Solaris x86.
Some defines, like
#define free +
are used in squid.h to block misuse of standard malloc routines
where the Squid versions should be used. This pollutes the C/C++
token namespace crashing any structures or classes having members
of the same names.
severity
Minor
date
2005-08-19 09:31
versions
Squid-2.5 and earlier
platforms
Solaris x86 and maybe Solaris Sparc
synopsis
This patch adds a new 'mail_program' configuration option in squid.conf.
This option allows specifying the mailer program name that Squid will use to
send fatal reports by mail and related command line options.
severity
Cosmetic
date
2005-08-14 17:05
versions
Squid-2.5 and earlier
platforms
All
synopsis
The new --with-build-environment=... configure option added in
STABLE10 doesn't work other than in the "default" case.
severity
Cosmetic
date
2005-07-11 00:46
versions
Squid-2.5.STABLE10
platforms
All
workaround
Specify the needed CFLAGS etc as environment variables when
running configure.
synopsis
This patch allows wb_ntlm_auth to run more silently:
- Don't try to open /dev/urandom if it's not available.
- Changed the level of the "target domain" message from warn to debug.
severity
Cosmetic
date
2005-07-09 08:58
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch fixes many warnings during build on HP Tru64 Unix:
- assert() must test logical expressions, not pointers
- STATUS define conflict in parse.c (snmplib)
- Warnings in winbind, winbind_group, SMB, fakeauth and MSNT helpers
- Warnings in net_db.c
severity
Cosmetic
date
2005-07-03 08:24
versions
Squid-2.5 and earlier
platforms
HP Tru64 and probably some other 64 bit platforms
synopsis
wbinfo_group.pl only looks into the first group specified, while
all other group helpers allow a list of groups to look for
severity
Minor
date
2005-06-29 20:36
versions
Squid-2.5
platforms
All
workaround
use one acl per group
synopsis
This patch changes the directory cleanup to use relative URLs rather
than BASE HREF when a directory is requested without trailing /
severity
Minor
date
2005-06-21 22:28
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure to end the ftp:// URL in / when requesting a directory
synopsis
The squid-2.5.STABLE8-html_high_chars patch was a little too aggressive
messing up URLs having characters which were intentionally encoded such
as / as used for the UNIX root directory.
severity
Cosmetic
date
2005-06-22 10:46
versions
Squid-2.5.STABLE9 and 10
platforms
All
synopsis
This quick patch fixes the SNMP GETNEXT search when given an OID outside
the Squid MIB. This allows proper integration of Squid into proxy SNMP
agents.
severity
Minor
date
2005-06-19 21:03
versions
Squid-2.5 and earlier
platforms
All
synopsis
Failed to detect if the type of an existing cache_dir was changed,
calling the parser function of the new type with the internal data of
the existing one..
This patch detects this and logs to cache.log (and the console) that a
restart is required.
severity
Minor
date
2005-06-19 09:39
versions
Squid-2.5 and earlier
platforms
All
workaround
Restart Squid whenever changing the type of an existing cache_dir.
synopsis
Due to an internal error httpd_accel_single_host was incompatible
with redirection.
severity
Minor
date
2005-06-13 22:55
versions
Squid-2.5 and earlier
platforms
All
synopsis
Abnormal crash if Squid was built with --enable-ipf-transparent
but access to the NAT device was denied.
severity
Minor
date
2005-06-30 08:49
versions
Squid-2.5.STABLE10
platforms
All
workaround
Properly configure your OS to grant Squid access to the NAT device
when using --enable-ipf-transparent
synopsis
Due to a slight confusion about paths when using the chroot directive
"squid -k" could fail to find the pid file.
severity
Minor
date
2005-06-27 21:24
versions
Squid-2.5.STABLE10
platforms
All
workaround
Use symlinks to make the pid file appear in the same location both
within and outside the chroot.
synopsis
The Date header on internal icons always showed the date when Squid
was started, causing slight cache problems for client and second-level
non-squid proxies.
severity
Minor
date
2005-06-09 08:01
versions
Squid-2.5 and earlier
platforms
All
workaround
None needed.
synopsis
Updated Spanish error messages with translation for the ERR_INVALID_RESP
page and numerous minor corrections in other pages.
severity
Cosmetic
date
2005-06-06 21:38
versions
Squid-2.5
platforms
All
synopsis
There are quite many web servers out there with broken banner engines
forgetting to delete the original content-length after adding the
banner. Currently these are (rightfully) rejected by Squid.
Instead of rejecting we could select the biggest content-length header
found and remove the other. This should fix up these replies while not
allowing for attacks.
severity
Cosmetic
date
2005-05-25 23:01
versions
Squid-2.5.STABLE8 to STABLE10
platforms
All
workaround
The proper fix to this problem is to work with the site operators to
have their web servers corrected.
Patches released after the 2.5.STABLE9 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
There have been a lot of questions about always_direct. This patch
tries to answer the most common questions on what always_direct does
and its relation to other directives.
severity
Cosmetic
date
2005-05-10 23:11
versions
Squid-2.5 and earlier
platforms
All
synopsis
A race window in the 2GB patch could make Squid abort with the above
assertion error
severity
Medium
date
2005-05-10 22:33
versions
Squid-2.5.STABLE9+2GB patch
platforms
All
synopsis
Malicious users may spoof DNS lookups if the DNS client UDP port
(random, assigned by OS at startup) is unfiltered and your network
is not protected from IP spoofing.
severity
Security issue
date
2005-05-10 22:24
versions
Squid-2.5 and earlier
platforms
All
workaround
Firewall your Squid server to not allow spoofed DNS responses
to reach the server.
synopsis
This patch extends the dstdomain and dstdom_regex acls to also
allow matching of numeric host names (IP addresses) in the requested
URLs.
severity
Minor
date
2005-05-09 01:51
versions
Squid-2.5 and earlier
platforms
All
workaround
In prior versions only url_regex could be used for matching these,
and then with rather complex patterns..
synopsis
Cosmetic improvements to arp ACL code:
- Fixed a build warning on FreeBSD
- Added documentation info in squid.conf
- Fixed dump format of arp ACL configuration in cachemgr
severity
Cosmetic
date
2005-05-08 14:01
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch corrects two minor issues in the SNMP agent. The first
ignored all but the first OID in GETNEXT/GETBULK requests. The second
is that Squid always responded with a SNMPv1 response even when the
request was a SNMPv2(c) request, causing the requestor to ignore the
response sent by Squid.
severity
Minor
date
2005-05-04 18:09
versions
Squid-2.5 and earlier
platforms
All
workaround
Use SNMPv1 and only request one OID at a time
synopsis
This patch aligns labels and expands OPS and SUCCESS fields of DISKD cachemgr stats
severity
Cosmetic
date
2005-05-01 10:58
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch corrects a problem with the squid-2.5.STABLE9-2GB patch
where the hot object cache showed a very poor hit ratio and also
sporadic aborts with assertion failed: store_swapin.c: e->mem_status == NOT_IN_MEMORY.
severity
Medium
date
2005-04-30 12:58
versions
Squid-2.5.STABLE9+2GB patch
platforms
All
synopsis
- Currently internal thread request counters are increased at every request, but they are not displayable in cachemgr. This patch adds thread request counters to the "Async IO Function Counters" cachemgr page.
- Usage of FD_READ_METHOD/FD_WRITE_METHOD instead of read()/write() in the async-io completion event for better portability.
severity
Cosmetic
date
2005-04-25 16:36
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch adds access controls to the cachemgr.cgi script, preventing
it from being abused to reach other servers than allowed in a local
configuration file.
severity
Minor Security
date
2005-04-26 04:30
versions
Squid-2.5 and earlier
platforms
All
workaround
Configure your web server to restrict which users may use
the cachemgr.cgi CGI program.
synopsis
The PID file check gets somewhat confused when chrooting, writing
the pid within the chroot but trying to read it before chrooting.
severity
Cosmetic
date
2005-04-22 20:48
versions
Squid-2.5 and earlier
platforms
All
workaround
Use symlinks to make sure the PID file can be read both within and
outside the chroot.
synopsis
This patch extends the helper protocols for Basic and Digest to provide
some basic information in error responses, and makes use of the error
response already included in the NTLM helper protocol, making these
messages available as %m in error pages. Can be used if desired to
indicate why a login failed. The exact messages returned are helper
dependent.
severity
Minor
date
2005-04-24 16:35
versions
Squid-2.5
platforms
All
synopsis
This patch corrects forwarding of unrecognized cache-control
directives in forwarded requests.
severity
Minor
date
2005-04-22 20:21
versions
Squid-2.5 and earlier
platforms
All
synopsis
The configuration parser sometimes misunderstood lines using the
DOS/Windows CRLF line terminator, causing the CR to be read as part
of the configured strings. This could be seen in auth_param realm
and a few other places.
severity
Cosmetic
date
2005-04-21 10:31
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure your squid.conf is in proper UNIX format with only NL as
line terminator.
synopsis
Unable to run "squid -k" when hostname cannot be determined
severity
Minor
date
2005-04-20 21:55
versions
Squid-2.5 and earlier
platforms
All
workaround
Set visible_hostname in squid.conf
synopsis
The logic for how Squid should reconstruct the requested URL when
running as a transparently intercepting proxy was a bit muddled and
failed in some cases if Squid was listening on a different port
than the intercepted traffic.
severity
Minor
date
2005-04-20 21:55
versions
Squid-2.5 and earlier
platforms
All
workaround
Use one http_port directive per intercepted port
synopsis
Some debug statements were missing newlines, causing cache.log debug
output to look somewhat odd.
severity
Cosmetic
date
2005-04-21 10:46
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch adds support for the %a code in error page templates,
expanding into the authenticated user name or - if the request
was not authenticated.
severity
Cosmetic
date
2005-04-20 21:36
versions
Squid-2.5 and earlier
platforms
All
synopsis
The syslog facility Squid logs as was hardcoded to "local4". This
patch changes it to the more appropriate "daemon", and adds a -l
command line option to specify the facility if another facility
is desired.
severity
Cosmetic
date
2005-04-26 04:42
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid normally has the logic that if a request was denied by an acl
requiring authentication then the user should be requested to provide
"better" login credentials. This patch extends this to also work on
external acls requiring authentication (%LOGIN).
severity
Cosmetic
date
2005-03-30 22:51
versions
Squid-2.5
platforms
All
workaround
You get the same effect by using a "proxy_auth REQUIRED" acl last on
the http_access deny line, after the external acl.
synopsis
This patch adds two new cachemgr actions to give access to two classes
of interesting ongoing objects:
pending_objects: Objects being retrieved from the network
client_objects : Objects being sent to clients
severity
Cosmetic
date
2005-03-29 09:52
versions
Squid-2.5 and earlier
platforms
All
synopsis
On Windows (both native and Cygwin ports) and OS/2 it is not possible to rename a file
over an existing one, so an unlink() is always needed before the rename operation.
Sometimes, after a Squid crash, the storeDirCloseTmpSwapLog() function family fails
because there is no target file to delete, causing a fatal error.
This patch moves the unlink() into xrename(), as in the native Windows port, and
removes all unlink() calls that are no longer needed.
severity
Minor
date
2005-03-26 23:53
versions
Squid-2.5 and earlier
platforms
OS/2, Cygwin and native Windows
synopsis
This rather intrusive patch makes Squid request forwarding 64-bit clean
on 32-bit platforms with support for long long, allowing Squid to process
requests for files larger than 2GB.
- squid_off_t type, defined to 64 bit in size when available. Used
everywhere where an object size is seen.
- cleaned up use of off_t / size_t / ssize_t.
- several invalid typecasts to int removed
- PRINTF_OFF_T macro for the proper printf format for squid_off_t
variables.
- --with-large-files option to enable large file support on UNIX
compatible platforms (writing of log files etc).
- --enable-large-cache-files option to enable caching of very large
files
severity
Medium
date
2005-04-20 14:59
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch addresses the warning on shutdown about two open
event related filedescriptors. It also contains
a microscopic performance enhancement by starting the I/O
threads early during the startup rather than on the first
I/O request.
severity
Cosmetic
date
2005-03-19 23:57
versions
Squid-2.5
platforms
All
synopsis
The advertised --disable-hostname-checks could not be set, causing
Squid to always sanity check the hostnames even if this
configure option was used.
severity
Minor
date
2005-03-19 01:35
versions
Squid-2.5
platforms
All
synopsis
The LDAP helpers fail to compile with SUN LDAP SDK
severity
Cosmetic
date
2005-04-19 22:46
versions
Squid-2.5
platforms
All
workaround
Compile the LDAP helpers against the OpenLDAP SDK
synopsis
This mainly causes problems for applications abusing the CONNECT method
for tunneling other traffic than SSL via the proxy, for example some FTP
clients when uploading files.
The "problem" was introduced by squid-2.5.STABLE6-CONNECT.patch which
immediately disconnects from the server when seeing a client disconnect,
not waiting for pending "upload" data to be sent first.
It is strongly recommended to not use the CONNECT method in this manner.
If you want a general purpose proxy then look into SOCKS which provides
much better support for this kind of proxying.
Or in the case of FTP use an FTP proxy.
severity
Minor
date
2005-03-21 20:44
versions
Squid-2.5.STABLE6 to 2.5.STABLE9
platforms
All
synopsis
There was an artificial limit on the login+password to no more than 64
characters in total.
severity
Minor
date
2005-03-19 00:25
versions
Squid-2.5 and earlier
platforms
All
synopsis
- Enhance performance by zero-copy writes, enabled by making the mem
nodes reference counted.
- Implement ASYNC_CLOSE define, default to off.
- Correct ASYNC_WRITE logic if enabled (default to off)
- Correct a potential memory corruption error on queued write errors
- Remove unused aioFDWasClosed call
severity
Minor
date
2005-03-29 08:45
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch extends "relaxed_header_parser on" to also quell warnings
about "excess data" due to several major web server vendors not complying
properly with the HTTP specifications in some aspects.
severity
Cosmetic
date
2005-03-09 15:46
versions
Squid-2.5.STABLE9
platforms
All
synopsis
With relaxed_header_parser off duplicate content-length headers were
incorrectly logged as conflicting, not duplicates. In addition it
forgot to clean up the duplicate when relaxed_header_parser was
enabled (on/warn setting).
severity
Cosmetic
date
2005-03-09 15:46
versions
Squid-2.5.STABLE9
platforms
All
synopsis
The cache digest retrieval should be deferred if the peer is
not allowed to be used for the request.
severity
Cosmetic
date
2005-03-09 15:46
versions
Squid-2.5 and earlier
platforms
All
synopsis
Some parts of the code were found to make incorrect use of the
ctype functions, possibly causing problems with "high" characters.
severity
Minor
date
2005-03-10 23:38
versions
Squid-2.5 and earlier
platforms
All
synopsis
On some platforms compiler warnings were seen about
pid_t not being an integer. This could also cause debug output
from the affected components to be somewhat garbled on the
affected platforms.
severity
Minor
date
2005-03-15 04:27
versions
Squid-2.5 and earlier
platforms
mostly 64-bit platforms
synopsis
bzero is a non-standard function not available on all platforms.
The standard function for this is memset with a value of 0.
severity
Minor
date
2005-03-09 15:46
versions
Squid-2.5 and earlier
platforms
All
synopsis
Due to integer overflows several directives behave differently
than expected if given values greater than 2^31 (2 GB). This
applies to maximum_object_size and several other directives.
severity
Cosmetic
date
2005-03-09 15:46
versions
Squid-2.5 and earlier
platforms
All
workaround
Keep the configuration specifications in values < 2 GB.
synopsis
Clarify the wording in the delay_access documentation to make
it clearer this directive is sorted per pool, not used in the
order specified.
severity
Cosmetic
date
2005-03-09 15:46
versions
Squid-2.5 and earlier
platforms
All
workaround
Read documentation carefully
synopsis
If the reload_into_ims directive is used Squid may fail to revalidate
negatively cached entries on reload.
severity
Minor
date
2005-03-09 15:46
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use reload_into_ims. This is recommended as reload_into_ims
is a violation of the HTTP standards.
synopsis
A number of different web servers send dates in odd formats
outside the three "official" formats documented in RFC2616,
indirectly causing Squid to not cache objects from such sites.
severity
Minor
date
2005-03-09 15:46
versions
Squid-2.5 and earlier
platforms
All
synopsis
On configuration errors involving wrongly defined or missing
acls the http_access results may be different than expected,
possibly allowing more access than intended.
This patch makes such configuration errors a fatal error,
preventing the service from starting until the access control
configuration errors have been corrected.
severity
Cosmetic Security
date
2005-03-04 22:48
versions
Squid-2.5 and earlier
platforms
All
workaround
Verify your configuration with "squid -k parse" and correct
any errors reported before starting Squid.
synopsis
Links in FTP directory listings fail when the requested URL is
missing the trailing /.
severity
Minor
date
2005-03-04 11:55
versions
Squid-2.5.STABLE9
platforms
All
workaround
Request the directory with the trailing /.
synopsis
The EPLF FTP directory parser failed to parse all attributes
of the files, showing everything as unknown files.
severity
Minor
date
2005-03-04 11:55
versions
Squid-2.5
platforms
All
synopsis
A race window has been discovered where Set-Cookie headers may leak
to other users if the requested server relies on the old obsolete
(since 1997) Netscape Set-Cookie specifications in how caches should handle
the Set-Cookie header on otherwise cacheable content.
severity
Minor Security
date
2005-03-03 02:26
versions
Squid-2.5.STABLE7 to 2.5.STABLE9
platforms
All
workaround
Not a workaround, but the proper fix to this issue is to convert the
server to send proper "Cache-Control: no-cache=Set-Cookie" when required
as per the official RFC2109 / RFC2965 specifications.
Patches released after the 2.5.STABLE8 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
Proxies should not automatically retry requests on 403 (Access Denied)
or other server errors. In the past Squid has done this to work around
problems with misconfigured/malfunctioning peers in complex cache
hierarchies. If you want to revert Squid back to the old behaviour of
aggressively retrying failed requests then enable the new "retry_on_error"
squid.conf directive.
severity
Medium
date
2005-02-23 00:11
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch makes Squid ignore fqdn DNS responses with spaces in the
returned hostname. Spaces are not valid in internet hostnames.
severity
Minor
date
2005-02-21 17:02
versions
Squid-2.5 and earlier
platforms
All
synopsis
FTP URLs were displayed in "raw" format, making them look very ugly
in the presence of national characters or other characters outside of the
plain US-ASCII alphabet.
severity
Cosmetic
date
2005-02-21 03:38
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch corrects two peer related memory leaks on "squid -k
reconfigure", one related to digests the other related to
cache_peer_access. In addition it speeds up cancellation of
nullified events to make it easier to detect reconfigure related
memory leaks.
severity
Minor
date
2005-02-21 02:58
versions
Squid-2.5 and earlier
platforms
All
synopsis
Due to a minor bug in automake it is not possible to specify the
archiver program (AR) when running configure.
severity
Cosmetic
date
2005-02-21 01:38
versions
Squid-2.5 and earlier
platforms
All
workaround
Specify the AR variable when running make
synopsis
This patch makes Squid compile without warnings using GCC4. Purely cosmetic changes.
severity
Cosmetic
date
2005-02-20 19:11
versions
Squid-2.5 and earlier
platforms
All
workaround
Use an older less picky GCC version
synopsis
Squid-2.5.STABLE8 introduced a new stricter HTTP protocol parser
rejecting malformed HTTP responses. Due to the large number of
broken web servers this patch extends the relaxed_header_parser
directive to work around even more malformed HTTP responses than
it did in 2.5.STABLE8.
severity
Minor
date
2005-02-20 10:47
versions
Squid-2.5.STABLE8
platforms
All
workaround
The correct fix to this problem is to have the malfunctioning web
servers corrected.
synopsis
Some minor cleanups of FTP URLs, mainly to work better with Mozilla
severity
Cosmetic
date
2005-02-15 02:14
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid translated all non-ASCII octets in generated HTML content
such as FTP or Gopher listings into entity codes.
severity
Cosmetic
date
2005-02-15 01:07
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch fixes some cross-platform build format warnings.
severity
Cosmetic
date
2005-02-20 11:03
versions
Squid-2.5 and earlier
platforms
Solaris, FreeBSD, Linux and maybe others
synopsis
Squid may abort with "xstrndup: Asserton 'n' failed" or other
errors when receiving certain odd DNS responses
severity
Major
date
2005-02-13 05:58
versions
Squid-2.5.STABLE5 to 2.5.STABLE8
platforms
All
workaround
The risk is reduced with "log_fqdn off" (the default setting)
Patches released after the 2.5.STABLE7 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
Under certain conditions involving HTTP headers split over multiple
reply packets the HTTP reply may be corrupted by Squid. Symptoms range
from hanging requests to corrupted data or error messages about the reply
sent to the clients (usually "httpProcessReplyHeader: Too large reply header")
severity
Major
date
2005-02-11 10:59
versions
Squid-2.5.STABLE7
platforms
All
synopsis
This patch improves handling of passwords in non-anonymous FTP requests
using ftp://user@host/ syntax slightly.
Note: Neither MSIE nor Mozilla supports this URL syntax; both only accept
ftp://user:password@host/
severity
Cosmetic
date
2005-02-06 00:57
versions
Squid-2.5 and earlier
platforms
All
workaround
Close your browser if you enter the wrong password
synopsis
The WCCP control channel is easily disturbed if users send forged
WCCP packets to the Squid cache.
severity
Minor
date
2005-02-04 11:41
versions
Squid-2.5 and earlier
platforms
All
workaround
Firewall the WCCP port making sure only your WCCP router can send
WCCP packets to Squid. This is highly recommended even with this
patch due to the lack of security within the WCCP protocol.
synopsis
Failed PUT/POST requests can cause the next request to the same
server to hang or behave oddly. Warnings about wrstate != NULL
may also be seen in cache.log.
severity
Medium
date
2005-02-04 00:33
versions
Squid-2.5 and earlier
platforms
All
workaround
server_persistent_connections off
synopsis
An inconsistent state is entered on a failed PUT/POST request,
creating a high risk of segmentation faults or other strange errors.
severity
Major
date
2005-02-04 00:12
versions
Squid-2.5 and earlier
platforms
All
synopsis
A race window in NTLM authentication and interactions with the
backend helper could cause Squid to abort with a segmentation
fault
severity
Minor
date
2005-02-03 23:27
versions
Squid-2.5
platforms
All
synopsis
The LDAP helpers send slightly incorrect search requests when
looking for the user DN.
severity
Minor
date
2005-02-03 23:17
versions
Squid-2.5
platforms
All
workaround
None needed. All known LDAP servers accept the search query as-is.
synopsis
This patch addresses a HTTP protocol mismatch related to
oversized reply headers. In addition it enhances the cache.log
reporting on reply header parsing failures to make it easier to
track down which sites are malfunctioning.
severity
Security issue
date
2005-01-31 22:50
versions
Squid-2.5
platforms
All
synopsis
The length argument of the WCCP recvfrom() call is
larger than it should be. An attacker may send a
larger-than-normal WCCP packet and overflow a buffer.
severity
Security issue
date
2005-01-28 23:16
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch additionally strengthens Squid against the HTTP response
splitting cache pollution attack described by Sanctum.
severity
Security issue
date
2005-01-31 01:50
versions
Squid-2.5 and earlier
platforms
All
synopsis
Icons fail to load on non-anonymous FTP when using the short_icons_url directive
severity
Minor
date
2005-01-21 12:10
versions
Squid-2.5
platforms
All
workaround
Leave short_icons_url in its default "off" setting, and make sure clients
know how to fetch the icons by full URL to Squid.
synopsis
Some FTP servers incorrectly drop already established data channel
connections after a failed command. This patch makes Squid work around
this by always opening a new FTP data channel before attempting to retrieve
a directory listing or a file from the FTP server.
severity
Minor
date
2005-01-21 12:10
versions
Squid-2.5 and earlier
platforms
All
workaround
Use the correct FTP URL for the resource in question
synopsis
This patch adds a new configuration directive httpd_accel_no_pmtu_disc
to allow easy setup to disable path MTU discovery in certain
interception proxy environments (WCCP, Route maps etc where ICMP is not
redirected properly by the intercepting device).
severity
Minor
date
2005-01-21 12:10
versions
Squid-2.5 and earlier
platforms
All
workaround
Use firewall rules to remove the DF flag on return traffic to your clients
on intercepted requests, or ask the users to configure the proxy settings.
synopsis
This patch makes Squid considerably stricter while parsing the HTTP
protocol.
- A Content-length header should only appear once in a valid request
or response. Multiple Content-length headers, in conjunction with
specially crafted requests, may allow Squid's cache to be poisoned with
bad content in certain situations.
- CR characters are only allowed as part of the CR NL line terminator,
not alone. This is to ensure that all involved agree on the structure
of HTTP headers.
- Rejects requests/responses that have whitespace in an HTTP header
name.
The patch also adds a new relaxed_header_parser directive which
defaults to on. If set to off Squid will become really strict about
CR characters and whitespace in header names, while in the default
on setting Squid will ignore (and automatically clean up) common
deviations from these parts of the HTTP specification.
severity
Security issue
date
2005-02-10 10:14
versions
Squid-2.5 and earlier
platforms
All
workaround
Disable client- and server-side persistent connections. This will
limit the impact of mismatches in HTTP protocol parsing somewhat,
but not fully.
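The three header checks listed in the synopsis above, as an added C example (not Squid's own code and not taken from the patch). The function and verdict names are this example's own, the header blocks in main() are constructed samples, and repeated Content-Length values are compared as trimmed text.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict names are this example's own, not Squid identifiers. */
enum hdr_verdict {
    HDR_OK = 0,
    HDR_BARE_CR,                    /* CR that is not part of CR NL */
    HDR_SPACE_IN_NAME,              /* whitespace inside a header name */
    HDR_DUP_CONTENT_LENGTH,         /* Content-Length repeated, same value */
    HDR_CONFLICTING_CONTENT_LENGTH, /* Content-Length repeated, different value */
    HDR_MALFORMED                   /* header line without a ':' */
};

/* Case-insensitive comparison of a length-delimited header name. */
static int name_is(const char *s, size_t n, const char *want)
{
    size_t i;
    if (strlen(want) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)want[i]))
            return 0;
    return 1;
}

/* Check the header lines that follow the request/status line.
 * buf need not be NUL-terminated; scanning stops at the blank line. */
enum hdr_verdict check_header_block(const char *buf, size_t len)
{
    const char *cl_val = NULL;   /* first Content-Length value seen */
    size_t cl_len = 0, pos = 0;
    int duplicate = 0;

    while (pos < len) {
        const char *line = buf + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - line) : len - pos;
        const char *colon, *v;
        size_t k, name_len, vlen;

        pos += n + (nl ? 1 : 0);

        /* CR is only valid as the byte directly before NL. */
        for (k = 0; k < n; k++)
            if (line[k] == '\r' && (k + 1 < n || nl == NULL))
                return HDR_BARE_CR;
        if (n > 0 && line[n - 1] == '\r')
            n--;
        if (n == 0)
            break;                       /* blank line: end of headers */
        if (line[0] == ' ' || line[0] == '\t')
            continue;                    /* folded continuation line */

        colon = memchr(line, ':', n);
        if (colon == NULL)
            return HDR_MALFORMED;
        name_len = (size_t)(colon - line);

        /* No whitespace anywhere in the header name. */
        for (k = 0; k < name_len; k++)
            if (isspace((unsigned char)line[k]))
                return HDR_SPACE_IN_NAME;

        if (!name_is(line, name_len, "Content-Length"))
            continue;

        /* Content-Length may appear once; compare repeats as trimmed text. */
        v = colon + 1;
        vlen = n - name_len - 1;
        while (vlen > 0 && isspace((unsigned char)*v)) { v++; vlen--; }
        while (vlen > 0 && isspace((unsigned char)v[vlen - 1])) vlen--;
        if (cl_val == NULL) {
            cl_val = v;
            cl_len = vlen;
        } else if (vlen == cl_len && memcmp(v, cl_val, vlen) == 0) {
            duplicate = 1;
        } else {
            return HDR_CONFLICTING_CONTENT_LENGTH;
        }
    }
    return duplicate ? HDR_DUP_CONTENT_LENGTH : HDR_OK;
}

int main(void)
{
    /* Constructed sample header blocks. */
    static const char *samples[] = {
        "Host: example.test\r\nContent-Length: 5\r\n\r\n",
        "Content-Length: 5\r\nContent-Length: 5\r\n\r\n",
        "Content-Length: 5\r\nContent-Length: 7\r\n\r\n",
        "Host: example.test\rX-Extra: 1\r\n\r\n",
        "Content-Length : 5\r\n\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> verdict %d\n", i,
               (int)check_header_block(samples[i], strlen(samples[i])));
    return 0;
}
```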
synopsis
LDAP is very forgiving about spaces in search filters and
this could be abused to log in using several variants of
the login name, possibly bypassing explicit access controls
or confusing accounting
severity
Minor Security issue
date
2005-01-17 04:29
versions
Squid-2.5 and earlier
platforms
All
workaround
Block logins with spaces
acl login_with_spaces proxy_auth_regex [[:space:]]
http_access deny login_with_spaces
synopsis
In certain conditions involving compressed DNS responses
returned host names could be truncated. This is most notably
seen in client hostnames when using log_fqdn, but can also
happen in the domain driven acls when the user requests a
site by IP.
severity
Minor
date
2005-01-17 02:52
versions
Squid-2.5
platforms
All
workaround
--disable-internal-dns
synopsis
A slight memory leak in the processing of malformed DNS responses
severity
Minor
date
2005-01-17 02:52
versions
Squid-2.5 and earlier
platforms
All
workaround
--disable-internal-dns
synopsis
WCCP_I_SEE_YOU messages contain a 'number of caches' field
which should be between 1 and 32. Values outside that range
may crash Squid if WCCP is enabled, and if an attacker can
spoof UDP packets with the WCCP router's IP address.
severity
Security issue
date
2005-01-12 17:21
versions
Squid-2.5 and earlier
platforms
All
workaround
WCCP is disabled by default. Make sure WCCP is enabled only
if you are really using it.
Make sure that your next-hop router does not allow
spoofed source address packets onto the network
where Squid runs.
synopsis
A malicious gopher server may return a response with very
long lines that cause a buffer overflow in Squid.
severity
Security issue
date
2005-01-12 17:19
versions
Squid-2.5 and earlier
platforms
All
workaround
Since gopher is very obscure these days, do not allow
Squid to access any gopher servers. Use an ACL rule like:
acl Gopher proto gopher
http_access deny Gopher
synopsis
The NTLM fakeauth_auth helper has a memory leak that may
cause it to run out of memory under high load, or if it
runs for a very long time. Additionally, a malformed NTLM
type 3 message could cause a segmentation violation.
severity
Medium
date
2005-01-08 03:13
versions
Squid-2.5
platforms
All
workaround
The memory leak bug can be avoided by periodically restarting
Squid.
synopsis
Previously, when Squid was started it forcibly closed all filedescriptors
other than stdin/stdout/stderr. While this is a reasonable security precaution
to clean up filedescriptor leakage from the caller, it crashes some SSL libraries
and possibly other functions which open internal filedescriptors on startup or
while the configuration is parsed (syslog is a likely candidate).
The reasoning in removing this function from Squid is that if the one starting
Squid has other filedescriptors open and is not closing them this is their problem,
not ours.
severity
Minor
date
2004-12-28 12:55
versions
Squid-2.5 and earlier
platforms
All
workaround
If you need earlier Squid versions to not forcibly close all filedescriptors
then start Squid in foreground mode (-N) with catching of signals disabled (-C).
To gain the functionality that all filedescriptors are closed on startup
after applying the patch, wrap Squid in a small wrapper binary which closes
all filedescriptors and then execs Squid.
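A wrapper of the kind described in this workaround, as an added C example (not part of Squid or of the patch). It assumes the path to the Squid binary is passed as the first argument and that /proc/self/fd is available, falling back to trying every descriptor up to the process limit where it is not.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every descriptor above stderr. Returns the number closed. */
int close_inherited_fds(void)
{
    int closed = 0;
    DIR *d = opendir("/proc/self/fd");   /* assumption: Linux-style /proc */

    if (d != NULL) {
        int self = dirfd(d);             /* the directory handle is closed last */
        struct dirent *e;

        while ((e = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(e->d_name, &end, 10);

            if (end == e->d_name || *end != '\0')
                continue;                /* skips "." and ".." */
            if (fd > STDERR_FILENO && fd != self && close((int)fd) == 0)
                closed++;
        }
        closedir(d);
    } else {
        /* Fallback: try every possible descriptor up to the limit. */
        long fd, max = sysconf(_SC_OPEN_MAX);

        if (max < 0)
            max = 1024;                  /* assumption when the limit is unknown */
        for (fd = STDERR_FILENO + 1; fd < max; fd++)
            if (close((int)fd) == 0)
                closed++;
    }
    return closed;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/squid [squid options]\n", argv[0]);
        return 2;
    }
    close_inherited_fds();
    execv(argv[1], argv + 1);            /* argv[1] becomes Squid's argv[0] */
    perror("execv");                     /* reached only if exec failed */
    return 127;
}
```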
synopsis
The meaning of the access controls becomes somewhat confusing if any
of the referenced acls are declared empty, without any members.
severity
Minor Security
date
2004-12-27 18:54
versions
Squid-2.5 and earlier
platforms
All
workaround
Pay attention to warnings from "squid -k parse" and do not use
configurations where there are warnings about access controls in
production.
synopsis
The cachemgr vm_objects operation occasionally causes Squid to
crash with a segmentation fault.
severity
Minor
date
2004-12-08 01:03
versions
Squid-2.5 and earlier
platforms
All
synopsis
httpd_accel_port 0 did not work unless httpd_accel_host virtual
was also specified.
severity
Minor
date
2004-12-08 00:47
versions
Squid-2.5 and earlier
platforms
All
workaround
Enable httpd_accel_host virtual if you need the virtual port
support.
synopsis
This patch adds an access check to deny PURGE of internal objects,
to prevent the administrator from accidentally deleting the icons or other
internal objects.
severity
Minor
date
2004-12-08 00:00
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure your http_access rules do not allow PURGE of the internal
objects.
synopsis
In certain conditions Squid returns random data as error messages
in response to a malformed host name, possibly leaking random internal
information which may come from other requests.
severity
Cosmetic / Minor Security issue
date
2004-12-07 23:45
versions
Squid-2.5
platforms
All
synopsis
On certain malformed blank HTTP responses Squid fails to properly
close the client connection, causing a significant delay to the client.
severity
Minor
date
2004-11-07 23:37
versions
Squid-2.5 and earlier
platforms
All
workaround
client_persistent_connections off
synopsis
O_NONBLOCK on disk files is not standardized, and results may be unexpected.
Linux now starts to add O_NONBLOCK support on disk files but the implementation is
far from complete yet and this bites Squid.
severity
Minor
date
2004-11-06 21:42
versions
Squid-2.5 and earlier
platforms
All
synopsis
If a helper was busy at the time of helper shutdown (-k rotate/reconfigure)
then Squid could forget to shut down the helper and continue using it.
severity
Minor
date
2004-11-06 15:28
versions
Squid-2.5 and earlier
platforms
All
synopsis
The implementation of the new req_header and resp_header acls was not
complete, causing Squid to crash with a segmentation fault if one
attempted to configure these. In addition the configuration dump
on mgr:config showed incomplete data.
severity
Minor
date
2004-10-20 23:23
versions
Squid-2.5.STABLE7
platforms
All
synopsis
Since some time back the LDAP helpers have a -v option to specify
the LDAP protocol version, but this never got documented in the
manpage.
severity
Cosmetic
date
2004-10-19 10:09
versions
Squid-2.5
platforms
All
synopsis
Squid enters a 100% CPU usage condition when encountering a half-closed
PUT/POST request. The situation persists until either the request times
out, or Squid succeeds in forwarding the request data to the server.
Apart from the 100% CPU usage there are no other ill effects of this bug,
and Squid continues processing requests like normal.
severity
Minor
date
2004-10-14 22:48
versions
Squid-2.5 and earlier
platforms
All
workaround
half_closed_clients off
Patches released after the 2.5.STABLE6 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
If a certain malformed SNMP request is received Squid restarts
with a Segmentation Fault error.
severity
Security issue
date
2004-09-29 21:23
bugzilla
CAN-2004-0918
versions
Squid-2.5 and earlier
platforms
All
workaround
SNMP support is by default not compiled into the binary. If your binary is
built with SNMP support you can temporarily disable the SNMP support by entering
"snmp_port 0" into squid.conf.
synopsis
By default Squid-2.5.STABLE6 and earlier allow memory pools to grow
without bounds and never release memory to the OS. This patch
adds a default limit of 5 MB unused memory.
severity
Minor
date
2004-10-08 17:46
versions
Squid-2.5 and earlier
platforms
All
workaround
memory_pools_limit 5 MB
synopsis
It is suspected there may be an instability on aborted POST/PUT
requests in certain conditions. This patch restructures and
strengthens the way Squid processes request entities of POST/PUT
requests.
severity
Medium
date
2004-10-07 17:04
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid behaves somewhat oddly if the server returns large HTTP headers.
This patch increases the header size Squid is capable of fully understanding
from 4KB to a new configurable reply_header_max_size parameter with default
of 20KB
severity
Medium
date
2004-10-05 21:38
versions
Squid-2.5 and earlier
platforms
All
synopsis
When using the CARP peer selection algorithm (not enabled by default)
Squid ignores the cache_peer_domain/cache_peer_access directives.
severity
Minor
date
2004-09-30 09:28
versions
Squid-2.5 and earlier
platforms
All
configuration
CARP enabled Squids only (--enable-carp configure option)
workaround
Do not build Squid with the CARP peer selection algorithm
synopsis
This patch adds a new balance_on_multiple_ip squid.conf directive
which can be used to work around certain broken load balancing setups.
In addition it optimizes the DNS usage on reload requests and speeds
up recovery when encountering non-responding servers.
severity
Minor
date
2004-09-27 18:23
versions
Squid-2.5 and earlier
platforms
All
synopsis
The way Squid dealt with aborted CONNECT requests was sub-optimal
and could in some rare situations end up in a race window.
severity
Minor
date
2004-09-27 18:10
versions
Squid-2.5 and earlier
platforms
All
synopsis
In certain specific installations it may be desirable to install Squid
using transformed program names using the --program-prefix/suffix configure
options.
severity
Cosmetic
date
2004-09-25 21:42
versions
Squid-2.5 and earlier
platforms
All
synopsis
Correct the documentation of the caseinsensitive basic auth option
and include it in cachemgr config dumps
severity
Cosmetic
versions
Squid-2.5.STABLE6 + case insensitive patch
platforms
All
synopsis
ncsa_auth is sensitive to the line ending format of the password
file and may fail to verify the passwords if the password file
is transferred between UNIX and Windows.
severity
Cosmetic
date
2004-09-25 20:57
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure the password file is transferred in ASCII format when
moving it between systems.
synopsis
This patch adds support for access controls on arbitrary HTTP
headers. http_header_access & replace extended to support
arbitrary HTTP headers, not only well known headers, and
adds two new acl types req_header and resp_header to match
content of arbitrary HTTP headers, useful for blocking certain
types of malware/spyware.
severity
Medium
date
2004-09-25 12:00
versions
Squid-2.5
platforms
All
synopsis
In certain misguided OS configurations where the default TCP
window sizes have been tuned very large Squid could fail to run
properly, crashing on the first request with no message explaining
why.
severity
Minor
date
2004-09-26 21:22
versions
Squid-2.5 and earlier
platforms
All
workaround
Do not configure your OS with overly large TCP windows. The defaults
are usually good or at least not totally out of range.
synopsis
arp acls are supported on FreeBSD since Squid-2.5.STABLE6 but
configure still warned that it was not supported.
severity
Cosmetic
date
2004-10-10 02:38
versions
Squid-2.5
platforms
FreeBSD
workaround
None needed, just ignore the warning.
synopsis
Squid does not recognise the Content-Disposition header, making it
impossible to use in http_header_access
severity
Minor
date
2004-09-01 13:59
versions
Squid-2.5
platforms
All
synopsis
Due to an internal error in httpHeaderNameById() configuration
dumps of http_header_* directives referring to Range or Request-Range
headers indicated the other header.
severity
Cosmetic
date
2004-09-01 13:09
versions
Squid-2.5 and earlier
platforms
All
workaround
Ignore the confusing cachemgr configuration dump output
synopsis
"acl time 01:00-02:00 03:00-04:00" is parsed as if only the last
time 03:00-04:00 was specified.
severity
Minor
date
2004-09-01 12:25
versions
Squid-2.5 and earlier
platforms
All
workaround
Split the acl definition to use one time per line, all using the
same acl name.
synopsis
If the digest helper crashes or otherwise exits unexpectedly
Squid terminates with a segmentation fault.
severity
Minor
date
2004-08-28 22:46
versions
Squid-2.5
platforms
All
configuration
Only if the digest authentication scheme is used (auth_param digest ...).
workaround
If this problem plagues you a lot then you can temporarily disable the digest authentication scheme
by commenting out the "auth_param digest program .." configuration directive in your squid.conf.
synopsis
If a cache_dir or swap.state.clean file is not writeable then Squid
aborts with the above assertion error during "squid -k rotate", and
this before all log files have been rotated.
This patch makes this a soft error but clearly logged in cache.log,
giving the administrator a reasonable chance to clear up the error
severity
Minor
date
2004-08-25 21:11
versions
Squid-2.5
platforms
All
synopsis
If challenge-reuse is enabled then NTLM authentication could
temporarily build up response cache information related to old
challenges until the user expires from the auth cache. This patch
discards old responses when the challenge becomes invalid (after
which it won't be used again).
severity
Minor
date
2004-08-25 20:30
versions
Squid-2.5
platforms
All
synopsis
The helper state was not properly freed between client
connections, causing a slow leak of memory for each challenge
issued with challenge reuse disabled.
severity
Medium
date
2004-08-25 20:30
versions
Squid-2.5
platforms
All
synopsis
Certain malformed NTLMSSP packets could crash the NTLM helpers
provided by Squid.
severity
Major
date
2004-08-20 08:18
versions
Squid-2.5
platforms
All
workaround
Use ntlm_auth from Samba-3.X which is not affected by this issue, or disable
ntlm authentication by removing any "auth_param ntlm program ..." directives
from your squid.conf.
synopsis
The external_acl helper protocol format does not handle newlines
in the embedded data. This patch adds support for quoting of newlines
as \n and also adds support for URL encoding of the data instead of
quoting. URL encoding will be the default in Squid-3.0 as this is
a well known format and generally easier to deal with than the quoting
used in Squid-2.5.
severity
Minor
date
2004-08-14 21:07
versions
Squid-2.5
platforms
All
workaround
Generally no workaround is needed as the need for newlines in
external_acl helpers is very rare.
synopsis
cache_effective_user should gain the supplementary group memberships of
the specified user. This is required to be able to configure sane
permissions of several authentication backends such as pam_auth or winbind.
In addition cache_effective_group should not be ignored when not starting
Squid as root. If cache_effective_group is specified Squid should run
as this and only this group.
severity
Minor
date
2004-08-09 14:03
versions
Squid-2.5 and earlier
platforms
All
workaround
Configure your system to only have Squid require a single effective
privileged group, or start Squid as a non-root user in which case
it preserves the same groups as the user starting Squid. When not
starting Squid as root make sure to not have any group permissions
your Squid should not have.
synopsis
A bug in the heap policy code in dealing with temporarily locked
objects could cause memory corruption, leading to segmentation
faults or other strange crashes.
severity
Medium
date
2004-08-05 20:33
versions
Squid-2.5
platforms
All
workaround
Use the default lru policy.
synopsis
Squid is supposed to leave unknown %X errorpage codes untouched but
accidentally HTML quoted them, causing %" to end up as %&quot;
severity
Cosmetic
date
2004-08-06 11:05
versions
Squid-2.5
platforms
All
workaround
Use %% where you want a literal % in the resulting HTML code
in your error pages. This is the official syntax for % in Squid
error pages. Relying on currently undefined %X codes such as %"
to be preserved is not very reliable as new codes may be defined
in later versions.
synopsis
Several grammatical errors in the squid.conf.default documentation
severity
Cosmetic
date
2004-08-17 12:22
versions
Squid-2.5 and earlier
platforms
All
workaround
Ignore the poor English
synopsis
A slight misunderstanding of the NTLM protocol caused Squid to sometimes truncate NTLM
authentication blobs, causing the login to consequently fail for some users/environments.
severity
Minor
date
2004-07-27 21:52
versions
Squid-2.5
platforms
All
synopsis
The client_db database was never cleaned from old entries causing
it to grow over time to eventually include every single IP address
ever accessing the proxy (allowed or not). This patch adds a slow
garbage collector throwing away old or otherwise uninteresting
entries from the client database.
severity
Minor
date
2004-12-20 15:27
versions
Squid-2.5 and earlier
platforms
All
workaround
If the proxy is publicly accessible on the http_port (even if
then denied by http_access) make sure to set "client_db off" in
squid.conf to disable the collection of per client-ip statistics.
Note: the max_ip acl requires per-client ip statistics.
synopsis
This patch adds information about the active delay pool in cachemgr
active_requests entry.
severity
Cosmetic
date
2004-07-17 20:11
versions
Squid-2.5 and earlier
platforms
All
synopsis
Most authentication backends are case insensitive on the user name, and
so should Squid be (with an option for case sensitive operation). This
affects primarily the max_user_ip acl, but also processing of log
files etc.
severity
Minor
date
2004-09-25 21:08
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure your backend user database is case sensitive if you use
max_user_ip or similar constructs
synopsis
If the cache directory for some reason is not writeable
then Squid silently ignored the error until it no longer
could find any free file numbers. This patch adds a warning
in cache.log explaining the error.
severity
Cosmetic
date
2004-07-17 19:48
versions
Squid-2.5
platforms
All
synopsis
A slight misunderstanding of the HTTP RFC could cause Squid to
return stale information in response to a HEAD request.
severity
Cosmetic
date
2004-07-17 16:33
versions
Squid-2.5 and earlier
platforms
All
synopsis
Partial hits on objects currently being retrieved result
in TCP_HIT, even when the requested data is not yet in
the cache. This patch logs these requests as TCP_MISS.
severity
Minor
date
2004-07-17 16:33
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid accepted slightly larger request headers than set by the
request_header_max_size directive.
severity
Cosmetic
date
2004-07-17 16:33
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch merges pending lookups for the same domain until
retransmission timeout.
severity
Minor
date
2004-07-29 13:29
versions
Squid-2.5 and earlier
platforms
All
synopsis
This LDAP helper update corrects some errors in the documentation
and adds two new options to squid_ldap_auth to accommodate certain LDAP
directories with restrictions on how users may log in.
severity
Minor
date
2004-08-10 09:40
versions
Squid-2.5 and earlier
platforms
All
synopsis
In some configurations/environments the ufs store would refuse
caching of all files, always resulting in the above error message.
severity
Medium
date
2004-07-14 16:29
versions
Squid-2.5.STABLE6
platforms
All
Patches released after the 2.5.STABLE5 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modification time.
synopsis
Users may be able to generate long passwords that overflow a
buffer in the ntlm_auth helper. See also
Squid Advisory 2004:2
severity
Security issue
date
2004-06-18 17:39
versions
Squid-2.5 up to STABLE5
platforms
All
workaround
Use the ntlm_auth helper that comes with the Samba-3 package instead.
If that is not an option, stop using the ntlm_auth helper until you've
upgraded to Squid-2.5.STABLE6.
synopsis
SASL2 uses a slightly different API and sasl_auth needs to be
adjusted slightly to work with both SASL1 and SASL2.
severity
Minor
date
2004-06-19 17:47
versions
Squid-2.5
platforms
All
workaround
Install SASL1 development libraries
synopsis
Under certain conditions Squid crashes with a "Segmentation Fault"
after the above warning message has been printed in cache.log.
severity
Major
date
2004-06-08 11:01
versions
Squid-2.5.STABLE5
platforms
All
synopsis
Due to 2GB limitations of 32-bit CPUs long running CONNECT requests
could indicate a negative size in the access.log if more than 2GB
of data had been transferred.
This patch stops the counter at approximately 2GB, thereby
making sure very large CONNECT requests get logged as 2GB rather than
negative.
severity
Cosmetic
date
2004-06-07 21:25
versions
Squid-2.5 and earlier
platforms
All
synopsis
Certain platforms require the use of va_copy to duplicate a va_list
variable. On these platforms memBufVPrintf would crash if it needed
to allocate memory.
severity
Medium
date
2004-06-06 15:40
versions
Squid-2.5 and earlier
platforms
S390, maybe others
synopsis
msnt_auth basic authentication helper documentation update
severity
Cosmetic
date
2004-06-01 00:00
versions
Squid-2.5 and earlier
platforms
All
synopsis
dns_servers should default to localhost if no resolv.conf
severity
Cosmetic
date
2004-05-31 23:37
versions
Squid-2.5 and earlier
platforms
All
synopsis
Certain third party tools misread the HTML DOCTYPE indicated
by Squid in FTP directory listings.
severity
Cosmetic
date
2004-05-31 23:37
versions
Squid-2.5
platforms
All
synopsis
One earlier workaround for other m88k based systems caused trouble
for OpenBSD where this workaround is not needed.
severity
Minor
date
2004-06-01 08:26
versions
Squid-2.5 and earlier
platforms
All
synopsis
To make it easier to correlate cache.log debug output to client
requests include the client address information when accepting
a new client connection.
severity
Cosmetic
date
2004-05-31 22:59
versions
Squid-2.5 and earlier
platforms
All
synopsis
The cacheCurrentUnlinkRequests SNMP variable is a counter, not
a gauge.
severity
Minor
date
2004-05-31 22:43
versions
Squid-2.5 and earlier
platforms
All
workaround
Force your SNMP collector to read the SNMP variable as a counter
even if Squid indicates it is a gauge.
synopsis
The ufs cache_dir type always indicated a load of 99.9% invalidating
the least-load cache_dir selection algorithm. This patch makes the
ufs cache_dir type return a load between 50% and 100% based on the
number of open filedescriptors.
severity
Minor
date
2004-05-31 22:08
versions
Squid-2.5 and earlier
platforms
All
workaround
Use the round-robin algorithm instead
synopsis
Very large cache_mem values may cause the amount of memory cache
to be reported negatively in cache.log.
severity
Cosmetic
date
2004-05-31 21:32
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure your cache_mem is specified smaller than 2 GB.
synopsis
The fix for bug #817 broke "range_offset_limit -1 KB" which is
documented as a method of allowing Squid to always fetch full
objects in response to range requests.
severity
Minor
date
2004-04-30 00:01
versions
Squid-2.5.STABLE5
platforms
All
workaround
Specify a large object size (but not larger than 2000 MB)
synopsis
Negatively cached objects with a Vary header never match on
cache hits unless there is a positively cached object on the
same URL.
severity
Minor
date
2004-04-24 14:10
versions
Squid-2.5.STABLE5 and earlier
platforms
All
synopsis
Small spelling error in the Turkish ERR_DNS_FAIL error page
severity
Cosmetic
date
2004-04-20 12:38
versions
Squid-2.5.STABLE5 and earlier
platforms
All
workaround
None needed
synopsis
This patch clarifies the meaning of the ERR keyword in the
digest helper protocol.
severity
Cosmetic
date
2004-04-20 12:38
versions
Squid-2.5.STABLE5 and earlier
platforms
All
workaround
None needed
synopsis
A few spelling errors and the like in configure and squid.conf.default
severity
Cosmetic
date
2004-04-20 12:30
versions
Squid-2.5.STABLE5 and earlier
platforms
All
workaround
Live with them. No negative impact.
synopsis
In certain rare conditions involving failed POST/PUT requests Squid
could abort with the above assertion failure.
severity
Medium
date
2004-04-18 23:46
versions
Squid-2.5.STABLE5
platforms
All
synopsis
If using Digest authentication then users can crash Squid with
a segmentation fault simply by entering a blank user name
severity
Major
date
2004-04-18 01:33
versions
Squid-2.5.STABLE5 and earlier
platforms
All
workaround
Disable the use of Digest authentication in your squid.conf
(not enabled by default)
synopsis
Upon receiving truncated DNS replies Squid may abort with the above
assertion.
severity
Medium
date
2004-04-11 09:19
versions
Squid-2.5.STABLE5 and earlier
platforms
All
workaround
Compile with --disable-internal-dns
synopsis
A minor typo in the Squid sources spotted by new versions of GCC
severity
Cosmetic
date
2004-04-06 14:12
bugzilla
RedHat Bug 111254
versions
Squid-2.5.STABLE5 and earlier
platforms
All
workaround
Ignore the warning
synopsis
swap.log was renamed to swap.state very many versions ago, but squid.conf
documentation still referred to the old "swap.log" name.
severity
Cosmetic
date
2004-04-03 13:54
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid should send a "504 Gateway Timeout" or "503 Service
Unavailable" if the requested server in the CONNECT request is not
reachable, not just close the connection.
severity
Minor
date
2004-03-29 10:02
versions
Squid-2.5 and earlier
platforms
All
synopsis
%s in deny_info escaped the URL wrongly, applying both HTML and URL
escaping to the original URL
severity
Minor
date
2004-03-29 09:47
versions
Squid-2.5
platforms
All
workaround
Decode &amp; etc manually in the receiving application
synopsis
This patch is mostly intended for binary packagers who run
autoconf (or the bootstrap.sh script) while building Squid. Due
to a minor error in our distribution scripts configure.in still
indicated a -CVS version in the stable distribution. This was
not our intention.
severity
Cosmetic
date
2004-03-19 09:17
versions
Squid-2.5
platforms
All
synopsis
Due to a defiance in the poll() specification regarding POLL_HUP Squid
can end up in a temporary 100% CPU loop on half-closed connections.
severity
Minor
date
2004-03-19 09:12
versions
Squid-2.5 and earlier
platforms
Linux-2.2 only
workaround
"half_closed_clients off" or --disable-poll configure option.
synopsis
Squid-2.5 ignores "Vary: *" headers, possibly returning unacceptable
cache hits if such header is present.
severity
Medium
date
2004-03-19 09:02
versions
Squid-2.5
platforms
All
synopsis
On some systems finding the correct flags for compiling applications
using OpenSSL is somewhat tricky. Fortunately some of these systems
provide the pkg-config tool which can be used to query what the
OpenSSL package (and many other) require. This patch adds automatic
support for using pkg-config if available.
severity
Cosmetic
date
2004-03-12 10:13
versions
Squid-2.5
platforms
All
configuration
--enable-ssl
workaround
On most systems no workaround is needed, but where needed you manually
need to edit src/Makefile after running configure to provide the correct
compiler flags for compiling applications using OpenSSL.
synopsis
The warning message when running out of helpers (redirectors,
authentication etc) was a little imprecise on the number of helpers
required.
severity
Cosmetic
date
2004-03-11 15:29
versions
Squid-2.5.STABLE5
platforms
All
synopsis
squid_ldap_auth may be confused by the use of reserved characters
allowing the login name to be masqueraded in different manners possibly
allowing the user to partially bypass certain per-user restrictions
or confuse third party accounting packages.
Note that the user can not bypass the login procedure as such. All
he can do is to make the login name look different than normal. There
is still full audit trails on who the user is etc.
The patch also adds and documents a -d flag to both squid_ldap_auth
and squid_ldap_group to allow for easier tracing of the operation
of these programs if results are not what is expected.
severity
Medium
date
2004-03-04 09:37
versions
Squid-2.5 and earlier
platforms
All
configuration
configurations where squid_ldap_auth is used for authentication
using a search filter (-f option) and where squid_ldap_group is not
used to further restrict the valid usernames.
workaround
Combine squid_ldap_auth with squid_ldap_group to only allow valid
logins who are members of a certain group, or alternatively use a
proxy_auth_regex acl to deny the use of any login using restricted
characters
acl bad_login proxy_auth_regex [()\\*]
http_access deny bad_login
synopsis
If using ntlm authentication then Squid may randomly abort with
the above assertion failure if a request is aborted while Squid
waits for a response from the domain controller
severity
Major
date
2004-03-01 23:55
versions
Squid-2.5.STABLE5
platforms
All
workaround
half_closed_connections on (the default)
Patches released after the 2.5.STABLE4 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modification time.
synopsis
This minor patch tries to address a possible race condition
causing the above error.
severity
Minor
date
2003-11-06 14:51
versions
Squid-2.5
platforms
All
synopsis
Squid "unescapes" URLs when performing certain ACL checks. This
means, for example, that the URL http://junk%00@www.bad.site/
becomes just "http://junk" for the url_regex ACLs. Thus,
it may not match ACL entries that it should match.
severity
Security issue
versions
Squid-2.5 and earlier
platforms
All
workaround
Avoid regex-based ACL checks or upgrade to the current version.
synopsis
A recently committed patch to aclCheckCleanup() duplicated
some lines and ends up calling authenticateAuthUserRequestUnlock()
twice, the second time with a NULL value. This bug only
happens if Squid is reconfigured while there is an outstanding
authentication transaction.
severity
Major
date
2004-02-28 14:09
versions
2.5.STABLE4-CVS after 2004-02-24
platforms
All
workaround
None
synopsis
Mime types missing for .bz2 and several other file types, causing
slightly undesirable results when browsing ftp:// directories
(viewed in browser rather than downloaded).
The patch also makes sure the download icon is always shown to
make downloading more obvious.
severity
Minor
date
2004-02-26 20:27
versions
Squid-2.5 and earlier
platforms
All
synopsis
Some software incorrectly uses ftp://anonymous@server for anonymous
FTP when the correct format is simply ftp://server.
severity
Cosmetic
date
2004-02-24 23:34
versions
Squid-2.5 and earlier
platforms
All
workaround
Use a redirector to remove anonymous@ from FTP URLs
synopsis
The authfixes patch was incomplete and could still cause failures
when using authentication outside of http_access.
severity
Medium
date
2004-02-24 18:46
versions
Squid-2.5.STABLE4 with authfixes patch
platforms
All
synopsis
There is a temporary auth_user_hash_pointer memory leak when using
NTLM authentication, causing a lot of auth_user_hash_pointer structures
to build up over time until the user expires from the auth cache
(authenticate_ttl parameter). This patch corrects the problem when
challenge reuses are disabled (the default).
severity
Minor
date
2004-02-19 13:30
versions
Squid-2.5
platforms
All
workaround
Set authenticate_ttl relatively short to have the memory reclaimed
in a reasonable time frame.
synopsis
If a request was aborted while Squid was waiting for the digest
helper to return the H(A1) value for the user Squid crashes with
a segmentation fault.
severity
Medium
date
2004-02-19 12:44
versions
Squid-2.5
platforms
All
synopsis
Some instabilities have been observed while using ntlm authentication
in reply_body_max_size.
severity
Medium
date
2004-02-18 18:59
versions
Squid-2.5
platforms
All
synopsis
This patch fixes yet two more authentication related issues
- segfault in basic auth if request aborted while evaluating the credentials
- memory leak of clientHttpRequest if request aborted while evaluating the credentials
severity
Medium
date
2004-02-18 17:54
versions
Squid-2.5
platforms
All
synopsis
The deny_info directive fails to supply the configured error page
in case the request is denied by http_reply_access or miss_access.
severity
Minor
date
2004-02-18 13:48
versions
Squid-2.5 and earlier
platforms
All
workaround
Deny access in http_access if you need to provide a custom error
message, or edit the default error messages accordingly.
synopsis
This patch adds ARP ACL support for FreeBSD
severity
Minor
date
2004-02-18 13:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch fixes several authentication related issues
- miss_access and delay_access work with authentication again
- some fixes related to basic auth. These issues were probably
introduced by the recent ntlm patch.
severity
Medium
date
2004-02-18 18:53
versions
Squid-2.5
platforms
All
synopsis
If the proxy or web server authentication options of squidclient
are used then the HTTP headers sent in the request are slightly
malformed and may confuse other non-Squid software which is not
as tolerant on HTTP format.
severity
Minor
date
2004-02-18 03:50
versions
Squid-2.5 and earlier
platforms
All
synopsis
The miss_access directive limits internal and cachemgr requests
even if these requests are actually local and not really misses
severity
Minor
date
2004-02-18 03:50
versions
Squid-2.5 and earlier
platforms
All
workaround
Allow internal and cachemgr requests in miss_access if these
would otherwise be denied
synopsis
helpers/ntlm_auth/SMB/ fails to compile on certain platforms,
failing on non-standard malloc.h header.
severity
Minor
date
2004-02-17 23:13
versions
Squid-2.5
platforms
All
synopsis
A minor syntax error in wbinfo_group.pl makes it fail to find
groups with Samba-3
severity
Minor
date
2004-02-17 22:53
versions
Squid-2.5
platforms
All
synopsis
cache_peer_access, always_direct, never_direct and a number
of other acl driven directives fail with NTLM authentication
severity
Medium
date
2004-02-12 16:27
versions
Squid-2.5
platforms
All
workaround
Use Basic or Digest authentication
synopsis
The squid-2.5.STABLE4-connect_cleanup.patch was not entirely correct
and could cause memory corruption in certain situations involving
negative DNS replies (host not found etc)
severity
Major
date
2004-02-12 09:42
versions
Squid-2.5.STABLE4-20031210 to 20040212
platforms
All
synopsis
The -S and -E options in squid_ldap_group v2.12 were mixed up,
making the options somewhat hard to use.
severity
Minor
date
2004-02-09 17:10
versions
Squid-2.5.STABLE4 + ldap_group 2.12 patch
platforms
All
workaround
Specify -E instead of -S.
synopsis
When using NTLM authentication random auth popups and account
lockouts may be experienced.
severity
Medium
date
2004-02-11 22:12
versions
Squid-2.5
platforms
All
workaround
It may help to configure a lot of NTLM helpers but this is
not verified.
synopsis
Squid forgot to escape IAC characters (ascii code 255) in FTP
requests, causing problems to access files/directories using
this character in their name or to log in with this character
in the login or password.
severity
Minor
date
2004-02-03 14:38
versions
Squid-2.5 and earlier
platforms
All
workaround
Double any such characters in the input to Squid. (%ff%ff
instead of %ff)
synopsis
If a proxy_auth acl is incorrectly defined with no members
then any http_access rules using this acl will give unpredictable
results depending on the results of earlier acl lookups.
This patch corrects both the reason why acl lookups became
unpredictable and makes Squid reject such incorrect acl definitions.
severity
Medium
date
2004-01-15 07:44
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure your proxy_auth acls are correctly defined. If the acl
should not match any users then don't declare the acl at all.
synopsis
This patch adds a new detect_broken_pconn squid.conf directive allowing
you to enable a workaround for certain broken HTTP servers (reportedly IIS-5)
which incorrectly signal the use of persistent connections even if the reply
is not compatible with persistent connections. It also corrects some minor
HTTP issues to make the Squid proxy more semantically transparent.
severity
Minor
date
2004-01-30 23:11
versions
Squid-2.5 and earlier
platforms
All
synopsis
If the request to squid_ldap_group (login name + all group names)
exceeds 256 characters then group lookups fail or behave erratically.
severity
Minor
date
2004-01-08 19:54
versions
Squid-2.5
platforms
All
workaround
Define multiple ACLs instead of listing many groups in the same ACL
synopsis
The TLS mode of the LDAP helpers did not work and always reported
"TLS Connection failed"
severity
Minor
date
2004-01-05 12:08
versions
Squid-2.5
platforms
All
workaround
Use the ldaps:// URI method instead, if your LDAP server supports it.
synopsis
Under certain conditions incomplete objects may appear stuck in
the cache, not even reload giving a new fresh copy.
severity
Major
date
2003-12-23 01:10
versions
Squid-2.5 and earlier
platforms
All
workaround
Compiling squid with --disable-http-violations completely avoids
the issue. Setting "half_closed_clients off" and making
quick_abort as aggressively aborting as possible by
"quick_abort_min 0 KB" and "quick_abort_max 0 KB" mostly
hides the problem.
synopsis
In Squids built with --enable-icmp the pinger helper may exit
with the above assertion failure if Squid receives a request with
a very long host name.
severity
Minor
date
2003-12-23 01:01
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't build squid with --enable-icmp. This is generally recommended
anyway unless you are absolutely sure you want to ICMP PING random
sites all over the Internet to measure RTT information even if this
may trigger IDS systems etc.
synopsis
Redirects initiated by redirector helpers were logged as TCP_MISS/000
instead of the expected TCP_MISS/302. This patch corrects this and
should also correct log_mime_hdrs output for the same.
severity
Minor
date
2003-12-21 16:53
versions
Squid-2.5 and earlier
platforms
All
synopsis
In a current version there is a problem. The absence of "yo" letter.
("e" with 2 dots). People prefer to write "E" instead of "yo", that is
not quite correct, like "How r u" instead of "How are you?"
severity
Cosmetic
date
2003-12-21 15:22
versions
Squid-2.5 and earlier
platforms
All
synopsis
This is not a fix for a Squid bug. It is a new feature to work around
an MSIE6 bug that uses control characters to obfuscate the true
origin server hostname. You can use the 'urllogin' acl TYPE to
deny HTTP requests that contain certain characters in the URL login
field.
severity
Medium
date
2003-12-19 16:41
versions
Squid-2.5 and earlier
platforms
All
workaround
Patch MSIE6, if/when the patch becomes available.
synopsis
Squid would not process hostnames longer than 128 characters.
This affects few hosts on the internet, but with the growing use
of iDNA it's becoming an issue.
severity
Minor
date
2003-12-18 01:41
versions
Squid-2.5 and earlier
platforms
All
workaround
None.
synopsis
Contrary to the documentation "pid_filename none" is not accepted
and Squid refuses to start.
severity
Minor
date
2003-12-17 21:12
versions
Squid-2.5 and earlier
platforms
All
synopsis
Due to an accounting mismatch in the number of open connections
to peers the cache_peer max-conn=.. option does not work. This issue
is also seen as very high numbers in the OPEN CONN peer statistics
via cachemgr.
severity
Minor
date
2003-12-20 20:10
versions
Squid-2.5 and earlier
platforms
All
synopsis
Persistent server connections are reused in a round-robin fashion which
may cause the number of connections to stay artificially high after a sudden
burst of requests.
This patch changes persistent connection management to use a LIFO order
reusing the most recently used connection first, thereby allowing unneeded
connections to close down by idle timeout.
severity
Minor
date
2003-12-15 23:44
versions
Squid-2.5 and earlier
platforms
All
workaround
This usually is not a significant problem, but if you are plagued by this
you can try disabling server-side persistent connections in squid.conf.
synopsis
redirector_access was a "fast" acl lookup and did not handle
"slow" acls requiring external lookups such as dst or external
correctly.
severity
Minor
date
2003-12-14 13:43
versions
Squid-2.5 and earlier
platforms
All
synopsis
The URL syntax used by Squid for FTP/Gopher icons is unnecessarily
complex and often causes problems.
This patch adds a "short_icon_urls" directive which can be used
to enable a less complex URL syntax for icons.
severity
Cosmetic
date
2003-12-14 13:36
versions
Squid-2.5 and earlier
platforms
All
synopsis
Under high usage a lot of filedescriptors may be idle persistent
connections, causing a shortage of filedescriptors for handling
new requests.
severity
Minor
date
2003-12-14 12:38
versions
Squid-2.5 and earlier
platforms
All
workaround
Disable the use of persistent connections in squid.conf. But please
note that disabling persistent connections will cause a networking
performance penalty unless you are actually short on filedescriptors.
Alternatively rebuild Squid with support for more filedescriptors.
synopsis
If a FTP PUT request is aborted while Squid is writing data to
the server then Squid may abort with a segmentation fault.
severity
Major
date
2003-12-14 12:25
versions
Squid-2.5 and earlier
platforms
All
workaround
If this plagues you a lot then you can deny the use of FTP PUT
until the server can be patched. But please note that this will
limit the functionality of the proxy by not allowing FTP uploads
via the proxy.
acl FTP protocol FTP
acl PUT method PUT
http_access deny FTP PUT
synopsis
If responses to POST or other non-idempotent requests allow the
connection to be kept persistently open then this can lead to
an increased connection usage by Squid. This patch changes the
behaviour to keep the number of connections stable by closing
a persistent connection before opening the new connection.
severity
Minor
date
2003-12-13 16:57
versions
Squid-2.5
platforms
All
workaround
Disable server-side persistent connections by setting
"server_persistent_connections off" in squid.conf.
synopsis
Several minor errors related to how Squid finds a connection
where to forward requests. This patch
- Corrects DNS retransmission rate to decay like documented to avoid
flooding the DNS server with the same query.
- Adds a new configuration parameter "forward_timeout" to control how
long Squid tries to find a method to find a path where to forward the
request before giving up. Defaults to 2 minutes.
- The default connect_timeout tuned down from 2 minutes to 1 minute to
allow for two attempts to find a suitable path within the forward_timeout
- fqdncache/ipcache restructured to allow for DNS code to allow the
queried name to be logged in cache.log on errors.
- negative_dns_ttl now overloaded to also specify the minimum ttl used
when caching DNS responses, and tuned down from 5 minutes to 1 minute.
- default dns_timeout tuned down from 5 minutes to 2 minutes
- some minor compilation warnings on --disable-internal-dns corrected
- properly report DNS timeouts as timeouts and not just "No DNS records"
severity
Minor
date
2003-12-09 21:52
versions
Squid-2.5 and earlier
platforms
All
synopsis
FQDN lookups sometimes give garbage after the result. This can be seen
as junk in access.log when using log_fqdn or false access control results
when using dstdomain acl type and the user requests a URL by IP address.
severity
Minor
date
2003-12-04 10:16
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use log_fqdn or alternatively compile Squid with --disable-internal-dns
synopsis
If the contacted server refuses connection then the repeated attempts
to connect to the server may look like a syn flood attack. This patch
makes Squid behave a little friendlier in such cases and
* Delays a little between the repeated attempts. Longer if the attempt was to
an origin server.
* Limits origin server attempts to 3 connection setup attempts or 2 request
forwarding attempts (was 10 on both which only makes sense in peering
relations)
* Changes the default for maximum_single_addr_tries to 1 as there is plenty of
reforwarding attempts done by Squid and at least 3 attempts to initiate the
request which makes this directive redundant.
* removes a redundant lock from commConnect*() (cbdata managed)
* Adds a small delay to commConnect() reconnection attempts when the contacted
destination has more than one IP address or maximum_single_addr_tries is used.
* Small cleanup in how/when digest considers a peer usable to not disturb the
peer probing.
* Cleanup of peer TCP probing to correct timeout management etc and to more
promptly recover after a failure.
severity
Minor
date
2003-11-29 18:58
versions
Squid-2.5 and earlier
platforms
All
synopsis
On certain linux versions --enable-arp-acl may give a warning
in net/route.h that this file is not meant to be used outside the kernel.
severity
Cosmetic
date
2003-11-29 09:04
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use --enable-arp-acl or ignore the warning. The use of MAC based
acls is overrated anyway and does not give any added security compared
to IP based acls.
synopsis
If a gopher server returns an empty response then Squid may render
incorrect HTML in the gopher menu representation. In addition a
PRE endtag was often missing from gopher menus.
severity
Cosmetic
date
2003-11-29 08:43
versions
Squid-2.5 and earlier
platforms
All
synopsis
The positive_dns_ttl directive is not used by the internal dns
client (the default). This patch changes it to at least be used
as an upper limit on how long DNS data may be cached.
severity
Cosmetic
date
2003-11-28 19:41
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch updates squid_ldap_group to the latest version, adding
support for ldaps://, corrected documentation, and allows specifying
the bind password via a file rather than on the command line for
increased security against local users on the proxy.
severity
Cosmetic
date
2003-11-21 17:14
versions
Squid-2.5
platforms
All
synopsis
If Squid is configured using external acls and a single http_access
line uses an authentication related acl after an external ACL
not using authentication then the authentication lookup gets stuck
continuously querying the helper until the request is aborted.
severity
Medium
date
2003-11-19 16:58
versions
Squid-2.5
platforms
All
synopsis
Squid fails to detect invalid size based configurations where
the size is too large to fit in the internal variable. This patch
makes Squid detect many such cases and tell you when the
configuration is out of range.
severity
Cosmetic
date
2003-11-06 16:59
versions
Squid-2.5 and earlier
platforms
All
workaround
Specify sane values in your configuration
synopsis
Mozilla/Netscape uses a custom mime type for plugins, and as this
is not known to Squid installation of such plugins using FTP fails.
severity
Cosmetic
date
2003-11-06 16:36
versions
Squid-2.5 and earlier
platforms
All
workaround
Define the application/x-xpinstall mime type for .xpi files in mime.conf
synopsis
If Squid fails to load an error page (builtin or deny_info defined)
then it segfaults instead of aborting with a "FATAL Error" message.
severity
Cosmetic
date
2003-11-06 16:36
versions
Squid-2.5 and earlier
platforms
All
synopsis
The German ERR_DNS_FAIL error message was missing a headline.
Major update of Lithuanian error pages, including addition of
several previously missing error messages which made the
translation more or less useless in Squid-2.5.
severity
Cosmetic
date
2004-02-12 17:45
versions
Squid-2.5 and earlier
platforms
All
synopsis
The auth_param documentation was unclear on default values etc.
This patch makes sure the example auth_param lines after each
parameter documentation has the default value.
This patch also adds a default "realm" value.
severity
Cosmetic
date
2003-11-06 14:58
versions
Squid-2.5 and earlier
platforms
All
synopsis
The patch changes pam_auth to not use persistent PAM connections
by default. The use of persistent PAM connections is slightly
outside the PAM specifications and may fail in certain PAM
configurations.
It also adds support for clearing the new PAM_AUTHTOK item
to hopefully allow the use of persistent PAM connections on
Solaris.
severity
Minor
date
2003-11-05 18:16
versions
Squid-2.5.STABLE4 and earlier
platforms
All
workaround
Use the one-shot mode of the helper (-1 command line flag)
synopsis
When using the internal DNS client fqdncache (ip->name) does
not negatively cache lookup failures.
severity
Minor
date
2003-10-11 22:39
versions
Squid-2.5 and earlier
platforms
All
workaround
Ignore the minor issue, or compile Squid with --disable-internal-dns
synopsis
If authentication or ident gives a login name containing a space
character then redirector helpers trying to read the username or
request method field will be confused by this.
This patch URL-encodes the login name making sure the helpers
always know how to parse the data sent by Squid.
severity
Minor
date
2003-09-24 01:09
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use space characters in your login names
synopsis
If using digest authentication then Squid does not detect password
changes.
severity
Minor
date
2003-09-23 16:09
versions
Squid-2.5
platforms
All
workaround
Restart Squid after modifying digest passwords
synopsis
The cache.log message on "squid -k reconfigure" claimed Squid
restarted, when in reality it just reconfigures itself.
This patch changes the message to say Reconfiguring.
severity
Cosmetic
date
2003-09-19 06:40
versions
Squid-2.5 and earlier
platforms
All
Patches released after the 2.5.STABLE3 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
This patch corrects two minor issues. a) Properly detect if too
many helpers crash when only using a single helper. b) Automatically
start new helpers instead of restarting the whole Squid unless the
helpers are crashing too rapidly (30 seconds or less)
severity
Minor
date
2003-09-12 20:35
versions
Squid-2.5 and earlier
platforms
All
workaround
Use at least 2 helpers, and live with the fact that Squid will
restart if more than 50% of your helpers crash
synopsis
The winbind helpers complain with a "fgets failed" error in cache.log each
time the helpers are restarted. The helpers also fail to start if winbind has
not yet fully finished its startup procedure.
severity
Minor
date
2003-09-12 10:18
versions
Squid-2.5
platforms
All
workaround
Ignore the error in cache.log, and make sure winbind has started fully before
you start Squid.
synopsis
To lessen confusion in later upgrades to Squid-3 the external_acl_type
concurrency= option has been renamed to children= to match Squid-3
usage. This is done because concurrency= has a completely different
meaning in squid-3. Squid-2.5 still accepts the old syntax to keep
compatibility within the Squid-2.5 release, but it is recommended
to start using the new syntax unless you need to be able to easily
downgrade to an earlier Squid-2.5 release.
severity
Cosmetic
date
2003-09-02 07:55
versions
Squid-2.5.STABLE3 and earlier
platforms
All
workaround
Make sure to read the Squid-3 releasenotes very carefully when
upgrading.
synopsis
If proxy_auth acl type is used in delay_access then Squid may abort
with an assertion error or segmentation fault.
Notice: This patch may change some error conditions to be logged with
TCP_DENIED rather than TCP_MISS.
severity
Medium
date
2003-09-01 20:45
versions
Squid-2.5
platforms
All
workaround
Don't use proxy_auth acl types in delay_access
synopsis
In configurations where authentication is enforced in http_access
and then reused in http_reply_access to further control access
levels Squid may segfault if the ntlm authentication scheme is used.
severity
Medium
date
2003-09-01 20:13
versions
Squid-2.5
platforms
All
workaround
Don't use proxy_type acls in http_reply_access or disable the
use of the ntlm authentication scheme (disabled by default)
synopsis
delay_access can disturb Squid's logic on when to request a new
login from the user. Most notably if delay_access ends up in
a proxy_auth acl then any access denials will require a new login
but the opposite may also happen.
severity
Medium
date
2003-08-31 09:42
versions
Squid-2.5 and earlier
platforms
All
workaround
make sure delay_access always ends up in the same class of ACL as
http_access does on the same request.
synopsis
Large POST/PUT requests may fail with a "Connection reset" error
in the browser in situations where Squid immediately responds with
an error page. This is most notable when using NTLM authentication
but may also occur in a few other situations
severity
Medium
date
2003-08-28 22:00
versions
Squid-2.5 and earlier
platforms
All
workaround
Allow POST/PUT without requiring authentication if you are using NTLM
authentication.
synopsis
ncsa_auth just exits if it can not read the supplied password file,
instead of reporting an error.
severity
Minor
date
2003-08-20 12:58
versions
Squid-2.5 and earlier
platforms
All
workaround
If ncsa_auth exits for no apparent reason, verify that the given
ncsa password file is readable by the cache_effective_user.
synopsis
The patch for Bug #92 (squid-2.5.STABLE3-mem_cfd.patch) broke
the forwarded_for directive.
severity
Minor
date
2003-08-18 17:29
versions
Squid-2.5.STABLE3 snapshots 2003-08-07 to 2003-08-18
platforms
All
workaround
Use anonymization via http_header_access to delete the X-Forwarded-For
header from forwarded requests. This is probably preferred in any case.
synopsis
The algorithm that calculates the timeout for a set of ICP
queries ignores multicast neighbors. It also ignores the
expected number of replies because "*exprep" is always set
equal to parent_exprep + sibling_exprep.
severity
Minor
date
2003-08-13 00:31
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use multicast ICP.
synopsis
Squid is supposed to log the username in access.log on unsuccessful
authentication, but it does not.
severity
Minor
date
2003-08-10 19:01
versions
Squid-2.5
platforms
All
synopsis
The Digest auth update in Squid-2.5.STABLE3 caused a slight
portability problem to platforms where struct in_addr is defined
"differently". If you find that auth/digest_auth.c fails to compile
in 2.5.STABLE3 but works in Squid-2.5.STABLE2 or earlier then you
may need this patch.
severity
Cosmetic
date
2003-08-10 07:39
versions
Squid-2.5.STABLE3
platforms
MinGW, maybe a few others
synopsis
The automatic calculation on number of threads and queue limits
based on number of cache directories got the calculation slightly wrong.
severity
Minor
date
2003-08-06 14:21
versions
Squid-2.5 and earlier
platforms
All
workaround
manually specify the number of threads to configure
synopsis
If aufs fails to open files in the cache_dir which should be there
then Squid may crash with the above assertion failure.
severity
Medium
date
2003-08-06 14:21
versions
Squid-2.5 and earlier
platforms
All
workaround
do not manually delete files from an aufs cache_dir
synopsis
In certain infrequent situations involving aborted requests
Squid could crash with the above assertion
severity
Medium
date
2003-08-06 13:56
versions
Squid-2.5 and earlier
platforms
All
synopsis
More improvements to make COSS more useable and reliable.
Fixed off_t/int comparison bug that caused Squid to think
it hit the end of the disk much sooner than it should have.
Use blocking I/O, instead of aborting when aio calls fail.
Another bug caused Squid to not write the last byte of
each COSS stripe. Added statistics and a cachemgr page.
severity
Minor
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use COSS
synopsis
A blank username is logged as a blank space which may confuse
log file parsers. This patch will replace blank usernames with
a dash (-).
severity
Minor
date
2003-07-28 09:16
versions
Squid-2.5 and earlier
platforms
All
workaround
Rework parsing scripts to "guess" whether the username is there or not.
synopsis
Improvements to make COSS more useable and reliable. Added
block-size option to 'cache_dir' line and fixed lockcount
(memory leak) bug.
severity
Minor
date
2003-07-29 22:29
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use COSS
synopsis
The statCounter.syscalls.disk are handled differently in
some cases. For example, they are not incremented by AUFS
(except for writes which are handled by file_write()).
Also, requests given to unlinkd do not increment the
syscalls.disk.unlinks value.
severity
Cosmetic
date
2003-07-22 15:39
versions
Squid-2.5 and earlier
platforms
All
synopsis
in storeDirSelectSwapDirRoundRobin(), there is a loop
variable (i), which is different than the static directory
number (dirn). Instead of checking the cache_dir corresponding
to the loop variable, it should check the directory number.
severity
Minor
date
2003-07-17 15:46
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use round-robin, or don't use max-size cache_dir option.
synopsis
When Squid fails to receive a cache digest from a neighbor,
it may trigger an assertion on the second attempt. This
is probably an old bug, recently brought to light due to
changes elsewhere.
severity
Major
date
2003-07-16 20:30
versions
Squid-2.5 and earlier
platforms
All
workaround
Add the 'no-digest' option to your cache_peer line.
synopsis
Due to a data connection management error Squid can become very
unstable after the above error message.
severity
Major
date
2003-07-16 13:49
versions
Squid-2.5 and earlier
platforms
All
synopsis
When using http_reply_access, requests that are denied look
just like requests that are allowed in access.log. In other
words, they are logged with TCP_HIT, TCP_MISS, etc.
This patch causes them to be logged with TCP_DENIED.
You can still differentiate requests denied by http_access
and http_reply_access by looking at the "hierarchy" field.
For http_reply_access denied requests, it will contain
the origin server or neighbor cache hostname/address.
severity
Minor
date
2003-07-15 21:39
versions
Squid-2.5.STABLE3 and earlier
platforms
All
synopsis
The ie_refresh option may be used to allow for Squid to act on
the reload button of MSIE 5.x browsers in transparent proxy setups,
however a slight oversight in the implementation caused the option
to not be as effective as intended if there are parent caches involved.
severity
Minor
date
2003-07-15 20:45
versions
Squid-2.5 and earlier
platforms
All
workaround
Configure your browser to use the proxy and forget about this mess
synopsis
Squid leaks 4KB of memory on each request denied by reply_body_max_size
ultimately leading to crash of Squid when it runs out of memory
severity
Medium
date
2003-07-11 23:23
versions
Squid-2.5 and earlier
platforms
All
workaround
Don't use reply_body_max_size
synopsis
Some firewalls or servers get confused if the Host header is too
far into the headers. To prevent these from failing on requests
forwarded via Squid make Squid forward the Host header exactly
where it was in the original request.
severity
Medium
date
2003-07-11 22:46
versions
Squid-2.5 and earlier
platforms
All
synopsis
If deny_info TCP_RESET is used then Squid leaks 4K of memory
on each request denied with a TCP_RESET.
severity
Medium
date
2003-07-09 22:01
versions
Squid-2.5
platforms
All
workaround
Don't use deny_info TCP_RESET
synopsis
Spanish translation of ERR_TOO_BIG error message
severity
Cosmetic
date
2003-07-20 10:40
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch removes the unused minimum_retry_timeout squid.conf
parameter. This variable has not been used for some time it seems.
severity
Cosmetic
date
2003-07-07 08:32
versions
Squid-2.5
platforms
All
synopsis
cacheMesh.cachePeerTable.cachePeerEntry.cachePeerPingsSent and
cachePeerPingsAcked to match the MIB. Was ASN_INTEGER, is not
SMI_COUNTER32.
severity
Minor
date
2003-07-07 08:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
put checks for 'release_request' and 'wrong_content_length' before
'not_entry_cachable'. The first two are always zero because they
also always have ENTRY_CACHABLE bit cleared.
severity
Cosmetic
date
2003-07-07 08:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
parseEtcHosts() does not handle comments in the middle of a line
severity
Minor
date
2003-07-07 08:32
versions
Squid-2.5
platforms
All
synopsis
use sbrk() for high_memory_warning check on platforms where
neither mallinfo() or mstats() are available.
severity
Minor
date
2003-07-07 08:32
versions
Squid-2.5 and earlier
synopsis
Fix HTTP anonymization feature acl checks when using parent proxies
severity
Minor
date
2003-07-07 08:32
versions
Squid-2.5
platforms
All
synopsis
neighbor_type_domain usage incorrect; missing neighbor hostname
severity
Cosmetic
date
2003-07-07 08:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
Section 3.3 of
draft-vinod-carp-v1-03.txt says:
The Load Factor Multiplier must be calculated from the smallest
P_k to the largest P_k. The sum of all P_k's must be 1.
severity
Minor
date
2003-07-07 08:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
GCC-3.3 gets slightly confused by the Squid code and gives a few
mostly false warnings regarding type-punning.
severity
Cosmetic
date
2003-07-07 08:32
versions
Squid-2.5 and earlier
platforms
All
workaround
Ignore the warnings
synopsis
Under certain conditions the "Files queued for open counter" could
grow larger than intended. If this grows too large then Squid may
think it runs out of filedescriptors even if there is plenty of
filedescriptors free, but we do not expect this to become a real
problem in any installations.
severity
Minor
date
2003-06-18 23:18
versions
Squid-2.5 and earlier
platforms
All using aufs
synopsis
external_acl_type %IDENT does not wait for ident lookups to complete.
severity
Minor
date
2003-06-17 07:32
versions
Squid-2.5
platforms
All
workaround
use an ident acl before your external acl to trigger the ident lookup
synopsis
Handle the case when recv() returns EAGAIN and do not treat it like
an error
severity
Minor
date
2003-07-18 20:34
versions
Squid-2.5 and earlier
platforms
All
synopsis
correction to squid.conf comments. RFC 2396 (not 2616) talks about
dealing with whitespace in URIs.
severity
Cosmetic
date
2003-06-17 07:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
log_quote() and username_quote() should always quote '%' character
severity
Cosmetic
date
2003-06-17 07:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
This patch makes Squid print an error rather than consume 100%
CPU time if /dev/null can not be opened.
severity
Cosmetic
date
2003-06-17 07:39
versions
Squid-2.5 and earlier
platforms
All
workaround
Make sure you have a /dev/null if you chroot Squid
synopsis
The cache_dir documentation is slightly confusing regarding diskd
configuration. This patch removes old comments no longer valid.
severity
Cosmetic
date
2003-06-17 07:32
versions
Squid-2.5 and earlier
platforms
All
synopsis
The Squid-2.5.STABLE2 patch for deny_info TCP_RESET was not entirely
correct and causes segmentation fault on startup if more than one
custom deny_info error message is defined
severity
Medium
date
2003-05-27 07:25
versions
Squid-2.5.STABLE3
platforms
All
workaround
Disable the use of deny_info in your squid.conf.
synopsis
The Squid-2.5.STABLE2 patch for digest authentication used
a C99 feature (dynamic array initializers) which may not be
available in all C compilers
severity
Minor
date
2003-05-27 08:04
versions
Squid-2.5.STABLE3
platforms
Several platforms not using GCC or a C99 compliant C compiler
workaround
Use GCC
synopsis
Lithuanian error messages added. These were actually added to the
CVS tree for the 2.5.STABLE1 release, but never got included in
the distributed tarballs.
severity
Cosmetic
date
2003-05-25 13:57
versions
Squid-2.5 and earlier
platforms
All
Patches released after the 2.5.STABLE2 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
A regression error introduced by the patch for digest authentication
caused NTLM authentication to fail.
severity
Minor
date
2003-05-25 12:32
versions
Squid-2.5 snapshots 20030518-20030524
platforms
All
synopsis
This patch is the deny_info_url patch which corrects this issue
and also adds the ability to redirect. The earlier merge of the
TCP_RESET deny_info syntax from deny_info_url was not complete
and did not work.
It was not originally planned to add the redirect capability to
Squid-2.5, but the patch is well tested and making a new patch
which only fixes TCP_RESET is not worth the effort.
severity
Minor
date
2003-05-21 14:37
versions
Squid-2.5
platforms
All
synopsis
Due to a HTTP header parsing error Digest authentication always
fails on requests for URLs with one or more comma in them
severity
Minor
date
2003-05-20 23:55
versions
Squid-2.5
platforms
All
workaround
Don't require authentication on URLs with commas in them
synopsis
Digest authentication qop implementations in many mainstream browsers
are quite poor and often cause authentication problems when used
with Squid. This patch adds a couple of workarounds which can be
used to work around the most obvious errors while still maintaining
a reasonable level of security in the Digest authentication protocol,
and also fixes a minor issue where Squid failed to correctly indicate
when a used nonce was stale, thereby causing these browser bugs to
show up as authentication failures (new login box) more often than actually needed.
severity
Minor
date
2003-05-18 21:55
versions
Squid-2.5
platforms
All
synopsis
Due to an error introduced by the patch for Bug #553 external
acl lookups hangs if defined with ttl=0.
severity
Minor
date
2003-05-18 21:55
versions
Squid-2.5.STABLE2
platforms
All
synopsis
Due to the change in basic auth helper protocol introduced in
Squid-2.5 to deal with login names or passwords with spaces
or other odd characters in them smb_auth.pl fails to authenticate
domain qualified logins (domain\user).
severity
Minor
date
2003-05-19 07:51
versions
Squid-2.5
platforms
All
synopsis
In Squid-2.5 the format of basic auth helpers changed slightly to
better support logins or passwords with spaces or other odd characters,
however the smb_auth helper was not updated correctly making it fail
on full domain logins etc.
severity
Minor
date
2003-05-13 08:22
versions
Squid-2.5
platforms
All
synopsis
A small regression error was introduced by the earlier patch for acl loops. The patch denied access if an acl could not be evaluated. This patch changes the behaviour back to that of 2.5.STABLE2 and earlier and makes Squid continue to the next access rule.
severity
Minor
date
2003-05-12 07:29
versions
Squid-2.5.STABLE2-20030508 to 20030512
platforms
All
synopsis
If detailed debugging is enabled (squid -k debug) then Squid may
segfault on certain platforms while processing authentication.
severity
Cosmetic
date
2003-05-11 21:48
versions
Squid-2.5
platforms
All
synopsis
Certain code could never be reached due to signed/unsigned
errors. To our knowledge this has not caused any ill effects,
but this patch corrects the code to behave as expected.
severity
Cosmetic
date
2003-05-11 17:35
versions
Squid-2.5 and earlier
platforms
All
synopsis
poll() underperforms if enabled and used. Apply the bugfix to reduce CPU and
kernel overhead.
severity
Minor
date
2003-05-11 16:49
versions
Squid-2.5 Stable2 and earlier. (Search for earliest version not done)
platforms
All
workaround
none.
synopsis
To allow access to groups in other domains it needs to be
possible to specify groups by their fully qualified name.
severity
Minor
date
2003-05-11 12:56
versions
Squid-2.5
platforms
All
synopsis
In certain configurations involving negated external acls (!aclname
where aclname is an external acl) Squid may crash with a segmentation
fault error or behave oddly.
severity
Minor
date
2003-05-10 22:23
versions
Squid-2.5
platforms
All
workaround
Make sure you only use negated external acls as the last acl element
in your http_access lines if needed.
http_access allow acl1 acl2 !externalacl
synopsis
This update of squid_ldap_auth adds:
* TLS/SSL encryption support required to connect to certain LDAP servers
* Ability to read bindpasswd from file to increase security
* Timeout options for better recovery when using multiple LDAP servers
severity
Minor
date
2003-05-08 20:22
versions
Squid-2.5 and earlier
platforms
All
workaround
For SSL encryption you can use stunnel as a workaround with earlier
versions of the squid_ldap_auth helper.
synopsis
In certain configurations with more than one proxy_auth acl on the
same access line http_access can get stuck, causing Squid to
continuously query the authentication helper.
severity
Major
date
2003-05-07 20:08
versions
Squid-2.5 and maybe earlier
platforms
All
workaround
Make sure you never use more than one proxy_auth or related
acl on the same http_access line.
synopsis
reply_body_max_size fails with ident or proxy_auth acls. Also
it fails to block too large objects where the content-length
is not known
severity
Minor
date
2003-05-06 20:16
versions
Squid-2.5
platforms
All
synopsis
acl ident REQUIRED matches even if the ident lookup fails
severity
Minor
date
2003-05-06 19:57
versions
Squid-2.5
platforms
All
workaround
acl noident ident -
http_access deny noident
synopsis
The msntauth helper crashes if more than 256 users are specified in
an allow/deny file, or if kill HUP is used and no allow or deny file
is specified.
severity
Minor
date
2003-05-06 07:59
versions
Squid-2.5 and earlier
platforms
All
synopsis
The squid_ldap_auth helper may crash if the LDAP server is
unavailable
severity
Minor
date
2003-05-06 00:39
versions
Squid-2.5 and earlier
platforms
All
synopsis
Even after a "squid -k reconfigure" squid continues using the
old log paths until "squid -k rotate". Also it is impossible
to disable active logs without a full restart of Squid.
severity
Minor
date
2003-05-06 00:28
versions
Squid-2.5 and earlier
platforms
All
workaround
Restart Squid when making log file changes
synopsis
Compilation of Squid with --enable-ssl fails on RedHat 9
because the RedHat 9 version of OpenSSL depends on Kerberos
which is not in the standard include path
severity
Cosmetic
date
2003-05-04 21:29
versions
Squid-2.5
platforms
RedHat 9
workaround
--enable-ssl=/usr/kerberos
synopsis
cacheNumObjCount, cacheCurrentUnlinkRequests, cacheCurrentSwapSize
and cacheClients all reported as Counter32 type SNMP objects where
they actually represent gauges.
severity
Cosmetic
date
2003-05-02 09:54
versions
Squid-2.5 and earlier
platforms
All
workaround
Convince your SNMP monitor to use the values as if they were gauges.
synopsis
The wb_group helper has been updated to version 1.1. This update
includes an option for case insensitive group name comparison
(Bugzilla #574), Fixed a segfault (Bugzilla #574) and
updated the documentation according to FAQ on squid-users
severity
Minor
date
2003-05-15 11:02
versions
Squid-2.5
platforms
All
synopsis
Cachemgr was reporting huge values for Maximum Resident Size on AIX 5,
and snprintf is now a supported function on AIX 5 so Squid does not
need to supply its own version.
severity
Cosmetic
date
2003-04-29 16:19
versions
Squid-2.5 and earlier
platforms
AIX 5
workaround
Just ignore the Maximum Resident Size value in cachemgr.
synopsis
A bug in how Squid processes certain DNS replies can cause
segmentation faults on certain platforms. Linux and FreeBSD on X86
platforms seem unaffected however.
severity
Major
date
2003-04-25 12:17
versions
Squid-2.5 and earlier
platforms
Solaris SPARC and several others
workaround
Recompile squid with --disable-internal-dns
synopsis
The paranoid header_access example is missing WWW-Authenticate,
and thereby unintentionally denying authentication to web sites
if used without modifications
severity
Cosmetic
date
2003-04-14 20:04
versions
Squid-2.5
platforms
All
synopsis
The cache_peer documentation for the htcp and carp related options was missing
severity
Cosmetic
date
2003-04-09 13:47
versions
Squid-2.5 and earlier
platforms
All
synopsis
The cache_effective_user/group documentation was unclear on what happens
if only one of the directives is set, or when Squid is started as a
non-root user.
severity
Cosmetic
date
2003-04-09 13:47
versions
Squid-2.5 and earlier
platforms
All
synopsis
If there is a queue overload for external acl lookups then Squid
logs "externalAclLookup: 'xxx' queue overload" at a very high
rate in cache.log until the condition clears up.
severity
Major
date
2003-04-09 12:59
versions
Squid-2.5
platforms
All
workaround
Make sure there is a sufficient number of helpers to handle your
request load.
synopsis
Squid may hang or otherwise behave oddly in shutdown if there
are new requests processed at the same time. On shutdown Squid
internally shut down DNS, redirectors and external acls while
still processing new requests already received. In combination
with the external acl queue overload bug this can completely
hang Squid, preventing it from shutting down.
severity
Minor
date
2003-04-09 12:59
versions
Squid-2.5 and earlier
platforms
All
synopsis
Squid crashes with the above assertion failure if an external_acl
helper crashes while processing a request
severity
Minor
date
2003-03-24 17:28
versions
Squid-2.5
platforms
All
workaround
Fix the helper to not crash
synopsis
If you are using an external acl based on data which changes
during a browsing session then false negatives may be seen if
there are multiple requests immediately after the request data
used by the acl has changed, or other situations where there
may be multiple concurrent requests for the same external acl
lookup.
The error automatically clears up if the failing request
is retried.
severity
Minor
date
2003-03-18 22:12
versions
Squid-2.5
platforms
All
workaround
Press reload, or otherwise try the request again.
Patches released after the 2.5.STABLE1 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is the last modification time.
synopsis
Due to an oversight in the implementation of server side persistent
connections in Squid-2.5.STABLE1 and earlier POST or PUT requests
may fail if sent just as an existing persistent connection is timed
out by the origin server.
date
2003-03-17 18:39
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Disable server side persistent connection by setting "server_persistent_connections off" in squid.conf
synopsis
external acl types have the ability to provide a username to be
used when logging the request. This patch extends the capabilities
of this function by also making the username available as IDENT
in later acl checks.
date
2003-02-27 13:54
versions
2.5.STABLE1
platforms
All
synopsis
Security issues have been found in how Squid managed digest
authentication nonces, possibly giving access to unauthorized users
who can sniff the network traffic of a valid user session,
or denying authorized users access if they fail to provide
correct credentials on the first request.
date
2003-02-27 13:54
versions
2.5.STABLE1
platforms
All
synopsis
In certain conditions external_acl_type definitions using %LOGIN
could result in the above assertion failure.
date
2003-02-27 13:54
versions
2.5.STABLE1
platforms
All
synopsis
make install fails to install icons after make distclean
if you do not have uudecode installed
date
2003-02-21 22:21
versions
2.5.STABLE1
platforms
All
workaround
install uudecode, or unpack Squid from the distributed
tarball again.
synopsis
If a certain malformed request is received then Squid logs
"error: invalid HTTP-ident" in the URL column of access.log,
making problems for log parsers to read the line correctly.
date
2003-02-19 23:41
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
A syntax error / obsolete syntax in the declaration of the
Squid SNMP MIB (SQUID-MIB) causes current SNMP tools to fail
reading the file
date
2003-02-19 23:29
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
The winbind helpers depend on an internal Samba winbindd interface
which was changed in the Samba 2.2.6 release.
This patch updates the Samba support headers to those of
Samba 2.2.7a, and adds a configure directive (--with-samba-sources=..)
which can be used to override which samba version the Squid winbind
helpers should be built for
date
2003-02-12 02:11
versions
2.5.STABLE1
platforms
All
workaround
Manually copy and adjust the needed winbind helpers from Samba to each
of the winbind helpers you use.
synopsis
Clients who start sending data after a CONNECT request prior to
receiving the 200 OK reply may experience data corruption.
Normally clients do not do this as the specifications say that
the client must wait.
date
2003-02-12 02:07
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
Only the first time of a time acl type was used. This patch
corrects this to allow the same acl to specify multiple times
of the day.
date
2003-02-09 10:12
versions
2.5.STABLE1 and earlier
platforms
All
workaround
If you need to specify multiple times, use one acl for each time
synopsis
Certain malfunctioning HTTP servers can confuse Squid's client
persistent connection management by sending a malformed reply
in response to a HEAD request, causing unexpected delays in
request processing for the client.
date
2003年02月09日 10:12
versions
2.5.STABLE1 and earlier
platforms
All
workaround
client_persistent_connections off
synopsis
The SSL accelerator function of Squid-2.5 (--with-ssl option)
fails to compile if using OpenSSL 0.9.7 or later
date
2003/02/09 10:12
versions
2.5.STABLE1
platforms
All
synopsis
Each time Squid is reconfigured one file descriptor is leaked
for /etc/hosts
date
2003/02/09 10:12
versions
2.5.STABLE1
platforms
All
synopsis
Squid silently allowed cachemgr_passwd to be specified multiple
times for the same action, but only the first one is accepted. This
patch adds a warning when such configurations are seen.
date
2003/02/09 10:12
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Manually inspect your configuration to only have one password
specified per action.
synopsis
In certain conditions Squid crashes with the above assertion
failure on shutdown.
date
2003/02/09 10:12
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
The configure script accepts the --with-aufs-threads argument without
any value, causing the compilation to later fail.
date
2003/02/09 10:13
versions
2.5.STABLE1
platforms
All
workaround
Make sure to always specify a correct value if using
the --with-aufs-threads=NN option, or do not specify the option
at all (the default is good for most uses)
synopsis
the authenticate_program directive was replaced by auth_param
in Squid-2.5 but documentation for some other configuration
directives still refers to authenticate_program instead of the
current directive
date
2003/02/05 06:06
versions
2.5.STABLE1
platforms
All
workaround
use auth_param instead even if the documentation refers to the
non-existing authenticate_program directive
synopsis
authentication could only be used in http_access rules in Squid-2.5
(as noted in the release notes).
Any attempt to use authentication in other access rules either caused
the above error or even worse a segmentation fault if using NTLM
authentication.
Note: This patch depends on the earlier patch for the same problem.
date
2003/02/05 06:06
versions
2.5.STABLE1 and earlier
platforms
All
workaround
make sure to not use authentication based acls outside http_access
synopsis
delay_pools example does not match text; values are bytes, not bits
date
2003/02/05 06:06
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
Some nitpicks and cleanup relating to cache manager helper
stats and user authentication
date
2003/02/03 16:16
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
An internal error caused Squid to abort if FTP PUT requests are
aborted.
date
2003/02/01 22:19
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Deny FTP PUT in squid.conf.
synopsis
A coding error could cause issues with auth scheme configurations
in certain configurations. On some systems it may be impossible
to properly configure authentication, on others it only fails
if authentication is added by "squid -k reconfigure".
date
2003/02/01 22:19
versions
2.5.STABLE1
platforms
All
synopsis
The Cacheable statistics "no.non_get" is always 0 as the
code relating to this statistics item is not active.
This patch removes this useless field from the statistics.
date
2003/02/01 22:19
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
From the documentation of http_reply_body_max_size it was
not obvious that the size is in bytes. This patch rewords
the documentation slightly to make this clearer.
date
2003/02/01 22:19
versions
2.5.STABLE1
platforms
All
synopsis
When "squid -k shutdown" or kill is used to shut down Squid, the
pid file should be removed when Squid has shut down, but was removed
as soon as the shutdown completed.
date
2003/01/29 23:40
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
One of the statistics counters was only updated when using
poll() (default on most OSes)
date
2003/01/29 23:26
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
The cachemgr histogram output was missing the histogram count
on file descriptor activity
date
2003/01/29 23:26
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
At one place in the code sc->copy_offset was assigned twice
to the same value. Once is sufficient.
date
2003/01/29 23:28
versions
2.5.STABLE1 and earlier
platforms
All
workaround
None needed. Harmless.
synopsis
The mem_pool_free_calls statistics parameter was printed
as a signed integer, possibly causing negative values to
be printed once there have been more than 2^31 mempool
free operations.
date
2003/01/29 23:28
versions
2.5.STABLE1 and earlier
platforms
All
workaround
ignore any negative values printed
synopsis
The code dealing with peer selection accounting has been
cleaned up slightly, and accounting for cache-digest siblings
has been corrected.
date
2003/01/29 23:26
versions
2.5.STABLE1 and earlier
platforms
All
workaround
None needed
synopsis
If log_mime_hdrs is enabled then Squid's access.log may include garbage
if overly long request headers are received, causing the logged line to
become more than 8192 characters long.
date
2003/01/20 19:03
versions
2.5.STABLE1 and earlier
platforms
All
workaround
postprocess the logs to remove the garbage, or limit request/reply header
sizes in squid.conf.
synopsis
To aid in determining how large your Squid process really is,
statistics based on the growth of the process sbrk value have been
added to cachemgr
date
2003/02/09 10:14
updated
2003/01/20
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
Squid had the odd habit of normalizing double dots (www..example.com)
in hostnames to one dot. Such hostnames are strictly not valid, and
can in some configurations allow users to bypass filters. This patch
makes Squid reject hostnames with double or leading dots.
This patch also adds a configure option to disable the character
checks performed by Squid on domain name labels. It is not really
the business of Squid to police what characters are used in domain
name labels.
date
2003/02/09 10:15
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
The cachemgr output indicated failure_ratio was a percentage when
it in fact is a ratio. This patch removes the % sign from cachemgr
output.
date
2003/01/18 14:52
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
The offline_toggle cachemgr action needs to be enabled in
cachemgr_passwd before use. This was omitted from the squid.conf
documentation.
date
2003/01/18 14:52
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
squid_ldap_group fails to compile if using OpenLDAP 2.1.X or later.
This patch also adds many new features to squid_ldap_group, allowing
true group matches, NT domain integration and some other small fixes.
date
2003/01/11 13:08
updated
2003/01/11
versions
2.5.STABLE1
platforms
All
workaround
Use OpenLDAP 2.0.X.
synopsis
The documentation for refresh_pattern contained a stale reference
to a Squid-1.1 release notes document which no longer exists
date
2003/01/10 23:16
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Don't bother looking for the Squid-1.1 release notes. The information
found therein is not applicable to current Squid versions.
synopsis
Squid 2.5 stable 2 will only allow aufs to be built with the
_REENTRANT define enabled. This is to ensure correct threading
operation on all platforms, and its optionality led to some
spurious bug reports and failures in 2.5 stable 1 and earlier.
date
2003/01/10 23:16
versions
2.5.STABLE1 and earlier
platforms
none
workaround
make sure --enable-pthreads is used when compiling support for aufs
synopsis
When using chroot_dir Squid complains about all paths in squid.conf
unless the same paths are accessible outside the chroot jail, even
if they will actually be used only within the chroot.
date
2003/01/09 05:36
versions
2.5.STABLE1 and earlier
platforms
All
workaround
create symlinks as needed
synopsis
Segfault when using -S in combination with cache_dir coss/null
date
2003/01/09 05:36
bugzilla
488
versions
2.5.STABLE1
platforms
All
workaround
Don't use -S if configured with a coss/null cache_dir
synopsis
Even in offline_mode expired content sometimes is processed as a cache
miss. The intention of offline_mode is to make Squid very aggressively
return cached content, assuming the Internet is not available for
checking freshness.
date
2003/01/09 04:21
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
In certain conditions Squid may crash while rebuilding dirty cache
directories.
date
2003/01/09 03:46
versions
2.5.STABLE1 and earlier
platforms
All
workaround
always shut down Squid cleanly, or start Squid with the -F option
to not accept requests while the cache index is being rebuilt.
synopsis
The RunCache/RunAccel scripts were not modified to look for Squid
in its new location 'sbin'.
date
2003/01/07 03:52
versions
2.5.STABLE1
platforms
All
workaround
Modify the script to look in sbin, or start squid directly
synopsis
If Squid is configured to use aufs cache_dir type then performance
may seem slow when Squid is only processing a few requests
date
2003/01/09 00:58
updated
2003/01/09
versions
2.5.STABLE1 and earlier
platforms
All when configured to use aufs
workaround
give Squid more work to do. aufs is designed for busy caches. If you
have a single user cache consider using ufs instead.
synopsis
Compilation of squid_ldap_group fails with errors about undefined
symbol "socket", "getpeername" and other networking related symbols.
date
2002/12/12 00:33
versions
2.5.STABLE1
platforms
Solaris and others requiring special libraries for networking
workaround
Manually edit helpers/external_acl/ldap_group/Makefile to include
the needed libraries last on the LDADD line
synopsis
Squid sometimes crashes with 'assertion failed: comm.c:646:
"F->flags.open"' logged to cache.log.
date
2002/12/09 16:38
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Deny the use of CONNECT
synopsis
It is impossible to define acls with spaces in them. Previously
this has not been such a big problem, but with the addition
of external acl checks and integration with various foreign
user group systems such as Windows Domain this has become more
of a problem.
This patch allows you to use the "include" function to define
such acls.
date
2002/11/24 11:03
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Make sure that all groups etc. you need to refer to do not
contain spaces.
synopsis
There is a small typo in the error message returned if the DNS queue
overloads when Squid is compiled with --disable-internal-dns
date
2002/11/12 07:45
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Do not compile Squid with --disable-internal-dns. The default internal
DNS client is much more efficient and cannot be overloaded.
synopsis
Microsoft "Integrated Login" authentication schemes NTLM and Negotiate
(SPNEGO) cannot be proxied due to a design flaw in these protocols,
authenticating TCP connections rather than HTTP messages.
Previously this was only a problem with IIS servers on the Internet
but with the addition of NTLM support in Squid this is now also a
problem in Squid cache hierarchies.
date
2002/11/11 21:01
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Make sure "Integrated Logon" is disabled on all parent proxies or
web servers your users need to log on to.
synopsis
If the HTTP server running cachemgr is configured to log query
parameters then your cachemgr login & password may be revealed
in the access logs. This patch changes cachemgr to use POST
which should hide this information from most logs
date
2002/11/11 21:47
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
"make uninstall" removes squid.conf, and with it any local modifications
which may have been done. This patch changes "make uninstall" to not
remove squid.conf.
date
2002/11/11 22:57
versions
2.5.STABLE1
platforms
All
workaround
back up squid.conf before running "make uninstall" if you want to save
a copy, or manually delete the unwanted files.
synopsis
If an external_acl helper exits prematurely then Squid segfaults.
This patch makes Squid deal more gracefully with the situation
and retry the request to the next available helper. If too many of the
helper instances die then Squid will do a controlled restart.
date
2002/11/11 22:57
versions
2.5.STABLE1
platforms
All
workaround
Write crash proof external_acl helpers
synopsis
Squid rejects requests having a request entity with error "411
Length Required". While the HTTP specification allows for such
requests it also says the request entity must have no meaning.
This patch adds a new squid.conf directive "request_entities on/off"
which can be used to enable support for such strange GET/HEAD
requests if needed.
date
2002/11/11 22:57
versions
2.5.STABLE1 and earlier
platforms
All
workaround
Don't use the proxy for devices sending such strange HTTP requests
synopsis
Certain compilers complain about an extra comma in external_acl.c
date
2002/11/11 22:57
versions
2.5.STABLE1
platforms
Compiler Specific
workaround
Use GNU CC
synopsis
Squid sometimes leaks acl structures on "squid -k reconfigure".
date
2002/11/10 03:58
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
Due to a race condition in the aufs storeio implementation data
corruption can occur if the client aborts a cache hit while
aufs is reading data from the disk
date
2002/11/15 06:35
updated
2002/11/15
versions
2.5.STABLE1 and earlier
platforms
All using aufs
synopsis
The cachemgr "Total accounted:" statistics field always reports "-1"
date
2002/11/10 17:00
updated
2002/11/10
versions
2.5.STABLE1
platforms
All
synopsis
In certain conditions the WCCP router might miss the hash assignment
sent by Squid.
date
2002/11/09 09:59
versions
2.5.STABLE1 and earlier
platforms
All
synopsis
An internal error in the strwordtok() function causes problems
for external_acl if the last helper argument is quoted by Squid.
For example if using a group helper and having groups with spaces
in them.
date
2002/11/09 09:59
versions
2.5.STABLE1
platforms
All
synopsis
If --enable-async-io or --with-storeio=aufs is used then configure
attempts to automatically enable --with-pthreads. Unfortunately
it only gets it half right, resulting in an unstable aufs storeio driver.
date
2002/11/14 08:26
versions
2.5.STABLE1
platforms
All using aufs
workaround
Make sure to include --with-pthreads when building with the aufs
storeio driver.
synopsis
The undocumented "make addlang" target does not work. This make
target is intended to be used when adding additional languages
to an installation where configure was instructed not to install
all languages.
date
2002/11/09 09:59
versions
2.5.STABLE1
platforms
All
workaround
Select the languages during the normal install procedure
synopsis
The command line syntax of specifying LDAP servers last on the command
line does not work.
date
2002/10/18 09:50
versions
2.5.STABLE1
platforms
All
workaround
Make use of the -h option to specify LDAP servers.
synopsis
If the referer log file is enabled then Squid might complain
about this log file being open on shutdown. This is the same
problem as Bug #120 but for the referer log.
date
2002/10/13 17:04
versions
2.5.STABLE1 and earlier
platforms
All
workaround
None needed. Ignore any complaints from Squid that the referer
log is open
synopsis
Many files such as squid.rc were missing from the contrib directory.
versions
2.5.STABLE1
platforms
All
workaround
Copy the files from another Squid release
synopsis
If urlParse() fails in mimeLoadIconFile() (e.g., because the user put
illegal characters in the visible_hostname), this patch makes Squid
emit a fatal error message, rather than suffer a NULL pointer
dereference.
date
2002/10/08 21:30
versions
2.5.STABLE1
platforms
All
workaround
Make sure visible_hostname has a correct value with only valid
hostname characters, and that your icon files are readable by the
user Squid is running as (cache_effective_user if started by root)
synopsis
Improved documentation on how to set the cache_dir size parameter
date
2002/10/08 12:59
versions
2.5.STABLE1
platforms
All
synopsis
The documentation for max_user_ip and authenticate_ip_ttl is slightly misleading
date
2002/10/08 21:30
versions
2.5.STABLE1
platforms
All
synopsis
proxy_auth (and other authentication acl types) only works in
http_access.
date
2002/10/08 12:59
versions
2.5.STABLE1
platforms
All
synopsis
The compiler may warn about unused parse/dump/free_http_header_access
functions if the configure directive --disable-http-violations is used
date
2002/11/10 03:21
versions
2.5.STABLE1
platforms
All
workaround
Ignore the warning. It is harmless.
synopsis
The compiler may warn about an unused error label if the
configure directive --disable-ident-lookups is used
date
2002/09/29 19:14
versions
2.5.STABLE1
platforms
All
workaround
Ignore the warning. It is harmless.
$Id: index.tmpl,v 1.350 2006/06/21 12:33:13 hno Exp hno $