-
Notifications
You must be signed in to change notification settings - Fork 528
/
ChangeLog
7009 lines (6346 loc) · 323 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Changes in squid-6.7 (4 Feb 2024)
- Bug 5337: workaround for crash on startup if -a option is used
- Bug 5274: Successful tunnels logged as TCP_TUNNEL/500
- Fix crash when NTLM and Negotiate helpers are queried with no HTTP request
- Fix SslBump memory leak when mimicking certificates with Authority Key Identifier
- Fix memory leak on SslBump certificates with Authority Key Identifier extension
- Fix a possible integer overflow in FTP Gateway
- Extend cache_log_message to Bug 5187 and job invalidation BUGs
- Remove incorrect beta version warning
- MS Windows portability improvements
- ... and some documentation improvements
Changes in squid-6.6 (5 Dec 2023):
- Bug 5328: Fix ESI build with libxml2 v2.12.0
- Bug 5319: QOS Netfilter MARK preservation is always disabled
- Bug 5318: peer_digest.cc:399: "fetch->pd && receivedData.data"
- Bug 5317: FATAL attempt to read data from memory
- Bug 5154: Do not open IPv6 sockets when IPv6 is disabled
- FTP: Ignore credentials with a NUL-prefixed username
- log_db_daemon: Fix DSN construction
- Limit the number of allowed X-Forwarded-For hops
- Do not update StoreEntry expiration after errorAppendEntry()
- improve handling of response sending errors
Changes in squid-6.5 (5 Nov 2023):
- Bug 5309: frequent "lowestOffset () <= target_offset" assertion
- Bug 4977: Remove mem_hdr::freeDataUpto() assertion
- Fix handling of expanding HTTP header values
- Fix RFC 1123 date parsing
- Gracefully shutdown when helper process startup fails
Changes in squid-6.4 (22 Oct 2023):
- Regression: Restore support for legacy cache_object cache manager requests
- Regression: Do not use static initialization to register modules
- Bug 5301: cachemgr.cgi not showing new manager interface URLs
- Bug 5300: cachemgr.cgi assertion
- Fix stack buffer overflow when parsing Digest Authorization
- Fix userinfo percent-encoding
- Fix store_client caller memory leak on certain errors
- Fix validation of certificates with CN=*
- Fix handling of large stored response headers
- Miss if a HTTP/304 update would exceed reply_header_max_size
- RFC 9112: Improve HTTP chunked encoding compliance
- HTTP: Improve handling of empty lines received prior to request-line
- Y2038: improve printing of time settings
- Extend cache_log_message to problematic from-helper annotations
- ... and several Continuous Integration improvements
Changes in squid-6.3 (03 Sep 2023):
- Bug 5294: ERR_CANNOT_FORWARD returned instead of ERR_DNS_FAIL
- Bug 4981: Work around in-call job invalidation bugs
- basic_smb_lm_auth: fix 'no previous declaration' warnings
- CacheManager: require /squid-internal-mgr/ URL path prefix
- ESI: Fix build [-Wsingle-bit-bitfield-constant-conversion]
- ... and some documentation changes
Changes in squid-6.2 (06 Aug 2023):
- Bug 5187: Work around REQMOD satisfaction regression
- Bug 5290: pure virtual call in Ftp::Client constructor
- Fix memory leak when reconfiguring multiline all-of ACLs
- ... and a lot of code cleanups
- ... and some portability fixes on GNU/Hurd and MSWindows
Changes in squid-6.1 (06 Jul 2023):
- Bug 5278: Log %err_code for "early" request handling errors
- Do not cache (and do not serve cached) cache manager responses
- Fix key equality comparison in LookupTable map
- Honor DNS RR TTLs larger than negative_dns_ttl
- ... and some documentation changes
Changes in squid-6.0.3 (07 Jun 2023):
- Bug 5148: Log %Ss of failed tunnels as TCP_TUNNEL
- Do not leak Security::CertErrors created in X509_verify_cert()
- Do not erase aborted StoreMap entries that are still being read
- Fix build in environments lacking syslog
- Fix build failures in some environments due to time_t type conflicts in libdebug
- Remove obsolete caddr_t
- ... and some documentation changes
Changes in squid-6.0.2 (30 Apr 2023):
- Avoid excessive disk I/O in some environments
- ... and several build and portability fixes
- ... and all fixes from 5.9
Changes in squid-6.0.1 (28 Feb 2023):
- Bug 5256: Intercepting port fails to accept
- Bug 5241: Block all non-localhost requests by default
- Bug 5241: Block to-localhost, to-link-local requests by default
- Bug 5232: Fix GCC v12 build [-Wuse-after-free]
- Bug 5211: support.cc:355: "!filledCheck->sslErrors" assertion
- Bug 5194: Remove all unused debug sections
- Bug 5162: mgr:index URL do not produce MGR_INDEX template
- Bug 5129 pt1: remove Lock use from HttpRequestMethod
- Bug 5128: Translation: Fix % i typo in es/ERR_FORWARDING_DENIED
- Bug 5021: Add a script to fix spelling error with codespell
- Bug 4946: client_side_request.cc: "request != newRequest"
- Bug 4832: '!schemeAccess' assertion on exit
- Bug 4572: squidclient: Remove deprecated cache_object:// support
- Bug 4528: ICAP transactions quit on async DNS lookups
- Add scripts/trace-context.pl: a debugging tool
- Remove cache_diff tool
- Remove membanger tool
- Remove pconn-banger tool
- Remove recv-announce tool
- Remove send-announce tool
- Remove tcp-banger* tools
- Remove ufsdump tool
- Remove support for Gopher protocol
- Remove support for unused libbsd
- Remove bundled GnuRegex library
- Remove CPU profiler mechanism
- Remove leakfinder (--enable-leakfinder)
- Remove --enable-kill-parent-hack
- Remove --disable-loadable-modules
- Remove unused/disabled/broken LEAK_CHECK_MODE code
- Remove SCO 3.2 support
- Remove m88k-specific support
- Remove NeXTSTEP support
- Remove HPUX compiler support
- Remove CBDATA debugging
- Require C++17
- cachemgr.cgi: Remove deprecated cache_object:// support
- ext_kerberos_ldap_group_acl: Support -b with -D
- ext_lm_group_acl: Improved username handling
- negotiate_wrapper: ensure null-termination of strings
- pinger: Fix MAX_PKT{4,6}_SZ to account for icmpEchoData padding
- HTTP: Replaced X-Cache and X-Cache-Lookup headers with Cache-Status
- HTTP: Update Host, Via, and other headers in-place when possible
- HTTP: Update status code 413 compliance
- RFC 9110: Reject different HTTP requests with unusual framing
- RFC 9111: Stop treating Warning specially
- RFC 9113: update documentation references
- RFC 9218: Priority header registration
- SSL-Bump: Remove step2+ stare-and-splice and peek-and-bump support
- TLS: Do not send more than one self-signed certificate
- TLS: Sort CA certificates in tls-cert=bundle
- TLS: Preserve configured order of intermediate CA certificate chain
- WCCP: Validate packets better
- CI: Support "negative" squid-conf-tests
- CI: Maintenance: Support custom astyle versions
- CI: test-builds.sh: in case of error dump full log
- CI: Add --progress option to test-builds.sh
- CI: Change time_units test to also work on 32bit systems
- CI: Maintenance: Update astyle version to 3.1
- Add cache_log_message directive
- Add paranoid_hit_validation directive
- Add tls_key_log to report TLS communication secrets
- Add %busy_time logformat code
- Add %transport::>connection_id logformat code
- Add %request_attempts logformat code
- Warn about some bad from-helper annotations
- Ban acl key changes in req_header, rep_header, and note ACLs
- Optimize ephemeral port reuse with IP_BIND_ADDRESS_NO_PORT
- Honor httpd_suppress_version_string in more contexts
- Honor ftp_port worker-queues option
- Log early level-0/1 debugs() messages to cache_log
- Support reliable zeroing of sensitive buffers
- Do not overwrite caching bans
- Do not blame cache_peer for 4xx CONNECT responses
- Mimic GET reforwarding decisions when our CONNECT fails
- Discarded connections do not contribute to forward_max_tries
- Honor assertions during shutdown
- Do not stop listening after "ERROR: NAT/TPROXY lookup failed..."
- Do not skip problematic regexes in ACLs
- Improve coredump_dir on FreeBSD and Solaris based OS
- Avoid reverse DNS lookups when logformat %>A is unused
- BUG: Unexpected state while connecting to ... server
- Properly track (and mark) truncated store entries
- Support "file" syntax for 'squid_error' and 'has' ACL parameters
- Allow sending "squid -k ..." signals to PID 1
- Remove bogus "found KEY_PRIVATE" WARNINGs
- Avoid "BUG #3329: Lost orphan ..." during accept problems
- Report SMP store queues state (mgr:store_queues)
- Remove 8K limit for single access.log line
- Rename ./configure option --with-libxml2 to --with-xml2
- Rename ./configure option --with-libcap to --with-cap
- Match ./configure --help parameter names with their defaults
- Remove broken -sha1 option from server_cert_fingerprint
- Fix typo in manager ACL
- Fix milliseconds in certain cache.log messages
- Fix ignore-cc/act-as-origin in wildcard split-stack ports
- Fix comm.cc:644: "address.port() != 0" assertion
- Fix StoreMap.cc "anchorAt(anchorId).reading()" assertions
- Fix double-free segmentation fault on shutdown
- Fix client_side_request.cc:2028 "request->method.id()" assertion
- Fix reconfiguration leaking tls-cert=... memory
- Fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY handling
- Fix "mem_obj->inmem_lo == 0" assertion in StoreEntry::swapOut()
- Fix TCP keepalive
- Fix SslBump reconfiguration leaking public key memory
- Fix socket accounting for TCP accept()
- ... and many documentation changes
- ... and much code cleanup and polishing
- ... and all fixes from 5.8
Changes in squid-5.9 (30 Apr 2023):
- Improve reply_body_max_size matching accuracy
- ... and some documentation changes
- ... and many portability fixes
Changes in squid-5.8 (28 Feb 2023):
- Bug 5162: mgr:index URL do not produce MGR_INDEX template
- Bug 5241: Block all non-localhost requests by default
- Bug 5241: Block to-localhost, to-link-local requests by default
- ext_kerberos_ldap_group_acl: Support -b with -D
- Fix ACL type typo in req_header, rep_header key-changing ERRORs
- ... and several compile fixes
- ... and some code cleanup and polishing
Changes in squid-5.7 (05 Sep 2022):
- Regression Fix: Typo in manager ACL
- Bug 5186: noteDestinationsEnd check failed: transportWait
- Bug 5160: Test suite fails with -flto=auto
- Bug 3193 pt2: NTLM decoder truncating strings
- Bug 5133: OpenSSL 3.0 support
- ext_session_acl: fix TDB key lookup
- forward_max_tries: Do not count discarded connections
- ... and many compile and debugging fixes
Changes in squid-5.6 (06 Jun 2022):
- Bug 5208: Part 1: Restart kids killed by SIGKILL
- Fix SQUID-MIB smilint errors
- negotiate_kerberos_auth: Initialise default_keytab
- Improve handling of Gopher responses
- ... and some semi-automated code polish
Changes in squid-5.5 (12 Apr 2022):
- Regression Bug 5192: esi_parser default is incorrect
- Bug 5177: clientca certificates sent to https_port clients
- Bug 5090: Must(!request->pinnedConnection()) violation
- Kid restart leads to persistent queue overflows, delays/timeouts
- Fix build on Illumos
- ESI: Drop incorrect and unnecessary xmlSetFeature() call
Changes in squid-5.4.1 (12 Feb 2022):
- Bug 5055: FATAL FwdState::noteDestinationsEnd exception: opening
- Fix FATAL ServiceRep::putConnection exception: theBusyConns > 0
- Fix ConnOpener orphan connection warnings when requester ends early
- Fix ConnOpener connection handling when sending negative answers
- Fix Comm::ConnOpener::cleanFd() debugging
- Fix ConnOpener callback's syncWithComm()
- Fix FwdState::advanceDestination() losing ERR_GATEWAY_FAILURE details
- Fix Tunneler handling of last-resort callback on premature job ending
- Fix PeerConnector handling of last-resort callback on premature job ending
- Fix FreeBSD 14 build
- Fix OpenBSD 7.0 build
- Add Comm::Connection::cloneDestinationDetails() debugging
- Improve Security::PeerConnector::serverConn and Http::Tunneler::connection management
- Refactor ConnOpener users to stop relying on the answer providing Comm::Connection
- Refactor ICAP connection-establishing code
- Polish PeerPoolMgr code
- Polish IDENT code
- Polish Gopher code
- Polished AsyncJob::Start() API
- ... and update code documentation
Changes in squid-5.4 (07 Feb 2022):
- Bug 5190: Preserve configured order of intermediate CA certificate chain
- Bug 5188: Fix reconfiguration leaking tls-cert=... memory
- Bug 5187: Properly track (and mark) truncated store entries
- Bug 5134: assertion failed: Transients.cc:221: "old == e"
- Bug 5132: Close the tunnel if to-server conn closes after client
- langpack: Fix typo in Russian texts
- copyright years and CONTRIBUTORS update
Changes in squid-5.3 (06 Dec 2021):
- Bug 5169: StoreMap.cc:517 "!s.reading()" assertion
- Bug 5158: AnyP::Uri::host() mishandles [escaped] IPv6 addresses
- Bug 5060: Parallel builds are not reliable
- Documentation updates for logformat directive
Changes in squid-5.2 (03 Oct 2021):
- Bug 5164: a copy-paste typo in HttpHdrCc::hasMinFresh()
- Bug 4922: Improve ftp://... filename extraction
- TLS: Fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY handling
- ... and all fixes from 4.17
Changes in squid-5.1 (01 Aug 2021):
- Bug 4696: Fix leaky String move assignment operator
- Fix ACL-related reconfiguration memory leak
- Fix SSL-Bump reconfiguration leaking public key memory
- Fix build on RISC-V
- Fix build on Ubuntu 21.04
Changes in squid-5.0.7 (04 Jul 2021):
- Fix a helper logging issues
- Fix some helper connection issues
- Cleanup: remove much unused code
- ... and all fixes from 4.16
Changes in squid-5.0.6 (10 May 2021):
- Bug 5057: Generated response lacks status code
- TLS: Handling missing issuer certificates for TLSv1.3
- TLS: Detail certificate validation errors during TLS handshake
- TLS: Detail client closures of CONNECT tunnels during TLS handshake
- TLS: %ssl::<negotiated_version and %ssl::>negotiated_version for TLS/1.3
- HTTP: Allow 1xx and 204 responses with Transfer-Encoding headers
- Maintenance: Start following Inclusive Naming Initiative advice
- Maintenance: Sort source file lists in Makefiles
- Maintenance: Support plugin-style scripts for source format enforcement
- Cleanup: Deduplicating IPC strand messages
- ... and some compile and debugging fixes
- ... and all fixes from 4.15
Changes in squid-5.0.5 (02 Feb 2021):
- HTTP: Do not send Connection:keep-alive/close in HTTP Upgrade requests
- Translations: Add es-mx dialect translation of error pages
- Fix missing port in request-target of CONNECT requests to peers
- Fix some warnings about client_lifetime timeout
- ... and several documentation updates
- ... and some debug improvements
- ... and all fixes from 4.14
Changes in squid-5.0.4 (23 Aug 2020):
- Bug 5054: mark dns_v4_first as obsolete in cf.data.pre
- Bug 5048: ResolvedPeers.cc:35: "found != paths_.end()" assertion
- Reforward CONNECT after TLS handshake failure with peer
- Do not send keep-alive in 101 (Switching Protocols) responses
- Add http_port sslflags=CONDITIONAL_AUTH
- ... and several documentation changes
- ... and some compile fixes
- ... and all fixes from 4.13
Changes in squid-5.0.3 (05 Jun 2020):
- Bug 5046: FreeBSD lacks open(2) O_DSYNC flag
- Happy Eyeballs: Do not discard viable reforwarding destinations
- Reduced startup time with large rock cache_dirs
- Fix the ABA problem with Ipc::Mem::PageStack::pop() in v5.0.1
- Fix sending of unknown validation errors to certificate validator
- ... and several debug improvements
- ... and all fixes from 4.12
Changes in squid-5.0.2 (18 Apr 2020):
- Bug 5030: Negative responses are never cached
- Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs
- Support worker-dedicated listening queues (SO_REUSEPORT)
- High precision time units
- Ban reserved annotations in "note", "adaptation_meta" directives
- ESI: convert parse exceptions into 500 status response
- Fix PURGE error responses
- ... and several documentation changes
- ... and some compile fixes
- ... and all fixes from 4.11
Changes in squid-5.0.1 (14 Jan 2020):
- Bug 4989: Leaking StoreEntry objects on Cache Digest rebuilds
- Bug 4912: same-name notes being appended instead of replaced
- Bug 4864: !Comm::MonitorsRead assertion in maybeReadVirginBody()
- Bug 4579: cannot hit an entry being written by another worker
- ICAP: Initial support for trailers
- Add auth_schemes to control schemes presence and order in 401s/407s
- Make CONNECT ACL a built-in default
- Remove USE_CHUNKEDMEMPOOLS compiler flag
- Two new ACLs implemented: annotate_transaction and annotate_client
- Add response delay pools feature for Squid-to-client speed limiting
- QA: allow test-suite to be run without a full build
- Happy Eyeballs: Use each fully resolved forwarding destination ASAP
- Support selective CF: collapsed_forwarding_access
- Reworked packet/connection marking
- Add new deny_info %A macro
- Identify collapsed transactions
- Add sample Kerberos group authentication external_acl helper
- Optimization: Fewer memory (re)allocations for HTTP headers
- Add TrivialDB support
- Do not send Content-Length in 1xx or 204 responses
- negotiate_kerberos_auth: fix memory leaks
- ntlm_fake_auth: add ability to test delayed responses
- Add %ssl::<cert macro for logging server X.509 certificate
- Reuse reserved Negotiate and NTLM helpers after an idle timeout
- Log PROXY protocol v2 TLVs
- Support logformat %codes in error page templates
- Fix incremental parsing of chunked quoted extensions
- Peering support for SslBump
- RFC 8586: Loop Detection in Content Delivery Networks
- Prevent TLS transaction stalls by preserving flags.read_pending
- Fix "BUG: Lost previously bumped from-Squid connection"
- Add %master_xaction logformat code
- Log "-" instead of the made-up method "NONE"
- Add GeneratingCONNECT step for the existing at_step ACL
- Report context of level-0/1 cache.log messages
- Re-enabled updates of stored headers on HTTP 304 responses
- Translations: Fix grammatical error in French error pages
- Smarter auth_param utf8 handling, including CP1251 support
- Fix rock disk entry contamination related to aborted swapouts
- Send HTTP/500 (Internal Server Error) when lacking peers
- Fix prohibitively slow search for new SMP shm pages
- Centralized PagePool/PageStack ID generation
- ... and many documentation changes
- ... and much code cleanup and polishing
- ... and all fixes from 4.10
Changes in squid-4.17 (03 Oct 2021):
- WCCP: Validate packets better
Changes in squid-4.16 (04 Jul 2021):
- Regression Fix: --with-valgrind-debug build broken since 4.15
- Bug 5129 pt1: remove Lock use from HttpRequestMethod
- Bug 5128: Translation: Fix '% i' typo in es/ERR_FORWARDING_DENIED
- Bug 4528: ICAP transactions quit on async DNS lookups
Changes in squid-4.15 (10 May 2021):
- Bug 5112: Excessively loud chunked reply parsing error reporting
- Bug 5106: Broken cache manager URL parsing
- Bug 5104: Memory leak in RFC 2169 response parsing
- Bug 3556: "FD ... is not an open socket" for accept() problems
- Profiling: CPU timing implemented for MAC non-x86
- Fix HttpHeaderStats definition to include hoErrorDetail
- Fix Squid-to-client write_timeout triggers client_lifetime timeout
- Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs
- Handle more Range requests
- Handle more partial responses
- Stop processing a response if the Store entry is gone
- ... and some portability fixes
- ... and some documentation updates
Changes in squid-4.14 (02 Feb 2021):
- Regression Fix: support for non-lowercase Transfer-Encoding value
- Regression Fix: cachemgr.cgi wrong 403 response to authenticated menu URIs
- Bug 5076: WCCP Security Info incorrect
- Bug 5073: Compile error: index was not declared in this scope
- Bug 5065: url_rewrite_program documentation update
- Bug 3074 pt2: improved handling of URI paths implicit '/'
- Fix transactions exceeding client_lifetime logged as _ABORTED
Changes to squid-4.13 (23 Aug 2020):
- Regression Fix: Support parsing GREASEd (and future) TLS handshakes
- Bug 5051: Some collapsed revalidation responses never expire
- HTTP: Enforce token characters for field-name
- HTTP: Forbid obs-fold and bare CR whitespace in framing header fields
- HTTP: Improve Transfer-Encoding handling
- WCCP: Fix GCC-10 -Wstringop-truncation failures
- Honor on_unsupported_protocol for intercepted https_port
- Fix livelocking in peerDigestHandleReply
- Do not stall while debugging a scan of an empty store_table
Changes to squid-4.12 (05 Jun 2020):
- Regression Fix: Revert to slow search for new SMP shm pages
- Bug 5045: ext_edirectory_userip_acl is missing include files
- Bug 5041: Missing Debug::Extra breaks build on hosts with systemd
- Bug 5030: Negative responses are never cached
- HTTP: validate Content-Length value prefix
- HTTP: add flexible RFC 3986 URI encoder
- SslBump: disable OpenSSL TLSv1.3 support for older TLS traffic
- Tests: Support passing a custom config.cache to test builds
- Fix IPFilter IPv6 detection, especially on NetBSD
- Fix stall if transaction overwrites a recently active cache entry
- ... and some compile fixes
Changes to squid-4.11 (18 Apr 2020):
- Bug 5036: capital 'L's in logs when daemon queue overflows
- Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations
- Bug 5016: systemd thinks Squid is ready before Squid listens
- kerberos_ldap_group: fix encryption type for cross realm check
- HTTP: Ignore malformed Host header in intercept and reverse proxy mode
- Fix Digest authentication nonce handling
- Supply ALE to request_header_add/reply_header_add
- ... and some documentation updates
- ... and some compile fixes
Changes to squid-4.10 (14 Jan 2020):
- Bug 5009: Build failure with older clang libc++
- Bug 5008: SIGBUS in PagePool::level() with custom rock slot size
- Bug 5007: Docs: Fix max_filedescriptors description
- Bug 4735: Truncated chunked responses cached as whole
- ext_lm_group_acl: Improved username handling
- Fix FTP buffers handling
- Fix shared memory size calculation on 64-bit systems
- Fix server_cert_fingerprint on cert validator-reported errors
- Fix request URL generation in reverse proxy configurations
- ... and several documentation updates
- ... and several compile fixes
Changes to squid-4.9 (05 Nov 2019):
- Bug 4978: eCAP crash after using MyHost().newRequest()
- Bug 4970: excessive gnutls_certificate_credentials debug msgs
- Bug 4969: GCC-9 build failure: stringop-truncation
- Bug 4966: Lower cache_peer hostname
- Bug 4918: Crashes when using OpenSSL prior to v1.0.2
- TLS: Fix parsing of certificate validator responses
- TLS: Fix parsing of TLS messages that span multiple records
- TLS: Fix on_unsupported_protocol tunnel action
- TLS: Fix expiration of self-signed generated certs to be 3 years
- HTTP: Ignore malformed Host header in intercept and reverse proxy mode
- HTTP: RFC 7230: server MUST reject messages with BWS after field-name
- HTTP: Fix URN response handling
- HTTP: Hash Digest noncedata
- Update URI parser to use SBuf parsing APIs
- Prevent truncation for large origin-relative domains
- Fix several rock cache_dir corruption issues
- Debug detail validation errors for loaded-from-file certificate chains
- smblib: Improve SMB server name maintenance
- cachemgr.cgi: Add validation for hostname parameter
- ... and several compile issues
- ... and some documentation updates
Changes to squid-4.8 (09 Jul 2019):
- Bug 4957: Multiple XSS issues in cachemgr.cgi
- Bug 4953: to_localhost does not include ::
- Bug 4937: cachemgr.cgi: unallocated memory access
- Bug 4936: terminating c-strings beyond BASE64_DECODE_LENGTH
- Bug 4889: Ignore ECONNABORTED in accept(2)
- Bug 4842: Memory leak when http_reply_access uses external_acl
- TLS: Fix tls-min-version= being ignored
- TLS: Add the NO_TLSv1_3 option to available tls-options values
- HTTP: RFC 7230 forbids generation of userinfo subcomponent of https URL
- HTTP: Remove userinfo support from old protocols
- HTTP: Fix Digest auth parameter parsing
- HTTP: Send Connection:close with the known-last request on a connection
- HTTP: Fix handling of tiny invalid responses
- Replace uudecode with libnettle base64 decoder
- Update HttpHeader::getAuth to SBuf
- ... and some compile issues
Changes to squid-4.7 (06 May 2019):
- Bug 4942: --with-filedescriptors does not do anything
- Bug 4928: Cannot convert non-IPv4 to IPv4
- Bug 4823: assertion failed: "lowestOffset () <= target_offset"
- Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs
- Fix squidclient authentication to origin servers
- Fix stack-based buffer-overflow when parsing SNMP messages
- Add support for buffer-size= to UDP logging
- TLS: When using OpenSSL, trust intermediate CAs from trusted store
Changes to squid-4.6 (19 Feb 2019):
- Bug 4915: Detect IPv6 loopback binding errors
- Bug 4914: Do not call setsid() in --foreground mode
- Bug 4875 pt2: GCC-8 compile errors with -O3 optimization
- Bug 4856: Exit when GoIntoBackground() fork() call fails
- basic_ldap_auth: Return BH on internal errors; polished messages
- Fix BodyPipe/Sink memory leaks associated with auto-consumption
- Fix OpenSSL builds that define OPENSSL_NO_ENGINE
- Fix several cases of rock cache corruption
- Add Georgian (ka) language translation
Changes to squid-4.5 (01 Jan 2019):
- Bug 4253: ssl_bump prevents access to some web contents
- TLS: add %>handshake logformat code
- Redesign forward_max_tries to count TCP connection attempts
- Fix client_connection_mark ACL handling of clientless transactions
- Fix netdb exchange with a TLS cache_peer
- Update netdb when tunneling requests
- Use pkg-config for detecting libxml2
- ... and some documentation updates
- ... and some code compile fixes
Changes to squid-4.4 (28 Oct 2018):
- Bug 4893: Malformed %>ru URIs for CONNECT requests
- Fix %USER_CA_CERT_xx and %USER_CERT_xx crashes
- SSL: support compilation with minimal OpenSSL
- SSL: certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL
- Fix netdb not saving to disk
- Fix memory leak when parsing SNMP packet
- ... and some compile issues
Changes to squid-4.3 (01 Oct 2018):
- Bug 4885: Excessive memory usage when running out of descriptors
- Bug 4877: Add missing text about external_acl_type %DATA changes
- Bug 4875 pt1: GCC-8 compile errors with -O3 optimization
- Bug 4716: Blank lines in cachemgr.conf are not skipped
- Bug 4691: balance_on_multiple_ip config option docs
- basic_pop3_auth: fix startup errors
- langpack: Add missing dialect aliases
- Fix range_offset_limit debugging
- Fix icc build errors
- Update systemd dependencies in squid.service
Changes to squid-4.2 (04 Aug 2018):
- Regression fix: support for https_port clientca= option
- Regression Bug 4870: milliseconds logformats prepend 0s instead of spaces
- Bug 4861: HTTPMSGLOCK missing pointer safety
- Bug 4843 pt3: GCC-8 fixes and refactoring
- HTTP: Do not update stored headers on 304 responses
- Fix segmentation fault on -k parse
- Fix %>ru logging of huge URLs
- ... and several performance optimizations
- ... and some documentation updates
- ... and all fixes from 3.5.28
Changes to squid-4.1 (02 Jul 2018):
- Bug 4223: fixed retries of failed re-forwardable transactions
- Bug 4791: Build failure on MacOS
- Fix --with-netfilter-conntrack error message
- ... and many documentation updates
Changes to squid-4.0.25 (11 Jun 2018):
- Regression Bug 4855: querying private entries for HTCP/ICP
- Regression Bug 4852: deny_info %R macro not being expanded
- Regression Bug 4847: proxy_auth ACL -i/+i flags not working
- Regression Bug 4831: filter chain certificates for validity when loading
- Regression fix: Transient reader locking broken in 4.0.24
- Bug 4845: NegotiateSsl crash on aborting transaction
- Bug 4843 pt1: ext_edirectory_userip_acl refactoring for GCC-8
- Bug 4843 pt2: squidclient refactoring for GCC-8
- Bug 4829: IPC shared memory leaks when disker queue overflows
- Bug 4828: Use feature detection for IPFilter API/ABI checks
- Bug 4816: update negotiate_kerberos_auth helper protocol to v3.4
- Bug 4811: supply AccessLogEntry (ALE) for more fast ACL checks
- Bug 4707: purge tool does not obey --sysconfdir= build option
- Bug 4171: checking for log_file_daemon despite disabling logging
- Bug 4042: ext_kerberos_ldap_group: add -P principal option
- TLS: avoid "ssl_crtd" assertions on reconfiguration
- Add timestamps to (most) FATAL messages
- Add "--kid role-ID" command line option
- ... and many documentation updates
Changes to squid-4.0.24 (07 Mar 2018):
- Bug 4822: Build failure (-Wformat) where time_t is not long int
- Bug 4505: SMP caches sometimes do not purge entries
- TLS: GnuTLS implementation for listening ports and client connections
- TPROXY: Fix clientside_mark and client port logging
- Native FTP: Fix "Cannot assign requested address" with TPROXY
- SSL-Bump: Fix authentication with types other than Basic
- ... and many small compile and stability fixes
- ... and some documentation fixes
Changes to squid-4.0.23 (19 Jan 2018):
- Bug 4715: security_file_certgen: Remove -g and -n options docs
- Bug 4679: User names not sent to url_rewrite_program
- Bug 4631: security_file_certgen helper without disk cache
- Bug 3911: clang -fsanitize warnings
- Bug 2378: Duplicates in selected peer destinations
- Nettle v3.4 support
- Fix Squid FTP server dying because of an unhandled exception
- Automatically revive hopeless kids on reconfigure and after a timeout
- Fix %<Hs, %<pt, %<tt, %<bs calculation bugs for error responses
- ... and many documentation updates
- ... and some stability fixes
Changes to squid-4.0.22 (07 Dec 2017):
- Regression fix: Relay peer CONNECT error status line and headers to clients
- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
- Bug 4718: support filling raw buffer space of shared SBufs
- Bug 4648: object revalidation for HTTPS scheme
- Bug 4616: store_client.cc:92: "mem" assertion
- Bug 2821: ignore Content-Range in non-206 responses
- HTCP: Ignore packets with invalid URI
- TLS: Validate the shortest certificate chain
- TLS: Add checks for OpenSSL 1.1.0f API changes
- TLS: Fix reporting of validation errors for downloaded intermediate certs
- TLS: Fix SSL certificate cache refresh and collision handling
- Fix backwards compatibility for Squid-3.5 external_acl_type formats
- Fix invalid mime icon URLs in cache
- Do not die silently when dying early
- Docs: update translation files
Changes to squid-4.0.21 (02 Jul 2017):
- Bug 4730: segfault while processing internal HTTP requests
- Bug 4492: Chunk extension parser is too pedantic
- Bug 1961: Redesign urlParse() API
- TLS: recognise tls:: namespace on logformat tokens
- SSL-Bump: tproxy does not spoof spliced connections
- security_file_certgen: collapse queued requests
- Add a basic apparmour profile
- Add transaction_initiator ACL for detecting various unusual transactions
- Add ssl::server_name options to control matching logic
- Support for --long-acl-options
- Do not die silently when dying via std::terminate()
- Fix option --foreground to implement expected behavior
- Translations: update .po and .pot to latest texts
- ... and some documentation updates
- ... and many code cleanup and stability fixes
- ... and all fixes from 3.5.27
Changes to squid-4.0.20 (01 Jun 2017):
- Bug 4692: SslBump breaks intercepted IPv6 connections
- Bug 4682: ignoring http_access deny when client-first bumping mode is used
- Bug 4662: build errors with LibreSSL 2.4.4
- Bug 4659: sslproxy_foreign_intermediate_certs does not work
- Bug 4321: ssl_bump terminate does not terminate at step1
- Add 'has' ACL
- Do not forward HTTP requests to dead idle peers
- Do not unconditionally revive dead peers after a DNS refresh
- Make PID file check/creation atomic to avoid associated race conditions
- Count failures and use peer-specific connect timeouts when tunneling
- SSL-Bump: Fix crashes when server-first bumping mode is used with openSSL-1.1.0
- eCAP: Fix empty header handling in Ecap::HeaderRep::hasAny()
- SSL-Bump: Second adaptation missing for CONNECTs
- ext_session_acl: cope with new logformat inputs
- ... and some documentation updates
- ... and some code stability fixes
- ... and all fixes from 3.5.26
Changes to squid-4.0.19 (02 Apr 2017):
- Bug 4674: delay_parameters for class 3 and 4 assertion failed
- Bug 4671: GCC 7 compile errors
- Bug 4663: GCC 5+ compile errors with optimization level -O3
- Bug 4657: delay IDENT until after PROXY protocol handling
- Bug 4610: cleanup of BerkleyDB related checks
- squidclient: Fix missing error handling on PUT
- digest_ldap_auth: Add -r option to clamp the realm to a fixed value
- TLS: initial GnuTLS support for encrypted server connections
- Fix appending Http::HdrType::VIA code
- Fix URI scheme case-sensitivity treatment
- Fix two read-ahead problems related to delay pools (or lack thereof)
- Detail swapfile header inconsistencies
- ... and several build fixes
- ... and many code polishing updates
- ... and all fixes from 3.5.25
Changes to squid-4.0.18 (06 Feb 2017):
- Bug 4661: compile error 'warning: _XPG4_2 redefined' with GCC on Solaris 10
- Bug 4636: assertion 'byteCount > 0 && byteCount <= inBuf.length()'
- Bug 4610 partial: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4599: support OpenSSL 1.1
- squidclient: link GnuTLS library debugs to -v level display
- Fix GCC6: unused local variable 'weInitiatedThisClosure'
- ... and some code polishing
- ... and some copyright updates
- ... and all fixes from 3.5.24
Changes to squid-4.0.17 (16 Dec 2016):
- Bug 4630: user credentials cache cleanup not re-scheduled
- Bug 4610 partial: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4599 partial: initial support for OpenSSL v1.1
- TLS: Support tunneling of bumped non-HTTP traffic
- ... and many code polishing and performance updates
- ... and some documentation updates
- ... and some fixes from 3.5.23
Changes to squid-4.0.16 (30 Oct 2016):
- Avoid segfaults when lacking the server name for certificate validator
- HTTP: initial support for Cache-Control:immutable
- Fix ssl::server_name ACL
- ... and many code polishing updates
- ... and some fixes from 3.5.23
Changes to squid-4.0.15 (09 Oct 2016):
- Regression fix crash on reconfigure with TOS/DiffServ/MARK configured
- Bug 4610: compile errors on Solaris 11.3 with Oracle Studio 12.5
- Bug 4581: Secure ICAP segfault in checkForMissingCertificates
- Bug 4578: changes required to install squid.service
- Fix crash on shutdown while cleaning up idle ICAP connections
- Fix memory leak of Downloader-related objects
- HTTP/1.1: handle syntactically valid requests with unsupported HTTP versions
- Log TCP client port for error:transaction-end-before-headers and such
- ... and many portability and build fixes
- ... and some documentation updates
- ... and all fixes from 3.5.22
Changes to squid-4.0.14 (08 Sep 2016):
- Regression Bug 4570: crash after rev.14755
- Regression Bug 4561: Replace use of default move operators with explicit implementation
- Bug 4503: Do not access-log SslBump-faked CONNECTs with _ABORTED suffixes
- Bug 4404: Do not access-log chunked non-persistent responses with _ABORTED suffix
- Fix crashes on shutdown while cleaning up idle ICAP connections
- Fix logformat unable to configure codes with /-escape
- HTTP: MUST respond with 414 (URI Too Long) when request-target exceeds limits
- HTTP: validate Content-Length header values
- Make Squid death due to overloaded helpers optional
- Better support for unknown URL schemes
- Do not log error:transaction-end-before-headers after invalid requests
- ... and many portability and build fixes
- ... and some documentation updates
- ... and all fixes from 3.5.21
Changes to squid-4.0.13 (05 Aug 2016):
- Regression Bug 4540: revert r14720 buffer update
- Bug 4555: Minor improvements to error pages CSS
- Bug 4551: fix exceptions in new chunked decoder
- Bug 4311: support collapse for internal revalidation requests (SMP-unaware caches)
- Fix Certificate Validator buffer-overflow crashes Squid
- Fix some failed transactions not being logged
- Fix segfault via Ftp::Client::readControlReply().
- basic_db_auth: add support for unsalted SHA1 passwords
- kerberos_ldap_group: add support for SSL/TLS connection to an LDAP server
- TLS: Add missing 'tls' option for cache_peer
- TLS: Do not hang when 'connector' fails
- TLS: Add support for fetching missing certificates
- Remove XSTD_USE_LIBLTDL, which has not been needed in a long while
- ... and many code polishing updates
- ... and some documentation updates
Changes to squid-4.0.12 (01 Jul 2016):
- Regression Fix: shell issues with require_smblib definition
- Regression Bug 4532: pid_filename not working as documented
- Regression Bug 4504: Too many WARNING: Ignoring error setting CA certificate locations
- Bug 4516: security_file_certgen man page update
- Bug 4446: undefined reference to 'libecap::Name::Name'
- Bug 4376: clang cannot build Squid eCAP code
- HTTP/1.1: Update all stored headers on 304 revalidation
- TLS: Authority Key Identifier certificate extension
- Add a script to find kid-specific cache.log lines
- Cleanup cppunit detection and use
- ... and several performance improvements
- ... and some unit test updates
- ... and all fixes from 3.5.20
Changes to squid-4.0.11 (09 Jun 2016):
- Bug 4517: error: comparison between signed and unsigned integer
- Bug 4492: chunked parser needs to accept BWS after chunk size
- HTTP/1.1: allow chunking the last HTTP response on a connection
- HTTP/1.1: unfold mime header blocks
- TLS: fast SNI peek
- TLS: check for SSL_CIPHER_get_id() support required in adjustSSL()
- TLS: never enable OPENSSL_HELLO_OVERWRITE_HACK automatically
- squidclient: improve shell-escape support in -H option
- Do not allow low-level debugging to hide important/critical messages
- Replace new/delete operators using modern C++ rules
- Remove ie_refresh configuration option
- Deprecating SMB LanMan helpers
- Mark refresh-waiting transactions with REFRESH
- ... and some code cleanup and polishing
Changes to squid-4.0.10 (06 May 2016):
- Accumulate fewer unknown-size responses to avoid overwhelming disks.
- Fix shared memory corruption when storing multi-slot (>32KB) shm misses.
- ... and some documentation and code cleanup
- ... and all fixes from 3.5.18
Changes to squid-4.0.9 (20 Apr 2016):
- Bug 4405: assertion failed: comm.cc:554: "Comm::IsConnOpen(conn)"
- Add a new error page token for unquoted external ACL messages.
- Stop parsing response prefix after discovering an "HTTP/0.9" response.
- ... and some documentation updates
- ... and some code polishing
- ... and all fixes from 3.5.17
Changes to squid-4.0.8 (02 Apr 2016):
- Bug 4459: FHS compliance: move netdb.state and ssl_db to /var/cache/squid
- Bug 4458: Behaviour change with external ACL arguments
- Bug 4450: wait() related cleanup
- Bug 4438: SIGSEGV in memFreeString() destructing SBuf globals on shutdown/restart
- Bug 4312: Support disabling collapsed forwarding SMP cooperation
- Bug 3826: SMP compatibility with systemd and --foreground option
- Bug 1979: Add ACL-driven server_pconn_for_nonretriable squid.conf directive
- Bug 7 (partial): Update cached entries on 304 responses
- Add reply_header_add directive
- HTTP/1.1: Do not prohibit updating Last-Modified on 304 responses
- Fix memory leaks of lastAclData and AccessLogentry::url
- Fix clang -Winconsistent-missing-override warning
- Tests: update test suite for GnuTLS
- ... and some documentation updates
- ... and some code cleanup and polishing
- ... and all fixes from squid 3.5.16
Changes to squid-4.0.7 (23 Feb 2016):
- Regression Fix: external_acl parameters separated by %20 instead of space
- Bug 4432: assertion failed: store.cc:1919: "isEmpty()"
- Bug 4111: leave_suid() does not properly handle error codes returned by setuid
- Fix propagation of response status line parsing error details
- Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
- ... and some code SourceLayout project cleaning
- ... and all fixes from squid 3.5.15
Changes to squid-4.0.6 (16 Feb 2016):
- Regression Bug 4436: Fix DEFAULT_SSL_CRTD
- Fix "dial: Ssl::PeerConnector::sslCrtvdHandleReply threw exception: callback != NULL"
- ... and some documentation updates
- ... and all fixes from squid 3.5.14
Changes to squid-4.0.5 (09 Feb 2016):
- Regression Bug 4429: http(s)_port options= error message missing characters
- Regression Bug 4410: 4.0.4 compile error in basic_ncsa_auth
- Regression Bug 4403: helper compile errors after 4.0.4 rev.14454
- Regression Bug 4401: compile error on Solaris
- Regression Fix: TLS/SSL flags parsing
- Regression Fix: cert validadator always disabled in 4.x
- Regression Fix: Name-only note ACL stopped matching after 4.0.4 rev.14465 (note -m)
- Regression Fix: external_acl problems after 4.0.1 rev.14351
- Bug 4409 (partial): compile error when two Heimdal libraries are installed
- Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size
- SMP: Fix cleanup of a shared memory segment in an unusual configuration
- SSL-Bump: Fix step3 splicing.
- Add connections_encrypted ACL
- Make %<a and %<p details available to [eCAP] RESPMOD services
- Rename cert_valid.pl to security_fake_certverify
- Rename ssl_crtd helper to security_file_certgen
- ... and a lot of code SourceLayout project cleaning
- ... and some documentation updates
- ... and all fixes from squid 3.5.13 up to rev.13979
Changes to squid-4.0.4 (06 Jan 2016):
- Regression Bug 4393: compile fails on OS X
- Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or tunnelClientClosed
- Support use of Kerberos credentials cache instead of keytab
- Support logging of TLS Cryptography Parameters
- Support substring matching in Note ACL
- ... and some code cleanup and polishing
- ... and all fixes from squid 3.5.13
Changes to squid-4.0.3 (28 Nov 2015):
- Bug 4372: missing template files
- Bug 4371: compile errors: no such file or directory: DiskIO/*/*DiskIOModule.o
- Bug 4368: A simpler and more robust HTTP request line parser
- Fix compile erorr on clang undefined reference to '__atomic_load_8'
- ext_kerberos_ldap_group_acl: Add missing workarounds for Heimdal Kerberos
- ext_ldap_group_acl: Allow unlimited LDAP search filter
- ext_unix_group_acl: Support -r parameter to strip @REALM from usernames
- ... and much code cleanup and polishing
- ... and all fixes from squid 3.5.12
Changes to squid-4.0.2 (01 Nov 2015):
- Regression Bug 4351: compile errors when authentication modules disabled
- Regression fix: HTTP/1.1 Transfer-Encoding:chunked parsing
- Bug 4359: assertion failure 'Comm::IsConnOpen(conn)' within ConnStateData::requestTimeout
- Bug 4356: segmentation fault using proxy_auth ACL
- Bug 4352: compile errors in OS X 10.11
- Bug 4021: ext_user_regex does exact match
- Bug 3574: avoid crashes, prohibit reconfiguration during shutdown
- Support re-assigning delay pools based on HTTP reply details
- ... and all fixes from squid 3.5.11
Changes to squid-4.0.1 (14 Oct 2015):
- Bug 4329: GCC 5.2 no known conversion for argument
- Bug 4292: negotiate_wrapper: Unreleased Resources
- Bug 4269: ignore-must-revalidate broken
- Bug 4190: assertion 'hash_remove_link' from Auth::User::cacheCleanup
- Bug 3920: Splay::remove() reference counting inconsistent
- Bug 3069: CONNECT method bytes sent logging
- Bug 2741 partial: libsecurity API for GnuTLS support
- Bug 1961 partial: redesign of URL handling
- Fix crash when parsing invalid squid.conf
- Fix eCAP: Return 'unknown body size' for bodies with unknown body sizes
- Remove unused OS detection: Sun, SysV, Ultrix, BSDi
- Remove cache_peer_domain directive
- RFC 6176 compliance: Remove SSLv2 support
- HTTP/1.1: Remove refresh_pattern ignore-auth and ignore-must-revalidate
- Remove GCC 2.x and 3.x detection and support
- C++11 compiler support is now mandatory
- Enable flexible transport protocol
- Enable long (--foo) command line parameters on squid binary
- Add per-rule refresh_pattern matching statistics
- Replace sslversion=N with tls-min-version=1.N
- Replace sslproxy_* directives with tls_outgoing_options
- Replace GNU atomics and related hacks with C++11 std::atomic
- Replace external_acl_type format %macros with logformat codes
- Support Secure ICAP services
- Support rotate=N option on access_log
- Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol)
- Support lifetime timeout for persistent connections (pconn_lifetime)
- Support timeout for URL-rewrite helper lookups (url_rewrite_timeout)