<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- document that tcp_outgoing_xxx works badly in combination with
server_persistent_connections (squid bug #454)
- add more tracing in test mode of squid_ldap_auth (squid bug #1395)
- fix breakage of accel_single_host when combined with
server_persistent_connections (squid bug #1402)
- correctly implement the CACHE_HTTP_PORT configuration directive
(squid bug #1403)
- fix the problem that CNAME addresses were remembered with a wrong TTL
(squid bug #1404)
- fix incorrect handling of squid-internal-dynamic/netdb in conjunction with
httpd_accel/transparent proxies (squid bug #1410)
- properly revalidate the cache on HEAD requests (squid bug #1411)
- correct handling of Set-Cookie headers on cache refreshes (squid bug #1419)
- fix a vulnerability in the FTP parsing code (squid bug #1426)
PR: ports/87637
Submitted by: maintainer
- LDAP helpers do not work with TLS (-Z option)
(squid bug #1389)
- Incorrect store dir selection debug message on objects >2G
(squid bug #1343)
- Enums cannot be assumed to be signed ints
(squid bug #1343)
- Allow leaving core dumps on Linux
(squid bug #1335)
- Do not let clients bypass delay pools by faking a cache hit
(squid bug #500)
- Fix problems regarding CONNECT requests when squid is configured with
"pipeline_prefetch on"
- Fix a possible DoS condition which may be triggered by certain NTLM
authentication requests
(squid bug #1391)
- Remove patching relevant to recently removed pf from ports option
PR: ports/86179
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- FTP listings use "BASE HREF" much more than necessary (squid bug #1204)
- Cleanups for 64bit architectures (squid bug #1316)
- Allow wb_ntlm_auth to run more silently (squid bug #518)
- Add a new 'mail_program' configuration option
- Fix a possible denial of service condition regarding sslConnectTimeout
(squid bug #1355, Secunia Advisory SA16674)
- Avoid a possible assertion failure in StatHist.c (squid bug #1325)
- Fix issues regarding chroot'ed installations on 'squid -k reconfigure'
(squid bug #1331)
- Make URLs in error pages more consistent and less confusing (squid bug #1342)
- Fix compilation when _FORTIFY_SOURCE is defined (squid bug #1344)
- Fix handling of unexpected 250 replies from certain odd FTP servers
(squid bug #1348)
- Add Greek error pages (squid bug #1351)
- Fix a possible denial of service condition with regards to aborted requests
(squid bug #1368)
- Fix the -U option of squid_ldap_auth (squid bug #1370)
- Fix the output of the SNMP cacheClientTable for IP addresses that consist of
16 digits (squid bug #1375)
- Make the From: field of mails sent from squid configurable to avoid
mails getting lost due to spam filtering (squid bug #1380)
PR: ports/85688
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ double content-length often harmless (squid bug #1305)
+ update Spanish error pages
+ squid internal icons were served with slightly incorrect headers
(squid bug #1275)
+ squid -k fails in combination with chroot (squid bug #1307)
+ core dump with --enable-ipf-transparent if access to NAT device is denied
(squid bug #1313)
+ http_accel_single_host incompatible with redirection (squid bug #1314)
+ squid -k reconfigure caused data corruption when a cache_dir type had been
changed (squid bug #1308)
+ SNMP getnext failed if the given OID was outside the squid MIB (squid bug
#1317)
PR: ports/82703
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- remove local patch that is now incorporated into the corresponding
vendor patch (with slightly different wording)
PR: ports/80367
Submitted by: maintainer
squid bugs #1283, 1287 and 1288 (assertion failed in store_client.c:343).
(already committed)
- Bump portrevision as a datapoint for this bugfix.
PR: 80163
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Correct several minor aufs issues (squid bug #671)
- Basic authentication fails when login+password totalled more than
64 characters (squid bug #1171)
- Fix an assertion that could occur when traffic other than HTTPS was
tunneled through squid via the CONNECT method (squid bug #1269)
- Make the --disable-hostname-check configuration option actually work
(squid bug #1270)
- Fix aufs warning about open filedescriptors when the cache was shut down
(squid bug #671)
- Allow squid to process requests for files larger than 2GB in size
(squid bug #437)
Introduce a new OPTION "WITH_SQUID_LARGEFILE", default to off to match
squid's default behaviour.
Rebuild squid with -DWITH_SQUID_LARGEFILE or run 'make config' and
select this new option.
- Add two new cachemgr actions: "pending_objects" and "client_objects"
- Make external acls that require authentication request new credentials
after access had been denied (squid bug #1278)
- Make squid use "daemon" instead of "local4" as syslog facility (squid bug
#1227)
PR: 80028
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ Handle odd data formats (squid bug #321)
+ reload_into_ims fails to revalidate negatively cached entries
(squid bug #1159)
+ Clarify delay_access function (squid bug #1245)
+ Check several squid.conf directives for int overflows (squid bug #1247)
+ Use memset(3) instead of bzero(3) (squid bug #1256)
+ Fix compile warnings due to pid_t not being an int (squid bug #1257)
+ Fix incorrect use of ctype functions (squid bug #1259)
+ Defer digest fetch if the peer is not allowed to be used (squid bug #1262)
+ Extend relaxed_header_parser to work around "excess data from" errors from
many major web servers (squid bug #1265)
- Enable IPFilter based transparent proxying on all FreeBSD versions where
IPFilter headers are part of the base system (i.e. RELENG_4 < 4.7-RELEASE,
RELENG_5 and 6-CURRENT). Create a new OPTION WITH_SQUID_IPFILTER for this
purpose. Thanks to sem@ for keeping track of this issue!
PR: ports/78780
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- correct a race condition related to the Set-Cookie header
- correct the FTP parser with regards to the EPLF format
(squid bug #1252)
- correct FTP listing output when the URL was requested without a trailing
slash (squid bug #1253)
- make ACL configuration errors fatal (squid bug #1255)
PR: ports/78446
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- fix some cross-platform build format warnings
- allow high characters in generated FTP and Gopher directory listings
(squid bug #1220)
- cleanup generation of FTP URLs
- relax the newly introduced strict HTTP parser slightly to work around some
more malformed HTTP responses (squid bug #1242)
PR: ports/77779
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- Integrate a vendor patch from:
http://www.squid-cache.org/Versions/v2/2.5/bugs/
it fixes a major problem regarding the handling of invalid DNS responses
PR: ports/77423
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ Reject malformed HTTP requests and responses that conflict with the HTTP
specifications
This issue is qualified as a security issue by the vendor.
+ PURGE is allowed to delete internal objects (squid bug #1112)
+ Disable Path-MTU discovery on intercepted requests (squid bug #1154)
(VuXML vid=b4d94fa0-6e38-11d9-9e1e-c296ac722cb3)
- Clean up and correct package list generation. Now installed files
and directories are visible via PLIST_FILES and PLIST_DIRS.
- Don't claim that squid related files or directories are still present
after deinstallation when in fact they are not.
- Add "-g" to CFLAGS when WITH_SQUID_STACKTRACES is defined to make this
option actually useful.
PR: ports/76628
Submitted by: maintainer
attack and other patches
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- FTP data connection fails on some FTP servers when requesting
a directory without a trailing slash (squid bug #1194)
- Icons fail to load on non-anonymous FTP when using the
short_icons_url configuration directive (squid bug #1203)
- Strengthen squid against HTTP response splitting cache pollution
attacks (squid bug #1200), classified as security issue by
the vendor
Proposed VuXML information, entry date left to be filled in:
(Note: I added only a publicly accessible link to the Sanctum,
Inc. whitepaper, the squid bug tracker contains a deep link
to the PDF itself; if we are allowed to publish it, it could
instead be used as reference because Sanctum, Inc. wants you
to register with them before you get access to their whitepapers.)
PR: ports/76550
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
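The response-splitting hardening in squid bug #1200 above, the rejection of HTTP messages that conflict with the specification (bug #1146 entry), and the "double content-length often harmless" change (bug #1305) all come down to the same question: which response heads may a caching proxy accept before it stores or forwards anything? The following parser is an added illustration of those checks, written for this page; it is not squid's code and makes no claim about how squid implements the patches. The sample responses are constructed inline. Note the one deliberate relaxation: two Content-Length headers carrying the same value are collapsed rather than refused, in the spirit of the bug #1305 wording, whereas two different values are rejected because proxy and origin would then disagree on where the body ends.

```python
"""Strict HTTP/1.x response-head checks for a caching proxy.

Added illustration for this page, not squid's own code.
"""
from __future__ import annotations
import re

# RFC 7230 token characters for header field names.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?$")


class MalformedResponse(ValueError):
    """Raised for any head that must not be cached or relayed."""


def parse_response_head(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Parse status line and headers up to the blank line.

    Rejects (raises MalformedResponse):
      * no CRLF CRLF terminator
      * a bare LF or bare CR anywhere in the head: the response-splitting
        primitive, where an attacker-controlled value (e.g. a Location
        built from user input) smuggles a second status line past a
        lenient parser so the cache stores attacker content under a
        victim URL
      * header names that are not tokens, obsolete line folding
      * Content-Length that is non-numeric or present twice with
        different values
    Returns (status_code, headers); header names are lower-cased.
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise MalformedResponse("no end of headers")
    head = raw[:end]
    # Any LF not preceded by CR, or CR not followed by LF, is a split.
    if re.search(rb"(?<!\r)\n|\r(?!\n)", head):
        raise MalformedResponse("bare CR or LF in header block")
    lines = head.decode("latin-1").split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise MalformedResponse(f"bad status line {lines[0]!r}")
    status = int(m.group(1))
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise MalformedResponse("obsolete line folding not accepted")
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise MalformedResponse(f"bad header line {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    cls = headers.get("content-length")
    if cls:
        if any(not v.isdigit() for v in cls):
            raise MalformedResponse("non-numeric Content-Length")
        if len(set(cls)) > 1:
            # Proxy and origin would disagree on where this body ends, so
            # the next response on the connection could be attributed to
            # the wrong request (and cached under the wrong URL).
            raise MalformedResponse(f"conflicting Content-Length {cls}")
        headers["content-length"] = [cls[0]]   # identical duplicates: harmless
    return status, headers


def is_acceptable_head(raw: bytes) -> bool:
    """True if the head passes every check above."""
    try:
        parse_response_head(raw)
        return True
    except MalformedResponse:
        return False


# Constructed sample responses (not captured traffic).
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Content-Length: 5\r\n\r\nhello")
SPLIT = (b"HTTP/1.1 302 Found\r\nLocation: /x\nHTTP/1.1 200 OK\r\n"
         b"Content-Length: 3\r\n\r\nbad")
DOUBLE_DIFF = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"
DOUBLE_SAME = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
               b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("split", SPLIT),
                       ("double-diff", DOUBLE_DIFF), ("double-same", DOUBLE_SAME)]:
        print(f"{label:12s} accepted={is_acceptable_head(raw)}")
```

The bare-CR/LF check runs on the raw bytes before any line splitting, because the split is exactly what a lenient parser does wrong: it treats the injected LF as a line terminator and then sees a perfectly well-formed second response.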
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Sanity check usernames in squid_ldap_auth (squid bug #1187),
classified as minor security issue by the vendor, see below for VuXML
information
- FQDN names truncated on compressed DNS responses (squid bug #1136)
- Internal DNS memory leak on malformed responses (squid bug #1197)
PR: ports/76364
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
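The "sanity check usernames in squid_ldap_auth" entry (squid bug #1187) concerns a helper that reads a username and builds an LDAP search filter from it. The example below is an added illustration of the two defences such a helper needs, written for this page and not taken from squid_ldap_auth: a strict allow-list on the username, and RFC 4515 escaping of filter metacharacters for sites that must accept a wider character set. The filter template, the allow-list pattern and the sample input lines are assumptions of the example; the input format is the space-separated "user password" line of the 2.5-era basic helper protocol, with no URL-decoding attempted.

```python
"""Username handling for an LDAP authentication helper.

Added illustration for this page, not squid_ldap_auth's own code.
A helper that fills a filter such as "(uid=%s)" from the username it
reads must not pass filter metacharacters through: "*" turns the lookup
into a wildcard match, and "(" / ")" let the caller append clauses.
"""
from __future__ import annotations
import re

# Conservative allow-list for account names (assumption for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,63}")

# RFC 4515 escapes for the characters that change a filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def username_is_sane(user: str) -> bool:
    """Allow-list check applied before any query is built."""
    return USERNAME_RE.fullmatch(user) is not None


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an RFC 4515 search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, user: str) -> str:
    """Fill a template such as '(uid=%s)' with an escaped username.

    Escaping is applied even after the allow-list check, so the filter
    stays safe if the allow-list is later widened.
    """
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s")
    return template.replace("%s", ldap_filter_escape(user))


def handle_helper_line(line: str, template: str = "(uid=%s)") -> tuple[bool, str]:
    """Process one 'user password' line as the basic helper protocol sends it.

    Returns (accepted, filter_or_reason). A real helper would send the
    filter to the directory and bind with the password; here we stop at
    showing what would be sent.
    """
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return False, "malformed line"
    user, _password = parts
    if not username_is_sane(user):
        return False, f"rejected username {user!r}"
    return True, build_search_filter(template, user)


# Constructed sample helper input (not real credentials).
SAMPLE_LINES = [
    "alice s3cret",
    "alice)(uid=* s3cret",      # clause injection attempt
    "* s3cret",                 # wildcard: would match any account
    "nopassword",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:28s} -> {handle_helper_line(line)}")
```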
<http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
issues:
+ Prevent a possible denial of service attack via WCCP messages (squid bug
#1190), classified as security issue by the vendor
+ Fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
#1189), classified as security issue by the vendor
+ Fix a null pointer access and plug memory leaks in the fake_auth NTLM
helper (squid bug #1183) (this helper app is not installed by default by
the port)
+ Stop closing open filedescriptors beyond stdin, stdout and stderr on
startup (squid bug #1177)
- Unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
nagilum.de>" for reporting this)
- Document the two security issues in VuXML.
PR: ports/76173
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Approved by: erwin (mentor)
http://www.squid-cache.org/Versions/v2/2.5/bugs/:
- a malformed hostname can cause squid to return random data as error messages,
possibly leaking internal information from former requests (squid bug #1143).
(This is classified as a minor security issue by the squid developers, so
maintainer cc'ed security-team@. See VuXML entry.)
- the "httpd_accel_port 0" directive does not work on its own (squid bug #1121)
- fix crashes occurring when using cachemgr's "vm_objects" operation (squid
bug #1149)
PR: ports/74859
Submitted by: maintainer
logrotation (squid bug #1118)
- properly close the client TCP connection when a malformed blank
HTTP response was received from the server (squid bug #1116)
PR: ports/73913
Submitted by: maintainer
- document the LDAP helpers' -v option
- correct the implementation of the req_header and resp_header acls
(the original implementation submitted in squid bug #961 was faulty)
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further details.
- Bump PORTREVISION
PR: ports/73154
Submitted by: Thomas-Martin Seck (maintainer)
CPU for half closed PUT/POST requests (squid bugs #354, 1096).
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further
details.
- Adapt the follow_xff patch to changes in some of squid's data
structures and unbreak the WITH_SQUID_FOLLOW_XFF option.
- Bump PORTREVISION.
PR: ports/72840
Submitted by: Thomas-Martin Seck (maintainer)
the SNMP module
- Remove a patch that is now part of the distribution
- Miscellaneous small fixes:
+ in squid.sh, make stop_command poll for the squid processes' exit in
the rcNG case too; this eliminates the need to do this in restart_command
+ make the information regarding rcNG'ness in pkg-install easier to read
+ install unstripped binaries if WITH_SQUID_STACKTRACES is defined
PR: ports/72581
Submitted by: Thomas-Martin Seck (maintainer)
The client_db_gc patch contained wrong debugging information
and was thus reissued by the vendor.
Update distinfo accordingly and bump PORTREVISION.
PR: ports/72387
Submitted by: Thomas-Martin Seck (maintainer)
Approved by: portsmgr (krion)
- try to prevent crashes of the digest helper (squid bug #1031)
- correct parsing of the acl_time directive when multiple time specifications
are given (squid bug #1060)
- correct "cachemgr config" output for http_header_* directives
(squid bug #1056)
- recognize the Content-Disposition header to be able to specify
http_header_access directives using it (squid bug #961)
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further
information.
Reimplement the rcNG support. See UPDATING for details.
PR: ports/71260
Submitted by: maintainer
- close a memory leak when NTLM authentication without challenge reuse
is used (squid bug #994)
- close a temporary memory leak when NTLM challenge response reuse is
enabled (squid bug #910)
- when performing log rotation with 'squid -k rotate' do not crash if a
swap state file or a cache directory is unwriteable (squid bug #1053)
See <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for further
information.
PR: ports/71082
Submitted by: maintainer
Set supplementary group membership correctly when running squid
as a non-root user and do not ignore the squid_group setting
when starting squid as root (squid bug #1021)
Enable the external_acl helper protocol to handle newlines
in the embedded data (squid bug #1038)
PR: ports/70767
Submitted by: maintainer
- fix a problem in the heap policy code that could cause memory
corruption when a {cache,memory}_replacement_policy other
than the default "lru" was used (squid bug #1009)
- correct quoting of unknown % escape codes when generating
error pages (squid bug #1030)
PR: ports/70110
Submitted by: maintainer
The concurrent_dns_lookups patch was reissued, update distinfo accordingly.
See <http://www.squid-cache.org/bugs/show_bug.cgi?id=852> for
further information.
PR: ports/69764
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>