quick update notes below, but you should still review upstream's
RELEASENOTES.html if you use this.
- if you explicitly configure sslcrtd_program (for advanced tls mitm
configurations) you need to change from /usr/local/libexec/squid/sslcrtd
to /usr/local/libexec/squid/security_file_certgen in your config (if you
just use options on the http_port line to enable this without extra
config, this doesn't need to change).
- if using a cert helper disk cache, you may need to clear/reinitialize
the directory (not mentioned in release notes but I needed this).
- the SMB_LM helpers (for old lanmanager protocol, which should not be
used anyway) are no longer packaged, following upstream's change in default
build.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering ESI responses
to trigger a denial of service for all clients accessing the
Squid service.
This problem is limited to Squid operating as reverse proxy.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
While here, fix a number of quite serious escaping errors in
four manual pages that caused loss of important information.
I will also send those upstream.
OK sthen@
New features include:
- SQL Database logging helper
- Time-Quota session helper
- Custom HTTP request headers
- SSL-Bump Server First
- Server Certificate Mimic
While there, add notes to README-main about increasing the number of
file descriptors via login.conf.
#ifdef'd headers to be used and dpb was junking it thus breaking the build;
fix by improving detection for backtrace_symbol_fd / libexecinfo and
explicitly using it.
no_ldap' block
- squid optionally uses atomic ops if available, however in the code
it requires 4 byte operations, whereas configure only tests for int.
change configure test which may give hppa a chance to build; breakage
reported by landry
This is merged from work by myself and Matthias Pitzl @ genua, thanks to
Rodolfo Gouveia for testing with NTLM.
Flavours have been removed:
- the external helper programs for NTLM/LDAP are now in subpackages:
squid-ldap and squid-ntlm.
- SNMP support is built by default in Squid 3.x so this has moved
to the main package (no external dependencies for this).
is the maximum time rc.subr waits for a daemon, so usually it would end up
being forcefully killed (i.e. unclean shutdown -> cache must be rescanned
at next startup). suggested by aja@, diff from Brad.
- adjust PLIST to prevent warnings with pkg_delete -c, from aja@ ok Brad.
