quick update notes below, but you should still review upstream's
RELEASENOTES.html if you use this.
- if you explicitly configure sslcrtd_program (for advanced tls mitm
configurations) you need to change from /usr/local/libexec/squid/sslcrtd
to /usr/local/libexec/squid/security_file_certgen in your config (if you
just use options on the http_port line to enable this without extra
config, this doesn't need to change).
- if using a cert helper disk cache, you may need to clear/reinitialize
the directory (not mentioned in release notes but I needed this).
- the SMB_LM helpers (for old lanmanager protocol, which should not be
used anyway) are no longer packaged, following upstream's change in default
build.
rather than "transparent proxy"; switch the readme to match. also tweak the
wording to make it clear which firewall reals need to be on which machine
when having a router pass off http traffic to squid on a different machine
configured as an interception proxy.
New features include:
- SQL Database logging helper
- Time-Quota session helper
- Custom HTTP request headers
- SSL-Bump Server First
- Server Certificate Mimic
While there, add notes to README-main about increasing the number of
file descriptors via login.conf.
This is merged from work by myself and Matthias Pitzl @ genua, thanks to
Rodolfo Gouveia for testing with NTLM.
Flavours have been removed:
- the external helper programs for NTLM/LDAP are now in subpackages:
squid-ldap and squid-ntlm.
- SNMP support is built by default in Squid 3.x so this has moved
to the main package (no external dependencies for this).
If the proxy server is running on the same subnet as the clients, the
return traffic from the proxy will go directly back to them without
ever hitting the firewall, which means the states will never get updated
and may fill-up your pflog(4) with blocked attempts. To circumvent this
the "no state" option needs to be specified for the route-to rule.
ok Brad, intput/ok sthen@ (maintainer)
is the maximum time rc.subr waits for a daemon, so usually it would end up
being forcefully killed (i.e. unclean shutdown -> cache must be rescanned
at next startup). suggested by aja@, diff from Brad.
- adjust PLIST to prevent warnings with pkg_delete -c, from aja@ ok Brad.
Alex Masterov has reported a vulnerability in Squid,
which potentially can be exploited by malicious people
to cause a DoS.
The vulnerability is caused due to an unspecified error
in the "sslConnectTimeout()" function after handling
malformed requests. This may be exploited to crash Squid.
CAN-2005-2796
- Malicious users may spoof DNS lookups if the DNS client UDP port (random,
assigned by OS at startup) is unfiltered and your network is not protected
from IP spoofing.
- CVE-1999-0710, adds access controls to the cachemgr.cgi script, preventing
it from being abused to reach other servers than allowed in a local
configuration file.
Fixes 2 major issues over STABLE7 + the previous round of patches..
- Data corruption when HTTP reply headers is split in several packets
- Assertion failure on certain odd DNS responses
- add snmp FLAVOR from Joel CARNAT <joel at carnat dot net>
- add some auth types and auth/acl helpers
- add NTLM auth SMB patch even though the default port does NOT compile this support in
