Squid-2.5 Patches

Unless otherwise is indicated in the patch description these fixes is included in the current nightly Squid-2.5 snapshots and is scheduled to be included in the next Squid-2.5.STABLE release.

Note to binary package maintainers: Patches to the current STABLE release represents work in progress and has not yet undergone full quality checks. The developer team reserves the right to update these at any time to fix problems found during quality checking. For this reason package maintainers are discouraged from using such patches, and only use this page to backport changes from published releases to earlier releases if your QA policy does not allow upgrading your package to the current STABLE release. If there is any questions regarding this policy please contact squid-dev@squid-cache.org.

Table of contents


Known Issues

These issues have been identified as important to be fixed for the next Squid-2.5 version, listed in priority order.

1500 diskd related memory corruption under heavy load

See also Open bug reports pending to be fixed in Squid-2.5


Known Shortcomings

This is a list of shortcomings known to exists in Squid-2.5. At this stage there is no plans on addressing these in Squid-2.5. Some may be addressed in the Squid-3.0 release.

See also Open bug reports for Squid-2.5


2.5.STABLE14 Patches

Patches released after the 2.5.STABLE14 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Parent not always logged to access.log

synopsis The patch for Bug #1504 forgot to account for persistent connections, causing NONE/- to be logged in the hierarchy field when using a persistent peer connection.

A workaround is to set "server_persistent_connections off"

severity Cosmetic
date 2006-06-21 12:25
bugzilla #1605
versions squid-2.5.STABLE13 and later
patch squid-2.5.STABLE14-hierarchy_tag.patch

assertion failed: HttpReply.c:105: "rep"

synopsis assertion failed: HttpReply.c:105: "rep" The patch for Bug #1511 "Some 206 responses logged incorrectly" was slightly broken and could cause the above assert.
severity Major
date 2006-06-02 22:00
bugzilla #1606
versions squid-2.5.STABLE13 and later
patch squid-2.5.STABLE14-httpReplyDestroy.patch

2.5.STABLE13 Patches

Patches released after the 2.5.STABLE13 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

On some systems POSIX AIO functions are in libaio

synopsis On some systems POSIX AIO functions are in libaio
severity Minor
date 2006-05-12 19:35
versions squid-2.5.STABLE13 and earlier
patch squid-2.5.STABLE13-libaio-2.patch

Memory leak in header processing related to external_acl or custom log formats

synopsis Memory leak in header processing related to external_acl or custom log formats
severity Medium
date 2006-05-12 16:17
bugzilla #1564
versions squid-2.5.STABLE13 and earlier
patch squid-2.5.STABLE13-header_leak.patch

memory leak in ident processing

synopsis memory leak in ident processing
severity Major
date 2006-05-12 16:00
bugzilla #1557
versions squid-2.5.STABLE13 and earlier
patch squid-2.5.STABLE13-ident_leak.patch

Memleak in HTCP client code

synopsis Memleak in HTCP client code
severity Medium
date 2006-05-12 15:58
bugzilla #1553
versions squid-2.5.STABLE13 and earlier
patch squid-2.5.STABLE13-htcp_leak.patch

Mime icons are not displayed when viewing ftp sites when

synopsis Mime icons are not displayed when viewing ftp sites when visible_hostname is a short hostname (without domain).
severity Minor
date 2006-05-12 15:57
bugzilla #1532
versions squid-2.5.STABLE13 and earlier
patch squid-2.5.STABLE13-icons.patch

SQUIDHOSTNAMELEN issues

synopsis SQUIDHOSTNAMELEN issues cosmetic cleanup to get rid of remaining SQUIDHOSTNAMELEN magics which may cause issues for very long hostnames.
severity Cosmetic
date 2006-05-12 15:54
bugzilla #1434
versions squid-2.5.STABLE13 and earlier
patch squid-2.5.STABLE13-hostnamelen.patch

Current release is STABLE13, not 12..

synopsis Current release is STABLE13, not 12..
severity Cosmetic
date 2006-04-28 10:09
versions squid-2.5.STABLE13
patch squid-2.5.STABLE13-stable13.patch

2.5.STABLE12 Patches

Patches released after the 2.5.STABLE12 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

connstate memory leag

synopsis connstate memory leak on cetain failed requests
severity Major
date 2006-03-10 23:17
bugzilla #1522
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-connstate_leak.patch

confusing statistics on stateful helpers (NTLM auth)

synopsis Cleanup of stateful helpers statistics (NTLM auth) to match the statistics provided for stateless helpers (basic auth etc)
severity Cosmetic
date 2006-03-10 23:17
bugzilla #1506
versions Squid-2.5
platforms All
patch squid-2.5.STABLE12-statefulhelpers_statistics.patch

misleading error message message for bad/unresolveable cache_peer name

synopsis The error message returned when DNS lookup of a peer name fails seemed to indicate it was the requested host name which could not be found when it was the peer which could not be found.
severity Cosmetic
date 2006-03-10 23:17
bugzilla #1504
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-peer_dns_error.patch

Azerbaijani errors translation

synopsis Error pages translated into Azerbaijani
severity Cosmetic
date 2006-03-10 23:17
bugzilla #1454
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-Azerbaijani.patch

Fails to process long host names

synopsis Squid fails to process requests for very long host names.
severity Minor
date 2006-03-10 23:17
bugzilla #1434
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-longhostnames.patch

With Squid-2.5 there is no more the DUPLICATE IP logging in cache.log

synopsis Adds back the logging of duplicate IP usage in the max_user_ip acl.
severity Cosmetic
date 2006-03-10 23:17
bugzilla #779
versions Squid-2.5
platforms All
patch squid-2.5.STABLE12-max_user_ip_log-2.patch

Error in FTP listings of files with -> in their name

synopsis Failed to properly parse FTP file or directory names with " -> " in their name
severity Cosmetic
date 2006-02-26 00:06
bugzilla #1508
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-ftpsymlink.patch
workaround Open the directory as a "plain" directory by adding ;type=d after the URL.

Harmless typo in ftp.c

synopsis A harmless typo in ftp.c could cause the ftp directory parser to incorrectly think it successfully parsed certain "odd" lines not automatically enabling the "plain directory" option link.
severity Cosmetic
date 2006-02-26 00:06
bugzilla #1507
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-ftpdates.patch
workaround Manually add ;type=d after the URL if encountering a FTP server where this problem is seen. The Squid developers does not know of any FTP server giving out directory listings which would trigger this.

Fails to compile on Fedora Core 5 test 2 x86_64

synopsis - New GCC triggering on a few minor things related to variable aliasing - New OpenLDAP depreated the common LDAP C-API simple bind functions
severity Minor
date 2006-02-26 00:06
bugzilla #1492
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-fc5.patch

Hangs at 100% CPU if /dev/null is not accessible

synopsis Squid hangs at 100% CPU while starting helpers if /dev/null can not be opened (non-existing or bad permissions).
severity Cosmetic
date 2006-02-26 00:06
bugzilla #1484
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-devnull.patch
workaround Make sure /dev/null exists and is world read/writeable.

New persistent_connection_after_error configuration directive

synopsis The patch adds a new persistent_connection_after_error directive enabling/disabling the use of persistent connections after error. If set to off then it behaves very close to Squid-2.4 even if you have persistent connections enabled.
severity Cosmetic
date 2006-02-26 00:06
bugzilla #1482
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-persistent_connection_after_error.patch

delay pools given too much bandwidht after "-k reconfigure"

synopsis Delay pools assigned too much traffic credit after "squid -k reconfigure" (first time double the amount, second time three times the amount etc..)
severity Medium
date 2006-02-26 00:06
bugzilla #1481
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-delay_pool_reconfigure.patch
workaround Restart Squid instead of using "-k reconfigure", or don't allow for any bandwidth credit in your delay pools.

504 Gateway Time-out on FTP uploads

synopsis FTP uploads fails if the upload takes longer than read_timeout to complete.
severity Medium
date 2006-02-26 00:06
bugzilla #1459
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-ftp_upload.patch
workaround Set read_timeout high, but be warned that this combined with "half_closed_clients on" (default) may cause servere filedescriptor shortage.

Some clients support NTLM even if not initially negotiating persistent connections

synopsis Some clients is capable of using NTLM authentication even if they do not negotiate persistent connections on the initial request.
severity Minor
date 2006-02-26 00:06
bugzilla #1447
versions Squid-2.5.STABLE12
platforms All
patch squid-2.5.STABLE12-ntlm_nonpersistent.patch
workaround Allow basic authentcation to be used by these clients

Ident access lists don't work in delay_access statements

synopsis Ident access lists don't work in delay_access statements
severity Minor
date 2006-02-26 00:06
bugzilla #1428
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-ident_acl.patch

Segmentation fault on empty proxy_auth ACLs

synopsis Segmentation fault on empty proxy_auth ACLs
severity Cosmetic
date 2006-02-26 00:06
bugzilla #1414
versions Squid-2.5.STABLE8 to 2.5.STABLE12
platforms All
patch squid-2.5.STABLE12-empty_proxy_auth_acl.patch
workaround Make sure your configuration is correct with no empty proxy_auth ACLs defined.

Issues in processing ranges on objects >2GB

synopsis Range processing still failed on objects >2GB. This could be triggered either by range_offset_limit, or by enabling cacheing of such large objects.
severity Minor
date 2006-03-04 03:30
bugzilla #437
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-range2GB-2.patch
workaround range_offset_limit 0 KB (default), maximum_object_size below 2 GB (default 4096 KB which is safe).

Some 206 responses logged incorrectly

synopsis This patch adds an HttpReply *reply member to clientHttpRequest. This reply will be used to generate the client-side reply header and will stay in memory until the end of the transaction so the correct status code may be logged.
severity Minor
date 2006-03-04 03:07
bugzilla #1511
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-log_206-2.patch

Wrong timezone declaration for 64 bit Irix

synopsis On 64 bit Irix systems the declaration of timezone is different from 32 bit and the build fails.
severity Minor
date 2006-01-22 17:28
bugzilla #1479
versions Squid-2.5 and earlier
platforms SGI Irix (64 bit systems only)
patch squid-2.5.STABLE12-irix_timezone.patch
workaround Manually remove the 'timezone' declaration from lib/rfc1123.c.

prctl called with too few arguments

synopsis A minor error in the patch to allow coredumps on linux. Not harmful today, but maybe in future if these unused arguments is used for something..
severity Cosmetic
date 2006-01-15 01:23
bugzilla #1483
versions Squid-2.5.STABLE11
platforms All
patch squid-2.5.STABLE12-prctl_args.patch

Squid crash when asyncio function counters url accessed from Cachemgr CGI

synopsis When accessing Async IO Function Counters from the Cachemgr interface, if aufs is not in use, Squid could segfaults.
This happens only when Squid is build with aufs and aufs's number of threads is set with the --enable-async-io configure option.
severity Minor
date 2005-12-26 16:41
bugzilla #1464
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-asyncio_counters.patch
workaround Specify during configure only the store FS that will be used.

wbinfo_group.pl doesn't work with Samba 3.0.21

synopsis wbinfo -n output was changed in Samba 3.0.21, adding a SID description after the SID value:

giove:~# wbinfo -n Staff
S-1-5-21-682003330-854245398-1708537768-1123 Domain Group (2)

So a little change in the wbinfo_group.pl parsing is needed.
severity Minor
date 2005-12-24 11:02
bugzilla #1472
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-wbinfo_group.patch
workaround None.

bad credentials fetch (no user)

synopsis The SMB NTLM authentication helper doesn't work as expected when using the --enable-ntlm-fail-open configure option because credentials are not fetched correctly (username is missing).
This problem is triggered only when using the --enable-ntlm-fail-open configure option and the helper was not able to validate the user.
severity Minor
date 2005-12-11 10:52
bugzilla #1022
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-SMB_BadFetch.patch
workaround Don't use the --enable-ntlm-fail-open configure option.

Added WebDAV REPORT method to know HTTP methods list

synopsis Added WebDAV REPORT method to know HTTP methods list
severity Cosmetic
date 2006-02-26 14:47
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE12-REPORT.patch
workaround extension_methods REPORT

fails to compile with undefined reference to setenv

synopsis Squid-2.5.STABLE12 assumes the OS provides a setenv() function, causing compilation to fail on platforms not providing such function.
severity Minor
date 2005-10-26 20:31
bugzilla #1435
versions Squid-2.5.STABLE12
platforms Solaris and other platforms not having a setenv() function
patch squid-2.5.STABLE12-setenv.patch
workaround Back out squid-2.5.STABLE11-HOME-2.patch

2.5.STABLE11 Patches

Patches released after the 2.5.STABLE11 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Delay pool class 3 fails on clients in network 255 (ip X.X.255.X)

synopsis The individual pools for network 255 in a class 3 pool was handled wrongly, causing clients with ip X.X.255.X to hang after downloading a few bytes.
severity Minor
date 2005-10-20 17:42
bugzilla #1431
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-delaypool_3_255.patch
workaround Don't assign clients in network 255 to a class 3 pool. Use a class 2 pool for this network alone.

Segmentation fault in rfc1738_do_escape

synopsis In certain odd FTP server responses Squid may crash with a segmentation fault in rfc1738_do_escape.
severity Major
date 2005-10-18 15:48
bugzilla #1426
versions Squid-2.5.STABLE11
platforms All
patch squid-2.5.STABLE11-rfc1738_do_escape.patch
workaround deny access to the ftp protocol via the proxy

Incorrect handling of Set-Cookie on cache refreshes

synopsis In sertain situations involving cache refreshes of 302 responses Set-Cookie headers may be lost.
severity Minor
date 2005-10-18 15:47
bugzilla #1419
versions Squid-2.5.STABLE9 to 2.5.STABLE11
platforms All
patch squid-2.5.STABLE11-setcookie.patch
workaround Use the no_cache directive to deny the cache to be used on the affected URLs (if identified).

redirector 302 redirects not working for CONNECT method

synopsis If a redirector attempted to return a 302 redirect in response to a CONNECT method Squid responded with an error.
severity Minor
date 2005-10-18 15:47
bugzilla #1412
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-redirect-CONNECT.patch

Cache refreshes of HEAD requests did not work

synopsis Due to a long standing misunderstanding of HEAD requests it has not been possible to revalidate the cache on a HEAD request. Since 2.5.STABLE7 this have had the sideeffect that the cache hit ratio for applications using HEAD has been very low.
severity Minor
date 2005-10-18 15:47
bugzilla #1411
versions SquId-2.5 and earlier, made more visible in 2.5.STABLE7 and later
platforms All
patch squid-2.5.STABLE11-IMS-HEAD.patch

Incorrct handling of squid-internal-dynamic/netdb with httpd_accel (transparant proxy)

synopsis netdb excahnges failure when peering with a 2.5.STABLE11 configured as an transparently intercepting proxy
severity Minor
date 2005-10-18 15:47
bugzilla #1410
versions Squid-2.5.STABLE11
platforms All
patch squid-2.5.STABLE11-httpd_accel-internal.patch
workaround Set the first http_port to 80 (same as httpd_accel_port).

CNAME adresses remembered with wrong TTL

synopsis The wrong TTL was seleced on certain CNAME based DNS responses such as used in certain load balancing methods etc.
severity Minor
date 2005-09-28 21:52
bugzilla #1404
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-CNAME.patch
workaround Don't set dns_positive_ttl too high. This directive puts an upper bound on the DNS cache time to live compensating for this error.

Defining CACHE_HTTP_PORT does not set the default http_port

synopsis configure accepts a number of parameters as input in environment variables and setting CACHE_HTTP_PORT is meant to define the default port where Squid listen. This was however only half-way implemented.
severity Cosmetic
date 2005-09-28 21:16
bugzilla #1403
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-CACHE_HTTP_PORT.patch
workaround edit the http_port section in src/cf.data.pre in adition to defining CACHE_HTTP_PORT.

httpd_accel_single_host breaks in combination with server_persistent_connections

synopsis Persistent connections did not work proper in accelerator mode using httpd_accel_single_host, causing a lot of connections to build up to the backend web server.
severity Minor
date 2005-09-28 21:07
bugzilla #1402
versions Squid-2.5 and earlier(?)
platforms All
patch squid-2.5.STABLE11.accel_single_host_pconn.patch
workaround server_persistent_connections off, or disable persistent connection support on the web server.

$HOME not set when started as root

synopsis The environment variable $HOME is not set properly when Squid is started as root, causing problems for some helpers to find their configuration details. For example LDAP helpers finding their .ldaprc configuration data. This patch sets $HOME to the home of cache_effective_user.
severity Cosmetic
date 2005-09-28 21:42
bugzilla #1401
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-HOME-2.patch
workaround Set $HOME appropriately when starting Squid, or wrap the helper needing this in a small script setting $HOME.

More tracing in test mode of squid_ldap_auth

synopsis This patch adds some additional tracing to squid_ldap_auth hopefully making it easier to isolate squid_ldap_auth configuration errors. The patch also corrects a small but important error in one of the examples in how to connect to Microsoft Active Directory.
severity Cosmetic
date 2005-09-28 21:07
bugzilla #1395
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-ldap_auth.patch
workaround None needed

Document that tcp_outgoing_xxx works badly in combination with server_persistent_connections

synopsis The tcp_outgoin_address and tcp_outgoing_tos directives is evaluated when a new outgoing connection is set up and not changed if the same connection is later reused for a completely different requests. This patch clarifies this limitation.
severity Cosmetic
date 2005-09-28 21:07
bugzilla #454
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE11-tcp_outgoing_xxx.patch
workaround Set server_persistent_connections off when using these directives to set the outgoing address/tos depending on the requesting client or similar.

Truncated responses when using delay pools

synopsis A small but critical error has been found in the patch for Bug #500 causing responses to get truncated when using delay pools.
severity Major
date 2005-09-27 22:29
bugzilla #1405
versions Squid-2.5.STABLE11 only
platforms All
patch squid-2.5.STABLE11-delaypools_truncated.patch
workaround Disable the use of delay pools

2.5.STABLE10 Patches

Patches released after the 2.5.STABLE10 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

--with-maxfd=N configure option to override max filedescriptors test

synopsis New configure option to make life easier for people needing to build a binary supporting a higher number of filedescriptors than the user they build Squid as is allowed to open.
severity Cosmetic
date 2005-09-19 15:50
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-maxfd.patch
workaround Squid FAQ 11.4 Running out of filedescriptors

invalid host is processed as IP 255.255.255.255 in dst acl

synopsis Instead of always being false the dst acl match was using the address 255.255.255.255 if no IP could be found for the requested host. Apart from being slightly odd and unexpected this made it hard to differentiate uknown hosts from badly registered hosts.
severity Minor
date 2005-09-16 21:58
bugzilla #1394
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-dst_unknown.patch
workaround none needed

Odd results when pipeline_prefetch is combined with NTLM authentication

synopsis pipeline_prefetch is incompatible with NTLM authentication, but Squid failed to detect this if pipeline_prefetch was set after the auth_param ntlm directive.
severity Cosmetic
date 2005-09-16 21:49
bugzilla #1396
versions Squid-2.5
platforms All
patch squid-2.5.STABLE10-ntlm-pipeline_prefetch.patch
workaround Leave pipeline_prefetch at it's default "off" setting

FATAL: Incorrect scheme in auth header

synopsis Squid may crash with the above error when given certain request sequences.
severity Major
date 2005-09-16 11:10
bugzilla #1391
versions Squid-2.5
platforms All
patch squid-2.5.STABLE10-NTLM-scheme_assert-2.patch
workaround Disable ntlm authentication

Odd results on pipelined CONNECT requests

synopsis If Squid is configured with "pipeline_prefetch on" then odd results and instability may be seen on pipelined CONNECT requests.
severity Medium
date 2005-09-15 09:56
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-pipeline-CONNECT.patch
workaround "pipeline_prefetch off" in squid.conf. (the default setting).

Transparent proxy problem with IP Filter

synopsis On NetBSD and maybe others, when using Ipfilter 4.x, opening of the NAT device fails.
On Solaris the following message can appear in cache.log:
parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument

This patch adds the usage of ipfobj structure for IP Filter 4.0alpha27 and later.
severity Minor
date 2005-09-13 03:22
bugzilla #1378
versions Squid-2.5 and earlier
platforms NetBSD, Solaris and maybe others
patch squid-2.5.STABLE10-NetBSD_IPFilter-3.patch

Clients bypassing delay pools by faking a cache hit

synopsis Clients may bypass delay pool settings by carefully constructing the request making it look like a cache hit.
severity Medium
date 2005-09-11 01:53
bugzilla #500
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-delay_pools.patch

Allow leaving core dumps on Linux

synopsis Linux and other operating systems by default prevent saving of core dumps on fatal application errors if the application has changed user ID since it was started.
severity Cosmetic
date 2005-09-16 21:16
bugzilla #1335
versions Squid-2.5 and earlier
platforms Linux (maybe others)
patch squid-2.5.STABLE10-allow_coredump-2.patch
workaround Start Squid as your cache_effective_user

enums can not be assumed to be signed ints

synopsis The header_id enum was misused assuming compilers would compile the type equivalent to an signed integer, while the enum was only defined with positive values allowing compilers to select an unsigned integer data type to store the enum.
severity Cosmetic
date 2005-09-11 01:21
bugzilla #1343
versions Squid-2.5 and earlier
platforms Some compilers on some platforms
patch squid-2.5.STABLE10-header_id_enum.patch

Incorrect store dir selection debug message on objects >2G

synopsis Incorrect store dir selection debug message on objects >2G
severity Cosmetic
date 2005-09-11 01:21
bugzilla #1343
versions Squid-2.5.STABLE10 (earlier versions could not handle such large objects at all)
platforms All
patch squid-2.5.STABLE10-storedir_objsize_debug.patch

LDAP helpers does not work with TLS (-Z option)

synopsis Due to a logics error in squid-2.5.STABLE9-LDAP_SUN_SDK.patch TLS could not be activated when using the OpenLDAP SDK.
severity Minor
date 2005-09-11 00:57
bugzilla #1389
versions Squid-2.5.STABLE10
platforms All
patch squid-2.5.STABLE10-LDAP_TLS.patch

E-mail sent when cache dies is blocked from many antispam rules

synopsis The e-mail sent when the cache dies use as "From:" field the Squid internal appname "squid".
This "From:" address is invalid for the majority of antispam filters because doesn't contains a valid domain name.

This patch adds the 'mail_from' directive to squid.conf, allowing to specify the from e-mail address and change the default to use 'appname@unique_hostname'.
severity Minor
date 2005-09-03 09:41
bugzilla #1380
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-mail_from.patch
workaround Define special rules into antispam configuration.

Solaris 10 SPARC transparent proxy build problem with ipfilter

synopsis On Solaris Ipfilter include files use a SOLARIS2 define defined only in the ipfilter makefile at ipfilter build time.
When building applications like Squid that use ipfilter include files, this define must be defined according to the Solaris minor version:
On solaris 8: #define SOLARIS2 8
On solaris 10 #define SOLARIS2 10

Another minor problem is that getconf during configure remove the 'sun' define used from ipfilter to recognize the Solaris platform.
severity Minor
date 2005-09-13 02:59
bugzilla #1374
versions Squid-2.5 and earlier
platforms Solaris Sparc and x86
patch squid-2.5.STABLE10-Solaris_IPFilter-2.patch
workaround Manually define SOLARIS2 before running configure.

snmo cacheClientTable fails on "long" IP addresses

synopsis snmp cacheClientTable fails to return any information for "long" IP addresses. Clients with IP xxx.xxx.xxx.xx or shorter works, but xxx.xxx.xxx.xxx does not work.
severity Minor
date 2005-09-01 22:57
bugzilla #1375
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-cacheClientTable.patch

squid_ldap_auth -U does not work

synopsis The -U option added earlier does not work entirely correct
severity Minor
date 2005-09-01 22:49
bugzilla #1370
versions Squid-2.5
platforms All
patch squid-2.5.STABLE10-ldap_auth-U.patch

assertion failed: store.c:523: "e->store_status == STORE_PENDING"

synopsis Squid crashes with the above assertion failure in certain conditions involving aborted requests.
severity Major
date 2005-09-01 22:44
bugzilla #1368
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-STORE_PENDING.patch

Greek translation of error messages

synopsis Greek translation of the Squid error messages, kindly provided by George Papamichelakis.
severity Cosmetic
date 2005-09-01 22:39
bugzilla #1351
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-Greek.patch

Some odd FTP servers respond with 250 where 226 is expected

synopsis Some off FTP servers mistakenly responds with a 250 code where 226 is expected, making Squid mistakenly think something went wrong with the transfer
severity Minor
date 2005-09-01 22:31
bugzilla #1348
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-ftp_250.patch

Fails to compile with glibc -D_FORTIFY_SOURCE=2

synopsis Squid fails to compile if glibc -D_FORTIFY_SOURCE=2 is ued (used by Fedora Core 4 and others). This due to the way -D_FORTIFY_SOURCE=2  is implemented in the glibc headers, redefining vprintf and a number of other functions as preprocessor macros, causing problems for applications like Squid reusing the same name as structure members.
severity Cosmetic
date 2005-09-01 22:26
bugzilla #1344
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-FORTIFY_SOURCE.patch
workaround Don't use -D_FORTIFY_SOURCE=2

Odd URLs when failing to forward request via parent and several error messages inconsistent in reported request details

synopsis In certain error conditions on requests forwarded to a peer proxy the URL in the error message could look a bit strange (NONE://10.72.43.56:8181http://www.abcd.com/) and a number of inconsistences in what %xx error page components may be used where
severity Cosmetic
date 2005-09-01 22:18
bugzilla #1342
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-errmsg.patch

More chroot_dir and squid -k reconfigure issues

synopsis Issues with reading mime.conf and a few other files when using chroot_dir and issuing a "squid -k reconfigure".
severity Minor
date 2005-09-01 22:09
bugzilla #1331
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-chroot_dir.patch
workaround Make sure the chroot path exists within the chroot as well..

assertion failed: StatHist.c:93: ((int) floor(0.99L + statHistVal(H, 0) - min)) == 0

synopsis One slightly oddly done sanity check in Squid may trigger compiler bugs on certain platforms.
severity Medium
date 2005-09-01 21:56
bugzilla #1325
versions Squid-2.5 and earlier
platforms Some (compiler dependent)
patch squid-2.5.STABLE10-statHistAssert.patch
workaround Probably works fine if optimizations is disabled

Segmentation fault in sslConnectTimeout

synopsis After certain slightly odd requests Squid crashes with a segmentation fault in sslConnectTimeout
severity Major
date 2005-09-01 20:27
bugzilla #1355
versions Squid-2.5
platforms All
patch squid-2.5.STABLE10-sslConnectTimeout.patch

sync redeclarations when support for ARP acls

synopsis Workaround needed to allow the build of both ipfilter and ARP acl support on Solaris x86.

Some defines, like
#define free +
are used in squid.h to block misuse of standard malloc routines where the Squid versions should be used. This pollutes the C/C++ token namespace crashing any structures or classes having members of the same names.
severity Minor
date 2005-08-19 09:31
bugzilla #199
versions Squid-2.5 and earlier
platforms Solaris x86 and may be Solaris Sparc
patch squid-2.5.STABLE10-arp_ipfilter-2.patch

New 'mail_program' configuration option in squid.conf

synopsis This patch adds new 'mail_program' configuration option in squid.conf.

This option allow to specify the mailer program name that squid will use to send fatal reports by mail and related command line options.
severity Cosmetic
date 2005-08-14 17:05
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-mail_program.patch

The new --with-build-environment=... option doesn't work

synopsis The new --with-build-environment=... configure option added in STABLE10 doesn't work other than the "default" case.
severity Cosmetic
date 2005-07-11 00:46
versions Squid-2.5.STABLE10
platforms All
patch squid-2.5.STABLE10-buildenv.patch
workaround Specify the needed CFLAGS etc as environment variables when running configure.

Allow wb_ntlm_auth to run more silent

synopsis This patch allow wb_ntlm_auth to run more silent:
- Don't try to open /dev/urandom if it's not available.
- Changed the level of the "target domain" message from warn to debug.
severity Cosmetic
date 2005-07-09 08:58
bugzilla #518
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-wb_ntlm_auth_silent.patch

"make all" gives many warnings

synopsis This patch fixes many warnings during build on HP Tru64 Unix:
- assert() must test logical expressions, not pointers
- STATUS define conflict in parse.c (snmplib)
- Warnings in winbind, winbind_group, SMB, fakeauth and MSNT helpers
- Warnings in net_db.c
severity Cosmetic
date 2005-07-03 08:24
bugzilla #1316
versions Squid-2.5 and earlier
platforms HP Tru64 and probably some other 64 bit platforms
patch squid-2.5.STABLE10-64bit_cleanup.patch

wbinfo_group.pl only looks into the first group specified

synopsis wbinfo_group.pl only looks into the first group specified, while all other group helpers allows a list of groups to look for
severity Minor
date 2005-06-29 20:36
bugzilla #1333
versions Squid-2.5
platforms All
patch squid-2.5.STABLE10-wbinfo_groups.patch
workaround use one acl per group

FTP listings uses "BASE HREF" much more than it needs to,

synopsis This patch changes the directory cleanup to use relative URLs rather than BASE HREF when a directory is requested without trailing /
severity Minor
date 2005-06-21 22:28
bugzilla #1204
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-ftp_basehref.patch
workaround Make sure to end the ftp:// URL in / when requestign a diretory

Title in FTP listings somewhat messed up

synopsis The squid-2.5.STABLE8-html_high_chars patch was a little too agressive messing up URLs having characters which was intentionally encoded such as / as used for the UNIX root directory.
severity Cosmetic
date 2005-06-22 10:46
bugzilla #1220
versions Squid-2.5.STABLE9 and 10
platforms All
patch squid-2.5.STABLE10-ftp_title-2.patch

SNMP GETNEXT fails if the given OID is outside the Squid MIB

synopsis This quick patch fixes the SNMP GETNEXT search when given an OID outside the Squid MIB. This allows proper integration of Squid into proxy SNMP agents.
severity Minor
date 2005-06-19 21:03
bugzilla #1317
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-snmp_getnext.patch

squid -k reconfigure internal corruption if the type of a cache_dir is changed

synopsis Failed to detect if the type of an existing cache_dir was changed, calling the parser function of the new type with the internal data of the existing one.. This patch detects this and logs to cache.log (and the console) that a restart is required.
severity Minor
date 2005-06-19 09:39
bugzilla #1308
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-cache_dir_change.patch
workaround Restart Squid whenever changing the type of an existing cache_dir.

httpd_accel_signle_host incompatible with redireection

synopsis Due to an internal error httpd_accel_single_host was incompatible with redirection.
severity Minor
date 2005-06-13 22:55
bugzilla #1314
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-redirect_flags.patch

Core dump with --enable-ipf-transparent if access to NAT device not granted

synopsis Abnormal crash if Squid was built with --enable-ipf-transparent but access to the NAT device was denied.
severity Minor
date 2005-06-30 08:49
bugzilla #1313
versions Squid-2.5.STABLE10
platforms All
patch squid-2.5.STABLE10-transparent-2.patch
workaround Properly configure your OS to grant Squid access to the NAT device when using --enable-ipf-transparent

squid -k fails in combination with chroot after patch for bug 1157

synopsis Due to a slight confusion about paths when using the chroot directive "squid -k" could fail to find the pid file.
severity Minor
date 2005-06-27 21:24
bugzilla #1307
versions Squid-2.5.STABLE10
platforms All
patch squid-2.5.STABLE10-chroot-2.patch
workaround Use symlinks to make the pid file appear in the same location both within and outside the chroot.

Squid internal icons served up with slightly incorrect HTTP headers

synopsis The Date header on internal icons always showed the date when Squid was started, causing slight cache problems for client and second-level non-squid proxies.
severity Minor
date 2005-06-09 08:01
bugzilla #1275
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE10-internal_date.patch
workaround None needed.

Updated Spanish error messages

synopsis Updated Spanish error messages with translation for the ERR_INVALID_RESP page and numerous minor corrections in other pages.
severity Cosmetic
date 2005-06-06 21:38
versions Squid-2.5
platforms All
patch squid-2.5.STABLE10-spanish.patch

Double content-length often harmless

synopsis There is quite many web servers out there with broken banner engines forgetting to delete the original content-length after adding the banner. Currently these are (rightfully) rejected by Squid. Instead of rejecting we could select the biggest content-length header found and remove the other. This should fix up these replies while not allowing for attacks.
severity Cosmetic
date 2005-05-25 23:01
bugzilla #1305
versions Squid-2.5.STABLE8 to STABLE10
platforms All
patch squid-2.5.STABLE10-content_length.patch
workaround The proper fix to this problem is to work with the site operators to have their web servers corrected.

2.5.STABLE9 Patches

Patches released after the 2.5.STABLE9 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Extended documentation of the always_direct directive

synopsis There has been a lot of questions about always_direct. This patch tries to answer the most common questions on what always_direct does and it's relations to other directives.
severity Cosmetic
date 2005-05-10 23:11
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-always_direct_documentation.patch

assertion failed: store_client.c:343: "storeSwapOutObjectBytesOnDisk(mem) > sc->copy_offset"

synopsis A race window in the 2GB patch could make Squid abort with the above assertion error
severity Medium
date 2005-05-10 22:33
bugzilla #1301
versions Squid-2.5.STABLE9+2GB patch
platforms All
patch squid-2.5.STABLE9-2GB_assert.patch

DNS lookups unreliable on untrusted networks

synopsis Malicious users may spoof DNS lookups if the DNS client UDP port (random, assigned by OS at startup) is unfiltered and your network is not protected from IP spoofing.
severity Security issue
date 2005-05-10 22:24
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-dns_query-2.patch
workaround Firewall your Squid server to not allow spoofed DNS responses to reach the server.

Allow dstdomain and dstdom_regex to match IP based hosts

synopsis This patch extends the dstdomain and dstdom_regex acls to also allow matching of numeric host names (IP addresses) in the requested URLs.
severity Minor
date 2005-05-09 01:51
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-dstdomain_ip.patch
workaround In prior versions only url_regex could be used for matching these, and then with rather complex patterns..

Minor arp ACL improvements

synopsis Cosmetic improvements to arp ACL code:
- Fixed a build warning on FreeBSD
- Added documentation info in squid.conf
- Fixed dump format of arp ACL configuration in cachemgr
severity Cosmetic
date 2005-05-08 14:01
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-arpacl.patch

SNMP Agent updates to support SNMP Version 2 and bulk requests

synopsis This patch corrects two minor issues in the SNMP agent. The first ignored all but the first OID in GETNEXT/GETBULK requests. The second is that Squid always responded with a SNMPv1 response even when the request was a SNMPv2(c) request, causing the requestor to ignore the response sent by Squid.
severity Minor
date 2005-05-04 18:09
bugzilla #1298, #1299
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-snmp.patch
workaround Use SNMPv1 and only request one OID at a time

Cosmetic change to DISKD statistics

synopsis This patch align labels and expand OPS and SUCCESS fields of DISKD cachemgr stats
severity Cosmetic
date 2005-05-01 10:58
bugzilla #1267
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-diskd.patch

Poor hot object cache hit ratio and sporadic assertion failed: store_swapin.c: e->mem_status == NOT_IN_MEMORY

synopsis This patch corrects a problem with the squid-2.5.STABLE9-2GB patch where the hot object cache showed a very poor hit ratio and also sporadic aborts with assertion failed: store_swapin.c: e->mem_status == NOT_IN_MEMORY.
severity Medium
date 2005-04-30 12:58
bugzilla #1055
versions Squid-2.5.STABLE9+2GB patch
platforms All
patch squid-2.5.STABLE9_2GB-hot_cache.patch

Minor aufs improvements

synopsis - Currently internal thread request counters are increased at every request, but they don't are displayable in cachemgr. This patch adds in the "Async IO Function Counters" cachemgr page thread request counters.
- Usage of FD_READ_METHOD/FD_WRITE_METHOD instead of read()/write() int the async-io completion event for better portability.
severity Cosmetic
date 2005-04-25 16:36
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-aufs_improvement.patch

Fix for CVE-1999-0710: cachemgr malicouse use

synopsis This patch adds access controls to the cachemgr.cgi script, preventing it from being abused to reach other servers than allowed in a local configuration file.
severity Minor Security
date 2005-04-26 04:30
bugzilla #1094
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-cachemgr_conf.patch
workaround Configure your web server to restrict which users may use the cachemgr.cgi CGI program.

PID file check fails when chrooting

synopsis The PID file check gets somewhat confused when chrooting, writing the pid within the chroot but trying to read it before chrooting.
severity Cosmetic
date 2005-04-22 20:48
bugzilla #1157
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-chroot_pidfile.patch
workaround Use symlinks to make sure the PID file can be read both within and outside the chroot.

Make the use of the %m error page to return auth info messages

synopsis This patch extends the helper protocols for Basic and Digest to provide some basig information in error responses, and makes use of the error response already included in the NTLM helper protocol, making these messages available as %m in error pages. Can be used if desired to indicate why a login failed. The exact messages returned is helper dependent.
severity Minor
date 2005-04-24 16:35
bugzilla #1223
versions Squid-2.5
platforms All
patch squid-2.5.STABLE9-authinfo.patch

Unrecognized cache-control directives are silently dropped

synopsis This patch corrects forwarding of unrecognized cache-control directives in forwarded requests.
severity Minor
date 2005-04-22 20:21
bugzilla #414
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-forwardcc.patch

Correctly read DOS/Windows formatted config files with CRLF as line terminator

synopsis The configuration parser sometimes misunderstood lines using the DOS/Windows CRLF line terminator, causing the CR to be read as part of the configured strings. This could be seen in auth_param realm and a few other places.
severity Cosmetic
date 2005-04-21 10:31
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-config_CRLF.patch
workaround Make sure your squid.conf is in proper UNIX format with only NL as line terminator.

Unable to run "squid -k" when hostname cannot be determined

synopsis Unable to run "squid -k" when hostname cannot be determined
severity Minor
date 2005-04-20 21:55
bugzilla #1196
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-squid_k_nohostname.patch
workaround Set visible_hostname in squid.conf

fix transparent proxying when squid listens on NATed non-80 port

synopsis The logics on how Squid should reconstruct the requested URL when running as an transarently intercepting proxy was a bit muddled and failed in some cases is Squid was listening on a different port than the intercepted traffic.
severity Minor
date 2005-04-20 21:55
bugzilla #1193
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-transparent_port.patch
workaround Use one http_port directive per intercepted port

Missing newlines in debug statements

synopsis Some debug statements missing newlines causing cache.log debug output to look somewhat odd.
severity Cosmetic
date 2005-04-21 10:46
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-debug_newlines.patch

Error template substitution for authenitcated user name

synopsis This patch adds support for the %a code in error page templates, expanding into the authenticated user name or - if the request was not authenticated.
severity Cosmetic
date 2005-04-20 21:36
bugzilla #798
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-errpage_user.patch

should syslog to daemon facility not local4

synopsis The syslog facility Squid logs as was hardcoded to "local4". This patch changes it to the more appropriate "daemon", and adds a -l command line option to specify the facility if another facility is desired.
severity Cosmetic
date 2005-04-26 04:42
bugzilla #1227
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-syslog.patch

external acls requiring authentication does not request new credentials on access denials like proxy_auth does.

synopsis Squid normally has the logic that if an request was denied by an acl requiring authentication then the user should be requested to provide "better" login credentials. This patch extends this to also work on external acls requiring authentication (%LOGIN)
severity Cosmetic
date 2005-03-30 22:51
bugzilla #1278
versions Squid-2.5
platforms All
patch squid-2.5.STABLE9-extaclauth.patch
workaround You get the same effect by using a "proxy_auth REQUIRED" acl last on the http_access deny line, after the external acl.

New cachemgr pending_objects and client_objects actions

synopsis This patch adds two new cachemgr actions to give access to two classes of interesting ongoing objects:
pending_objects: Objects being retreived from the network
client_objects : Objects being sent to clients
severity Cosmetic
date 2005-03-29 09:52
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-cachemgr_objects.patch

rename() related cleanup

synopsis On Windows (both native and Cygwin ports) and OS/2 is not possible rename a file over an existent one, so before the rename operation an unlink() is always needed.
Sometimes, after a squid crash, storeDirCloseTmpSwapLog() function family fails because there is no target file to delete causing a fatal error.

This patch move the unlink() into xrename() like the native Windows port and remove all no more needed unlink().

severity Minor
date 2005-03-26 23:53
versions Squid-2.5 and earlier
platforms OS/2, Cygwin and native Windows
patch squid-2.5.STABLE9-rename_cleanup.patch

Fails to process requests for files larger than 2GB in size

synopsis This rather intrusive patch makes Squid request forwarding 64-bit clean on 32-bit platforms with support for long long, allowing Squid to process requests for files larger than 2GB.

- squid_off_t type, defined to 64 bit in size when available. Used everwhere where an object size is seen.
- cleaned up use of off_t / size_t / ssize_t.
- several invalid typecasts to int removed
- PRINTF_OFF_T macro for the proper printf format for squid_off_t variables.
- --with-large-files option to enable large file support on UNIX compatible platforms (writing of log files etc).
- --enable-large-cache-files option to enable caching of very large files

severity Medium
date 2005-04-20 14:59
bugzilla #437
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-2GB.patch

aufs warning about open event filedescriptors on shutdown

synopsis This patch addresses the warning on shutdown about two open event related filedescriptors on shutdown. It also contains a microscopic performance enhancement by starting the I/O threads early during the startup rather than on the first I/O request.
severity Cosmetic
date 2005-03-19 23:57
bugzilla #671
versions Squid-2.5
platforms All
patch squid-2.5.STABLE9-aufs_shutdown.patch

--disable-hostname-checks not working

synopsis The advertised --disable-hostname-checks could not be set, causing Squid to always sanity check the hostnames even if this configure option was used.
severity Minor
date 2005-03-19 01:35
bugzilla #1270
versions Squid-2.5
platforms All
patch squid-2.5.STABLE9-disable_hostname_checks.patch

LDAP helpers fails to compile with SUN LDAP SDK

synopsis The LDAP helpers fails to compile with SUN LDAP SDK
severity Cosmetic
date 2005-04-19 22:46
bugzilla #1258
versions Squid-2.5
platforms All
patch squid-2.5.STABLE9-LDAP_SUN_SDK.patch
workaround Compile the LDAP helpers towards OpenLDAP SDK

CONNECT requests truncated if client side disconnects first

synopsis This mainly causes problems for applications abusing the CONNECT method for tunneling other traffic than SSL via the proxy, for example some FTP clients when uploading files.

The "problem" was introduced by squid-2.5.STABLE6-CONNECT.patch which immediately disconnects from the server when seeing a client disconnect not waiting for pending "upload" data to be sent first.

It is strongly recommended to not use the CONNECT method in this manner. If you want a general purpose proxy then look into SOCKS which provides much better support for this kind of proxying.

Or in the case of FTP use a FTP proxy.

severity Minor
date 2005-03-21 20:44
bugzilla #1269
versions Squid-2.5.STABLE6 to 2.5.STABLE9
platforms All
patch squid-2.5.STABLE9-CONNECT_truncated.patch

Basic authentication fails with very long logins or password

synopsis There was an artificial limit on the login+password to no more than 64 characters in total.
severity Minor
date 2005-03-19 00:25
bugzilla #1171
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-long_basic_auth.patch

Several minor aufs issues

synopsis - Enhance performance by zero-copy writes, enabled by making the mem nodes reference counted.
- Implement ASYNC_CLOSE define, default to off.
- Correct ASYNC_WRITE logics if enabled (default to off)
- Correct a potential memory corruption error on queued write errors
- Remove unused aioFDWasClosed call
severity Minor
date 2005-03-29 08:45
bugzilla #671
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-aufs.patch

Extend relaxed_header_parser to work around "excess data from" errors from many major web servers.

synopsis This patch extends "relaxed_header_parser on" to also quell warnings about "excess data" due several major web server vendors not complying proper with the HTTP specifications in some aspects.
severity Cosmetic
date 2005-03-09 15:46
bugzilla #1265
versions Squid-2.5.STABLE9
platforms All
patch squid-2.5.STABLE9-excess_data.patch

Duplicate content-length headers logged as conflicting with relaxed_header_parser off

synopsis With relaxed_header_parser off duplicate content-length headers were incorrecly logged as conflicting, not duplicates. In addition it forgot to clean up the duplicate when relaxed-header_parser was enabled (on/warn setting)
severity Cosmetic
date 2005-03-09 15:46
bugzilla #1262
versions Squid-2.5.STABLE9
platforms All
patch squid-2.5.STABLE9-dup_content_length.patch

Defer digest fetch if the peer is not allowed to be used

synopsis The cache digest retreival should be deferred if the peer is not allowed to be used for the request.
severity Cosmetic
date 2005-03-09 15:46
bugzilla #1261
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-defer_digest_fetch.patch

Incorrect use of ctype functions

synopsis SOme parts of the code was found to make incorrect use of the ctype functions, possibly causing problems with "high" characters.
severity Minor
date 2005-03-10 23:38
bugzilla #1259
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-ctype.patch

compile warnings due to pid_t not being an int

synopsis On some platforms Squid compiler warnings was seen about pid_t not being an integer. But this could cause debug output from the affected components to be somewhat garbled on the affected platforms.
severity Minor
date 2005-03-15 04:27
bugzilla #1257
versions Squid-2.5 and earlier
platforms mostly 64-bit platforms
patch squid-2.5.STABLE9-pid_t.patch

bzero is a non-standard function not available on all platforms

synopsis bzero is a non-standard function not available on all platforms. The standard function for this is memset with a value of 0.
severity Minor
date 2005-03-09 15:46
bugzilla #1256
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-bzero.patch

Check several squid.conf directives for int overflows

synopsis Due to integer overflows several directives behaves differently than expected if given values greater than 2^31. (2 GB). This applies to maxiumum_object_size and several other directives.
severity Cosmetic
date 2005-03-09 15:46
bugzilla #1247
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-config_overflow.patch
workaround Keep the configuration specifications in values < 2 GB.

Clarify delay_access function

synopsis Clarify the wordign in the delay_access documentation to make it clearer this directive is sorted per pool, not used in the order specified.
severity Cosmetic
date 2005-03-09 15:46
bugzilla #1245
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-delay_access_doc.patch
workaround Read documentation carefully

reload_into_ims fails to revalidate negatively cached entries

synopsis If the reload_into_ims directive is used Squid may fail to revalidate negatively cached entries on reload.
severity Minor
date 2005-03-09 15:46
bugzilla #1159
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-reload_into_ims.patch
workaround Don't use reload_into_ims. This is recommended as reload_into_ims is a violation of the HTTP standards.

Handle odd date formats

synopsis A number of different web servers sends dates in odd formats outside the three "official" formats documented in RFC2616, indirectly causing Squid to not cache objets from such sites.
severity Minor
date 2005-03-09 15:46
bugzilla #321
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-date.patch

Unexpected access control results on configuration errors

synopsis On configuration errors involving wrongly defined or missing acls the http_access results may be different than expected, possibly allowing more access than intended. This patch makes such configuration errors a fatal error, preventing the service from starting until the access control configuration errors have been corrected.
severity Cosmetic Security
date 2005-03-04 22:48
bugzilla #1255
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE9-acl_error.patch
workaround Verify your configuration with "squid -k parse" and correct any errors reported before starting Squid.

Links in FTP listings without / fails due to missing BASE HREF

synopsis Links in FTP directory listings when the requested URL is missing the trailing / fails.
severity Minor
date 2005-03-04 11:55
bugzilla #1253
versions Squid-2.5.STABLE9
platforms All
patch squid-2.5.STABLE9-ftp_base_href.patch
workaround Request the directory with the trailing /.

Fails to parse the EPLF FTP directory format

synopsis The EPLF FTP directory parser failed to parse all attributes of the files, showing everything as unknown files.
severity Minor
date 2005-03-04 11:55
bugzilla #1252
versions Squid-2.5
platforms All
patch squid-2.5.STABLE9-ftp_EPLF.patch

Race condition related to Set-Cookie header

synopsis A race window has been discovered where Set-Cookie headers may leak to another users if the requested server relies on the old obsolete (since 1997) Netscape Set-Cookie specifications in how caches should handle the Set-Cookie header on otherwise cacheable content.
severity Minor Security
date 2005-03-03 02:26
versions Squid-2.5.STABLE7 to 2.5.STABLE9
platforms All
patch squid-2.5.STABLE9-setcookie.patch
workaround Not a workaround, but the proper fix to this issue is to convert the server to send proper "Cache-Control: no-cache=Set-Cookie" when required as per the official RFC2109 / RFC2965 specifications.

2.5.STABLE8 Patches

Patches released after the 2.5.STABLE8 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Should not automatically retry request on 403 and other server errors

synopsis Proxies should not automatically retry requests on 403 (Access Denied) or other server errors. In the past Squid has done this to work around problems with misconfigured/malfunctioning peers in complex cache hierarchies. If you want to revert Squid back to the old behaviour of aggressively retry failed requests then enable the new "retry_on_error" squid.conf directive.
severity Medium
date 2005-02-23 00:11
bugzilla #1210
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-retry_on_error.patch

fqdn lookups with spaces may confuse redirectors

synopsis This patch makes Squid ignore fqdn DNS responses with spaces in the returnedhostname. Spaces are not valid in internet hostnames.
severity Minor
date 2005-02-21 17:02
bugzilla #1222
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-fqdn_spaces.patch

Display FTP URLs in decoded format to allow for sane display of national characters etc

synopsis FTP URLs was displayed in "raw" format, making them look very ugly in precense of national characers or other characters outside of the plain US-ASCII alphabet.
severity Cosmetic
date 2005-02-21 03:38
bugzilla #1220
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-ftp_url_display.patch

Peer related memory leaks on "squid -k reconfigure"

synopsis This patch corrects two peer related memory leaks on "squid -k reconfigure", one related to digests the other related to cache_peer_access. In addition it speeds up cancellation of nullified events to make it easier to detect reconfigure related memory leaks.
severity Minor
date 2005-02-21 02:58
bugzilla #1246
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-reconfigure_peer_leaks.patch

Doesn't work specifying the AR variable to configure

synopsis Due to a minor bug in automake it is not possible to specify the archiver proram (AR) when running configure.
severity Cosmetic
date 2005-02-21 01:38
bugzilla #1243
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-ar.patch
workaround Specify the AR variable when running make

GCC4 warnings

synopsis This patch makes Squid compile without warnings using GCC4. Purely cosmetic changes.
severity Cosmetic
date 2005-02-20 19:11
bugzilla #1211
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-gcc4.patch
workaround Use an older less picky GCC version

Relax header parsing slightly again to work around broken web servers

synopsis Squid-2.5.STABLE8 introduced a new stricter HTTP protocol parser rejecting malformed HTTP responses. Due to the large number of broken web servers this patch extends the relaxed_header_parser directive to work around even more malformed HTTP responses than it did in 2.5.STABLE8.
severity Minor
date 2005-02-20 10:47
bugzilla #1242
versions Squid-2.5.STABLE8
platforms All
patch squid-2.5.STABLE8-relaxed_header_parser.patch
workaround The correct fix to this problem is to have the malfunctioning web servers corrected.

FTP URL cleanups

synopsis Some minor cleanups of FTP URLs, mainly to work better with Mozilla
severity Cosmetic
date 2005-02-15 02:14
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-ftp_cleanup.patch

Allow high characters in generated FTP and Gopher directory listings

synopsis Squid translated all non-ASCII octets in generated HTML content such as FTP or Gopher listings into entity codes.
severity Cosmetic
date 2005-02-15 01:07
bugzilla #1220
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE8-html_high_chars.patch

Cross-platform format fixes

synopsis This patch fixes some cross-platform build format warnings.
severity Cosmetic
date 2005-02-20 11:03
versions Squid-2.5 and earlier
platforms Solaris, FreeBSD, Linux and maybe others
patch squid-2.5.STABLE8-format_fixes.patch

Assertion failure on certain odd DNS responses

synopsis Squid may abort with "xstrndup: Asserton 'n' failed" or other errors when receiving certain odd DNS responses
severity Major
date 2005-02-13 05:58
bugzilla #1234
versions Squid-2.5.STABLE5 to 2.5.STABLE8
platforms All
patch squid-2.5.STABLE8-dns_assert.patch
workaround The risk is reduced with "log_fqdn off" (the default setting)

2.5.STABLE7 Patches

Patches released after the 2.5.STABLE7 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Data corruption when HTTP reply headers is split in several packets

synopsis Under certain conditions involving HTTP headers split over multiple reply packets the HTTP reply may be corrupted by Squid. Symptoms range from hanging requests to corrupted data or error messages about the reply sent to the clients (usually "httpProcessReplyHeader: Too large reply header")
severity Major
date 2005-02-11 10:59
bugzilla #1233
versions Squid-2.5.STABLE7
platforms All
patch squid-2.5.STABLE7-split_headers.patch

Improve password handling in FTP gatewaying of ftp://user@host URLs

synopsis This patch improves handling of passwords in non-anonymous FTP requests using ftp://user@host/ syntax slightly. Note: Neither MSIE or Mozilla supports this URL syntax and only accepts ftp://user:password@host/
severity Cosmetic
date 2005-02-06 00:57
bugzilla #1226
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-ftp_password.patch
workaround Close your browser if you enter the wrong password

WCCP easily disturbed by forged packets

synopsis The WCCP control channel is easily disturbed if users sends forged WCCP pakets to the Squid cache.
severity Minor
date 2005-02-04 11:41
bugzilla #1225
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-wccp_disturb.patch
workaround Firewall the WCCP port making sure only your WCCP router can send WCCP packets to Squid. This is highly recommended even with this patch due to the lack of security within the WCCP protocol.

Persistent connection trouble on failed PUT/POST requests

synopsis Failed PUT/POST requests can cause the next request to the same server to hang or behave oddly. Warnings about wrstate != NULL may also be seen in cache.log.
severity Medium
date 2005-02-04 00:33
bugzilla #1122
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-server_post.patch
workaround server_persistent_connections off

Segmentation fault on failed PUT/POST request

synopsis An inconsistent state is entered on a failed PUT/POST request making a high risk for segmentation faults or other strange errors
severity Major
date 2005-02-04 00:12
bugzilla #1224
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-post.patch

Sporadic segmentation fault when using ntlm authentication

synopsis A race window in NTLM authentication and interactions with the backend helper could cause Squid to abort with a segmentation fault
severity Minor
date 2005-02-03 23:27
bugzilla #1127
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-ntlm_segfault.patch

LDAP helpers sends slightly malformed search requests

synopsis The LDAP helpers sends slightly incorrect search requests when looking for the user DN.
severity Minor
date 2005-02-03 23:17
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-ldap_search.patch
workaround None needed. All known LDAP servers accepts the search query as-is.

Correct handling of oversized reply headers

synopsis This patch addresses a HTTP protocol mismatch related to oversized reply headers. In addition it enhances the cache.log reporting on reply header parsing failures to make it easier to track down which sites are malfunctioning.
severity Security issue
date 2005-01-31 22:50
bugzilla #1216
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-oversize_reply_headers.patch

Buffer overflow in WCCP recvfrom() call

synopsis The length argument of the WCCP recvfrom() call is larger than it should be. An attacker may send a larger-than-normal WCCP packet and overflow a buffer.
severity Security issue
date 2005-01-28 23:16
bugzilla #1217
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-wccp_buffer_overflow.patch

Strengthen Squid from HTTP response splitting cache pollution attack

synopsis This patch additionaly strengthens Squid from the HTTP response splitting cache pollution attack described by Sanctum.
severity Security issue
date 2005-01-31 01:50
bugzilla #1200
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-response_splitting.patch

Icons fails to load on non-anonymous FTP when using short_icons_url directive

synopsis Icons fails to load on non-anonymous FTP when using short_icons_url directive
severity Minor
date 2005-01-21 12:10
bugzilla #1203
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-short_icons_urls.patch
workaround Leave short_icons_url in it's default "off" setting, and make sure clients know how to fetch the icons by full URL to Squid.

FTP data connection fails on some FTP servers when requesting directory without a trailing slash

synopsis Some FTP servers incorrectly drops already established data channel connections after a failed command. This patch makes Squid work around this by always opening a new FTP data channel before attempting to retreive a directory listing or a file from the FTP server.
severity Minor
date 2005-01-21 12:10
bugzilla #1154
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-ftp_datachannel.patch
workaround Use the correct FTP URL for the resource in question

Disable Path-MTU discovery on intercepted requests

synopsis This patch adds a new configuration directive httpd_accel_no_pmtu_disc directive to allow easy setup to disable path MTU discovery in certain interception proxy environments (WCCP, Route maps etc where ICMP is not redirected proper by the intercepting device)
severity Minor
date 2005-01-21 12:10
bugzilla #1154
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch
workaround Use firewall rules to remove the DF flag on return traffic to your clients on intercepted requests, or ask the users to configure the proxy settings.

Reject malformed HTTP requests and responses that conflict with the HTTP specifications

synopsis This patch makes Squid considerably stricter while parsing the HTTP protocol.
  1. A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid's cache to be poisioned with bad content in certain situations.
  2. CR characters is only allowed as part of the CR NL line terminator, not alone. This to ensure that all involved agrees on the structure of HTTP headers.
  3. Rejects requests/responses that have whitespace in an HTTP header name.
The patch also adds a new relaxed_header_parser directive which defaults to on. If set off Squid will become really strict about CR characters and whitespace in header names, while in the default on setting Squid will ignore (and automatically clean up) common deviations from these parts of the HTTP specification.
severity Security issue
date 2005-02-10 10:14
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-header_parsing.patch
workaround Disable client- and server-side persistent connections. This will limit the impact of mismatches in HTTP protocol parsing somewhat, but not fully.

Sanity check usernames in squid_ldap_auth

synopsis LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting
severity Minor Secuity issue
date 2005-01-17 04:29
bugzilla #1187
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-ldap_spaces.patch
workaround Block logins with spaces
	acl login_with_spaces proxy_auth_regex [:space:]
	http_access deny login_with_spaces
	

FQDN names truncated on compressed DNS responses

synopsis In certain conditions involving compressed DNS responses returned host names could be truncated. This is most notably seen in client hostnames when using log_fqdn, but can also happen in the domain driven acls when the user requests a site by IP.
severity Minor
date 2005-01-17 02:52
bugzilla #1136
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-fqdn_truncated.patch
workaround --disable-internal-dns

Internal DNS memory leak on malformed responses

synopsis A slight memory leak in the processing of malformed DNS responses
severity Minor
date 2005-01-17 02:52
bugzilla #1197
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-dns_memleak.patch
workaround --disable-internal-dns

Denial of service with forged WCCP messages

synopsis WCCP_I_SEE_YOU messages contain a 'number of caches' field which should be between 1 and 32. Values outside that range may crash Squid if WCCP is enabled, and if an attacker can spoof UDP packets with the WCCP router's IP address.
severity Security issue
date 2005-01-12 17:21
bugzilla #1190
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-wccp_denial_of_service.patch
workaround WCCP is disabled by default. Make sure WCCP is enabled only if you are really using it. Make sure that your next-hop router does not allow spoofed source address packets onto the network where Squid runs.

buffer overflow bug in gopherToHTML()

synopsis A malicious gopher server may return a response with very long lines that cause a buffer overflow in Squid.
severity Security issue
date 2005-01-12 17:19
bugzilla #1189
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-gopher_html_parsing.patch
workaround Since gopher is very obscure these days, do not allow Squid to any gopher servers. Use an ACL rule like:
    acl Gopher proto gopher
    http_access deny Gopher

fakeauth_auth memory leak and NULL pointer access

synopsis The NTLM fakeauth_auth helper has a memory leak that may cause it to run out of memory under high load, or if it runs for a very long time. Additionally, a malformed NTLM type 3 message could cause a segmentation violation.
severity Medium
date 2005-01-08 03:13
bugzilla #1183
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-fakeauth_auth.patch
workaround The memory leak bug can be avoided by periodically restarting Squid.

Don't close "other" filedescriptors on startup

synopsis Previously, when Squid was started it forcibly closed all "other" filedescriptors other than stdin/stdout/stderr. While this is a reasonable security precaution to clean up filedescriptor leakage from the caller it crashes some SSL libraries and possibly other functions which opens internal filedescriptors on startup or while the configuration is parsed (syslog likely candidate) The reasoning in removing this function from Squid is that if the one starting Squid has other filedescriptors open and not closing them this is their problem, not ours.
severity Minor
date 2004-12-28 12:55
bugzilla #1177
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-close_other.patch
workaround If you need earlier Squid versions to not forcibly close all filedescriptors then start SQuid in foreground mode (-N) with catching of signals disabled (-C).

To gain the functionality that all filedescriptors is closed on startup after applying the patch wrap Squid in a small warpper binary which closes all filedescriptors and then exec:s Squid.

Confusing results on empty acl declarations

synopsis The meaning of the access controls becomes somewhat confusing if any of the referenced acls is declared empty, without any members.
severity Minor Security
date 2004-12-27 18:54
bugzilla #1166
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-empty_acls.patch
workaround Pay attention to warnings from "squid -k parse" and do not use configurations where there are warnings about access controls in production.

cachemgr vm_objects segfault

synopsis The cachemgr vm_objects operation occationally causes Squid to crash with a segmentation fault.
severity Minor
date 2004-12-08 01:03
bugzilla #1149
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-cachemgr_vmobjects.patch

httpd_accel_port 0 (virtual) not working correctly

synopsis httpd_accel_port 0 did not work unless httpd_accel_host virtual was also specified.
severity Minor
date 2004-12-08 00:47
bugzilla #1121
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-httpd_accel_vport.patch
workaround enable httpd_accel_host virtual if you need the virtual port support.

PURGE is allowed to delete internal objects

synopsis this patch adds an access check to deny PURGE of internal objects, to prevent the administrator from accidently deleting the icons or other internal objects.
severity Minor
date 2004-12-08 00:00
bugzilla #1112
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-PURGE_internal.patch
workaround Make sure your http_access rules do not allow PURGE of the internal objects.

Random error messages in response to malformed host name

synopsis In certain conditions Squid returns random data as error messages in response to malformed host name, possibly leaking random internal information which may come from other requests.
severity Cosmetic / Minor Security issue
date 2004-12-07 23:45
bugzilla #1143
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-dothost.patch

Squid fails to close TCP connection after blank HTTP response

synopsis In certain malformed blank HTTP responses Squid fails to properly close the client connection, causing a significant delay to the client
severity Minor
date 2004-11-07 23:37
bugzilla #1116
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-blank_response.patch
workaround client_persistent_connections off

100% CPU on startup on new/experimental Linux kernels due to O_NONBLOCK

synopsis O_NONBLOCK on disk files is not is not standardized, and results may be unexpected. Linux now starts to add O_NONBLOCK support on disk files but the implementation is far from complete yet and this bites Squid.
severity Minor
date 2004-11-06 21:42
bugzilla #1102
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-non_blocking_disk.patch

Failure to shut down busy helpers on -k rotate/reconfigure

synopsis If a helper was busy at the time of helper shutdown (-k rotate/reconfigure) then Squid could forget to shut down the helper and continues using it.
severity Minor
date 2004-11-06 15:28
bugzilla #1118
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-helper_shutdown.patch

The new req_header and resp_header acls segfaults immediately on parse of squid.conf

synopsis The implementation of the new req_header and resp_header acls was not complete, causing Squid to crash with a segmentation fault it one attempted to configure these. In addition the configuration dump on mgr:config showed incomplete data
severity Minor
date 2004-10-20 23:23
bugzilla #961
versions Squid-2.5.STABLE7
platforms All
patch squid-2.5.STABLE7_req_resp_header.patch

Document -v (protocol version) option to LDAP helpers

synopsis Since some time back the LDAP helpers have a -v option to specify the LDAP protocol version, but this never got documented in the manpage.
severity Cosmetic
date 2004-10-19 10:09
versions Squid-2.5
platforms All
patch squid-2.5.STABLE7-LDAP_version_documentation.patch

100% CPU usage on half-closed PUT/POST requests

synopsis Squid enters a 100% CPU usage condition when encountering a half-closed PUT/POST requests. The situation persists until either the request times out, or Squid succeeds in forwarding the request data to the server. Apart from the 100% CPU usage there is no other illeffects of this bug, and Squid continues processing requests like normal.
severity Minor
date 2004-10-14 22:48
bugzilla #354, #1096
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE7-half_closed_POST.patch
workaround half_closed_clients off

2.5.STABLE6 Patches

Patches released after the 2.5.STABLE6 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

SNMP related denial of service

synopsis If certain malformed SNMP request is received Squid restarts with a Segmentation Fault error.
severity Security issue
date 2004-09-29 21:23
bugzilla CAN-2004-0918
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-SNMP_core_dump.patch
workaround SNMP support is by default not compiled into the binary. If your binary is built with SNMP support you can temporarily disable the SNMP support by entering "snmp_port 0" into squid.conf.

There should be a default mempool limit

synopsis By default Squid-2.5.STABLE6 and ealier allows memory pools to grow without bounds and never reclaims memory to the OS. This patch adds a default limit of 5 MB unused memory.
severity Minor
date 2004-10-08 17:46
bugzilla #1095
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-memory_pools_limit.patch
workaround delay_pools_limit 5 MB

Possible instability on aborted POST/PUT requests

synopsis It is suspected there may be an instability on aborted POST/PUT requests in certain conditions. This patch restructures and strengthens the way Squid processes request entitites of POST/PUT requests.
severity Medium
date 2004-10-07 17:04
bugzilla #1089
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-aborted_POST.patch

Odd things happens on large HTTP reply headers

synopsis Squid behaves somewhat oddly if the server returns large HTTP headers. This patch increases the header size Squid is capable of fully understanding from 4KB to a new configurable reply_header_max_size parameter with default of 20KB
severity Medium
date 2004-10-05 21:38
bugzilla #874
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-reply_header_max_size.patch

CARP ignores cache_peer_domain/cache_peer_access

synopsis When using the CARP peer selection algorithm (not enabled by default) Squid ignores the cache_peer_domain/cache_peer_access directives.
severity Minor
date 2004-09-30 09:28
bugzilla #1033
versions Squid-2.5 and earlier
platforms All
configuration CARP enabled Squids only (--enable-carp configure option)
patch squid-2.5.STABLE6-CARP-cache_peer_access.patch
workaround Do not build Squid with the CARP peer selection algorithm

balance_on_multiple_ip squid.conf directive

synopsis This patch adds a new balance_on_multiple_ip squid.conf directive which can be used to work around certain broken load balancing setups. In addition it optimizes the DNS usage on reload requests and speeds up recovery when encountering non-responding servers.
severity Minor
date 2004-09-27 18:23
bugzilla #1058
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-balance_on_multiple_ip.patch

Race window and poor responsiveness to aborted CONNECT requests

synopsis The way Squid dealed with aborted CONNECT requests was sub-optimal and could in some rare situations end up in a race window.
severity Minor
date 2004-09-27 18:10
bugzilla #859
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-CONNECT.patch

Support the --program-prefix and other program name transforms

synopsis In certain specific installations it may be desireable to install Squid using transformed programnames using the --program-prefix/suffix configure options.
severity Cosmetic
date 2004-09-25 21:42
bugzilla #1019
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-program-prefix.patch

Document the caseinsensitive basic auth option

synopsis Correct the documentation of the caseinsensitive basic auth option and include it in cachemgr config dumps
severity Cosmetic
bugzilla #431
versions Squid-2.5.STABLE6 + case insensitive patch
platforms All

ncsa_auth is sensitive on line ending format

synopsis ncsa_auth is sensitive on the line ending format of the password file and may fail to verify the passwords is the password file is transferred between UNIX and Windows.
severity Cosmetic
date 2004-09-25 20:57
bugzilla #1078
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-ncsa_auth_lineendings.patch
workaround Make sure the password file is transferred in ASCII format when moving it between systems.

Add support for arbitrary headers acess controls

synopsis This patch adds support for access controls on arbitrary HTTP headers. http_header_access & replace extended to support arbitrary HTTP headers, not only well known headers, and adds two new acl types req_header and resp_header to match content of arbitrary HTTP headers, useful for blocking certain types of malware/spyware.
severity Medium
date 2004-09-25 12:00
bugzilla #961
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-arbitrary_headers.patch

Limit internal send/receive buffers

synopsis In certain misguided OS configurations where the default TCP windows sizes have been tuned very large Squid could fail to run properly, crashing on the first request with no message explaining why.
severity Minor
date 2004-09-26 21:22
bugzilla #1075
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-huge_tcp_windows.patch
workaround Do not configure your OS with overly large TCP windows. The defaults is usually good or at least not totally out of range.

arp acls is supported on FreeBSD these days..

synopsis arp acls are supported on FreeBSD since Squid-2.5.STABLE6 but configure still warned that it was not supported.
severity Cosmetic
date 2004-10-10 02:38
bugzilla #1074
versions Squid-2.5
platforms FreeBSD
patch squid-2.5.STABLE6-freebsd_arp_nowarning.patch
workaround None needed, just ignore the warning.

Squid does not recognise Content-Disposition header

synopsis Squid does not recognise Content-Disposition header making it impossible to use in http_header_access
severity Minor
date 2004-09-01 13:59
bugzilla #961
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-Content-Disposition.patch

cachemge config dumps mixed up Range and Request-Range headers

synopsis Due to an internal error in httpHeaderNameById() configuration dumps of http_header_* directives referring to Range or Request-Range headers indicated the other header.
severity Cosmetic
date 2004-09-01 13:09
bugzilla #1056
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-http_header_range.patch
workaround Ignore the confusing cachemgr configuration dump output

acl time fails to parse multiple time specifications correctly

synopsis "acl time 01:00-02:00 03:00-04:00" is parsed as if only the last time 03:00-04:00 was specified.
severity Minor
date 2004-09-01 12:25
bugzilla #1060
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-acl_times.patch
workaround Split the acl definition to use one time per line, all using the same acl name.

Segfault in CvtBin / authenticateDigestHandleReply

synopsis If the digest helper crashes or otherwise exits unexpectedly Squid terminates with a segmentation fault.
severity Minor
date 2004-08-28 22:46
bugzilla #1031
versions Squid-2.5
platforms All
configuration Only if the digest authentication scheme is used (auth_param digest ...).
patch squid-2.5.STABLE6-digest_crash.patch
workaround If this problem plauges you a lot then you can temporary disable the digest authentication scheme by commenting out the "auth_param digest program .." configuration directive in your squid.conf.

assertion failed: comm.c:430: "n_ufs_dirs <= Config.cacheSwap.n_configured"

synopsis If a cache_dir or swap.state.clean file is not writeable then Squid aborts with the above assertion error during "squid -k rotate", and this before all log files have been rotated. This patch makes this a soft error but clearly logged in cache.log, giving the administrator a reasonable chance to clear up the error
severity Minor
date 2004-08-25 21:11
bugzilla #1053
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-rotate_error.patch

Temporary NTLM memory leak with challenge reuse enabled

synopsis If challenge-reuse is enabled then NTLM authentication could temporarily build up response cache information related to old challenges until the user expires from the auth cache. This patch discards old responses when the challenge becomes invalid (after which it won't be used again).
severity Minor
date 2004-08-25 20:30
bugzilla #910
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-ntlm_challengereuse_leak.patch

Memory leaks when using NTLM authentication without challenge reuse

synopsis The helper state was not properly freed between client connections, causing a slow leak of memory for each challenge issued with challenge reuse disabled.
severity Medium
date 2004-08-25 20:30
bugzilla #994
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-ntlm_noreuse_leak.patch

NTLM authentication denial of service

synopsis Certain malformed NTLMSSP packets could crash the NTLM helpers provided by Squid.
severity Major
date 2004-08-20 08:18
bugzilla #1045
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-ntlm_fetch_string.patch
workaround Use ntlm_auth from Samba-3.X which is not affected by this issue, or disable ntlm authentication by removing any "auth_param ntlm program ..." directives from your squid.conf.

external_acl does not handle newlines

synopsis The external_acl helper protocol format does not handle newlines in the embedded data. This patch adds support for quoting of newlines as \n and also adds support for URL encoding of the data instead of quoting. URL encoding will be the default in Squid-3.0 as this is a well known format and generally easier to deal with than the quoting used in Squid-2.5.
severity Minor
date 2004-08-14 21:07
bugzilla #1038
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-external_acl_newlines.patch
workaround Generally no workaround is needed as the need for newlines in external_acl helpers is very rare.

Supplementary group memberships not set

synopsis cache_effective_user should gain the supplementary group memberships of the specified user. This is required to be able to configure sane permissions of several authentication backends such as pam_auth or winbind. In addition cache_effective_group should not be ignored when not starting Squid as root. If cache_effective_group is specified Squid should run as this and only this group.
severity Minor
date 2004-08-09 14:03
bugzilla #1021
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-initgroups.patch
workaround Configure your system to only have Squid require a single effective privileged group, or start Squid as a non-root user in which case it preserves the same groups as the user starting Squid. When not starting Squid as root make sure to not have any group permissions yout Squid should not have.

Segfaults and other strange crashes when using heap policies

synopsis A bug in the heap policy code in dealign with temporarily locked objects could cause memory corruption, leading to segmentation faults or other strange crashes.
severity Medium
date 2004-08-05 20:33
bugzilla #1009
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-heap_segfault.patch
workaround Use the default lru polic.

Unknown %X errorpage codes incorrectly quoted

synopsis Squid is supposed to leave unknown %X errorpage codes untouched but accidently HTML quoted them causing %" to end up as %"
severity Cosmetic
date 2004-08-06 11:05
bugzilla #1030
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-errorpage_quote.patch
workaround Use %% where you want a literal % in the resulting HTML code in your error pages. This is the official syntax for % in Squid error pages. Relying on today undefined %X codes such as %" to be preserved is not very reliable as new codes may be defined in later versions.

Grammatical corrections in squid.conf.default

synopsis Several gramatical errors in the squid.conf.default documentation
severity Cosmetic
date 2004-08-17 12:22
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-grammar.patch
workaround Ignore the poor english

NTLM authentication truncated

synopsis A slight misunderstanding of the NTLM protocol caused Squid to sometimes truncate NTLM authentication blobs, causing the login to consequently fail for some users/environments.
severity Minor
date 2004-07-27 21:52
bugzilla #1016
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-ntlmtruncated.patch

Memory leak in client_db

synopsis The client_db database was never cleaned from old entries causing it to grow over time to eventually include every single IP address ever accessing the proxy (allowed or not). This patch adds a slow garbage collector throwing away old or otherwise uninteresting entries from the client database.
severity Minor
date 2004-12-20 15:27
bugzilla #833
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-client_db_gc.patch
workaround If the proxy is publically accessible on the http_port (even if then denied by http_access) make sure to set "client_db off" in squid.conf to disable the collection of per client-ip statistics. Note: the max_ip acl requires per-client ip statistics.

Add delay pools information to active_requests

synopsis This patch adds information about the active delay pool in cachemgr active_requests entry.
severity Cosmetic
date 2004-07-17 20:11
bugzilla #882
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-active_requests_delaypool.patch

case insensitive authentication

synopsis Most authentication backends are case insensitive on the user name, and so should Squid. (with option for case sensitive operation). This affects primarily the max_user_ip acl, but also processing of log files etc.
severity Minor
date 2004-09-25 21:08
bugzilla #431
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-basic_auth_caseinsensitive-2.patch
workaround Make sure your backend user database is case sensitive if you use max_user_ip or similar constructs

Warn if cache_dir ufs can not create files

synopsis If the cache directory for some reason is now writeable then Squid silently ignored the error until it no longer could find any free file numbers. This patch adds a warning in cache.log explaining the error.
severity Cosmetic
date 2004-07-17 19:48
bugzilla #918
versions Squid-2.5
platforms All
patch squid-2.5.STABLE6-ufs_create_error.patch

HEAD requests may return stale information

synopsis A slight misunderstanding of the HTTP RFC could cause Squid to return stale information in response to a HEAD request.
severity Cosmetic
date 2004-07-17 16:33
bugzilla #1012
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-HEAD.patch

Partial hit results in TCP_HIT, not TCP_MISS

synopsis Partial hits on objectscurrently being retrieved results in TCP_HIT, even when the requested data is not yet in the cache. This patch logs these requests as TCP_MISS.
severity Minor
date 2004-07-17 16:33
bugzilla #1001
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-partial_hit_is_miss.patch

request_header_max_size configuration option doesn't work correctly

synopsis Squid accepted slightly larger request headers than set by the request_header_max_size directive.
severity Cosmetic
date 2004-07-17 16:33
bugzilla #899
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-request_header_max_size.patch

A large number of queued DNS lookups for the same domain

synopsis this patch merges pending lookups for the same domain until retransmission timeout.
severity Minor
date 2004-07-29 13:29
bugzilla #852
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-concurrent_dns_lookups.patch

LDAP helpers update

synopsis This LDAP helper update corrects some errors in the documentation and adds two new options to squid_ldap_auth to accomodate certain LDAP directories with restrictions on how users may log in.
severity Minor
date 2004-08-10 09:40
bugzilla #1018, #1032
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE6-ldap_helpers.patch

storeCreate: no valid swapdirs for this object

synopsis In some configurations/environment the ufs store would refuse caching of all files, always resulting in the above error message.
severity Medium
date 2004-07-14 16:29
bugzilla #1011
versions Squid-2.5.STABLE6
platforms All
patch squid-2.5.STABLE6-ufs_no_valid_dir.patch

2.5.STABLE5 Patches

Patches released after the 2.5.STABLE5 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Overflow bug in Squid's ntlm_auth helper.

synopsis Users may be able to generate long passwords that overflow a buffer in the ntlm_auth helper. See also Squid Advisory 2004:2
severity Security issue
date 2004-06-18 17:39
versions Squid-2.5 up to STABLE5
platforms All
patch squid-2.5.STABLE5-ntlm_auth_overflow.patch
workaround Use the ntlm_auth helper that comes with the Samba-3 package instead. If that is not an option, stop using the ntlm_auth helper until you've upgraded to Squid-2.5.STABLE6.

sasl_auth doesn't compile with SALS2

synopsis SASL2 uses a slightly different API and sasl_auth needs to be adjusted slightly to work with both SASL1 and SASL2.
severity Minor
date 2004-06-19 17:47
bugzilla #981
versions Squid-2.5
platforms All
patch squid-2.5.STABLE5-sasl_auth_SASL2.patch
workaround Install SALS1 development libraries

Segmentation fault after "Likely proxy abuse detected"

synopsis Under certain conditions Squid crashes with a "Segmentation Fault" after the above warning message has been printed in cache.log.
severity Major
date 2004-06-08 11:01
bugzilla #972
versions Squid-2.5.STABLE5
platforms All
patch squid-2.5.STABLE5-proxy_abuse.patch

Negative size in access.log on long running CONNECT requests

synopsis Due to 2GB limitations of 32-but CPUs long running CONNECT requests coult indicate a negative size in the access.log if more than 2GB of data had been transferred. This patch crops stops the counter at approximately 2GB and thereby making sure very large CONNECT requests gets logged as 2GB rather than negative.
severity Cosmetic
date 2004-06-07 21:25
bugzilla #941
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-CONNECT_log_size.patch

Segfault in memBufVPrintf on certain architectures requiring va_copy

synopsis Certain platforms require the use of va_copy to duplicate a va_list variable. On these platforms memBufVPrintf would crash if it needed to allocate memory.
severity Medium
date 2004-06-06 15:40
bugzilla #753
versions Squid-2.5 and earlier
platforms S390, maybe others
patch squid-2.5.STABLE5-va_copy.patch

msnt_auth documentation update

synopsis msnt_auth basic authentication helper documentation update
severity Cosmetic
date 2004-06-01 00:00
bugzilla #717
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-msnt_auth_doc.patch

dns_servers should default to localhost if no resolv.conf

synopsis dns_servers should default to localhost if no resolv.conf
severity Cosmetic
date 2004-05-31 23:37
bugzilla #991
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-dns_localhost.patch

FTP directory listing HTML DOCTYPE misread by some tools

synopsis Certain thirt party tools misreads the HTML DOCTYPE indicated by Squid in FTP directory listings.
severity Cosmetic
date 2004-05-31 23:37
bugzilla #969
versions Squid-2.5
platforms All
patch squid-2.5.STABLE5-ftp_html_doctype.patch

fix compilation on OpenBSD/m88k

synopsis One earlier workaround for other m88k based systems caused trouble for OpenBSD where this workaround is not needed.
severity Minor
date 2004-06-01 08:26
bugzilla #960
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-openbsd_m88k.patch

Show client ip in cache.log debug output

synopsis To make it easier to correlate cache.log debug output to client requests include the client address information when accepting a new client connection.
severity Cosmetic
date 2004-05-31 22:59
bugzilla #948
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-debug_client_ip.patch

cacheCurrentUnlinkRequests should be a counter, not gauge

synopsis The cacheCurrentUnlinkRequests SNMP variable is a counter, not a gauge.
severity Minor
date 2004-05-31 22:43
bugzilla #946
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-cacheCurrentUnlinkRequests.patch
workaround Force your SNMP collector to read the SNMP variable as a counter even if Squid indicates it is a gauge.

store_dir_select_algorithm least-load doesn't work for ufs cache_dir type

synopsis The ufs cache_dir type always indicated a load of 99.9% invalidating the least-load cache_dir selection algorithm. This patch makes the ufs cache_dir type return a load between 50% and 100% based on the number of open filedescriptors.
severity Minor
date 2004-05-31 22:08
bugzilla #676
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-least-load.patch
workaround Use the round-robin algorithm instead

Very large cache_mem values reported wrongly in cache.log

synopsis Very large cache_mem values may cause the amount of memory cache to be reported negatively in cahce.log.
severity Cosmetic
date 2004-05-31 21:32
bugzilla #570
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-large_cache_mem.patch
workaround Make sure your cache_mem is specified smaller than 2 GB.

range_offset_limit -1 KB rejected as invalid syntax

synopsis The fix for bug #817 broke "range_offset_limit -1 KB" which is documented as a method of allowing Squid to always fetch full objects in response to range requests.
severity Minor
date 2004-04-30 00:01
bugzilla #968
versions Squid-2.5.STABLE5
platforms All
patch squid-2.5.STABLE5-range_offset_limit.patch
workaround Specify a large object size (but not larger than 2000 MB)

Negative cached 404 replies with VARY header never matches

synopsis Negatively cached objects with a Vary header never matches on cache hits unless there is a positively cached object on the same URL.
severity Minor
date 2004-04-24 14:10
bugzilla #616
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-vary_negatively.patch

Spelling error in Turkish ERR_DNS_FAIL

synopsis Small spelling error in the Turkish ERR_DNS_FAIL error page
severity Cosmetic
date 2004-04-20 12:38
bugzilla #950
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-turkish_ERR_DNS_FAIL.patch
workaround None needed

Clarify meaning of ERR in digest helper protocol

synopsis This patch clarifies the meaning of the ERR keyword in the digest helper protocol.
severity Cosmetic
date 2004-04-20 12:38
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-digest_ERR.patch
workaround None needed

Spelling corrections in configure and squid.conf.default

synopsis A few spelling errors and the like in configure and squid.conf.default
severity Cosmetic
date 2004-04-20 12:30
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-spelling.patch
workaround Live with them. No negative impact.

assertion failed: errorpage.c:292: "mem->inmem_hi == 0"

synopsis In certain rare conditions invovling failed POST/PUT requests Squid could abort with the above assertion failure.
severity Medium
date 2004-04-18 23:46
bugzilla #943
versions Squid-2.5.STABLE5
platforms All
patch squid-2.5.STABLE5-post_assert.patch

Segment violation when using a blank user name in digest authentication

synopsis If using Digest authentication then users can crash Squid with a segmentation fault simply by entering a blank user name
severity Major
date 2004-04-18 01:33
bugzilla #954
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-digest_blank.patch
workaround Disable the use of Digest authentication in your squid.conf (not enabled by default)

rfc1035NameUnpack: Assertion (*off) < sz failed

synopsis Upon receiving truncated DNS replies Squid may abort with the above assertion.
severity Medium
date 2004-04-11 09:19
bugzilla #962
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-rfc1035NameUnpack.patch
workaround Compile with --disable-internal-dns

ntlm/auth_ntlm.c(683): warning #187: use of "=" where "==" may have been intended

synopsis A minor typo in the Squid sources spotted by new versions of GCC
severity Cosmetic
date 2004-04-06 14:12
bugzilla RedHat Bug 111254
versions Squid-2.5.STABLE5 and earlier
platforms All
patch squid-2.5.STABLE5-ntlm_warning.patch
workaround Ignore the warning

cache_swap_log documentation referred to swap.state by it's old swap.log name

synopsis swap.log was renamed to swap.state very many versions ago, but squid.conf documentation still referred to the old "swap.log" name.
severity Cosmetic
date 2004-04-03 13:54
bugzilla #956
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-cache_swap_log.patch

CONNECT timeout should produce a 504 or 503

synopsis Squid should send a "504 Gateway Timeout" or "503 Service Unavailable" if the requested server in the CONNECT request is not reachable, not just close the connection.
severity Minor
date 2004-03-29 10:02
bugzilla #495
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE5-CONNECT_timeout.patch

deny_info redirection with requested URL escaped wrongly

synopsis %s in deny_info escaped the URL wrongly, applying both HTML and URL escaping to the original URL
severity Minor
date 2004-03-29 09:47
bugzilla #947
versions Squid-2.5
platforms All
patch squid-2.5.STABLE5-deny_info.patch
workaround Decode & etc manually in the receiving application

Version number includes -CVS if autoconf is run

synopsis This patch is mostly intended for binary packagers which runs autoconf (or the bootstrap.sh) script while building Squid. Due to a minor error in our distribution scripts configure.in still indicated a -CVS version in the stable distribution. This was not our intention.
severity Cosmetic
date 2004-03-19 09:17
versions Squid-2.5
platforms All
patch squid-2.5.STABLE5-version.patch

100% CPU usage on Linux-2.2

synopsis Due to a defiance in the poll() specification regarding POLL_HUP Squid can end up in a temporary 100% CPU loop on half-closed connections.
severity Minor
date 2004-03-19 09:12
versions Squid-2.5 and earlier
platforms Linux-2.2 only
patch squid-2.5.STABLE5-lin22_poll.patch
workaround "half_closed_clients off" or --disable-poll configure option.

"Vary: *" is ignored

synopsis Squid-2.5 ignores "Vary: *" headers, possibly returning unacceptable cache hits if such header is present.
severity Medium
date 2004-03-19 09:02
bugzilla #426
versions Squid-2.5
platforms All
patch squid-2.5.STABLE5-vary.patch

Add pkg-config support for finding correct OpenSSL compile flags

synopsis On some systems finding the correct flags for compiling applications using OpenSSL is somewhat tricky. Fortunately some of these systems provide the pkg-config tool which can be used to query what the OpenSSL package (and many other) require. This patch adds automatic support for using pkg-config if available.
severity Cosmetic
date 2004-03-12 10:13
bugzilla #940, #305
versions Squid-2.5
platforms All
configuration --enable-ssl
patch squid-2.5.STABLE5-pkgconfig.patch
workaround On most systems no workaround is needed, but where needed you manually need to edit src/Makefile after running configure to provide the correct compiler flags for compiling applications using OpenSSL.

Helper queue warnings inprecice on the number of helpers required

synopsis The warning message when running out of helpers (redirectors, authentication etc) was a little inprecise on the number of helpers required.
severity Cosmetic
date 2004-03-11 15:29
versions Squid-2.5.STABLE5
platforms All
patch squid-2.5.STABLE5-helper_warning.patch

squid_ldap_auth can be confused by the use of reserved characters

synopsis squid_ldap_auth may be confused by the use of reserved characters allowing the login name to be masqueraded in different manners possibly allowing the user to partially bypass certain per-user restrictions or confuse third party accounting packages.

Note that the user can not bypass the login procedure as such. All he can do is to make the login name look different than normal. There is still full audit trails on who the user is etc.

The patch also adds and documents a -d flag to both squid_ldap_auth and squid_ldap_group to allow for easier tracing of the operation of these programs if results is not what is expected.

severity Medium
date 2004-03-04 09:37
bugzilla #935
versions Squid-2.5 and earlier
platforms All
configuration configurations where squid_ldap_auth is used for authentication using a search filter (-f option) and where squid_ldap_group is not used to further restrict the valid usernames.
patch squid-2.5.STABLE5-ldap.patch
workaround Combine squid_ldap_auth with squid_ldap_group to only allow valid logins who are member of a certain group, or alternatively use a proxy_auth_regex acl to deny the use of any login using restricted characters

acl bad_login proxy_auth_regex [()\\*]
http_access deny bad_login

assertion failed: helper.c:323: "srv->flags.reserved"

synopsis If using ntlm authentication then Squid may randomly abort with the above assertion failure if a request is aborted while Squid waits for a response from the domain controller
severity Major
date 2004-03-01 23:55
bugzilla #937
versions Squid-2.5.STABLE5
platforms All
patch squid-2.5.STABLE5-ntlm_assert.patch
workaround half_closed_connections on (the default)

2.5.STABLE4 Patches

Patches released after the 2.5.STABLE4 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

authDigestNonceUnlink; Attempt to lower nonce 0x8505918 refcount below 0

synopsis This minor patch to tries to address a possible race condition causing the above error.
severity Minor
date 2003-11-06 14:51
bugzilla #781
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-digest_refcount.patch

rfc1738_unescape() changes %00 into a NULL

synopsis Squid "unescapes" URLs when performing certain ACL checks. This means, for example, that the URL http://junk%00@www.bad.site/ becomes just "http://junk" for the url_regex ACLs. Thus, it may not match ACL entries that it should match.
severity Security issue
versions Squid-2.5 and earlier
platforms All
workaround Avoid regex-based ACL checks or upgrade to the current version.

assertion failed: authenticate.c:818: "auth_user_request != NULL"

synopsis A recently committed patch to aclCheckCleanup() duplicated some lines and ends up calling authenticateAuthUserRequestUnlock() twice, the second time with a NULL value. This bug only happens if Squid is reconfigured while there is an outstanding authentication transaction.
severity Major
date 2004-02-28 14:09
bugzilla #933
versions 2.5.STABLE4-CVS after 2004/02/24
platforms All
patch squid-2.5.STABLE4-authenticateAuthUserRequestUnlock-assert.patch
workaround None

mime type missing for .bz2 and many other filetypes

synopsis Mime types missing for .bz2 and several other file types, causing slightly undesireable results when browsing ftp:// directories (viewed in browser rather than downloaded). The patch also make sure the download icon is always shown to make downloading more obvious
severity Minor
date 2004-02-26 20:27
bugzilla #594
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-mime.patch

Accept ftp://anonymous@ as a synonym for anonymous ftp

synopsis Some software incorrectly uses ftp://anonymous@server for anonymous FTP when the correct format is simply ftp://server.
severity Cosmetic
date 2004-02-24 23:34
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-anonymous_ftp.patch
workaround Use a redirector to remove anonymous@ from FTP URLs

Assertion failures when using ntlm auth outside http_access

synopsis The authfixes patch was incomplete and could still cause failures when using authentication outside of http_access.
severity Medium
date 2004-02-24 18:46
bugzilla #872
versions Squid-2.5.STABLE4 with authfixes patch
platforms All
patch squid-2.5.STABLE4-authfixes3.patch

Partial fix for auth_user_hash_pointer leak in NTLM authentication

synopsis There is a temporary auth_user_hash_pointer memory leak when using NTLM authentication, causing a lot of auth_user_hash_pointer structures to build up over time until the user expires from the auth cache (authenticate_ttl parameter). This patch corrects the problem when challenge reuses are disabled (the default).
severity Minor
date 2004-02-19 13:30
bugzilla #910
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch
workaround Set authenticate_ttl relatively short to have the memory reclaimed in a reasonable time frame.

Random segmentation fault when using digest authentication

synopsis If a request was aborted while Squid was waiting for the digest helper to return the H(A1) value for the user Squid crashes with a segmentation fault.
severity Medium
date 2004-02-19 12:44
bugzilla #825
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-digest-abort.patch

NTLM issues when using reply_body_max_size

synopsis Some instabilities have been observed while using ntlm authentication in reply_body_max_size.
severity Medium
date 2004-02-18 18:59
bugzilla #872
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-reply_body_max_size.patch

More authentication related bug fixes

synopsis This patch fixes yet two more authentication related issues
- segfault in basic auth if request aborted while evaluating the credentials
- memoryleak of clientHttpRequest is request aborted while evaluating the credentials
severity Medium
date 2004-02-18 17:54
bugzilla #922
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-authfixes2.patch

deny_info does not work for http_reply_access or miss_access

synopsis The deny_info directive fails to supply the configured error page in case the request is denied by http_reply_access or miss_access.
severity Minor
date 2004-02-18 13:48
bugzilla #926
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-deny_info_reply.patch
workaround Deny access in http_access if you need to provide a custom errror message, or edit the default error messages accordingly.

ARP ACL support for FreeBSD

synopsis This patch adds ARP ACL support for FreeBSD
severity Minor
date 2004-02-18 13:32
bugzilla #909
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-arp-FreeBSD.patch

Several authentication related bug fixes

synopsis This patch fixes several authentication related issues
- miss_access and delay_access works with authentcation again
- some fixes related to basic auth. These issues was probably introduced by the recent ntlm patch.
severity Medium
date 2004-02-18 18:53
bugzilla #922
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-authfixes.patch

squidclient auth headers malformed

synopsis If the proxy or web server authentication options of squidclient is used then the HTTP headers sent in the request is slightly malformed and may confuse other non-Squid software which is not as tolerant on HTTP format.
severity Minor
date 2004-02-18 03:50
bugzilla #925
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-squidclient_auth.patch

miss_access applies to internal and cachemgr requests even if these are local

synopsis The miss_access directive limits internal and cachemgr requests even if these requests are actually local and not really misses
severity Minor
date 2004-02-18 03:50
bugzilla #924
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-miss_access_internal.patch
workaround Allow internal and cachemgr requests in miss_access if these would otherwise be denied

SMB ntlm_auth fails to compile on certain platforms

synopsis helpers/ntlm_auth/SMB/ fails to compile on certain platforms, failing on non-standard malloc.h header.
severity Minor
date 2004-02-17 23:13
bugzilla #892
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-SMB_ntlm_auth.patch

wbinfo_group fails with Samba-3

synopsis A minor syntax error in wbinfo_group.pl makes it fail to find groups with Samba-3
severity Minor
date 2004-02-17 22:53
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-wbinfo_group.patch

cache_peer_access fails with NTLM authentication

synopsis cache_peer_access, always_direct, never_direct and a number of other acl driven directives fails with NTLM authentication
severity Medium
date 2004-02-12 16:27
bugzilla #585, #592
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-cache_peer_access_ntlm.patch
workaround Use Basic or Digest authentication

Squid stuck at 100% CPU loop in ipcache_purgelru, or segfault in the same

synopsis The squid-2.5.STABLE4-connect_cleanup.patch was not entirely correct and could cause memory corruption in certain situations involving negative DNS replies (host not found etc)
severity Major
date 2004-02-12 09:42
bugzilla #891
versions Squid-2.5.STABLE4-20031210 to 20040212
platforms All
patch squid-2.5.STABLE4-ipcache_purge.patch

squid_ldap_group -S option did not work

synopsis The -S and -E options in squid_ldap_group v2.12 was mixed up, making the options somewhat hard to use.
severity Minor
date 2004-02-09 17:10
bugzilla #911
versions Squid-2.5.STABLE4 + ldap_group 2.12 patch
platforms All
patch squid-2.5.STABLE4-ldap_group-S.patch
workaround Specify -E instead of -S.

Random auth popups and account lockouts when using NTLM

synopsis When using NTLM authentication random auth popups and account lockouts may be experienced.
severity Medium
date 2004-02-11 22:12
bugzilla #908
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-ntlm_auth_popups.patch
workaround It may help to configure a lot of NTLM helpers but this is not verified.

Squid doesn't follow telnet protocol on FTP control connections

synopsis Squid forgot to escape IAC characters (ascii code 255) in FTP requests, causing problems to access files/directories using this character in their name or to log in with this character in the login or password.
severity Minor
date 2004-02-03 14:38
bugzilla #877
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-ftp_telnet.patch
workaround Double any such characters in the input to Squid. (%ff%ff instead of %ff)

Empty proxy_auth ACLs are silently accepted but lead to unpredictable ACL matching

synopsis If a proxy_auth acl is incorrectly defined with no members then any http_access rules using this acl will give unpredictable results depending on the results of earlier acl lookups. This patch corrects both the reason to why acl lookups became unpredictable and makes Squid reject such incorrect acl definitions.
severity Medium
date 2004-01-15 07:44
bugzilla #893
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-empty_proxy_auth.patch
workaround Make sure your proxy_auth acls are correctly defined. If the acl should not match any users then don't declare the acl at all.

Various HTTP workarounds and minor corrections

synopsis This patch adds a new detect_broken_pconn squid.conf directive allowing you to tenable a workaround to certain broken HTTP servers (reportedly IIS-5) who incorrectly signals the use of persistent connections even if the reply is not compatible with persistent connections. It also corrects some minor HTTP issues to make the Squid proxy more semantically transparent.
severity Minor
date 2004-01-30 23:11
bugzilla #890
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-http_workarounds.patch

squid_ldap_group failure if specifying many or long group names

synopsis If the request to squid_ldap_group (login name + all group names) exceed 256 characters then group lookups fails or behaves erratically.
severity Minor
date 2004-01-08 19:54
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-ldap_group_bufsize.patch
workaround Define multiple ACLs instead of listing many groups in the same ACL

LDAP helpers TLS mode (-Z option) does not work

synopsis The TLS mode of the LDAP helpers did not work and always reported "TLS Connection failed"
severity Minor
date 2004-01-05 12:08
bugzilla #887
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-ldap_tls.patch
workaround Use the ldaps:// URI method instead, if your LDAP server supports it.

Incomplete objects may appear stuck in the cache

synopsis Under certain conditions incomplete objects may appear stuck in the cache, not even reload giving a new fresh copy.
severity Major
date 2003-12-23 01:10
bugzilla #876
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-partial_reload.patch
workaround Compiling squid with --disable-http-violations completely avoids the issue. Setting "half_closed_clients off" and making quick_abort as aggressively aborting as possible by "quick_abort_min 0 KB" and "quick_abort_max 0 KB" mostly hides the problem.

assertion failed: pinger.c:187: "icmp_pktsize <= MAX_PKT_SZ"

synopsis In Squids built with --enable-icmp the pinger helper may exit with the above assertion failure if Squid receives a request with a very long host name.
severity Minor
date 2003-12-23 01:01
bugzilla #835
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-pinger.patch
workaround Don't build squid with --enable-icmp. This is generally recommended anyway unless you are absolutely sure you want to ICMP PING random sites all over the Internet to measure RTT information even if this may trigger IDS systems etc.

000 status code being logged for redirects (should be 302)

synopsis Redirects initiated by redirector helpers was logged as TCP_MISS/000 instead of the expected TCP_MISS/302. This patch corrects this and should also correct log_mime_hdrs output for the same.
severity Minor
date 2003-12-21 16:53
bugzilla #869
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-redirlog.patch

Update of Russian error pages

synopsis In a current version threre is a problem. The absence of "yo" letter. ("e" with 2 dots ). People prefer to write "E" instead "yo", that is not quite correct, like "How r u" intstead "How are you?"
severity Cosmetic
date 2003-12-21 15:22
bugzilla #864
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-russian.patch

Added 'urllogin' ACL type

synopsis This is not a fix for a Squid bug. It is a new feature to workaround an MSIE6 bug that uses control characters to obfuscate the true origin server hostname. You can use the 'urllogin' acl TYPE to deny HTTP requests that contain certain characters in the URL login field.
severity Medium
date 2003-12-19 16:41
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-urllogin_acl.patch
workaround Patch MSIE6, if/when the patch becomes available.

DNS resolver has too short MAXHOSTNAME

synopsis Squid would not process hostnames longer than 128 characters. This affects few hosts on the internet, but with the growing use of iDNA it's becoming an issue.
severity Minor
date 2003-12-18 01:41
bugzilla #842
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-dns_namelength.patch
workaround None.

Squid refuses to start if "pid_filename none" is specified

synopsis Contrary to the documentation "pid_filename none" is not accepted and Squid refuses to start.
severity Minor
date 2003-12-17 21:12
bugzilla #868
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-pid_filename_none.patch

cache_peer max-conn=.. option does not work

synopsis Due to the a accounting mismatch in the number of open connections to peers the cache_peer max-conn=.. option does not work. This issue is also seen as very high numbers in the OPEN CONN peer statistics via cachemgr.
severity Minor
date 2003-12-20 20:10
bugzilla #867
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-cache_peer_maxconn.patch

Persistent connection usage too high after sudden burst of traffic

synopsis Persistent server connections are reused in a round-robin fashion which may cause the number of connections to stay artificially high after a sudden burst of requests.

This patch changes persistent connection management to use a LIFO order reusing the most recently used connection first, thereby allowing unneeded connections to close down by idle timeout.

severity Minor
date 2003-12-15 23:44
bugzilla #865
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-pconn-lifo.patch
workaround This usually is not a significant problem, but if you are plauged by this you can try disabling server-side persistent connections in squid.conf.

redirector_access does not handle slow acls such as dst or external correctly

synopsis redirector_access was a "fast" acl lookup and did not handle "slow" acls requiring external lookups such as dst or external correcly
severity Minor
date 2003-12-14 13:43
bugzilla #860
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-redirector_access.patch

Icon URLs are uneededly complex

synopsis The URL syntax used by Squid for FTP/Gopher icons are uneededly complex and often causes problems. This patch adds a "short_icon_urls" directive which can be used to enable a less complex URL syntax for icons.
severity Cosmetic
date 2003-12-14 13:36
bugzilla #856
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-icon_urls.patch

Limit use of persistent connections when filedescriptor usage is high

synopsis Under high usage a lot of filedescriptors may be idle persistent connections, causing a shortage of filedescriptors for handling new requests.
severity Minor
date 2003-12-14 12:38
bugzilla #571
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-pconn-load.patch
workaround Disable the use of persistent connections in squid.conf. But pleae note that disabling persistent connections will cause a networking performance penalty unless you are actually short on filedescriptors. Alternatively rebuild Squid with support for more filedescriptors.

Segmentation fault on aborted FTP PUT requests

synopsis If a FTP PUT request is aborted while Squid is writing data to the server then Squid may abort with a segmentation fault.
severity Major
date 2003-12-14 12:25
bugzilla #853
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-ftp_put.patch
workaround If this plauges you a lot then you can deny the use of FTP PUT until the server can be patched. But please note that this will limit the functionality of the proxy by not allowing FTP uploads via the proxy.

acl FTP protocol FTP
acl PUT method PUT
http_access deny FTP PUT

Repeated POST requests causes number of persistent connections to grow

synopsis If responses to POST or other non-indempotent requests allows the connection to be kept persistently open then this can lead to a increased connection usage by Squid. This patch changes the behaviour to keep the number of connections stable by closing a persistent connection before opening the new connection.
severity Minor
date 2003-12-13 16:57
bugzilla #862
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-pconn_post.patch
workaround Disable server-side persistent connections by setting "server_persistent_connections off" in squid.conf.

Cleanup of DNS retransmissions, connect & dns timeouts etc

synopsis Several minor errors related to how Squid finds a connection where to forward requests. This patch
  • Corrects DNS retransmission rate to decay like documented to avoid flooding the DNS server with the same query.
  • Adds a new configuration parameter "forward_timeout" to control how long Squid tries to find a method to find a path where to forward the request before giving up. Defaults to 2 minutes.
  • The default connect_timeout tuned down from 2 minutes to 1 minute to allow for two attempts to find a suitable path within the forward_timeout
  • fqdncache/ipcache restructured to allow for DNS code to allow the queried name to be logged in cache.log on errors.
  • negative_dns_ttl now overloaded to also specify the minimum ttl used when caching DNS responses, and tuned down from 5 minutes to 1 minute.
  • default dns_timeout tuned down from 5 minutes to 2 minutes
  • some minor compilation warnings on --disable-internal-dns corrected
  • properly report DNS timeouts as timeouts and not just "No DNS records"
severity Minor
date 2003-12-09 21:52
bugzilla #848, #849, #851
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-connect_cleanup.patch

FQDN lookups sometimes returns garbage

synopsis FQDN lookups sometimes give garbage after the result. This can be seen as junk in access.log when using log_fqdn or false access control results when using dstdomain acl type and the user requests a URL by IP address.
severity Minor
date 2003-12-04 10:16
bugzilla #846, #834, #433
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-fqdn.patch
workaround Don't use log_fqdn or alternatively compile Squid with --disable-internal-dns

connection setup may look like syn flood attack if server is refusing connection

synopsis If the contacted server refuses connection then the repeated attempts to connect to the server may look like a syn flood attack. This patch makes Squid behave a little friendler in such case and
* Delays a little between the repeated attempts. Longer if the attempt was to an origin server.
* Limits origin server attempts to 3 connection setup attempts or 2 request forwarding attempts (was 10 on both which only makes sense in peering relations)
* Changes the default for maximum_single_addr_tries to 1 as there is plenty of reforwarding attempts done by Squid and at least 3 attempts to initiate the request which makes this directive redundant.
* removes a redundant lock from commConnect*() (cbdata managed)
* Adds a small delay to commConnect() reconnection attempts when the contacted destination has more than one IP address or maximum_single_addr_tries is used.
* Small cleanup in how/when digest considers a peer usable to not disturb the peer probing.
* Cleanup of peer TCP probing to correct timeout management etc and to more promptly recover after a failure.
severity Minor
date 2003-11-29 18:58
bugzilla #14
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-synflood.patch

--enable-arp-acl may give warning about net/route.h

synopsis On certain linux versions --enable-arp-acl may give a warning in net/route.h that this file is not meant to be used outside the kernel.
severity Cosmetic
date 2003-11-29 09:04
bugzilla #729
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-netroute.patch
workaround Don't use --enable-arp-acl or ignore the warning. The use of MAC based acls is overrated anyway and does not give any added security compared to IP based acls.

Incorrect html on empty Gopher responses

synopsis If a gopher server returns an empty response then Squid may render incorrect HTML in the gopher menu representation. In addition a PRE endtag was often missing from gopher menus.
severity Cosmetic
date 2003-11-29 08:43
bugzilla #690
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-gopherhtml.patch

positive_dns_ttl ignored when using internal DNS client

synopsis The positive_dns_ttl directive is not used by the internal dns client (the default). This patch changes it to at least be used as a upper limit on how long DNS data may be cached.
severity Cosmetic
date 2003-11-28 19:41
bugzilla #799
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-positive_dns_ttl.patch

squid_ldap_group update to version 2.12

synopsis This patch updates squid_ldap_group to the latest version, adding support for ldaps://, corrected documentation, and allows specifying the bind password via a file rather than on the command line for increased security against local users on the proxy.
severity Cosmetic
date 2003-11-21 17:14
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-squid_ldap_group.patch

100% CPU loop if external_acl combined with authentication

synopsis If Squid is configured using external acls and a single http_access line uses a authentication related acl after an external ACL not using authentication then the authentication lookup gets stuck continously querying the helper until the request is aborted.
severity Medium
date 2003-11-19 16:58
bugzilla #824
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-extacl_auth_loop.patch

maximum_object_size too large causes squid not to cache

synopsis Squid fails to detect invalid size based configurations where the size is too large to fit in the internal variable. This patch makes Squid detect many such cases and tell you when the configuration is out of range.
severity Cosmetic
date 2003-11-06 16:59
bugzilla #817
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-size_overflow.patch
workaround Specify sane values in your configuration

Install of Mozilla/Netscape plugins fails because .xpi mime type unknown

synopsis Mozilla/Netscape uses a custom mime type for plugins, and as this is not known to Squid installation of such plugins using FTP fails.
severity Cosmetic
date 2003-11-06 16:36
bugzilla #812
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-xpi_mime.patch
workaround Define the application/x-xpinstall mime type for .xpi files in mime.conf

Segfault if failing to load error page

synopsis If Squid fails to load a error page (builtin or deny_info defined) then it segfaults instead of aborting with a "FATAL Error" message.
severity Cosmetic
date 2003-11-06 16:36
bugzilla #806
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-error_load_text.patch

Error page translation updates for German and Lithuanian

synopsis The German ERR_DNS_FAIL error message was missing a headline. Major update of Lithuanian error pages, including addition of several previously missing error messages which made the translation more or less useless in Squid-2.5.
severity Cosmetic
date 2004-02-12 17:45
bugzilla #795, #803
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-errorpages.patch

auth_param documentation update

synopsis The auth_param documentation was unclear on default values etc. This patch makes sure the example auth_param lines after each parameter documentation has the default value. This patch also adds a default "realm" value.
severity Cosmetic
date 2003-11-06 14:58
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4_auth_param_doc.patch

pam_auth fails on Solaris when using pam_authtok_get

synopsis The patch changes pam_auth to not use persistent PAM connections by default. The use of persistent PAM connections is slightly outside the PAM specifications and may fail in certain PAM configurations. It also adds support for clearing the new PAM_AUTHTOK item to hopefully allow the use of persistent PAM connections on Solaris.
severity Minor
date 2003-11-05 18:16
versions Squid-2.5.STABLE4 and earlier
platforms All
patch pam_auth-2.2.patch
workaround Use the one-shot mode of the helper (-1 comand line flag)

FQDNcache discards negative responses when using internal DNS

synopsis When using the internal DNS client fqdncache (ip->name) does not negatively cache lookup failures.
severity Minor
date 2003-10-11 22:39
bugzilla #791
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-fqdnnegcache.patch
workaround Ignore the minor issue, or compile Squid with --disable-internal-dns

login with space confuses redirector helpers

synopsis If authentication or ident gives a login name containing a space character then redirector helpers trying to read the username or request method field will be confused by this. This patch URL-encodes the login name making sure the helpers always know how to parse the data sent by Squid.
severity Minor
date 2003-09-24 01:09
bugzilla #789
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-redirect_login_space.patch
workaround Don't use space characters in your login names

digest auth never detects password changes

synopsis If using digest authentication then Squid does not detect password changes.
severity Minor
date 2003-09-23 16:09
bugzilla #787
versions Squid-2.5
platforms All
patch squid-2.5.STABLE4-digest_auth_pwchange.patch
workaround Restart Squid after modifying digest passwords

cache.log message on "squid -k reconfigure" confusing

synopsis The cache.log message on "squid -k reconfigure" claimed Squid restarted, when in reality it just reconfigures itself. This patch changes the message to say Reconfiguring.
severity Cosmetic
date 2003-09-19 06:40
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE4-reconfigure_message.patch

2.5.STABLE3 Patches

Patches released after the 2.5.STABLE3 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

Handle crashing helpers more gracefully

synopsis This patch corrects two minor issues. a) Properly detect if too many helpers crashes when only using a single helper. b) Automatically start new helpers instead of restarting the whole Squid unless the helpers are crashing too rapidly (30 seconds or less)
severity Minor
date 2003-09-12 20:35
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-helper_crash.patch
workaround Use at least 2 helpers, and live with the fact that Squid will restart if more than 50% of your helpers crashes

winbind helpers complain on restart or if winbind has not yet fully started

synopsis The winbnd helpers complains with a "fgets failed" error in cache.log each time the helpers are restarted. The helpers also fail to start if winbind has not yet fully finished it's startup procedure.
severity Minor
date 2003-09-12 10:18
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-winbind.patch
workaround Ignore the error in cache.log, and make sure winbind has started fully before you start Squid.

external_acl_type concurrency= renamed to children=

synopsis To lessen confusion in later upgrades to Squid-3 the external_acl_type concurrency= option has been renamed to children= to match Squid-3 usage. This is done because concurrency= has a completely different meaning in squid-3. Squid-2.5 still accepts the old syntax to keep compatibility within the Squid-2.5 release, but it is recommended to start using the new syntax unless you need to be able to easily downgrade to a earlier Squid-2.5 release.
severity Cosmetic
date 2003-09-02 07:55
versions Squid-2.5.STABLE3 and earlier
platforms All
patch squid-2.5.STABLE3-external_acl_children.patch
workaround Make sure to read the Squid-3 releasenotes very carefully when upgrading.

Assertion error or segmentation fault if using proxy_auth in delay_access

synopsis If proxy_auth acl type is used in delay_access then Squid may abort with an assertion error or segmentation fault. Notice: This patch may change some error conditions to be logged with TCP_DENIED rather than TCP_MISS.
severity Medium
date 2003-09-01 20:45
bugzilla #638, #756
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-delay_access_auth.patch
workaround Don't use proxy_auth acl types in delay_access

Segmentation fault if proxy_auth with ntlm used in http_reply_access

synopsis In configurations where authentication is enforced in http_access and then reused in http_reply_access to further control access levels Squid may segfault if the ntlm authentication scheme is used.
severity Medium
date 2003-09-01 20:13
bugzilla #763
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-http_reply_access_denied.patch
workaround Don't use proxy_type acls in http_reply_access or disable the use of the ntlm authentication scheme (disabled by default)

code 407 instead of 403 for authenticated traffic-shaped user

synopsis delay_access can disturb Squids logics on when to request a new login from the user. Most notably if delay_access ends up in a proxy_auth acl then any access denials will require a new login but the opposite may also happen.
severity Medium
date 2003-08-31 09:42
bugzilla #742
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-auth_delay_pools.patch
workaround make sure delay_access always ends up in the same class of ACL as http_access does on the same request.

Form POSTing troubles with NTLM authentication or other error responses

synopsis Large POST/PUT requests may fail with a "Connection reset" error in the browser in situations where Squid immediately responds with an error page. This is most notable when using NTLM authentication but may also occur in a few other situations
severity Medium
date 2003-08-28 22:00
bugzilla #267, #757
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-POST-error.patch
workaround Allow POST/PUT without requiring authentication if you are using NTLM authentication.

No explicit error message when ncsa_auth (squid user) can't access passwd file

synopsis ncsa_auth just exists if it can not read the supplied password file, instead of reporting an error.
severity Minor
date 2003-08-20 12:58
bugzilla #733
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-ncsa_auth_passwdfile.patch
workaround If ncsa_auth exits for no apparent reason, verify that the given ncsa password file is readable by the cache_effective_user.

forwarded_for off has no effect

synopsis The patch for Bug #92 (squid-2.5.STABLE3-mem_cfd.patch) broke the forwarded_for directive.
severity Minor
date 2003-08-18 17:29
bugzilla #750
versions Squid-2.5.STABLE3 snapshots 2003-08-07 to 2003-08-18
platforms All
patch squid-2.5.STABLE3-forwarded_for.patch
workaround Use anonymization via http_header_access to delete the X-Forwarded-For header from forwarded requests. This is probably preferred in any case.

ICP dynamic timeout algorithm ignores multicast

synopsis The algorithm that calculates the timeout for a set of ICP queries ignores multicast neighbors. It also ignores the expected number of replies because "*exprep" is always set equal to parent_exprep + sibling_exprep.
severity Minor
date 2003-08-13 00:31
bugzilla #736
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-multicast-ICP-timeout.patch
workaround Don't use multicast ICP.

Username not logged into ACCESS.LOG in case of /407

synopsis Squid is supposed to log the username in access.log on unsuccessful authentication, but it does not.
severity Minor
date 2003-08-10 19:01
bugzilla #663
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-407_user_name.patch

Compile error in auth/digest_auth.c

synopsis The Digest auth update in Squid-2.5.STABLE3 caused a slight portability problem to platforms where struct in_addr is defined "differenlty". If you find that auth/digest_auth.c fails to compile in 2.5.STABLE3 but works in Squid-2.5.STABLE2 or earlier then you may need this patch.
severity Cosmetic
date 2003-08-10 07:39
versions Squid-2.5.STABLE3
platforms MinGW, maybe a few others
patch squid-2.5.STABLE3-digest_compile.patch

aufs calculates the number of threads and queue limits wrongly

synopsis The automatic calculation on number of threads and queue limits based on number of cache directories got the calculation slightly wrong.
severity Minor
date 2003-08-06 14:21
bugzilla #732
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-aufs_threads.patch
workaround manually specify the number of threads to configure

assertion failed: client_side.c:1478: "size > 0" when using aufs

synopsis If aufs fails to open files in the cache_dir which should be there then Squid may crash with the above assertion failure.
severity Medium
date 2003-08-06 14:21
bugzilla #716
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-aufs_open_fail.patch
workaround do not manually delete files from an aufs cache_dir

assertion failed: http.c:869: "-1 == cfd || FD_SOCKET == fd_table[cfd].type"

synopsis In certain unfrequend situations involving aborted requests Squid could crash with the above assertion
severity Medium
date 2003-08-06 13:56
bugzilla #92
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-mem_cfd.patch

More improvements to the (experimental) COSS storage scheme.

synopsis More improvements to make COSS more useable and reliable. Fixed off_t/int comparison bug that caused Squid to think it hit the end of the disk much sooner than it should have. Use blocking I/O, instead of aborting when aio calls fail. Another bug caused Squid to not write the last byte of each COSS stripe. Added statistics and a cachemgr page.
severity Minor
versions Squid-2.5 and earlier
platforms All
workaround Don't use COSS

Blank username logging fix

synopsis A blank username is logged as a blank space which may confuse log file parsers. This patch will replace blank usernames with a dash (-).
severity Minor
date 2003-07-28 09:16
bugzilla #721
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-blank-username-log.patch
workaround Rework parsing scripts to "guess" whether the username is there or not.

Improvements to the (experimental) COSS storage scheme.

synopsis Improvements to make COSS more useable and reliable. Added block-size option to 'cache_dir' line and fixed lockcount (memory leak) bug.
severity Minor
date 2003-07-29 22:29
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-coss-improvements-2.patch
workaround Don't use COSS

statCounter.syscalls.disk counters treated inconsistently

synopsis The statCounter.syscalls.disk are handled differently in some cases. For example, they are not incremented by AUFS (except for writes which are handled by file_write()). Also, requests given to unlinkd do not increment the syscalls.disk.unlinks value.
severity Cosmetic
date 2003-07-22 15:39
bugzilla #715
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-syscalls.disk-counters.patch

round-robin cache_dir selection incorrectly compares max-size

synopsis in storeDirSelectSwapDirRoundRobin(), there is a loop variable (i), which is different than the static directory number (dirn). Instead of checking the cache_dir corresponding to the loop variable, it should check the directory number.
severity Minor
date 2003-07-17 15:46
bugzilla #710
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-round_robin_max_size.patch
workaround Don't use round-robin, or don't use max-size cache_dir option.

cbdata.c:186: "c->valid" assertion due to peer digest not found

synopsis When Squid fails to receive a cache digest from a neighbor, it may trigger an assertion on the second attempt. This is probably an old bug, recently brought to light due to changes elsewhere.
severity Major
date 2003-07-16 20:30
bugzilla #709
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-peer_digest_not_found_assertion.patch
workaround Add the 'no-digest' option to your cache_peer line.

Crash after ftpTimeout: timeout in SENT_PASV state

synopsis Due to a data connection management error Squid can become very unstable after the above error message.
severity Major
date 2003-07-16 13:49
bugzilla #700, #681, #684
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-SENT_PASV.patch

Requests denied by http_reply_access are not logged with TCP_DENIED

synopsis When using http_reply_access, requests that are denied look just like requests that are allowed in access.log. In other words, they are logged with TCP_HIT, TCP_MISS, etc. This patch causes them to be logged with TCP_DENIED. You can still differentiate requests denied by http_access and http_reply_access by looking at the "hierarchy" field. For http_reply_access denied requests, it will contain the origin server or neighbor cache hostname/address.
severity Minor
date 2003-07-15 21:39
bugzilla #686
versions Squid-2.5.STABLE3 and earlier
platforms All
patch squid-2.5.STABLE3-http_reply_access-denied.patch

ie_refresh does not signal no-cache to peer caches

synopsis The ie_refresh option may be used to allow for Squid to act on the reload button of MSIE 5.x browsers in transparent proxy setups, however a slight oversight in the implementation caused the option to not be as effective as intended if there is parent caches involved.
severity Minor
date 2003-07-15 20:45
bugzilla #708
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-ie_refresh.patch
workaround Configure your browser to use the proxy and forget about this mess

Client Socket Buffer leak on reply_body_max_size

synopsis Squid leaks 4KB of memory on each request denied by reply_body_max_size ultimately leading to crash of Squid when it runs out of memory
severity Medium
date 2003-07-11 23:23
bugzilla #704
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-reply_body_max_size.patch
workaround dont use reply_body_max_size

Forward Host headers in place

synopsis Some firewalls or servers get confused if the Host header is too far into the headers. To prevent these from failing on requests forwarded via Squid make Squid forward the Host header exacly where it was in the original request.
severity Medium
date 2003-07-11 22:46
bugzilla #699
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-hostheader.patch

Memory leak in deny_info TCP_RESET

synopsis If deny_info TCP_RESET is used then Squid leaks 4K of memory on each request denied with a TCP_RESET.
severity Medium
date 2003-07-09 22:01
bugzilla #705
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-tcp_reset_leak.patch
workaround Don't use deny_info TCP_RESET

ERR_TOO_BIG Spanish translation

synopsis Spanish translation of ERR_TOO_BIG error message
severity Cosmetic
date 2003-07-20 10:40
bugzilla #702
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-ERR_TOO_BIG_Spanish.patch

minimum_retry_timeout unused

synopsis This patch removes the unused minimum_retry_timeout squid.conf parameter. This variable has not been used for some time it seems.
severity Cosmetic
date 2003-07-07 08:32
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-minimum_retry_timeout.patch

SNMP update of cachePeerPingsSent and cachePeerPingsAcked

synopsis cacheMesh.cachePeerTable.cachePeerEntry.cachePeerPingsSent and cachePeerPingsAcked to match the MIB. Was ASN_INTEGER, is not SMI_COUNTER32.
severity Minor
date 2003-07-07 08:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-cachePeerPingsSentsnmp.patch

store_check_cachable_stats slghtly misleading

synopsis put checks for 'release_request' and 'wrong_content_length' before 'not_entry_cachable'. The first two are always zero because they also alays have ENTRY_CACHABLE bit cleared.
severity Cosmetic
date 2003-07-07 08:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-store_check_cachable_stats.patch

/etc/hosts and lines with comments after the host name

synopsis parseEtcHosts() does not handle comments in the middle of a line
severity Minor
date 2003-07-07 08:32
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-hostscomments.patch

sbrk as fallback method for high_memory_warning

synopsis use sbrk() for high_memory_warning check on platforms where neither mallinfo() or mstats() are available.
severity Minor
date 2003-07-07 08:32
versions Squid-2.5 and earlier
patch squid-2.5.STABLE3-memwarnsbrk.patch

header_access fails when using peers

synopsis Fix HTTP anonymization feature acl checks when using parent proxies
severity Minor
date 2003-07-07 08:32
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-header_access_peer.patch

neighbor_type_domain documentation update

synopsis neighbor_type_domain usage incorrect; missing neighbor hostname
severity Cosmetic
date 2003-07-07 08:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-neighbor_type_domain.patch

issue warning if CARP load factor values decrease in the cache_peer list

synopsis Section 3.3 of draft-vinod-carp-v1-03.txt says: The Load Factor Multiplier must be calculated from the smallest P_k to the largest P_k. The sum of all P_k's must be 1.
severity Minor
date 2003-07-07 08:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-carpfactor.patch

Compile time warnings when using GCC-3.3

synopsis GCC-3.3 gets slightly confused by the Squid code and gives a few mostly false warnings regarding type-punning.
severity Cosmetic
date 2003-07-07 08:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-gcc-3_3.patch
workaround Ignore the warnings

aufs Files queued for open counter mismatch

synopsis Under certain conditions the "Files queued for open counter" could grow larger than intended. If this grows too large then Squid may think it runs out of filedescriptors even if there is plenty of filedescriptors free, but we do not expect this to become a real problem in any installations.
severity Minor
date 2003-06-18 23:18
versions Squid-2.5 and earlier
platforms All using aufs
patch squid-2.5.STABLE3-aufs-openingfds.patch

external_acl does not wait for ident lookups to complete

synopsis extrenal_acl_type %IDENT does not wait for ident lookups to complete.
severity Minor
date 2003-06-17 07:32
bugzilla #683
versions Squid-2.5
platforms All
patch squid-2.5.STABLE3-external_acl_ident.patch
workaround use an ident acl before your external acl to trigger the ident lookup

icmpRecv: recv: (11) Resource temporarily unavailable

synopsis Handle the case when recv() returns EAGAIN and do not treat it like an error
severity Minor
date 2003-07-18 20:34
bugzilla #655
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-icmpRecv.patch

Incorrect RFC reference regarding URL syntax

synopsis correction to squid.conf comments. RFC 2396 (not 2616) talks about dealing with whitespace in URIs.
severity Cosmetic
date 2003-06-17 07:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-rfc_reference.patch

quote '%' character in logs

synopsis log_quote() and username_quote() should always quote '%' character
severity Cosmetic
date 2003-06-17 07:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-log_quote.patch

check open("/dev/null") return value for errors.

synopsis This patch makes Squid print an error rather than consume 100% CPU time if /dev/null can not be opened.
severity Cosmetic
date 2003-06-17 07:39
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-devnull.patch
workaround Make sure you have a /dev/null if you chroot Squid

"cache_dir diskd" documentation update

synopsis The cache_dir documentation is slightly confusing regarding diskd configuration. This patch removes old comments no longer valid.
severity Cosmetic
date 2003-06-17 07:32
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-cache_dir_doc.patch

Segmentation fault if more than one custom deny_info message defined

synopsis The Squid-2.5.STABLE2 patch for deny_info TCP_RESET was not entirely correct and causes segmentation fault on startup if more than one custom deny_info error message is defined
severity Medium
date 2003-05-27 07:25
bugzilla #662
versions Squid-2.5.STABLE3
platforms All
patch squid-2.5.STABLE3-deny_info.patch
workaround Disable the use deny_info in your squid.conf.

Compilation error in src/HttpHeaderTools.c on certain platforms

synopsis The Squid-2.5.STABLE2 patch for digest authentication used a C99 feature (dynamic array initializers) which may not be available in all C compilers
severity Minor
date 2003-05-27 08:04
bugzilla #660
versions Squid-2.5.STABLE3
platforms Several platforms not using GCC or a C99 compliant C compiler
patch squid-2.5.STABLE3-HttpHeaderTools.patch
workaround Use GCC

Lithuanian error messages

synopsis Lithuanian error messages added. These was actually added to the CVS tree for the 2.5.STABLE1 release, but never got included in the distributed tarballs.
severity Cosmetic
date 2003-05-25 13:57
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE3-Lithuanian.patch

2.5.STABLE2 Patches

Patches released after the 2.5.STABLE2 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

NTLM regression error in the patch for digest nonce counts

synopsis A regression error introduces by the patch for digest authentication caused NTLM authentication to fail.
severity Minor
date 2003-05-25 12:32
versions Squid-2.5 snapshots 20030518-20030524
platforms All
patch squid-2.5.STABLE2-20030518-ntlm.patch

deny_info TCP_RESET does not work

synopsis This patch is the deny_info_url patch which corrects this issue and also adds the ability to redirect. The earlier merge of the TCP_RESET deny_info syntax from deny_info_url was not complete and did not work.

It was not originally planned to add the redirect capability to Squid-2.5, but the patch is well tested and making a new patch which only fixes TCP_RESET is not worth the effort.

severity Minor
date 2003-05-21 14:37
bugzilla #648
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-deny_info_reset.patch

Digest authentication fails on URLs with comma

synopsis Due to a HTTP header parsing error Digest authentication always fails on requests for URLs with one or more comma in them
severity Minor
date 2003-05-20 23:55
bugzilla #644
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-digestcomma.patch
workaround Don't require authenitcation on URLs with comma in them

digest nonce count workarounds for broken browsers

synopsis Digest authentication qop implementation in many mainstream browsers are quite poor and often causes authentication problems when used with Squid. This patch adds a couple of workarounds which can be used to work around the most obvious errors while still maintaining a reasonable level of security in the Digest authentication protocol, and also fixes a minor issue where Squid failed to correctly indicate when a used nonce was stale, thereby causing these browser bugs to show up as authentication failures (new login box) than actually needed.
severity Minor
date 2003-05-18 21:55
bugzilla #630
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-digest_nonce_count.patch

external_acl hangs if defined with ttl=0

synopsis Due to an error introduced by the patch for Bug #553 external acl lookups hangs if defined with ttl=0.
severity Minor
date 2003-05-18 21:55
bugzilla #643
versions Squid-2.5.STABLE2
platforms All
patch squid-2.5.STABLE2-external_acl_ttl0.patch

smb_auth.pl (multi-domain-NTLM) fails on domain qualified logins

synopsis Due to the change in basic auth helper protocol introduced in Squid-2.5 to deal with login names or passwords with spaces or other odd characters in them smb_auth.pl fails to authenticate domain qualified logins (domain\user).
severity Minor
date 2003-05-19 07:51
bugzilla #640
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-smb_auth_pl.patch

smb_auth fails on complex logins (involving domain names or odd characters)

synopsis In Squid-2.5 the format of basic auth helpers changed slightly to better support logins or passwords with spaces or other odd characters, however the smb_auth helper was not updated correctly making it fail on full domain logins etc.
severity Minor
date 2003-05-13 08:22
bugzilla #558, #587
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-smb_auth.patch

ACL regression error introduced by earlier 2.5.STABLE2 patch

synopsis A small regression error was introduced by the earlier patch for acl loops. The patch denied access if an acl could not be evaluated. This patch changes the behaviour back to that ot 2.5.STABLE2 and earlier and makes Squid contine to the next access rule.
severity Minor
date 2003-05-12 07:29
versions Squid-2.5.STABLE2-20030508 to 20030512
platforms All
patch squid-2.5.STABLE2-aclregression.patch

segmentation fault in authentication if debugging enabled

synopsis If detailed debugging is enabled (squid -k debug) then Squid may segfault on certain platforms while processing authentication.
severity Cosmetic
date 2003-05-11 21:48
bugzilla #591
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-authdebug.patch

Unreachable code due to siged/unsigned errors

synopsis Certain code could never be reached due to signed/unsigned errors. To our knowledge this has not caused any ill effects, but this patch corrects the code to behave as expected.
severity Cosmetic
date 2003-05-11 17:35
bugzilla #597
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-unreachcode.patch

logic error in comm_select.

synopsis poll() underperforms if enabled and used. Apply the bugfix to reduce CPU and kernel overhead.
severity Minor
date 2003-05-11 16:49
bugzilla #596
versions Squid-2.5 Stable2 and earlier. (Search for earliest version not done)
platforms All
patch squid-2.5.STABLE2-comm-select.patch
workaround none.

wb_group update to 1.2 to add support for domain qualified goups

synopsis To allow access to groups in other domains it needs to be possible to specify groups by their fully qualified name.
severity Minor
date 2003-05-11 12:56
bugzilla #622
versions Squid-2.5
platforms All
patch wb_group-1.2.patch

Segmentation fault when using negated external acls

synopsis In certain configurations involving negated external acls (!aclname where aclname is an external acl) Squid may crash with a segmentation fault error or behave oddly.
severity Minor
date 2003-05-10 22:23
bugzilla #623
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-external_lookup.patch
workaround Make sure you only use negated external acls as the last acl element in your http_access lines if needed.
http_access allow acl1 acl2 !externalacl

squid_ldap_auth update to support TLS, SSL and increased security for bind password

synopsis This update of squid_ldap_auth adds:
TLS/SSL encryption support required to connect to certain LDAP servers
Ability to read bindpasswd from file to increase security
Timeout options for better recovery when using multiple LDAP servers
severity Minor
date 2003-05-08 20:22
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-squid_ldap_auth.patch
workaround For SSL encryption you can use stunnel as a workaround with earlier versions of the squid_ldap_auth helper.

Basic auth looping when multiple proxy_auth ACLs combined in one line.

synopsis In certain configurations with more than one proxy_auth acl on the same access line http_access can get stuck, causing Squid to continously querying the authentication helper.
severity Major
date 2003-05-07 20:08
bugzilla #606
versions Squid-2.5 and maybe earlier
platforms All
patch squid-2.5.STABLE2-acl_lookup_loop.patch
workaround Make sure you never use more than one proxy_auth or related acl on the same http_access line.

reply_body_max_size fails with ident or proxy_auth acls

synopsis reply_body_max_size fails with ident or proxy_auth acls. Also if fails to block too large objects where the content-length is not known
severity Minor
date 2003-05-06 20:16
bugzilla #432
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-reply_body_max_size.patch

acl ident REQUIRED matches even if the ident lookup fails

synopsis acl ident REQUIRED matches even if the ident lookup fails
severity Minor
date 2003-05-06 19:57
bugzilla #620
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-ident_REQUIRED.patch
workaround acl noident ident -
http_access deny noident

msntauth helper crashes related to the alow/deny file operation

synopsis The msntauth helper crashes if more than 256 users is specified in a allow/deny file, or if kill HUP is used and no allow or deny file is specified.
severity Minor
date 2003-05-06 07:59
bugzilla #609, #612
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-msntauth.patch

LDAP basic authentication crash if server is unreachable

synopsis The squid_ldap_auth helper may crash if the LDAP server is unavailable
severity Minor
date 2003-05-06 00:39
bugzilla #598
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-ldap_auth_unavail.patch

"squid -k reconfigure" does not close logs to activate new settings

synopsis Even after a "squid -k reconfigure" squid continues using the old log paths until "squid -k rotate". Also it is impossible to disable logs active without a full restart of Squid.
severity Minor
date 2003-05-06 00:28
bugzilla #579
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-reconfig_logs.patch
workaround Restart Squid when making log file changes

--enable-ssl fails on RedHat 9

synopsis Compilation of Squid with --enable-ssl fails on RedHat 9 because the RedHat 9 version of OpenSSL depends on Kerberos which are not in the standard include path
severity Cosmetic
date 2003-05-04 21:29
versions Squid-2.5
platforms RedHat 9
patch squid-2.5.STABLE2-redhat9-ssl.patch
workaround --enable-ssl=/usr/kerberos

SNMP MIB used Counter32 for certain values which are gauges

synopsis cacheNumObjCount, cacheCurrentUnlinkRequests, cacheCurrentSwapSize and cacheClients all reported as Counter32 type SNMP objects where they actually represent gauges.
severity Cosmetic
date 2003-05-02 09:54
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-snmp_gauges.patch
workaround Convince your SNMP monitor to use the values as if they were gauges.

Upgrade of wb_group to 1.1

synopsis The wb_group helper has been updated to version 1.1. This update includes an option for case insensitive group name comparation (Bugzilla #574), Fixed a segfault (Bugzilla #574) and updated the documentation according to FAQ on squid-users
severity Minor
date 2003-05-15 11:02
bugzilla #574
versions Squid-2.5
platforms All
patch wb_group-1.1.patch

AIX 5 issues

synopsis Cachemgr was reporting huge values for Maximum Resident Size on AIX 5, and snprintf is now a supported function on AIX 5 so Squid does not need to supply it's own version.
severity Cosmetic
date 2003-04-29 16:19
versions Squid-2.5 and earlier
platforms AIX 5
patch squid-2.5.STABLE2-aix5.patch
workaround Just ignore the Maximum Resident Size value in cachemgr.

segmentation fault in idnsGrokReply() on certain platforms

synopsis A bug in how Squid processes certain DNS replies can cause segmentation faults on certain platforms. Linux and FreeBSD on X86 platforms seems unaffected however.
severity Major
date 2003-04-25 12:17
bugzilla #605
versions Squid-2.5 and earlier
platforms Solaris SPARC and several other
patch squid-2.5.STABLE2-dns_root_label.patch
workaround Recompile squid with --disable-internal-dns

The example header_access paranoid setting is missing WWW-Authenticate

synopsis The paranoid header_access example is missing WWW-Authenticate, and thereby unintentionally denying authentication to web sites if used without modifitaions
severity Cosmetic
date 2003-04-14 20:04
bugzilla #600
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-header_access_paranoid.patch

cache_peer documentation missing for htcp and carp

synopsis The cache_peer documentation for the htcp and carp related options was missing
severity Cosmetic
date 2003-04-09 13:47
bugzilla #365
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-cache_peer_docs.patch

cache_effective_user documentation unclear

synopsis The cache_effective_user/group documentation was unclear on what happens if only one of the directives is set, or when Squid is started as a non-root user.
severity Cosmetic
date 2003-04-09 13:47
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-cache_effective_user_docs.patch

external acl lookups does not deal well with queue overload

synopsis If there is a queue overload for external acl lookups then Squid logs "externalAclLookup: 'xxx' queue overload" at a very high rate in cache.log until the condition clears up.
severity Major
date 2003-04-09 12:59
bugzilla #590
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-external_acl_overload.patch
workaround Make sure there is sufficient number of helpers to handle your request load.

Squid may hang or behave oddly on shutdown while requests is being processed.

synopsis Squid may hang or otherwise behave oddly in shutdown if there is new requests processed at the same time. On shutdown Squid internally shut down DNS, redirectors and external acls while still processing new requests already received. In combination with the external acl queue overload bug this can completely hang Squid, preventing it from shutting down.
severity Minor
date 2003-04-09 12:59
bugzilla #590
versions Squid-2.5 and earlier
platforms All
patch squid-2.5.STABLE2-shutdown.patch

assertion failed: cbdata.c:224: "c->y == c" when external_acl helpers crashes

synopsis Squid crashes with the above assertion failure if an external_acl helper crashes while processing a request
severity Minor
date 2003-03-24 17:28
bugzilla #577
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-external_acl_crash.patch
workaround Fix the helper to not crash

Occational false negatives in external acl lookups

synopsis If you are using a external acl based on data which changes during a browsing session then false negatives may be seen if there is multiple requests immediately after the request data used by the acl has changed, or other situations where there may be multiple concurrent requests for the same external acl lookup.

The error automatically clears up if the failing request is retried.

severity Minor
date 2003-03-18 22:12
bugzilla #573
versions Squid-2.5
platforms All
patch squid-2.5.STABLE2-concurrent_external_acl.patch
workaround Press reload, or otherwise try the request again.

2.5.STABLE1 Patches

Patches released after the 2.5.STABLE1 release. The patches are listed in reverse order and should be applied starting with the one furthest down. The date is last modificationtime.

POST/PUT request sometimes fail with "Broken Pipe" or "Connection reset by peer" errors

synopsis Due to an oversight in the implementation of server side persistent connections in Squid-2.5.STABLE1 and earlier POST or PUT requests may fail if sent just as an existing persistent connection is timed out by the origin server.
date 2003-03-17 18:39
bugzilla #569
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-indempotent.patch
workaround Disable server side persistent connection by setting "server_persistent_connections off" in squid.conf

Make external_acl user names available as IDENT in later acl processing

synopsis external acl types have the ability to provide a username to be used when logging the request. This patch extends the capabilities of this function by also making the username available as IDENT in later acl checks.
date 2003-02-27 13:54
bugzilla #552
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-external_acl_user.patch

digest authentication security issue

synopsis Security issues have been found in how Squid managed digest authentication nounces, possibly giving unauthorized users who can sniff the network traffic of a valid user session, or denying authorized users access if they fail to provide correct credentials on the first request.
date 2003-02-27 13:54
bugzilla #543
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-auth_digest.patch

external_acl Assertion failed: auth_user_request != NULL

synopsis In certain conditions external_acl_type definitions using %LOGIN could result in the above assertion failure.
date 2003-02-27 13:54
bugzilla #553
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-external_acl_auth_segfault.patch

make install fails to install icons after make distclean

synopsis make install fails to install icons after make distclean if you do not have uudecode installed
date 2003-02-21 22:21
bugzilla #548
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-distclean_icons.patch
workaround install uudecode, or unpack Squid from the distributed tarball again.

"error: invalid HTTP-ident" breaks log processing

synopsis If certain malformed request is received then Squid logs "error: invalid HTTP-ident" in the URL column of access.log, making problems for log parsers to read the line correctly.
date 2003-02-19 23:41
bugzilla #547
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-error-http-ident.patch

Squid MIB definition syntax error

synopsis A syntax error / obsolete syntax in the declaration of the Squid SNMP MIB (SQUID-MIB) causes current SNMP tools to fail reading the file
date 2003-02-19 23:29
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-mib.patch

winbind helpers fail to work with Samba 2.2.6 or later

synopsis The winbind helpers depend on a internal Samba winbindd interface which was changed in the Samba 2.2.6 release. This patch updates the Samba support headers to those of Samba 2.2.7a, and adds a configure directive (--with-samba-sources=..) which can be used to override which samba version the Squid winbind helpers should be built for
date 2003-02-12 02:11
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-winbind.patch
workaround Manually copy and adjust the needed winbind helpers from Samba to each of the winbind helpers you use.

CONNECT data corruption if client pipelines data before 200 OK reply

synopsis Clients who start sending data after a CONNECT request prior to receiving the 200 OK reply may experience data corruption. Normally clients do not do this as the specifications say that the client must wait.
date 2003-02-12 02:07
bugzilla #490
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-CONNECT_pipeline.patch

time acls only accept a single time

synopsis Only the first time of a time acl type was used. This patch corrects this to allow the same acl to specify multiple times of the day.
date 2003-02-09 10:12
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-time_acl_list.patch
workaround If you need to specify multiple times, use one acl for each time

Client performance issue with HEAD requests to certain servers

synopsis Certain malfunctioning HTTP servers can confuse Squids client persisten connection management by sending a malformed reply in response to a HEAD request, causing unexpected delays in request processing for the client.
date 2003-02-09 10:12
bugzilla #520
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-HEAD_bad_headers.patch
workaround client_persistent_connections off

--with-ssl fails to compile with OpenSSL 0.9.7 or later

synopsis The SSL accelerator function of Squid-2.5 (--with-ssl option) fails to compile if using OpenSSL 0.9.7 or later
date 2003-02-09 10:12
bugzilla #501
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-openssl097.patch

Slow filedescriptor leak for /etc/hosts

synopsis Each time Squid is reconfigured one filedescriptor is leaked for /etc/hosts
date 2003-02-09 10:12
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-etc_hosts_fdleak.patch

Warn if cachemgr_passwd is specified more than once for the same action

synopsis Squid silently accepted cachemgr_passwd to be specified multiple times for the same action, but only the first one is accepted. This patch adds a warning when such configurations are seen.
date 2003-02-09 10:12
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-cachemgr_passwd.patch
workaround Manualy inspect your configuration to only have one password specified per action.

assertion failed: forward.c:96: "fwdState->err" on shutdown

synopsis In cetain conditions Squid crashes with the above assertion failure on shutdown.
date 2003-02-09 10:12
bugzilla #484
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-shutdown_assert.patch

Compilation fails if incorrect --with-auth-threads=NN option is given

synopsis The configure scripts accepts --with-aufs-threads argument without any value, causing the compilation to later fail.
date 2003-02-09 10:13
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-with_aufs_threads_trap.patch
workaround Make sure to always specify a correct value if using the --with-aufs-threads=NN option, or do not specify the option at all (the defaults is good for most uses)

squid.conf documentation still refers to authenticate_program

synopsis the authenticate_program directive was replaced by auth_param in Squid-2.5 but documentation for some other configuration directives still refers to authenticate_program instead of the current directive
date 2003-02-05 06:06
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-authenticate_program_docs.patch
workaround use auth_param instead even if the documentation refers to the non-existing authenticate_program directive

authenticateAuthenticate: no connection data, cannot process authentication

synopsis authentication could only be used in http_access rules in Squid-2.5 (as noted in the release notes). Any attempt to use authentication in other access rules either caused the above error or even worse a segmentation fault if using NTLM authentication.

Note: This patch depends on the earlier patch for the same problem.

date 2003-02-05 06:06
bugzilla #448, #393, #456, #478, #524, #164
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-auth_connection.patch
workaround make sure to not use authentication based acls outside http_access

delay_pools example does not match text

synopsis delay_pools example does not match text; values are bytes, not bits
date 2003-02-05 06:06
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-delay_pools_docs.patch

cachemgr helper stats cleanup

synopsis Some nitpicks and cleanup relating to cache manager helper stats and user authentication
date 2003-02-03 16:16
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-helper_stats.patch

Segmentation fault after ftpDataWriteCallback

synopsis A internal error caused Squid to abort if FTP PUT requests are aborted.
date 2003-02-01 22:19
bugzilla #507
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-ftp_abort.patch
workaround Deny FTP PUT in squid.conf.

Issues with auth scheme configurations

synopsis A coding error could cause issues with auth scheme configurations in certain configurations. On some systems it may be impossible to properly configure authentication, on others it only fails if authentication is added by "squid -k reconfigure".
date 2003-02-01 22:19
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-authsheme_realloc.patch

Removed Cachable stats "no.non_get"

synopsis The Cacheable statistics "no.non_get" is always 0 as the code relating to this statistics item is not active. This patch removes this useless field from the statistics.
date 2003-02-01 22:19
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-cachemgr_non_get.patch

unclear documentation of http_reply_body_max_size

synopsis From the documentation of http_reply_body_max_size it was not obvious that the size is in bytes. This patch rewords the documentation slightly to make this clearer.
date 2003-02-01 22:19
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-http_reply_max_size.patch

The pid file was removed too early in the shutdown process

synopsis When "squid -k shutdown" or kill is used to shut down Squid, the pid file should be removed when Squid has shut down, but was removed as soon as the shutdown completed.
date 2003-01-29 23:40
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-pidfile.patch

select loops statistics incorrect when using select()

synopsis One of the statistics counters was only updated when using poll() (default on most OS:es)
date 2003-01-29 23:26
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-select_stat.patch

Added select filedescriptor histogram output to cachemgr

synopsis The cachemgr histogram output was missing histogram count on filedescriptor activity
date 2003-01-29 23:26
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-select_fds_hist.patch

Duplicate assignment of sc->copy_offset

synopsis At one place in the code sc->copy_offset was assigned twice to the same value. Once is sufficient.
date 2003-01-29 23:28
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-copy_offset.patch
workaround None needed. Harmless.

mem_pool_free_calls should be printed as a unsigned integer

synopsis The mem_pool_free_calls statistics parameter was printed as a signed integer, possibly causing negative values to be printed once there has been more than 2^31 mempool free operations.
date 2003-01-29 23:28
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-mempoolstat.patch
workaround ignore any negative values printed

Internal cleanup of peer selection accounting

synopsis The code dealing with peer selection accounting has been cleaned up slightly, and accounting for cache-digest siblings has been corrected.
date 2003-01-29 23:26
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-peer_select_alg.patch
workaround None needed

log_mime_hdrs can show garbage in the access log on overly long request headers

synopsis If log_mime_hdrs is enabled then Squid's access.log may include garbage if overly long request headers is received casuing the logged line to become more than 8192 characters long.
date 2003-01-20 19:03
bugzilla #506
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-log_mime_hdrs.patch
workaround postprocess the logs to remove the garbage, or limit request/reply header sizes in squid.conf.

Improved memory usage statistics via sbrk

synopsis To aid in determining how large your Squid process really is statistics based on the growth of the process sbrk value has been added to cachemgr
date 2003-02-09 10:14
updated 2003-01-20
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-sbrk.patch

Hostname cleanups performed by Squid

synopsis Squid had the odd habit of normalizing double dots (www..example.com) in hostnames to one dot. Such hostnames is strictly not valid, and can in some configurations allow users to bypass filters. This patch makes Squid reject hostnames with double or leading dots.

This patch also adds a configure option to disable the character checks performed by Squid on domain name labels. It is not really the business of Squid to police what characters are used in domain name labels.

date 2003-02-09 10:15
bugzilla #504, #503
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-hostnames.patch

cachemgr failure_ratio is a ratio, not percentage

synopsis The cachemgr output indicated failure_ratio was a percentage when it in fact is a ratio. This patch removes the % sign from cachemgr output.
date 2003-01-18 14:52
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-failure_ratio.patch

offline_toggle cachemgr documentation

synopsis The offline_toggle cachemgr action needs to be enabled in cachemgr_passwd before use. This was omitted from the squid.conf documentation.
date 2003-01-18 14:52
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-offline_toggle.patch

squid_ldap_group update to version 2.10

synopsis squid_ldap_group fails to compile if using OpenLDAP 2.1.X or later.

This patch also adds many new features to squid_ldap_group, allowing true group matches, NT domain integration and some other small fixes.

date 2003-01-11 13:08
updated 2003-01-11
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-ldap_group.patch
workaround Use OpenLDAP 2.0.X.

Documentation update to remove stale reference to Squid-1.1 release notes

synopsis The documentation for refresh_pattern contained a stale reference to a Squid-1.1 release notes document which no longer exists
date 2003-01-10 23:16
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-relnote11.patch
workaround Don't bother looking for the Squid-1.1 release notes. The information found therein is not applicable to current Squid versions.

further safeguards for aufs compilation problems when not using --enable-pthreads

synopsis Squid 2.5 stable 2 will only allow aufs to be built with the _REENTRANT define enabled. This is to ensure correct threading operation on all platforms, and it's optionality led to some spurious bug reports and failure in 2.5 stable 1 and earlier.
date 2003-01-10 23:16
versions 2.5.STABLE1 and earlier
platforms none
patch squid-2.5.STABLE1-aufs_reentrant.patch
workaround make sure --enable-pthreads is used when compiling support for aufs

chroot_dir complains about all paths in squid.conf

synopsis When using chroot_dir Squid complains about all paths in squid.conf unless the same paths is accessible outside the chroot jail, even if they will actually be used only within the chroot.
date 2003-01-09 05:36
bugzilla #493, #151
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-chroot.patch
workaround create symlinks as needed

Segfault when using -S in combination with cache_dir coss/null

synopsis Segfault when using -S in combination with cache_dir coss/null
date 2003-01-09 05:36
bugzilla 488
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-S.patch
workaround Don't use -S if configured with a coss/null cache_dir

Stale cached data miss in offline_mode

synopsis Even in offline_mode expired content sometimes is processed as a cache miss. The intention of offline_mode is to make Squid very aggressively return cached content, assuming the Internet is not available for checking freshness.
date 2003-01-09 04:21
bugzilla #395
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-offline_mode.patch

Sometimes crashes while rebuilding dirty cache directories

synopsis In certain conditions Squid may crash while rebuilding dirty cache directories.
date 2003-01-09 03:46
bugzilla #465
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-rebuild_assert.patch
workaround always shut down Squid cleanly, or start Squid with the -F option to not accept requests while the cache index is beeing rebuilt.

RunCache/RunAccel scripts still looks for squid in bin

synopsis The RunCache/RunAccel scripts was not modified to look for Squid in it's new location 'sbin'.
date 2003-01-07 03:52
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-RunCache.patch
workaround Modify the script to look in sbin, or start squid directly

poor performance when using aufs

synopsis If Squid is configured to use aufs cache_dir type then performance may seem slow when Squid is only processing a few requests
date 2003-01-09 00:58
updated 2003-01-09
versions 2.5.STABLE1 and earlier
platforms All when configured to use aufs
patch squid-2.5.STABLE1-aufs_performance.patch
workaround give Squid more work to do. aufs is designed for busy caches. If you have a single user cache consider using ufs instead.

squid_ldap_group link failure

synopsis Compilation of squid_ldap_group fails with errors about undefined symbol "socket", "getpeername" and other networking related symbols.
date 2002-12-12 00:33
versions 2.5.STABLE1
platforms Solaris and others requiring special libraries for networking
patch squid-2.5.STABLE1-ldap_group-compile.patch
workaround Manually edit helpers/external_acl/ldap_group/Makefile to include the needed libraries last on the LDADD line

assertion failed: comm.c:646: "F->flags.open"

synopsis Squid sometimes crashes with 'assertion failed: comm.c:646: "F->flags.open"' logged to cache.log.
date 2002-12-09 16:38
bugzilla #466
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-flags_open.patch
workaround Deny the use of CONNECT

Impossible to define acls with spaces in them

synopsis It is impossible to define acls with spaces in them. Previously this have not been such a big problem, but with the addition of external acl checks and integration with various foreign user group systems such as Windows Domain this has became more of a problem.

This patch allows you to use the "include" function to define such acls.

date 2002-11-24 11:03
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-spaces.patch
workaround Make sure that all groups etc you need to refer to does not contain spaces.

Small typo in dnsserver error message on DNS overload

synopsis There is a small typo in the error message returned if the DNS queue overloads when Squid is compiled with --disable-internal-dns
date 2002-11-12 07:45
bugzilla #471
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-dnsserver.patch
workaround Do not compile Squid with --disable-internal-dns. The default internal DNS client is much more efficient and cannot be overloaded.

Filter out unproxyable authentication schemes

synopsis Microsoft "Integrated Login" authentiation schemes NTLM and Negotiate (SPNEGO) cannot be proxied due to a design flaw in these protocols, authenticating TCP connections rather than HTTP messages. Previously this was only a problem with IIS servers on the Internet but with the addition of NTLM support in Squid this is now also a problem in Squid cache hierarchies.
date 2002-11-11 21:01
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-auth-proxy.patch
workaround Make sure "Integrated Logon" is disabled on all parent proxies os web servers your users need to log on to.

cachemgr login & password revealed in HTTP server log files

synopsis If the HTTP server running cachemgr is configured to log query parameters then your cachemgr login & password may be revealed in the access logs. This patch changes cachemgr to use POST which should hide this information from most logs
date 2002-11-11 21:47
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-cachemgr.patch

make uninstall removes squid.conf

synopsis "make uninstall" removes squid.conf, and with it any local modifications which may have been done. This patch changes "make uninstall" to not remove squid.conf.
date 2002-11-11 22:57
bugzilla #453
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-uninstall.patch
workaround backup squid.conf before runnign "make uninstall" if you want to save a copy, or manually delete the unwanted files.

Segmentation fault if a external_acl helper exits prematurely

synopsis If a external_acl helper exist prematurely then Squid segfaults.

This patch makes Squid deal more gracefully with the situation and retry the request to next available helper. If too many of the helper instances dies then Squid will do a controlled restart.

date 2002-11-11 22:57
bugzilla #458
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-ext_acl_exit.patch
workaround Write crash proof external_acl helpers

Squid rejects GET/HEAD with request entities claimint error 411

synopsis Squid rejects requests having a request entity with error "411 Length Required". While the HTTP specification allows for such requests it also says the request entity must have no meaning.

This patch adds a new squid.conf directive "request_entities on/off" which can be used to enable support for such strange GET/HEAD requests is needed.

date 2002-11-11 22:57
bugzilla #463
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-request_entity.patch
workaround Don't use the proxy for devices sending such strange HTTP requests

external_acl.c compilation failure

synopsis Certain compilers complain about a extra comma in external_acl.c
date 2002-11-11 22:57
versions 2.5.STABLE1
platforms Compiler Speficic
patch squid-2.5.STABLE1-ext_acl_comma.patch
workaround Use GNU CC

memory leak of acl structures on "squid -k reconfigure"

synopsis Squid sometimes leaks acl structures on "squid -k reconfigure".
date 2002-11-10 03:58
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-acl_leak.patch

Occasional corruption of objects when using aufs

synopsis Due to a race condition in the aufs storeio implementation data corruption can occur if the client aborts a cache hit while aufs is reading data from the disk
date 2002-11-15 06:35
updated 2002-11-15
bugzilla #451
versions 2.5.STABLE1 and earlier
platforms All using aufs
patch squid-2.5.STABLE1-aufs.patch

Cachemgr "Total accounted:" memory statistics always report "-1"

synopsis The cachemgr "Total accounted:" statistics field always report "-1"
date 2002-11-10 17:00
updated 2002-11-10
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-memstat.patch

WCCP hash assignment can sometimes be missed by the router

synopsis In certain conditions the WCCP router might miss the hash assignment sent by Squid.
date 2002-11-09 09:59
bugzilla #462
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-wccp.patch

external_acl helper problem with spaces

synopsis A internal error in the strwordtok() function causes problems for external_acl if the last helper argument is quoted by Squid. For example if using a group helper and having groups with spaces in them.
date 2002-11-09 09:59
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-strwordtok.patch

--enable-async-io or --with-storeio=aufs fails to automatically enable --with-pthreads

synopsis If --enable-async-io or --with-storeio=aufs is used then configure attempts to automatically enable --with-pthreads. Unfortunately it only gets it half right, resulting in a unstable aufs storeio driver.
date 2002-11-14 08:26
versions 2.5.STABLE1
platforms All using aufs
patch squid-2.5.STABLE1-pthreads.patch
workaround Make sure to include --with-pthreads when building with the aufs storeio driver.

"make addlang" fails

synopsis The undocumented "make addlang" target does not work. This make target is intended to be used when adding additional languages to a installation where configure was instructed not to install all languages.
date 2002-11-09 09:59
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-addlang.patch
workaround Select the languages during the normal install procedure

Specifying LDAP servers last on the command line does not work

synopsis The command line syntax of specifying LDAP servers last on the command line does not work.
date 2002-10-18 09:50
bugzilla #460
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-ldap_auth.patch
workaround Make use of the -h option to specify LDAP servers.

Referer log not closed on shutdown

synopsis If the referer log file is enabled then Squid might complain about this log file being open on shutdown. This is the same problem as Bug #120 but for the referer log.
date 2002-10-13 17:04
versions 2.5.STABLE1 and earlier
platforms All
patch squid-2.5.STABLE1-referer_log.patch
workaround None needed. Ignore any complaints from Squid that the referer log is open

Many files missing from the contrib directory

synopsis Many files such as squid.rc were missing from the contrib directory.
versions 2.5.STABLE1
platforms All
workaround Copy the files from another Squid release

Segmentation fault if failing to load icons

synopsis If urlParse() fails in mimeLoadIconFile() (e.g., because the user put illegal characters in the visible_hostname), this patch makes Squid emit a fatal error message, rather than suffer a NULL pointer dereference.
date 2002-10-08 21:30
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-load_icons.patch
workaround Make sure visible_hostname has a correct value with only valid hostname characters, and that your icon files are readable by the user Squid is running as (cache_effective_user if started by root)

cache_dir documentation on recommended size

synopsis Iproved documentation on how to set the cache_dir size parameter
date 2002-10-08 12:59
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-cache_dir_docs.patch

max_user_ip and authenticate_ip_ttl documentation misleading

synopsis The documentation for max_user_ip and authenticate_ip_ttl is slightly misleading
date 2002-10-08 21:30
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-max_user_ip.patch

proxy_auth acls only work in http_access

synopsis proxy_auth (and other authentication acl types) only works in http_access.
date 2002-10-08 12:59
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-proxy_auth.patch

Compiler warning if --disable-http-violations is used

synopsis The compiler may warn about unused parse/dump/free_http_header_access function is the configure directive --disable-http-violations is used
date 2002-11-10 03:21
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-disable-http-violations.patch
workaround Ignore the warning. It is harmless.

Compiler warning if --disable-ident-lookups is used

synopsis The compiler may warn about a unused error label if the configure directive --disable-ident-lookups is used
date 2002-09-29 19:14
versions 2.5.STABLE1
platforms All
patch squid-2.5.STABLE1-disable-ident-lookups.patch
workaround Ignore the warning. It is harmless.

$Id: index.tmpl,v 1.350 2006/06/21 12:33:13 hno Exp hno $