The Squid Team are pleased to announce the release of Squid-3.2.6 for=20
-testing.
+The Squid Team are pleased to announce the release of Squid-3.2.13.
While this release is not deemed ready for production use, we believe it =
is ready for wider testing by the community.
+
+A large number of the show-stopper bugs have been fixed along with genera=
l improvements to the IPv6 support.
+While this release is not fully bug-free we believe it is ready for use in p=
roduction on many systems.
+
Although this release is deemed good enough for use in many setups, pleas=
e note the existence of=20
-open bugs against Squid-3.2.
+Some issues to note as currently known in this release which are not able=
to be fixed in the 3.2 series are:
@@ -160,7 +162,7 @@
DNS lookups to locate alternative DIRECT destinations will not be done.
=20
Known Issue: When non-strict validation fails Squid will relay the reques=
t, but can only do
-so safely to the orginal destination IP the client was contacting. The clien=
t original
+so safely to the original destination IP the client was contacting. The clie=
nt original
destination IP is lost when relaying to peers in a hierarchy. This means the=
upstream peers
are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability.
Developer time is required to implement safe transit of these requests.
@@ -253,7 +255,7 @@
path and parameters as its own command parameters. The concurrency =
setting already
existing in Squid is used to configure how many child helpers it may run.
=20
-
- mswin_check_ad_group - ext_ad_group_acl - Check logged in users Group me=
mbership using Active Directory.
-- ip_user_check - ext_file_userip_acl - Restrict users to cetain IP addres=
ses, using a text file backend.
+- ip_user_check - ext_file_userip_acl - Restrict users to certain IP addre=
sses, using a text file backend.
- squid_kerb_ldap - ext_kerberos_ldap_group_acl - Check logged in Kerberos=
or NTLM users Group membership using LDAP.
- squid_ldap_group - ext_ldap_group_acl - Check logged in users Group memb=
ership using LDAP.
- mswin_check_lm_group - ext_lm_group_acl - Check logged in users Group me=
mbership using LanManager.
@@ -416,8 +418,8 @@
=20
Automatic detection and use of the pthreads library available from Solari=
s 10
=20
-The result of this addition means that faster more efficient AUFS cache s=
torage mechanisims
-are now available in Solaris 10.
+The result of this addition means that faster more efficient AUFS cache s=
torage mechanism
+is now available in Solaris 10.
=20
Support is experimental at this stage due to lack of feedback on the resu=
lts of enabling it.
We recommend giving AUFS a try for faster disk storage and encourage feedbac=
k.
@@ -431,14 +433,14 @@
feature support in Squid. This release opens Surrogate support to all revers=
e proxies.
=20
Reverse proxy requests sent on to the web server include the HTTP header =
Surrogate-Capabilities:
-specifying the capabilities of the reverse proxy along with an ID which can =
be used to target reponses with
+specifying the capabilities of the reverse proxy along with an ID which can =
be used to target responses with
a Surrogate-Control: HTTP header used instead of the Cache-Cont=
rol: header.
=20
The default surrogate ID is generated automatically from the Squid site-u=
nique hostname as found by the
automatic detection or manual configuration of visible_hostname alt=
hough can be configured
separately with the httpd_accel_surrogate_id option.
=20
-Security Considerations: Websites sould be careful of accepting =
any surrogate ID.
+
Security Considerations: Websites should be careful of accepting=
any surrogate ID.
Older releases of Squid leak the Surrogate-Control headers to external serve=
rs.
This 3.2 series of Squid will now prevent this leakage of its own ID destine=
d responses, however it is possible
and for some uses desirable to receive external reverse-proxies Surrogat=
e-Capabilities: headers.
@@ -553,7 +555,7 @@
- should contain a complete HTML page, with optional client-side scripting=
.
- must not contain server-side scripting.
-- will have macro substitution performed on it using the same macros as us=
ed by the error page tempates.
+- will have macro substitution performed on it using the same macros as us=
ed by the error page templates.
=20
@@ -588,32 +590,32 @@
headers or eCAP options to Squid ICAP requests or eCAP transactions.
=20
- adaptation_send_client_ip
-
-
Same as depricated icap_send_client_ip
+
Same as deprecated icap_send_client_ip
but applies to both ICAP and eCAP.
=20
- adaptation_send_username
-
-
Same as depricated icap_send_client_username
+
Same as deprecated icap_send_client_username
but applies to both ICAP and eCAP.
=20
- adaptation_uses_indirect_client
-
-
Same as depricated icap_uses_indirect_client
+
Same as deprecated icap_uses_indirect_client
but applies to both ICAP and eCAP.
=20
- client_delay_pools
-
-
New setting for client bandwith limits to specifies the number=20
+
New setting for client bandwidth limits to specifies the number=20
of client delay pools used.
=20
- client_delay_initial_bucket_level
-
-
New setting for client bandwith limits to determine the initial=20
+
New setting for client bandwidth limits to determine the initial=20
bucket size as a percentage of max_bucket_size from=20
client_delay_parameters.
=20
- client_delay_parameters
-
-
New setting for client bandwith limits to configures client-side=20
+
New setting for client bandwidth limits to configures client-side=20
bandwidth limits.
=20
- client_delay_access
-
-
New setting for client bandwith limits to determines the=20
+
New setting for client bandwidth limits to determines the=20
client-side delay pool for the request.
=20
- client_dst_passthru
-
@@ -727,17 +729,12 @@
New installs, or installs with no logs configured explicitly will use this m=
odule by default.
New tcp module to send each log line as text data to a TCP recei=
ver.
New udp module to send each log line as text data to a UDP recei=
ver.
-New format referrer to log with the format prevously used by ref=
erer_log directive.
-New format useragent to log with the format prevously used by us=
eragent_log directive.
+New format referrer to log with the format previously used by re=
ferer_log directive.
+New format useragent to log with the format previously used by u=
seragent_log directive.
=20
- - acl : random, localip, localport
-
+
- acl : random, urllogin
-
New type random. Pseudo-randomly match requests based on a confi=
gured probability.
-Renamed myip to localip. It matches the IP which the cl=
ient connected to.
-Renamed myport to localport. It matches the port which =
the client connected to.
Ported urllogin option from Squid 2.7, to match a regex pattern =
on the URL login field (if any).
-The localip/localport differ from earlier releases wher=
e they matched a mix of
-of an invalid IP and port 0, the client destination IP/port or the Squid lis=
tening IP/port.
-This definition is now consistent across all modes of traffic received by Sq=
uid.
The manager ACL requires adjustment to cover new cache manager a=
ccess. So it has now been
built-in as a predefined ACL name matching URLs equivalent to the following =
regular expression:
@@ -749,7 +746,7 @@
=20
- auth_param
-
New options for Basic, Digest, NTLM, Negotiate children settings.
-startup=3DN determins minimum number of helper processes used.
+startup=3DN determines minimum number of helper processes used.
idle=3DN determines how many helper to retain as buffer against sud=
den traffic loads.
concurrency=3DN previously called auth_param ... concurrency as a separate option.
Removed Basic, Digest, NTLM, Negotiate auth_param ... concurrency setting option.
@@ -783,8 +780,8 @@
%SRCEUI64 EUI-64 of clients with SLAAC address.
%EXT_LOG log=3D message returned by previous external ACL calls.=
An updated version may be returned.
%EXT_TAG tag=3D value returned by previous external ACL calls. T=
ag may not be altered once set.
-children-max=3DN determins maximum number of helper processes us=
ed.
-children-startup=3DN determins minimum number of helper processe=
s used.
+children-max=3DN determines maximum number of helper processes u=
sed.
+children-startup=3DN determines minimum number of helper process=
es used.
children-idle=3DN determines how many helper to retain as buffer=
against sudden traffic loads.
Deprecated children=3DN in favor of children-max=3DN.
=20
@@ -1024,16 +1021,16 @@
Replaced by --enable-eui
=20
- --enable-auth-basic-helpers
-
-
replaced by --enable-auth-basic.
+Replaced by --enable-auth-basic.
=20
- --enable-auth-digest-helpers
-
-
replaced by --enable-auth-digest.
+Replaced by --enable-auth-digest.
=20
- --enable-auth-negotiate-helpers
-
-
replaced by --enable-auth-negotiate.
+Replaced by --enable-auth-negotiate.
=20
- --enable-auth-ntlm-helpers
-
-
replaced by --enable-auth-ntlm.
+Replaced by --enable-auth-ntlm.
=20
- --enable-referer-log
-
Obsolete.
@@ -1066,7 +1063,7 @@
An external_acl_type helper may be used to bypass authentication if that is =
suitable.
=20
- cache_peer
-
-
http11 Obsolete.
+Option http11 obsolete.
=20
- external_acl_type
-
Format tag %{Header} replaced by %>{Header}
@@ -1076,9 +1073,9 @@
Replaced by request_header_access and reply_header_access
=20
- http_port
-
-
no-connection-auth replaced by connection-auth=3D[on|off]. Default is ON.
-transparent option replaced by intercept
-http11 obsolete.
+Option no-connection-auth replaced by connection-auth=3D[on|=
off]. Default is ON.
+Option transparent option replaced by intercept
+Option http11 obsolete.
=20
- http_access2
-
Replaced by adapted_http_access
@@ -1095,6 +1092,12 @@
- server_http11
-
Obsolete.
=20
+ - update_headers
-
+
Obsolete. The experimental actions enabled in 2.7 by this option have bee=
n integrated as default
+actions for the rock storage type and memory caches.
+The configuration option is no longer necessary and has been dropped.
+NOTE: It is not yet supported by ufs, aufs, or diskd storage.
+
- upgrade_http0.9
-
Obsolete.
=20
@@ -1275,9 +1278,6 @@
- storeurl_rewrite_program
-
Not yet ported from 2.7
=20
- - update_headers
-
-
Not yet fully ported from 2.7. Memory and rock storage caches support thi=
s natively. UFS caches do not support it.
-
++++++ squid-3.2.11.tar.bz2 -> squid-3.2.13.tar.bz2 ++++++
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/ChangeLog new/squid-3.2.13/ChangeLog
--- old/squid-3.2.11/ChangeLog 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/ChangeLog 2013-07-13 15:22:32.000000000 +0200
@@ -1,4 +1,16 @@
=20
+Changes to squid-3.2.13 (13 Jul 2013):
+
+ - Bug 3869: assertion failed: MemBuf.cc:272: size < capacity
+ - Improved handling of port values in Host: header validation
+
+Changes to squid-3.2.12 (11 Jul 2013):
+
+ - Protect against buffer overrun in DNS query generation
+ - Avoid !closing assertions when helpers call comm_read during reconfigure.
+ - Fix several minor memory leaks during reconfigure
+ - Remove origin_tries limiter on forwarding and permit large max_forward_tr=
ies values
+
Changes to squid-3.2.11 (30 Apr 2013):
=20
- Regression Bug 3839: build error: src/tools.h: No such file or directory
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/RELEASENOTES.html new/squid-3.2.13/RELEA=
SENOTES.html
--- old/squid-3.2.11/RELEASENOTES.html 2013-04-30 07:08:31.000000000 +0200
+++ new/squid-3.2.13/RELEASENOTES.html 2013-07-13 15:48:45.000000000 +0200
@@ -1,11 +1,11 @@
-
- Squid 3.2.11 release notes
+
+ Squid 3.2.13 release notes
-Squid 3.2.11 release notes
+Squid 3.2.13 release notes
=20
Squid Developers
@@ -72,7 +72,7 @@
=20
-The Squid Team are pleased to announce the release of Squid-3.2.11.
+The Squid Team are pleased to announce the release of Squid-3.2.13.
This new release is available for download from=20
http://www.squid-cac=
he.org/Versions/v3/3.2/ or the
mirrors=
.
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/configure new/squid-3.2.13/configure
--- old/squid-3.2.11/configure 2013-04-30 06:47:59.000000000 +0200
+++ new/squid-3.2.13/configure 2013-07-13 15:23:28.000000000 +0200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.11.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.13.
#
# Report bugs to .
#
@@ -575,8 +575,8 @@
# Identity of this package.
PACKAGE_NAME=3D'Squid Web Proxy'
PACKAGE_TARNAME=3D'squid'
-PACKAGE_VERSION=3D'3.2.11'
-PACKAGE_STRING=3D'Squid Web Proxy 3.2.11'
+PACKAGE_VERSION=3D'3.2.13'
+PACKAGE_STRING=3D'Squid Web Proxy 3.2.13'
PACKAGE_BUGREPORT=3D'http://bugs.squid-cache.org/'
PACKAGE_URL=3D''
=20
@@ -1571,7 +1571,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.2.11 to adapt to many kinds of sys=
tems.
+\`configure' configures Squid Web Proxy 3.2.13 to adapt to many kinds of sys=
tems.
=20
Usage: $0 [OPTION]... [VAR=3DVALUE]...
=20
@@ -1641,7 +1641,7 @@
=20
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.2.11:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.2.13:";;
esac
cat <<\_ACEOF
=20
@@ -2019,7 +2019,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.2.11
+Squid Web Proxy configure 3.2.13
generated by GNU Autoconf 2.68
=20
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3115,7 +3115,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
=20
-It was created by Squid Web Proxy $as_me 3.2.11, which was
+It was created by Squid Web Proxy $as_me 3.2.13, which was
generated by GNU Autoconf 2.68. Invocation command line was
=20
$ $0 $@
@@ -3934,7 +3934,7 @@
=20
# Define the identity of the package.
PACKAGE=3D'squid'
- VERSION=3D'3.2.11'
+ VERSION=3D'3.2.13'
=20
=20
cat >>confdefs.h <<_ACEOF
@@ -30894,7 +30894,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log=3D"
-This file was extended by Squid Web Proxy $as_me 3.2.11, which was
+This file was extended by Squid Web Proxy $as_me 3.2.13, which was
generated by GNU Autoconf 2.68. Invocation command line was
=20
CONFIG_FILES =3D $CONFIG_FILES
@@ -30960,7 +30960,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=3D1
ac_cs_config=3D"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\=
\\\&/g'`"
ac_cs_version=3D"\\
-Squid Web Proxy config.status 3.2.11
+Squid Web Proxy config.status 3.2.13
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
=20
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/configure.ac new/squid-3.2.13/configure.=
ac
--- old/squid-3.2.11/configure.ac 2013-04-30 06:47:59.000000000 +0200
+++ new/squid-3.2.13/configure.ac 2013-07-13 15:23:28.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.2.11],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.2.13],[http://bugs.squid-cache.org/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/helpers/basic_auth/DB/basic_db_auth.8 ne=
w/squid-3.2.13/helpers/basic_auth/DB/basic_db_auth.8
--- old/squid-3.2.11/helpers/basic_auth/DB/basic_db_auth.8 2013-04-30 07:08:1=
5.000000000 +0200
+++ new/squid-3.2.13/helpers/basic_auth/DB/basic_db_auth.8 2013-07-13 15:48:3=
4.000000000 +0200
@@ -124,7 +124,7 @@
.\" =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
.\"
.IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2013-04-29" "perl v5.10.1" "User Contributed Perl Docum=
entation"
+.TH BASIC_DB_AUTH 1 "2013-07-13" "perl v5.10.1" "User Contributed Perl Docum=
entation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/helpers/external_acl/wbinfo_group/ext_wb=
info_group_acl.8 new/squid-3.2.13/helpers/external_acl/wbinfo_group/ext_wbinf=
o_group_acl.8
--- old/squid-3.2.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8=
2013-04-30 07:08:19.000000000 +0200
+++ new/squid-3.2.13/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8=
2013-07-13 15:48:36.000000000 +0200
@@ -124,7 +124,7 @@
.\" =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
.\"
.IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-04-29" "perl v5.10.1" "User Contribut=
ed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-07-13" "perl v5.10.1" "User Contribut=
ed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/include/version.h new/squid-3.2.13/inclu=
de/version.h
--- old/squid-3.2.11/include/version.h 2013-04-30 06:47:59.000000000 +0200
+++ new/squid-3.2.13/include/version.h 2013-07-13 15:23:28.000000000 +0200
@@ -9,7 +9,7 @@
*/
=20
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1367297224
+#define SQUID_RELEASE_TIME 1373721750
#endif
=20
#ifndef APP_SHORTNAME
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/HttpHeader.cc new/squid-3.2.13/src/H=
ttpHeader.cc
--- old/squid-3.2.11/src/HttpHeader.cc 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/HttpHeader.cc 2013-07-13 15:22:32.000000000 +0200
@@ -433,37 +433,37 @@
=20
PROF_start(HttpHeaderClean);
=20
- /*
- * An unfortunate bug. The entries array is initialized
- * such that count is set to zero. httpHeaderClean() seems to
- * be called both when 'hdr' is created, and destroyed. Thus,
- * we accumulate a large number of zero counts for 'hdr' before
- * it is ever used. Can't think of a good way to fix it, except
- * adding a state variable that indicates whether or not 'hdr'
- * has been used. As a hack, just never count zero-sized header
- * arrays.
- */
-
if (owner <=3D hoReply) {
+ /*
+ * An unfortunate bug. The entries array is initialized
+ * such that count is set to zero. httpHeaderClean() seems to
+ * be called both when 'hdr' is created, and destroyed. Thus,
+ * we accumulate a large number of zero counts for 'hdr' before
+ * it is ever used. Can't think of a good way to fix it, except
+ * adding a state variable that indicates whether or not 'hdr'
+ * has been used. As a hack, just never count zero-sized header
+ * arrays.
+ */
if (0 !=3D entries.count)
HttpHeaderStats[owner].hdrUCountDistr.count(entries.count);
=20
++ HttpHeaderStats[owner].destroyedCount;
=20
HttpHeaderStats[owner].busyDestroyedCount +=3D entries.count > 0;
+ } // if (owner <=3D hoReply)
=20
- while ((e =3D getEntry(&pos))) {
- /* tmp hack to try to avoid coredumps */
+ while ((e =3D getEntry(&pos))) {
+ /* tmp hack to try to avoid coredumps */
=20
- if (e->id < 0 || e->id >=3D HDR_ENUM_END) {
- debugs(55, 0, "HttpHeader::clean BUG: entry[" << pos << "] i=
s invalid (" << e->id << "). Ignored.");
- } else {
+ if (e->id < 0 || e->id >=3D HDR_ENUM_END) {
+ debugs(55, DBG_CRITICAL, "HttpHeader::clean BUG: entry[" << pos =
<< "] is invalid (" << e->id << "). Ignored.");
+ } else {
+ if (owner <=3D hoReply)
HttpHeaderStats[owner].fieldTypeDistr.count(e->id);
- /* yes, this deletion leaves us in an inconsistent state */
- delete e;
- }
+ /* yes, this deletion leaves us in an inconsistent state */
+ delete e;
}
- } // if (owner <=3D hoReply)
+ }
entries.clean();
httpHeaderMaskInit(&mask, 0);
len =3D 0;
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/MemBuf.h new/squid-3.2.13/src/MemBuf=
.h
--- old/squid-3.2.11/src/MemBuf.h 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/MemBuf.h 2013-07-13 15:22:32.000000000 +0200
@@ -66,7 +66,7 @@
=20
/// these space-related methods assume no growth and allow 0-termination
char *space() { return buf + size; } // space to add data
- char *space(mb_size_t required) { if (size + required > capacity) grow(s=
ize + required); return buf + size; } // space to add data
+ char *space(mb_size_t required) { if (size + required >=3D capacity) gro=
w(size + required +1); return buf + size; } // space to add data
=20
mb_size_t spaceSize() const;
=20
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/client_db.cc new/squid-3.2.13/src/cl=
ient_db.cc
--- old/squid-3.2.11/src/client_db.cc 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/client_db.cc 2013-07-13 15:22:32.000000000 +0200
@@ -72,8 +72,9 @@
clientdbAdd(const Ip::Address &addr)
{
ClientInfo *c;
- char *buf =3D new char[MAX_IPSTRLEN];
+ char *buf =3D static_cast(xmalloc(MAX_IPSTRLEN)); // becomes hash=
.key
c =3D (ClientInfo *)memAllocate(MEM_CLIENT_INFO);
+ debugs(77, 9, "ClientInfo constructed, this=3D" << c);
c->hash.key =3D addr.NtoA(buf,MAX_IPSTRLEN);
c->addr =3D addr;
#if USE_DELAY_POOLS
@@ -355,6 +356,7 @@
}
#endif
=20
+ debugs(77, 9, "ClientInfo destructed, this=3D" << c);
memFree(c, MEM_CLIENT_INFO);
}
=20
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/client_side_request.cc new/squid-3.2=
.13/src/client_side_request.cc
--- old/squid-3.2.11/src/client_side_request.cc 2013-04-30 06:47:06.000000000=
+0200
+++ new/squid-3.2.13/src/client_side_request.cc 2013-07-13 15:22:32.000000000=
+0200
@@ -641,8 +641,16 @@
uint16_t port =3D 0;
if (portStr) {
*portStr =3D '\0'; // strip the ':'
- if (*(++portStr) !=3D '\0')
- port =3D xatoi(portStr);
+ if (*(++portStr) !=3D '\0') {
+ char *end =3D NULL;
+ int64_t ret =3D strtoll(portStr, &end, 10);
+ if (end =3D=3D portStr || *end !=3D '\0' || ret < 1 || ret > 0xF=
FFF) {
+ // invalid port details. Replace the ':'
+ *(--portStr) =3D ':';
+ portStr =3D NULL;
+ } else
+ port =3D (ret & 0xFFFF);
+ }
}
=20
debugs(85, 3, HERE << "validate host=3D" << host << ", port=3D" << port =
<< ", portStr=3D" << (portStr?portStr:"NULL"));
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/dns_internal.cc new/squid-3.2.13/src=
/dns_internal.cc
--- old/squid-3.2.11/src/dns_internal.cc 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/dns_internal.cc 2013-07-13 15:22:32.000000000 +0200
@@ -1660,23 +1660,29 @@
void
idnsALookup(const char *name, IDNSCB * callback, void *data)
{
- unsigned int i;
- int nd =3D 0;
- idns_query *q;
+ size_t nameLength =3D strlen(name);
+
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perf=
orm lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
+ return;
+ }
=20
if (idnsCachedLookup(name, callback, data))
return;
=20
- q =3D cbdataAlloc(idns_query);
+ idns_query *q =3D cbdataAlloc(idns_query);
// idns_query is POD so no constructors are called after allocation
q->xact_id.change();
q->query_id =3D idnsQueryID();
=20
- for (i =3D 0; i < strlen(name); ++i)
+ int nd =3D 0;
+ for (unsigned int i =3D 0; i < nameLength; ++i)
if (name[i] =3D=3D '.')
++nd;
=20
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] !=3D '.=
') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] !=3D '.')=
{
q->do_searchpath =3D 1;
} else {
q->do_searchpath =3D 0;
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/forward.cc new/squid-3.2.13/src/forw=
ard.cc
--- old/squid-3.2.11/src/forward.cc 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/forward.cc 2013-07-13 15:22:32.000000000 +0200
@@ -515,10 +515,7 @@
if (!entry->isEmpty())
return false;
=20
- if (n_tries > 10)
- return false;
-
- if (origin_tries > 2)
+ if (n_tries > Config.forward_max_tries)
return false;
=20
if (squid_curtime - start_t > Config.Timeout.forward)
@@ -940,9 +937,6 @@
debugs(17, 3, HERE << "reusing pconn " << serverConnection());
++n_tries;
=20
- if (!serverConnection()->getPeer())
- ++origin_tries;
-
comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrappe=
r, this);
=20
/* Update server side TOS and Netfilter mark on the connection. */
@@ -1131,9 +1125,6 @@
if (n_tries > Config.forward_max_tries)
return 0;
=20
- if (origin_tries > 1)
- return 0;
-
if (request->bodyNibbled())
return 0;
=20
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/forward.h new/squid-3.2.13/src/forwa=
rd.h
--- old/squid-3.2.11/src/forward.h 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/forward.h 2013-07-13 15:22:32.000000000 +0200
@@ -97,7 +97,6 @@
Comm::ConnectionPointer clientConn; ///< a possibly open connecti=
on to the client.
time_t start_t;
int n_tries;
- int origin_tries;
=20
// AsyncCalls which we set and may need cancelling.
struct {
diff -urN '--exclude=3DCVS' '--exclude=3D.cvsignore' '--exclude=3D.svn' '--ex=
clude=3D.svnignore' old/squid-3.2.11/src/helper.cc new/squid-3.2.13/src/helpe=
r.cc
--- old/squid-3.2.11/src/helper.cc 2013-04-30 06:47:06.000000000 +0200
+++ new/squid-3.2.13/src/helper.cc 2013-07-13 15:22:32.000000000 +0200
@@ -38,6 +38,7 @@
#include "comm/Connection.h"
#include "comm/Write.h"
#include "helper.h"
+#include "fde.h"
#include "format/Quoting.h"
#include "MemBuf.h"
#include "SquidMath.h"
@@ -750,7 +751,7 @@
safe_free(srv->requests);
=20
cbdataReferenceDone(srv->parent);
- cbdataFree(srv);
+ delete srv;
}
=20
static void
@@ -812,7 +813,7 @@
=20
cbdataReferenceDone(srv->parent);
=20
- cbdataFree(srv);
+ delete srv;
}
=20
/// Calls back with a pointer to the buffer with the helper output
@@ -920,7 +921,7 @@
helperReturnBuffer(i, srv, hlp, msg, t);
}
=20
- if (Comm::IsConnOpen(srv->readPipe)) {
+ if (Comm::IsConnOpen(srv->readPipe) && !fd_table[srv->readPipe->fd].clos=
ing()) {
int spaceSize =3D srv->rbuf_sz - srv->roffset - 1;
assert(spaceSize >=3D 0);
=20
@@ -1021,7 +1022,7 @@
helperStatefulReleaseServer(srv);
}
=20
- if (Comm::IsConnOpen(srv->readPipe)) {
+ if (Comm::IsConnOpen(srv->readPipe) && !fd_table[srv->readPipe->fd].clos=
ing()) {
int spaceSize =3D srv->rbuf_sz - srv->roffset - 1;
assert(spaceSize >=3D 0);
=20
++++++ squid-3.2.11.tar.bz2.asc -> squid-3.2.13.tar.bz2.asc ++++++
--- /work/SRC/openSUSE:Factory/squid/squid-3.2.11.tar.bz2.asc 2013-05-13 15:3=
7:19.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.squid.new/squid-3.2.13.tar.bz2.asc 2013-07-30=
16:48:26.000000000 +0200
@@ -1,8 +1,8 @@
-File: squid-3.2.11.tar.bz2
-Date: Tue Apr 30 05:08:44 UTC 2013
-Size: 2897354
-MD5 : cdd3612bed27e8d513b713004c78bf5b
-SHA1: 124c0af704f88afb2feb5054b36f253544173a4b
+File: squid-3.2.13.tar.bz2
+Date: Sat Jul 13 13:49:04 UTC 2013
+Size: 2898293
+MD5 : 367e59c9c25da7ebbfbf7cbc36d2444e
+SHA1: f253df4981981c297cc7e719908e07b046506952
Key : 0xFF5CF463
fingerprint =3D EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring =3D http://www.squid-cache.org/pgp.asc
@@ -10,11 +10,11 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=20
-iQEcBAABAgAGBQJRf1OIAAoJELJo5wb/XPRjwg4H/iNZaKfeqRLVtpFOXT0RKY+l
-4+FVq1ptu6VLXRtkJWAj5RZfk6hmO9G+ZwZTnZWLf46c6kUvB/4Nlt0LD98FB9ng
-ZtWfcTSked7idj3pInjMvNNa7j0qeOy4tvjUvxKtPAg2ZiRJXoPOKkS6TXnyyGvf
-zlSWqmFUNvBsVULGALk9stq03jxqzf2CamNho8g2Tly//suJr8aHj38E8oMoCHWX
-SCjo9yVTRdZjaGa6RKkyMGYpPpM9Wh4qIixAGT6Ih94YxzXg/mcWpcl6A6Pwc8CT
-lrkKV2mDuGMoL1gGWYo8pUCEjvzKjRtoevu1wjzX/mqYbpilfLNnGg3vqZu7pfM=3D
-=3DmQwq
+iQEcBAABAgAGBQJR4VuSAAoJELJo5wb/XPRjDMsH+gN9MyL0RAegBfeJtScW7dOU
+E7ZPl8BjUqYTOoLPxXX95MTm6gJzzZ69S6ss8+db4fYd6kbGgkX/G05R0E5PBQJG
+2OnJU1LUUzBcqTedai1SCuL90gVgy7oqzke6qlT43SSzuKPzmvlrtnBOrXK1guy0
+xCFNFRtuZKIUVAyERlgE6tP0iPn5DZqSqGwGOx/lkNB20bgx83Amy7uav1F/d9Ps
+sillN9btek4azrPqyqDXoSv+Tqh0u3Ni+zSQJrbVJ59QGFA38OLdW3i3MphgNg5N
+/HkAGnfsCzJHQlxoM5kKz11U4caIv57gy9ZXIJ8peIIldOiLrfG1zcL/awyQVJc=3D
+=3DhNXf
-----END PGP SIGNATURE-----
--=20
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
--===============1684288667224731763==--