Hello community,
here is the log from the commit of package squid3
checked in at Wed Jul 9 01:36:37 CEST 2008.
--------
--- squid3/squid3.changes 2008-05-26 15:02:07.000000000 +0200
+++ squid3/squid3.changes 2008-07-02 16:14:04.547308000 +0200
@@ -1,0 +2,15 @@
+Wed Jul 2 16:13:35 CEST 2008 - kssingvo@suse.de
+
+- update to version 3.0.STABLE7, which is mainly a bugfix version only:
+ * important fix for ASN.1 DoS (no CVE)
+ * spelling corrections
+ * assertion on ESI page
+ * in snmp reporting
+ * (extra) whitespaces in logfile
+ * added note that negative_ttl is a HTTP violation
+ * Memory allocation problem in restoreCapabilities(), tools.cc
+ * etc.
+ for full change list see:
+http://www.squid-cache.org/Versions/v3/3.0/changesets/SQUID_3_0_STABLE7.html
+
+-------------------------------------------------------------------
Old:
----
squid-3.0.STABLE6-RELEASENOTES.html
squid-3.0.STABLE6.tar.bz2
New:
----
squid-3.0.STABLE7-RELEASENOTES.html
squid-3.0.STABLE7.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ squid3.spec ++++++
--- /var/tmp/diff_new_pack.yB7698/_old 2008-07-09 01:35:24.000000000 +0200
+++ /var/tmp/diff_new_pack.yB7698/_new 2008-07-09 01:35:24.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package squid3 (Version 3.0.STABLE6)
+# spec file for package squid3 (Version 3.0.STABLE7)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -14,7 +14,7 @@
BuildRequires: db-devel expat gcc-c++ krb5-devel libexpat-devel libxml2-devel
BuildRequires: openldap2-devel opensp-devel pam-devel sharutils
Summary: Squid Version 3 WWW Proxy Server
-Version: 3.0.STABLE6
+Version: 3.0.STABLE7
Release: 1
License: GPL v2 or later
Url: http://www.squid-cache.org/Versions/v3
@@ -460,6 +460,18 @@
#%doc squid_ldapauth.conf
%changelog
+* Wed Jul 02 2008 kssingvo@suse.de
+- update to version 3.0.STABLE7, which is mainly a bugfix version only:
+ * important fix for ASN.1 DoS (no CVE)
+ * spelling corrections
+ * assertion on ESI page
+ * in snmp reporting
+ * (extra) whitespaces in logfile
+ * added note that negative_ttl is a HTTP violation
+ * Memory allocation problem in restoreCapabilities(), tools.cc
+ * etc.
+ for full change list see:
+ http://www.squid-cache.org/Versions/v3/3.0/changesets/SQUID_3_0_STABLE7.html
* Wed May 21 2008 kssingvo@suse.de
- update to version 3.0.STABLE5, which is mainly a bugfix version only:
* fix in parsing cachemgr.conf
++++++ squid-3.0.STABLE6.tar.bz2 -> squid-3.0.STABLE7.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/ChangeLog new/squid-3.0.STABLE7/ChangeLog
--- old/squid-3.0.STABLE6/ChangeLog 2008-05-20 17:01:06.000000000 +0200
+++ new/squid-3.0.STABLE7/ChangeLog 2008-06-22 05:35:44.000000000 +0200
@@ -1,3 +1,14 @@
+Changes to squid-3.0.STABLE7 (22 Jun 2008):
+
+ - Fix several ASN issues
+ - Fix SNMP reporting of counters
+ - Fix round-robin algorithms
+ - GCC 4.3 support
+ - Netfilter v1.4.0 bug workaround
+ - Bugs 2350 and 2323: memory issues
+ - Bugs 2384, 951, 1566: ESI assertions
+ - Various minor debug and documentation cleanups
+
Changes to squid-3.0.STABLE6 (20 May 2008):
- Bug 2254: umask Feature from 2.6 added
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/configure new/squid-3.0.STABLE7/configure
--- old/squid-3.0.STABLE6/configure 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/configure 2008-06-22 05:35:54.000000000 +0200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.in Revision: 1.488.2.3 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for Squid Web Proxy 3.0.STABLE6.
+# Generated by GNU Autoconf 2.61 for Squid Web Proxy 3.0.STABLE7.
#
# Report bugs to http://www.squid-cache.org/bugs/.
#
@@ -729,8 +729,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.0.STABLE6'
-PACKAGE_STRING='Squid Web Proxy 3.0.STABLE6'
+PACKAGE_VERSION='3.0.STABLE7'
+PACKAGE_STRING='Squid Web Proxy 3.0.STABLE7'
PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
ac_unique_file="src/main.cc"
@@ -1507,7 +1507,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.0.STABLE6 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.0.STABLE7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1577,7 +1577,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.0.STABLE6:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.0.STABLE7:";;
esac
cat <<\_ACEOF
@@ -1886,7 +1886,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.0.STABLE6
+Squid Web Proxy configure 3.0.STABLE7
generated by GNU Autoconf 2.61
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1900,7 +1900,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 3.0.STABLE6, which was
+It was created by Squid Web Proxy $as_me 3.0.STABLE7, which was
generated by GNU Autoconf 2.61. Invocation command line was
$ $0 $@
@@ -2574,7 +2574,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='3.0.STABLE6'
+ VERSION='3.0.STABLE7'
cat >>confdefs.h <<_ACEOF
@@ -22021,6 +22021,12 @@
_ACEOF
IPFW_TRANSPARENT="yes"
+ else
+
+cat >>confdefs.h <<\_ACEOF
+#define IPFW_TRANSPARENT 0
+_ACEOF
+
fi
fi
@@ -22036,6 +22042,12 @@
_ACEOF
IPF_TRANSPARENT="yes"
+ else
+
+cat >>confdefs.h <<\_ACEOF
+#define IPF_TRANSPARENT 0
+_ACEOF
+
fi
fi
@@ -22051,6 +22063,12 @@
_ACEOF
PF_TRANSPARENT="yes"
+ else
+
+cat >>confdefs.h <<\_ACEOF
+#define PF_TRANSPARENT 0
+_ACEOF
+
fi
fi
@@ -22066,6 +22084,12 @@
_ACEOF
LINUX_NETFILTER="yes"
+ else
+
+cat >>confdefs.h <<\_ACEOF
+#define LINUX_NETFILTER 0
+_ACEOF
+
fi
fi
@@ -22166,6 +22190,12 @@
echo "Linux-Netfilter Transparent Proxy automatically enabled"
LINUX_NETFILTER="yes"
fi
+ else
+
+cat >>confdefs.h <<\_ACEOF
+#define LINUX_TPROXY2 0
+_ACEOF
+
fi
fi
@@ -24511,6 +24541,10 @@
#if HAVE_LIMITS_H
#include
#endif
+/* Netfilter ip(6)tables v1.4.0 has broken headers */
+#if HAVE_NETINET_IN_H
+#include
+#endif
#include <$ac_header>
@@ -46007,7 +46041,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 3.0.STABLE6, which was
+This file was extended by Squid Web Proxy $as_me 3.0.STABLE7, which was
generated by GNU Autoconf 2.61. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -46060,7 +46094,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-Squid Web Proxy config.status 3.0.STABLE6
+Squid Web Proxy config.status 3.0.STABLE7
configured by $0, generated by GNU Autoconf 2.61,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/configure.in new/squid-3.0.STABLE7/configure.in
--- old/squid-3.0.STABLE6/configure.in 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/configure.in 2008-06-22 05:35:54.000000000 +0200
@@ -5,7 +5,7 @@
dnl
dnl
dnl
-AC_INIT(Squid Web Proxy, 3.0.STABLE6, http://www.squid-cache.org/bugs/, squid)
+AC_INIT(Squid Web Proxy, 3.0.STABLE7, http://www.squid-cache.org/bugs/, squid)
AC_PREREQ(2.52)
AM_CONFIG_HEADER(include/autoconf.h)
AC_CONFIG_AUX_DIR(cfgaux)
@@ -1091,6 +1091,8 @@
echo "IPFW Transparent Proxy enabled"
AC_DEFINE(IPFW_TRANSPARENT,1,[Enable support for Transparent Proxy on systems using FreeBSD IPFW address redirection.])
IPFW_TRANSPARENT="yes"
+ else
+ AC_DEFINE(IPFW_TRANSPARENT,0,[Enable support for Transparent Proxy on systems using FreeBSD IPFW address redirection.])
fi
])
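Review bot: The new `else` branch changes IPFW_TRANSPARENT from undefined to defined-as-zero when the feature is off, so any remaining `#ifdef IPFW_TRANSPARENT` or `defined(IPFW_TRANSPARENT)` test in the sources would now compile the interception code in. The places that use the macro are not visible in this hunk; each should be confirmed to be a value test, `#if IPFW_TRANSPARENT`. The same applies to the IPF_TRANSPARENT, PF_TRANSPARENT, LINUX_NETFILTER and LINUX_TPROXY2 hunks that follow in this file.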
@@ -1103,6 +1105,8 @@
echo "IP-Filter Transparent Proxy enabled"
AC_DEFINE(IPF_TRANSPARENT,1,[Enable support for Transparent Proxy on systems using IP-Filter address redirection. This provides "masquerading" support for non Linux system.])
IPF_TRANSPARENT="yes"
+ else
+ AC_DEFINE(IPF_TRANSPARENT,0,[Enable support for Transparent Proxy on systems using IP-Filter address redirection. This provides "masquerading" support for non Linux system.])
fi
])
@@ -1115,6 +1119,8 @@
echo "PF Transparent Proxy enabled"
AC_DEFINE(PF_TRANSPARENT,1,[Enable support for Transparent Proxy on systems using PF address redirection. This provides "masquerading" support for OpenBSD.])
PF_TRANSPARENT="yes"
+ else
+ AC_DEFINE(PF_TRANSPARENT,0,[Enable support for Transparent Proxy on systems using PF address redirection. This provides "masquerading" support for OpenBSD.])
fi
])
@@ -1126,6 +1132,8 @@
echo "Linux (Netfilter) Transparent Proxy enabled"
AC_DEFINE(LINUX_NETFILTER,1,[Enable support for Transparent Proxy on Linux (Netfilter) systems])
LINUX_NETFILTER="yes"
+ else
+ AC_DEFINE(LINUX_NETFILTER,0,[Enable support for Transparent Proxy on Linux (Netfilter) systems])
fi
])
@@ -1239,6 +1247,8 @@
echo "Linux-Netfilter Transparent Proxy automatically enabled"
LINUX_NETFILTER="yes"
fi
+ else
+ AC_DEFINE(LINUX_TPROXY2, 0, [Enable real Transparent Proxy support for Netfilter TPROXY v2.])
fi
])
@@ -1929,6 +1939,10 @@
#if HAVE_LIMITS_H
#include
#endif
+/* Netfilter ip(6)tables v1.4.0 has broken headers */
+#if HAVE_NETINET_IN_H
+#include
+#endif
)
dnl *BSD dont include the depenencies for all their net/ and netinet/ files
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/include/autoconf.h.in new/squid-3.0.STABLE7/include/autoconf.h.in
--- old/squid-3.0.STABLE6/include/autoconf.h.in 2008-05-20 17:01:12.000000000 +0200
+++ new/squid-3.0.STABLE7/include/autoconf.h.in 2008-06-22 05:35:50.000000000 +0200
@@ -775,6 +775,9 @@
/* Enable real Transparent Proxy support for Netfilter TPROXY. */
#undef LINUX_TPROXY
+/* Enable real Transparent Proxy support for Netfilter TPROXY v2. */
+#undef LINUX_TPROXY2
+
/* If we need to declare sys_errlist[] as external */
#undef NEED_SYS_ERRLIST
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/include/version.h new/squid-3.0.STABLE7/include/version.h
--- old/squid-3.0.STABLE6/include/version.h 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/include/version.h 2008-06-22 05:35:54.000000000 +0200
@@ -9,5 +9,5 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1211295657
+#define SQUID_RELEASE_TIME 1214105735
#endif
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/lib/rfc1738.c new/squid-3.0.STABLE7/lib/rfc1738.c
--- old/squid-3.0.STABLE6/lib/rfc1738.c 2008-05-20 17:01:12.000000000 +0200
+++ new/squid-3.0.STABLE7/lib/rfc1738.c 2008-06-22 05:35:50.000000000 +0200
@@ -98,7 +98,7 @@
bufsize = strlen(url) * 3 + 1;
buf = xcalloc(bufsize, 1);
}
- for (p = url, q = buf; *p != '\0'; p++, q++) {
+ for (p = url, q = buf; *p != '\0' && q < (buf + bufsize - 1); p++, q++) {
do_escape = 0;
/* RFC 1738 defines these chars as unsafe */
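Review bot: The new bound `q < (buf + bufsize - 1)` reserves room for a single byte, but one pass of this loop may need more if the escape branch (outside this hunk) emits a three-character `%XX` sequence. In that case the guard should reserve the whole escape, e.g. `*p != '\0' && q + 3 < buf + bufsize`, so the last iteration cannot write past the buffer. Stopping early also truncates the escaped URL silently; a comment stating that truncation is intended would help callers that compare or log the result. The function starts and ends outside the hunk, so the escape write and the terminating NUL need checking against the full body.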
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/RELEASENOTES.html new/squid-3.0.STABLE7/RELEASENOTES.html
--- old/squid-3.0.STABLE6/RELEASENOTES.html 2008-05-20 17:02:08.000000000 +0200
+++ new/squid-3.0.STABLE7/RELEASENOTES.html 2008-06-22 05:36:54.000000000 +0200
@@ -1,11 +1,11 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
- <TITLE>Squid 3.0.STABLE6 release notes</TITLE>
+ <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.50">
+ <TITLE>Squid 3.0.STABLE7 release notes</TITLE>
</HEAD>
<BODY>
-<H1>Squid 3.0.STABLE6 release notes</H1>
+<H1>Squid 3.0.STABLE7 release notes</H1>
<H2>Squid Developers</H2>$Id: release-3.0.sgml,v 1.30.2.5 2008/02/28 00:26:31 amosjeffries Exp $
<HR>
@@ -15,7 +15,7 @@
<HR>
<H2><A NAME="s1">1. Notice</A></H2>
-<P>The Squid Team are pleased to announce the release of Squid-3.0.STABLE6.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.0.STABLE7.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.0/">http://www.squid-cache.org/Versions/v3/3.0/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/snmplib/asn1.c new/squid-3.0.STABLE7/snmplib/asn1.c
--- old/squid-3.0.STABLE6/snmplib/asn1.c 2008-05-20 17:01:12.000000000 +0200
+++ new/squid-3.0.STABLE7/snmplib/asn1.c 2008-06-22 05:35:50.000000000 +0200
@@ -324,10 +324,10 @@
return (NULL);
}
integer = *intp;
- mask = (u_int) 0xFF << (8 * (sizeof(int) - 1));
- /* mask is 0xFF000000 on a big-endian machine */
- if ((u_char) ((integer & mask) >> (8 * (sizeof(int) - 1))) & 0x80) {
- /* if MSB is set */
+ mask = (u_int) 0x80 << (8 * (sizeof(int) - 1));
+ /* mask is 0x80000000 on a big-endian machine */
+ if ((integer & mask) != 0) {
+ /* add a null byte if MSB is set, to prevent sign extension */
add_null_byte = 1;
intsize++;
}
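Review bot: The new comment `/* mask is 0x80000000 on a big-endian machine */` ties the value to byte order, but a shift by `8 * (sizeof(int) - 1)` gives the same mask on any host and depends only on the width of `int`. Suggested wording: `/* mask selects the sign bit of the top byte: 0x80000000 when sizeof(int) == 4 */`. The unchanged comment on the 0x1FF mask in the next hunk has the same wording. The type of `integer` is declared outside the hunk; if it is signed, the `integer <<= 8` in the following loop should be looked at as well.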
@@ -336,11 +336,11 @@
* this 2's complement integer.
* There should be no sequence of 9 consecutive 1's or 0's at the
* most significant end of the integer.
+ * The 1's case is taken care of above by adding a null byte.
*/
mask = (u_int) 0x1FF << ((8 * (sizeof(int) - 1)) - 1);
/* mask is 0xFF800000 on a big-endian machine */
- while ((((integer & mask) == 0)
- || ((integer & mask) == mask)) && intsize > 1) {
+ while (((integer & mask) == 0) && intsize > 1) {
intsize--;
integer <<= 8;
}
@@ -484,7 +484,7 @@
return (NULL);
header_len = bufp - data;
- if (header_len + asn_length > *datalength) {
+ if (header_len + asn_length > *datalength || asn_length > (u_int)(2 << 18) ) {
snmp_set_api_error(SNMPERR_ASN_DECODE);
return (NULL);
}
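Review bot: The length cap is written as the bare expression `(u_int)(2 << 18)`, which evaluates to 524288 but reads like a slip for either `1 << 18` or `1 << 19`, and nothing says why that limit was chosen. A named constant with a comment would settle it, e.g. `#define ASN_MAX_OBJECT_LEN (1U << 19) /* proposed name: largest ASN.1 length accepted */`. Testing the cap first, `if (asn_length > ASN_MAX_OBJECT_LEN || header_len + asn_length > *datalength)`, also makes it clear that the sum is only evaluated for lengths that cannot wrap it. The declarations of `asn_length` and `header_len` are outside the hunk.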
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/ACLMaxUserIP.cc new/squid-3.0.STABLE7/src/ACLMaxUserIP.cc
--- old/squid-3.0.STABLE6/src/ACLMaxUserIP.cc 2008-05-20 17:01:13.000000000 +0200
+++ new/squid-3.0.STABLE7/src/ACLMaxUserIP.cc 2008-06-22 05:35:51.000000000 +0200
@@ -163,7 +163,7 @@
ti = match(checklist->auth_user_request, checklist->src_addr);
- checklist->auth_user_request = NULL;
+ AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ACLChecklist via ACLMaxUserIP");
return ti;
}
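Review bot: The unlock added here is only balanced if the checklist took a reference when `auth_user_request` was stored, and that lock site is not in this hunk. If any path stores the pointer without locking, this call would drop a reference the checklist does not own and the request object could be released while still in use elsewhere. A short comment naming the matching lock would make the pairing checkable, e.g. `/* drops the reference taken when the checklist stored auth_user_request */`. The same applies to the identical change in ACLProxyAuth.cc and external_acl.cc.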
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/ACLProxyAuth.cc new/squid-3.0.STABLE7/src/ACLProxyAuth.cc
--- old/squid-3.0.STABLE6/src/ACLProxyAuth.cc 2008-05-20 17:01:13.000000000 +0200
+++ new/squid-3.0.STABLE7/src/ACLProxyAuth.cc 2008-06-22 05:35:51.000000000 +0200
@@ -215,7 +215,7 @@
/* check to see if we have matched the user-acl before */
int result = cacheMatchAcl(&checklist->auth_user_request->user()->
proxy_match_cache, checklist);
- checklist->auth_user_request = NULL;
+ AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ACLChecklist via ACLProxyAuth");
return result;
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/cache_cf.cc new/squid-3.0.STABLE7/src/cache_cf.cc
--- old/squid-3.0.STABLE6/src/cache_cf.cc 2008-05-20 17:01:14.000000000 +0200
+++ new/squid-3.0.STABLE7/src/cache_cf.cc 2008-06-22 05:35:52.000000000 +0200
@@ -2850,8 +2850,6 @@
} else if (strncmp(token, "name=", 5) == 0) {
safe_free(s->name);
s->name = xstrdup(token + 5);
- } else if (strcmp(token, "transparent") == 0) {
- s->transparent = 1;
} else if (strcmp(token, "vhost") == 0) {
s->vhost = 1;
s->accel = 1;
@@ -2876,11 +2874,19 @@
else
self_destruct();
-#if LINUX_TPROXY
+ } else if (strcmp(token, "transparent") == 0) {
+ s->transparent = 1;
+ /* Log information regarding the port modes under interception. */
+ debugs(3, 1, "Starting Authentication on port " << inet_ntoa(s->s.sin_addr) << ":" << s->s.sin_port);
+ debugs(3, 1, "Disabling Authentication on port " << inet_ntoa(s->s.sin_addr) << ":" << s->s.sin_port << " (interception enabled)");
+#if LINUX_TPROXY
} else if (strcmp(token, "tproxy") == 0) {
s->tproxy = 1;
need_linux_tproxy = 1;
+ /* Log information regarding the port modes under transparency. */
+ debugs(3, 1, "Starting IP Spoofing on port " << inet_ntoa(s->s.sin_addr) << ":" << s->s.sin_port);
+ debugs(3, 1, "Disabling Authentication on port " << inet_ntoa(s->s.sin_addr) << ":" << s->s.sin_port << " (IP spoofing enabled)");
#endif
} else {
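Review bot: `s->s.sin_port` is logged without `ntohs()`, so if the field holds network byte order, as `sockaddr_in` normally does, the four new messages print a byte-swapped port on little-endian hosts; use `ntohs(s->s.sin_port)`. In the `transparent` branch the first message says "Starting Authentication" immediately before "Disabling Authentication" for the same port, which looks like a copy-paste slip for an interception message. The messages also state that authentication is disabled, but the visible lines only set `s->transparent` / `s->tproxy` and log; the enforcement is presumably elsewhere and should be confirmed so the log does not claim more than the code does. The option-parsing chain starts and ends outside the hunk.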
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/cf.data.pre new/squid-3.0.STABLE7/src/cf.data.pre
--- old/squid-3.0.STABLE6/src/cf.data.pre 2008-05-20 17:01:14.000000000 +0200
+++ new/squid-3.0.STABLE7/src/cf.data.pre 2008-06-22 05:35:53.000000000 +0200
@@ -106,6 +106,7 @@
proxy as the client then thinks it is talking to an origin server and
not the proxy. This is a limitation of bending the TCP/IP protocol to
transparently intercepting port 80, not a limitation in Squid.
+ Ports flagged 'transparent' or 'tproxy' have authentication disabled.
=== Parameters for the basic scheme follow. ===
@@ -464,6 +465,9 @@
By default, regular expressions are CASE-SENSITIVE. To make
them case-insensitive, use the -i option.
+
+ ***** ACL TYPES AVAILABLE *****
+
acl aclname src ip-address/netmask ... (clients IP address)
acl aclname src addr1-addr2/netmask ... (range of addresses)
acl aclname dst ip-address/netmask ... (URL host's IP address)
@@ -478,7 +482,7 @@
# the same subnet. If the client is on a different subnet, then Squid cannot
# find out its MAC address.
- acl aclname srcdomain .foo.com ... # reverse lookup, client IP
+ acl aclname srcdomain .foo.com ... # reverse lookup, from client IP
acl aclname dstdomain .foo.com ... # Destination server from URL
acl aclname srcdom_regex [-i] xxx ... # regex matching client name
acl aclname dstdom_regex [-i] xxx ... # regex matching server
@@ -486,7 +490,15 @@
# based URL is used and no match is found. The name "none" is used
# if the reverse lookup fails.
- acl aclname http_status 200 301 500- 400-403 ... # status code in reply
+ acl aclname src_as number ...
+ acl aclname dst_as number ...
+ # Except for access control, AS numbers can be used for
+ # routing of requests to specific caches. Here's an
+ # example for routing all requests for AS#1241 and only
+ # those to mycache.mydomain.net:
+ # acl asexample dst_as 1241
+ # cache_peer_access mycache.mydomain.net allow asexample
+ # cache_peer_access mycache_mydomain.net deny all
acl aclname time [day-abbrevs] [h1:m1-h2:m2]
day-abbrevs:
@@ -498,32 +510,32 @@
F - Friday
A - Saturday
h1:m1 must be less than h2:m2
+
acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
+
acl aclname port 80 70 21 ...
acl aclname port 0-1024 ... # ranges allowed
acl aclname myport 3128 ... # (local socket TCP port)
acl aclname myportname 3128 ... # http(s)_port name
+
acl aclname proto HTTP FTP ...
+
acl aclname method GET POST ...
+
+ acl aclname http_status 200 301 500- 400-403 ... # status code in reply
+
acl aclname browser [-i] regexp ...
# pattern match on User-Agent header (see also req_header below)
+
acl aclname referer_regex [-i] regexp ...
# pattern match on Referer header
# Referer is highly unreliable, so use with care
+
acl aclname ident username ...
acl aclname ident_regex [-i] pattern ...
# string match on ident output.
# use REQUIRED to accept any non-null ident.
- acl aclname src_as number ...
- acl aclname dst_as number ...
- # Except for access control, AS numbers can be used for
- # routing of requests to specific caches. Here's an
- # example for routing all requests for AS#1241 and only
- # those to mycache.mydomain.net:
- # acl asexample dst_as 1241
- # cache_peer_access mycache.mydomain.net allow asexample
- # cache_peer_access mycache_mydomain.net deny all
acl aclname proxy_auth [-i] username ...
acl aclname proxy_auth_regex [-i] pattern ...
@@ -538,8 +550,8 @@
# to check username/password combinations (see
# auth_param directive).
#
- # NOTE: proxy_auth can't be used in a transparent proxy as
- # the browser needs to be configured for using a proxy in order
+ # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
+ # as the browser needs to be configured for using a proxy in order
# to respond to proxy authentication.
acl aclname snmp_community string ...
@@ -565,7 +577,7 @@
# clients may appear to come from multiple addresses if they are
# going through proxy farms, so a limit of 1 may cause user problems.
- acl aclname req_mime_type mime-type1 ...
+ acl aclname req_mime_type [-i] mime-type1 ...
# regex match against the mime type of the request generated
# by the client. Can be used to detect file upload or some
# types HTTP tunneling requests.
@@ -577,7 +589,7 @@
# thought of as a superset of "browser", "referer" and "mime-type"
# ACLs.
- acl aclname rep_mime_type mime-type1 ...
+ acl aclname rep_mime_type [-i] mime-type1 ...
# regex match against the mime type of the reply received by
# squid. Can be used to detect file download or some
# types HTTP tunneling requests.
@@ -895,9 +907,11 @@
transparent Support for transparent interception of
outgoing requests without browser settings.
+ NP: disables authentication on the port.
tproxy Support Linux TPROXY for spoofing outgoing
connections using the client IP address.
+ NP: disables authentication on the port.
accel Accelerator mode. Also needs at least one of
vhost / vport / defaultsite.
@@ -1996,8 +2010,10 @@
a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh
DOC_END
@@ -2517,9 +2533,10 @@
refresh-ims
override-expire enforces min age even if the server
- sent a Expires: header. Doing this VIOLATES the HTTP
- standard. Enabling this feature could make you liable
- for problems which it causes.
+ sent an explicit expiry time (e.g., with the
+ Expires: header or Cache-Control: max-age). Doing this
+ VIOLATES the HTTP standard. Enabling this feature
+ could make you liable for problems which it causes.
override-lastmod enforces min age even on objects
that were modified recently.
@@ -2655,6 +2672,10 @@
negatively-cached for a configurable amount of time. The
default is 5 minutes. Note that this is different from
negative caching of DNS lookups.
+
+ WARNING: Doing this VIOLATES the HTTP standard. Enabling
+ this feature could make you liable for problems which it
+ causes.
DOC_END
NAME: positive_dns_ttl
@@ -2710,7 +2731,7 @@
DOC_START
The minimum caching time according to (Expires - Date)
Headers Squid honors if the object can't be revalidated
- defaults to 60 seconds. In reverse proxy enorinments it
+ defaults to 60 seconds. In reverse proxy environments it
might be desirable to honor shorter object lifetimes. It
is most likely better to make your server return a
meaningful Last-Modified header however. In ESI environments
@@ -3776,7 +3797,7 @@
The relevant WCCPv2 flags:
+ src_ip_hash, dst_ip_hash
- + source_port_hash, dest_port_hash
+ + source_port_hash, dst_port_hash
+ src_ip_alt_hash, dst_ip_alt_hash
+ src_port_alt_hash, dst_port_alt_hash
+ ports_source
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/ESI.cc new/squid-3.0.STABLE7/src/ESI.cc
--- old/squid-3.0.STABLE6/src/ESI.cc 2008-05-20 17:01:13.000000000 +0200
+++ new/squid-3.0.STABLE7/src/ESI.cc 2008-06-22 05:35:51.000000000 +0200
@@ -1435,12 +1435,9 @@
void
ESIContext::freeResources ()
{
- debugs(86, 5, "ESIContext::freeResources: Freeing for this=" << this);
+ debugs(86, 5, HERE << "Freeing for this=" << this);
- if (rep) {
- delete rep;
- rep = NULL;
- }
+ HTTPMSGUNLOCK(rep);
finishChildren ();
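Review bot: Replacing the guarded `delete rep; rep = NULL;` with `HTTPMSGUNLOCK(rep)` relies on two things this hunk does not show: that every assignment to `rep` takes a matching lock, and that the macro tolerates a null pointer and clears `rep` afterwards. If either does not hold, freeResources() can under-count the reply or leave a dangling member behind. A one-line comment such as `/* rep is locked where it is assigned; unlock also clears the pointer */` would record the contract next to the call. The rest of freeResources() is outside the hunk.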
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/ESIInclude.cc new/squid-3.0.STABLE7/src/ESIInclude.cc
--- old/squid-3.0.STABLE6/src/ESIInclude.cc 2008-05-20 17:01:13.000000000 +0200
+++ new/squid-3.0.STABLE7/src/ESIInclude.cc 2008-06-22 05:35:52.000000000 +0200
@@ -67,14 +67,22 @@
clientStreamDetach (node, http);
}
-/*
- * Write a chunk of data to a client 'socket'.
- * If the reply is present, send the reply headers down the wire too,
- * and clean them up when finished.
- * Pre-condition:
+/**
+ * Write a chunk of data to a client 'socket'.
+ * If the reply is present, send the reply headers down the wire too.
+ *
+ * Pre-condition:
* The request is an internal ESI subrequest.
* data context is not NULL
* There are no more entries in the stream chain.
+ * The caller is responsible for creation and deletion of the Reply headers.
+ *
+ \note
+ * Bug 975, bug 1566 : delete rep; 2006/09/02: TS, #975
+ *
+ * This was causing double-deletes. Its possible that not deleting
+ * it here will cause memory leaks, but if so, this delete should
+ * not be reinstated or it will trigger bug #975 again - RBC 20060903
*/
void
esiBufferRecipient (clientStreamNode *node, ClientHttpRequest *http, HttpReply *rep, StoreIOBuffer receivedData)
@@ -97,7 +105,7 @@
assert (receivedData.length <= sizeof(esiStream->localbuffer->buf));
assert (!esiStream->finished);
- debugs (86,5, "esiBufferRecipient rep " << rep << " body " << receivedData.data << " len " << receivedData.length);
+ debugs (86,5, HERE << "rep " << rep << " body " << receivedData.data << " len " << receivedData.length);
assert (node->readBuffer.offset == receivedData.offset || receivedData.length == 0);
/* trivial case */
@@ -119,15 +127,6 @@
headersLog(0, 0, http->request->method, rep);
#endif
-
- /* delete rep; 2006/09/02: TS, #975
- *
- * This was causing double-deletes. Its possible that not deleting
- * it here will cause memory leaks, but if so, this delete should
- * not be reinstated or it will trigger bug #975 again - RBC
- * 20060903
- */
-
rep = NULL;
}
}
@@ -154,7 +153,7 @@
/* EOF / Read error / aborted entry */
if (rep == NULL && receivedData.data == NULL && receivedData.length == 0) {
/* TODO: get stream status to test the entry for aborts */
- debugs(86, 5, "Finished reading upstream data in subrequest");
+ debugs(86, 5, HERE << "Finished reading upstream data in subrequest");
esiStream->include->subRequestDone (esiStream, true);
esiStream->finished = 1;
httpRequestFree (http);
@@ -209,9 +208,8 @@
tempBuffer.length = sizeof (esiStream->buffer->buf);
tempBuffer.data = esiStream->buffer->buf;
/* now just read into 'buffer' */
- clientStreamRead (node,
- http, tempBuffer);
- debugs(86, 5, "esiBufferRecipient: Requested more data for ESI subrequest");
+ clientStreamRead (node, http, tempBuffer);
+ debugs(86, 5, HERE << "Requested more data for ESI subrequest");
}
break;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/external_acl.cc new/squid-3.0.STABLE7/src/external_acl.cc
--- old/squid-3.0.STABLE6/src/external_acl.cc 2008-05-20 17:01:15.000000000 +0200
+++ new/squid-3.0.STABLE7/src/external_acl.cc 2008-06-22 05:35:53.000000000 +0200
@@ -654,7 +654,7 @@
key = makeExternalAclKey(ch, acl);
if (acl->def->require_auth)
- ch->auth_user_request = NULL;
+ AUTHUSERREQUESTUNLOCK(ch->auth_user_request, "ACLChecklist via aclMatchExternal");
if (!key) {
/* Not sufficient data to process */
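Review bot: `AUTHUSERREQUESTUNLOCK(...)` is now the body of an unbraced `if (acl->def->require_auth)`, which is only safe if the macro expands to a single statement. Its definition is not visible here; if it expands to several statements, or to its own `if`, the unlock or the pointer reset could run regardless of `require_auth`, or a later `else` could bind to the wrong condition. Bracing the call removes the dependency: `if (acl->def->require_auth) { AUTHUSERREQUESTUNLOCK(ch->auth_user_request, "ACLChecklist via aclMatchExternal"); }`.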
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/neighbors.cc new/squid-3.0.STABLE7/src/neighbors.cc
--- old/squid-3.0.STABLE6/src/neighbors.cc 2008-05-20 17:01:15.000000000 +0200
+++ new/squid-3.0.STABLE7/src/neighbors.cc 2008-06-22 05:35:53.000000000 +0200
@@ -315,11 +315,16 @@
if (!peerHTTPOkay(p, request))
continue;
- if (p->weight == 1) {
- if (q && q->rr_count < p->rr_count)
- continue;
- } else if (p->weight == 0 || (q && q->rr_count < (p->rr_count / p->weight))) {
+ if (p->weight == 0)
continue;
+
+ if (q) {
+ if (p->weight == q->weight) {
+ if (q->rr_count < p->rr_count)
+ continue;
+ } else if ( (double) q->rr_count / q->weight < (double) p->rr_count / p->weight) {
+ continue;
+ }
}
q = p;
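Review bot: The new comparison divides by `q->weight` without a visible check, and it is safe only because `q` is always a peer that already passed the `p->weight == 0` test on an earlier pass of the loop. That invariant deserves a comment at the division, e.g. `/* q was accepted earlier, so q->weight != 0 */`, so a later change to the zero-weight handling does not introduce a divide by zero. The equal-weight branch is a shortcut for the same ordering the ratio test gives; a note saying it exists to avoid the floating-point path would explain why both are kept. The loop header is outside the hunk.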
@@ -328,7 +333,7 @@
if (q)
q->rr_count++;
- debugs(15, 3, "getRoundRobinParent: returning " << (q ? q->host : "NULL"));
+ debugs(15, 3, HERE << "returning " << (q ? q->host : "NULL"));
return q;
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/snmp_core.cc new/squid-3.0.STABLE7/src/snmp_core.cc
--- old/squid-3.0.STABLE6/src/snmp_core.cc 2008-05-20 17:01:15.000000000 +0200
+++ new/squid-3.0.STABLE7/src/snmp_core.cc 2008-06-22 05:35:54.000000000 +0200
@@ -414,9 +414,7 @@
len = sizeof(struct sockaddr_in);
memset(&xaddr, '\0', len);
- x = getsockname(theOutSnmpConnection,
-
- (struct sockaddr *) &xaddr, &len);
+ x = getsockname(theOutSnmpConnection, (struct sockaddr *) &xaddr, &len);
if (x < 0)
debugs(51, 1, "theOutSnmpConnection FD " << theOutSnmpConnection << ": getsockname: " << xstrerror());
@@ -441,7 +439,8 @@
* and 'out' sockets might be just one FD. This prevents this
* function from executing repeatedly. When we are really ready to
* exit or restart, main will comm_close the 'out' descriptor.
- */ theInSnmpConnection = -1;
+ */
+ theInSnmpConnection = -1;
/*
* Normally we only write to the outgoing SNMP socket, but we
@@ -462,6 +461,8 @@
if (theOutSnmpConnection > -1) {
debugs(49, 1, "FD " << theOutSnmpConnection << " Closing SNMP socket");
comm_close(theOutSnmpConnection);
+ /* make sure the SNMP out connection is unset */
+ theOutSnmpConnection = -1;
}
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/String.cci new/squid-3.0.STABLE7/src/String.cci
--- old/squid-3.0.STABLE6/src/String.cci 2008-05-20 17:01:14.000000000 +0200
+++ new/squid-3.0.STABLE7/src/String.cci 2008-06-22 05:35:52.000000000 +0200
@@ -34,6 +34,7 @@
*/
#include "assert.h"
+#include <cstring>
String::String() : size_(0), len_(0), buf_ (NULL)
{
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/src/tools.cc new/squid-3.0.STABLE7/src/tools.cc
--- old/squid-3.0.STABLE6/src/tools.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/src/tools.cc 2008-06-22 05:35:54.000000000 +0200
@@ -462,6 +462,9 @@
void
fatal(const char *message)
{
+ /* suppress secondary errors from the dying */
+ shutting_down = 1;
+
releaseServerSockets();
/* check for store_dirs_rebuilding because fatal() is often
* used in early initialization phases, long before we ever
@@ -1354,18 +1357,21 @@
restoreCapabilities(int keep)
{
#if defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H
- cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(cap_user_header_t));
- cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(cap_user_data_t));
+#ifndef _LINUX_CAPABILITY_VERSION_1
+#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
+#endif
+ cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
+ cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
- head->version = _LINUX_CAPABILITY_VERSION;
+ head->version = _LINUX_CAPABILITY_VERSION_1;
if (capget(head, cap) != 0) {
debugs(50, 1, "Can't get current capabilities");
goto nocap;
}
- if (head->version != _LINUX_CAPABILITY_VERSION) {
- debugs(50, 1, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION << ")");
+ if (head->version != _LINUX_CAPABILITY_VERSION_1) {
+ debugs(50, 1, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
goto nocap;
}
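Review bot: The compatibility `#ifndef _LINUX_CAPABILITY_VERSION_1` / `#define` pair is placed inside the body of restoreCapabilities(), so it silently affects everything after it in the translation unit and is easy to miss when the capability headers change again. It would be clearer next to the `sys/capability.h` include with a comment such as `/* older kernel headers only provide _LINUX_CAPABILITY_VERSION */`. The `sizeof(*head)` / `sizeof(*cap)` allocations are correct as written; whether both buffers are released on the `nocap` path cannot be seen from this hunk, since the function continues past it.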
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/debug.cc new/squid-3.0.STABLE7/test-suite/debug.cc
--- old/squid-3.0.STABLE6/test-suite/debug.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/debug.cc 2008-06-22 05:35:54.000000000 +0200
@@ -71,7 +71,7 @@
}
int
-main (int argc, char *argv)
+main(int argc, char **argv)
{
Debug::Levels[1] = 8;
debugs (1,1,"test" << "string");
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/mem_hdr_test.cc new/squid-3.0.STABLE7/test-suite/mem_hdr_test.cc
--- old/squid-3.0.STABLE6/test-suite/mem_hdr_test.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/mem_hdr_test.cc 2008-06-22 05:35:54.000000000 +0200
@@ -116,7 +116,7 @@
}
int
-main (int argc, char *argv)
+main(int argc, char **argv)
{
assert (mem_node::InUseCount() == 0);
testLowAndHigh();
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/mem_node_test.cc new/squid-3.0.STABLE7/test-suite/mem_node_test.cc
--- old/squid-3.0.STABLE6/test-suite/mem_node_test.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/mem_node_test.cc 2008-06-22 05:35:54.000000000 +0200
@@ -46,7 +46,7 @@
}
int
-main (int argc, char *argv)
+main(int argc, char **argv)
{
mem_node *aNode = new mem_node(0);
assert (aNode);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/MemPoolTest.cc new/squid-3.0.STABLE7/test-suite/MemPoolTest.cc
--- old/squid-3.0.STABLE6/test-suite/MemPoolTest.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/MemPoolTest.cc 2008-06-22 05:35:54.000000000 +0200
@@ -75,7 +75,7 @@
}
int
-main (int argc, char *argv)
+main (int argc, char **argv)
{
MemPoolTest aTest;
aTest.run();
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/StackTest.cc new/squid-3.0.STABLE7/test-suite/StackTest.cc
--- old/squid-3.0.STABLE6/test-suite/StackTest.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/StackTest.cc 2008-06-22 05:35:54.000000000 +0200
@@ -38,7 +38,7 @@
#include "Stack.h"
int
-main (int argc, char *argv)
+main(int argc, char **argv)
{
Stack<int> aStack;
assert (aStack.size() == 0);
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/syntheticoperators.cc new/squid-3.0.STABLE7/test-suite/syntheticoperators.cc
--- old/squid-3.0.STABLE6/test-suite/syntheticoperators.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/syntheticoperators.cc 2008-06-22 05:35:54.000000000 +0200
@@ -171,7 +171,7 @@
}
int
-main (int argc, char *argv)
+main(int argc, char **argv)
{
CheckHasExplicitWorks();
CheckSyntheticWorks();
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/squid-3.0.STABLE6/test-suite/VirtualDeleteOperator.cc new/squid-3.0.STABLE7/test-suite/VirtualDeleteOperator.cc
--- old/squid-3.0.STABLE6/test-suite/VirtualDeleteOperator.cc 2008-05-20 17:01:16.000000000 +0200
+++ new/squid-3.0.STABLE7/test-suite/VirtualDeleteOperator.cc 2008-06-22 05:35:54.000000000 +0200
@@ -114,7 +114,7 @@
ChildVirtual::~ChildVirtual(){}
int
-main (int argc, char *argv)
+main(int argc, char **argv)
{
assert (BaseVirtual::Calls.news() == 0);
assert (BaseVirtual::Calls.deletes() == 0);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++