Red Hat Bugzilla – Bug 116476
RFE: upgrade to version 2.5.STABLE5
Last modified: 2014-08-31 19:25:53 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Description of problem:
Please upgrade to 2.5.STABLE4.
Key changes squid-2.5.STABLE3 to 2.5.STABLE4:
* several memory leaks corrected
* segmentation fault if more than one deny_info corrected
* Lithuanian error messages added
* a crash related to ftpTimeout: timeout in SENT_PASV state corrected
* http_reply_access deny now logs the request with TCP_DENIED to
allow them to be accounted for properly in statistics
* minimum_retry_timeout configuration directive removed. If you
have this directive in your existing squid.conf you will need to
remove the line.
* Improvements to the (experimental) COSS storage scheme.
* Updates to allow Squid to be compiled with GCC-3.3
* POST now works well with NTLM and Digest authentication
* http_header_access now works in combination with cache_peer
* Most Squid generated errors are now logged as TCP_DENIED/XXX
rather than TCP_MISS/XXX or NONE/XXX. This to work around issues
relating to access controls.
* external_acl_type concurrency= option renamed to children= to
prepare for Squid-3 upgrade. The old syntax is still accepted but you
may want to upgrade your configuration now to save you from the
trouble when upgrading to Squid-3 later.
* a large number of minor bugfixes. See the list of
squid-2.5.STABLE3 patches and the ChangeLog file for details.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Date: Mon, 1 Mar 2004 12:37:00 +0100 (CET)
From: Henrik Nordstrom <firstname.lastname@example.org>
Subject: Squid-2.5.STABLE5 released [minor security / major bugfix
The Squid HTTP Proxy team is pleased to announce the availability of
the Squid-2.5.STABLE5 bugfix release.
This new release can be downloaded from our HTTP or FTP servers
or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see
Squid-2.5.STABLE5 is a major bugfix release of Squid-2.5 and corrects
one minor security issue in url_regex access controls and several
major non-security related bugs found in the earlier Squid-2.5
releases. Users are recommended to upgrade to this new release,
especially if using any of the features mentioned below.
The most important bug-fixes in this release are:
[security] %00 in could be used in to bypass url_regex and
urlpath_regex access controls in certain configurations. Other acl
directives not affected. More information on this issue can be found
in the SQUID-2004:1 security advisory distributed separately
[major] Several NTLM related bugfixes and improvements fixing the
problem of random auth popups and account lockouts. Optional support
for the NEGOTIATE NTLM packet is also added to allow Samba-3.0.2 or
later to negotiate the use of NTLMv2 or NTLM2.
[major] Several authentication related bugfixes to allow
authentication to work in additional acl driven directives outside of
http_access, and a number of corrections to assertion or segmentation
faults and some memory leaks.
In addition there is a small number of new features or improvements
which enhances the functionality of Squid
[medium] redirector interface modified to work with login names
containing spaces or other odd characters. This is accomplished by
URL-encoding the login name before sent to redirectors. Note: Existing
redirectors or their configuration may need to be slightly modified in
how they process the ident column to support the new username format
(only applies to redirectors looking into the username)
[medium] various timeouts adjusted: connect_timeout 1 minute (was 2
minutes which is now forward_timeout), negative_dns_ttl 1 minute (was
5 minutes) and is now also used as minimum positive dns ttl,
dns_timeout 2 minutes (was 5 minutes)
[minor] "short_icon_urls on" can be used to simplify the URLs used for
icons etc to avoid issues with proxy host naming and authentication
when requesting icons.
[minor] A new "urllogin" ACL type has been introduced allowing regex
matches to the "login" component of Internet style URLs
[minor] Squid now respects the Telnet protocol on connections to FTP
servers. The ftp_telnet_protocol directice can be used to revert back
to the old incorrect implementation if required.
[minor] The default mime.conf has been updated with many new mime
types and a few minor corrections. In addition the download and view
links is used more frequently to allow view/download of different
ftp:// contents regardless of their mime type assignment.
in addition there is a large amount of minor and cosmetic bugfixes not
included in the above list. For a complete list of changes see the
ChangeLog and the Squid-2.5 Patches page
It is recommended to read the release notes when upgrading from an
earlier Squid release (including Squid-2.5.STABLE4) as there has been
some minorchanges in the configuration.
Thanks goes to MARA Systems AB who has been actively sponsoring this
bugfix release of Squid as part of their continuing effort to provide
both free and commercial support to the Squid community, and to all
users who have provided valuable bug reports and feedback via the
The Squid HTTP Proxy developer team
Fixed for rawhide, what about Red Hat Linux 9?
Erratum RHSA-2004:134 in progress.