The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.3 release!

This release is a bug fix release resolving several issues found in
the prior Squid releases.

The major changes to be aware of:

* Regression Bug #4206: connection close on Expect:100-continue

It was found that large POST and PUT requests using Expect:100-continue
to a Squid-3.5.1 or 3.5.2 would reset the TCP connection instead of
allowing the upload to proceed. The working Squid-3.4 behaviour has now
been restored.

* Regression Bug #4213: negotiate_kerberos_auth segmentation faults

After Squid-3.5.2 updates to the Kerberos support it was found that this
helper was frequently, but not always, encountering a segmentation
fault. That is now fully resolved.

This release also fixes support for the latest Heimdal libraries, and
some unused Kerberos-related code is no longer built.

* Bug #2907: high CPU usage on CONNECT when using Delay Pools

When Delay Pools was enabled, the Squid tunnel code that handles CONNECT
could quickly empty the available pool bandwidth. It would then not wait
for the pool to be replenished, but repeatedly attempt to keep sending.
While this is not quite an "infinite loop" problem it is very similar in
effect, with CPU consumption reaching 100% and service through the proxy
slowing down dramatically.

While this is a very old bug, it is starting to make itself felt more as
the quantity of HTTPS CONNECT requests increases.

* Bug #3805: support shared memory on MacOS X

This bug completely prevented using SMP support on MacOS X. As of this
release it should now be possible to use workers, shared memory cache
and rock storage on MacOS X.

* Bug #4204: ./configure abort when required helpers cannot be built

Previously the Squid ./configure script would treat a user-supplied list
of helpers as an optional list to attempt building, ignoring helpers
that were available but not listed. Being an optional list it would also
only warn if some of the list entries could not be built.

It is now treated as a list of required helpers - with a hard failure if
any cannot be built. This prevents automated build systems going through
a long build process only to find missing binaries at the install phase.

* basic_nis_auth and basic_getpwnam_auth updated

Other software has recently been awarded CVE allocation for bad handling
of crypt() system call failures resulting in Denial of Service. These
two Squid helpers were performing very similar operations and might
encounter the same failures. Fortunately these Squid helpers are fairly
isolated and Basic auth in Squid contains mechanisms that make it very
difficult to affect more than one client.

This is a proactive security update to prevent any future issues that
could appear as a result.
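
The failure mode described above, as an added example that is not taken
from the Squid helpers: crypt() returns NULL on failure, and passing that
result straight to strcmp() crashes the process. The names check_password,
hash_fn, stub_fail and stub_ok are hypothetical; the stubs stand in for
crypt() so the example runs without libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), so the real function can be passed in. */
typedef char *(*hash_fn)(const char *key, const char *salt);

/* Unchecked pattern: strcmp() dereferences NULL when the hash call fails.
 *     return strcmp(stored, hash(password, stored)) == 0;
 */

/* Checked pattern: a failed hash is an authentication failure, not a crash.
 * Returns 1 on match, 0 on mismatch, -1 on unusable input or hash failure. */
int check_password(hash_fn hash, const char *password, const char *stored)
{
    if (hash == NULL || password == NULL || stored == NULL || *stored == '\0')
        return -1;
    const char *computed = hash(password, stored);
    if (computed == NULL)       /* e.g. unsupported or malformed salt */
        return -1;
    return strcmp(computed, stored) == 0 ? 1 : 0;
}

/* Constructed stand-ins for crypt(3), for demonstration only. */
static char *stub_fail(const char *key, const char *salt)
{
    (void)key; (void)salt;
    return NULL;                /* models crypt() rejecting the salt */
}

static char *stub_ok(const char *key, const char *salt)
{
    static char out[64];
    snprintf(out, sizeof out, "%.2s:%s", salt, key);  /* NOT a real hash */
    return out;
}

int main(void)
{
    printf("match=%d mismatch=%d failure=%d\n",
           check_password(stub_ok, "secret", "ab:secret"),
           check_password(stub_ok, "wrong", "ab:secret"),
           check_password(stub_fail, "secret", "ab:secret"));
    return 0;
}
```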

 All users of Squid-3.5 with SMP features are urged to upgrade to this
release as soon as possible.

 All users of Delay Pools are urged to upgrade to this release as soon
as possible.

 All users of basic_nis_auth or basic_getpwnam_auth are urged to upgrade
to this release as soon as possible.

 All users of Squid are urged to upgrade to this release as soon as

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries
