The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.11 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* HTTP/1.1: unfold mime header block

HTTP/1.0 allowed header lines to be folded across lines with leading
whitespace, which can lead to problems such as CVE-2016-4553, fixed in
the previous release. RFC 7230 for HTTP/1.1 now prohibits the practice
and requires proxies to remove the folding. This release of Squid does
so and thus hardens all HTTP traffic flowing through it against such
attacks.

The squidclient tool's -H option has also been extended to accept more
shell-escape characters, which are useful in testing for those types of

* HTTP/1.1 chunked encoding improvements

 - Bug #4492: chunked parser needs to accept BWS after chunk size

This fixes interoperability issues with IBM servers, which have been
identified as sending whitespace padding after the chunk size in the
chunked encoding when they should not.

 - Allow chunking the last HTTP response on a connection.

Previous Squid releases did not use chunked encoding when prior knowledge
indicated that the connection was to be closed immediately after the
message payload. This made some sense in reducing workload and delays,
but it also made it difficult to tell a connection-related error apart
from the normal end of those objects.

Squid will now always use chunked encoding for messages whose payload
length is unknown. This should reduce the number of unexpectedly hung
connections or truncated objects.
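As an added illustration (not Squid's own code), here are the two HTTP/1.1 parsing rules this announcement describes, in Python: replacing each obs-fold with a single SP so a folded continuation line can never be read as a separate header field, and accepting BWS padding after a hexadecimal chunk size (the Bug #4492 case) while still rejecting anything else on that line. The function names are my own.

```python
import re
from typing import List, Tuple

# RFC 7230 section 3.2.4: obs-fold = CRLF 1*( SP / HTAB ). A recipient that does
# not reject the message must replace each obs-fold with one or more SP octets.
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")

# RFC 7230 section 4.1: chunk-size [ chunk-ext ] CRLF. The optional [ \t]* after
# the size is the whitespace padding that Bug #4492 is about; nothing else is
# tolerated (no leading whitespace, no sign, no "0x" prefix).
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)[ \t]*(?:;.*)?\r\n$")


def unfold_header_block(raw: bytes) -> bytes:
    """Return the header block with every obs-fold replaced by a single SP.

    'raw' is the message head up to, but not including, the empty line.
    The fold is removed before any field splitting happens, so a continuation
    line that merely looks like "Content-Length: 5" stays part of the value
    of the field it was folded onto."""
    return OBS_FOLD.sub(b" ", raw)


def header_fields(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Unfold, then split the block into (lower-cased name, value) pairs."""
    fields = []
    for line in unfold_header_block(raw).split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        # RFC 7230 forbids whitespace between the field name and the colon.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.lower(), value.strip(b" \t")))
    return fields


def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line, tolerating BWS after the hex size."""
    m = CHUNK_SIZE_LINE.match(line)
    if m is None:
        raise ValueError("malformed chunk-size line: %r" % line)
    return int(m.group(1), 16)
```

Sample input (constructed): a folded continuation line that spells out a second header collapses into the first field's value after unfolding, and "1A  " followed by CRLF parses as chunk size 26.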

* TLS improvements

This release adds significant performance improvements to the SSL-Bump
feature's 'peek' action, which locates client handshake details such as
the SNI.

Initial experimental GnuTLS support for some functionality within the
squid binary has been turned on. The squid.conf settings that were
renamed in Squid-4 to begin with 'tls' rather than 'ssl' now support
GnuTLS as well as OpenSSL.
However, be aware that only a very limited set of background actions
actually use GnuTLS. The most visible effect is squid.conf support.
Features such as https_port listeners, ssl-bump and outgoing TLS
connections still require OpenSSL.

* ie_refresh directive is removed

This directive was a workaround hack for MSIE 3, 4 and 5 behaviour.
Since those browser versions no longer appear to be in any significant
use, this hack has been removed to simplify HTTP message

* Deprecating SMB LanMan helpers

The SMB LanMan helpers have now been removed from the set which are
auto-detected and built by default. For the present their code is
retained and can be built by explicitly listing "SMB_LM" in the Basic or
NTLM authentication helpers list.

The LanMan authentication protocols were deprecated sometime around
1996. Any installations still using either of these helpers are
strongly encouraged to upgrade to another authentication system.

* Memory allocation bugs

Several more issues in the deep memory allocation layer of Squid have
been resolved. Most of these probably show up as errors when freeing
memory. We expect this to greatly stabilize Squid-4 in many environments
which have had memory-related troubles with the Squid-3 series.

All users of Squid-4.0.x are encouraged to upgrade to this release.

All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list
