The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.21 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* Bug #4534: assertion failure in xcalloc when using many cache_dir

Squid is documented as supporting up to 64 cache directories, but would
crash with a memory allocation error if more than a few were actually

* Bug #4542: authentication credentials IP TTL updated incorrectly

This bug caused error in max_user_ip ACL accounting to allow clients to
shift IP address more times than configured. This bug fix may have an
effect on IPv6 clients using "proviacy adressing" to rotate IPs.

* Bug #4428: mal-formed Cache-Control:stale-if-error header

This bug shows up as incorrect stale-if-error values being relayed by
Squid breaking the use of this feature in the recipients. Squid now
relays the header values correctly.

* Bug #3025: Proxy-Authenticate problem using ICAP server

With this change Squid now treats the ICAP REQMOD adaptation point as a
part of itself with regards to proxy authentication. The
Proxy-Authentication header received from the client is delivered as
part of the HTTP request headers in expectation that the ICAP service
may authenticate and/or produce 407 response itself.

Note that use of stateful or connection-oriented authentication schemes
is not possible. HTTP is designed to operate in a stateless way and any
deviation from that design requires Squid to perform special message

* HTTP: MUST always revalidate Cache-Control:no-cache responses.

This bug shows up as Squid not revalidating some responses until they
became stale according to refresh_pattern heuristic rules (specifically
the minimum caching age). Squid now revalidates these objects on every

* HTTP: do not allow Proxy-Connection to override Connection header

The Proxy-Connection: header is a long-deprecated experimental header.
For the past decade Squid has been actively stripping it out of relayed
traffic. This release continues the removal process by also preventing
it from having any effect on Squid client connection persistence when a
Connection: header is present.

* SSL CN wildcard must only match a single domain component [fragment].

This bug shows up as incorrect matching (or non-matching) of the
ss::server_name ACL against TLS certificate values. Squid now treats the
certificate CN fields according to X.509 domain matching requirements
instead of HTTP domain matching requirements.

 All users of Squid-3 are encouraged to upgrade to this release as
soon as possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries

squid-announce mailing list

Reply via email to