The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.21 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* Regression Bug 4492: Chunk extension parser is too pedantic

With this fix Squid is back to ignoring some unusual message whitespace padding that senders should not have been doing, but which is generally harmless to the protocol. It is a regression specific to the Squid-4 release series, not affecting any other installations.
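An added illustration of the strict-versus-tolerant behaviour behind Bug 4492; it is not Squid's code. The announcement does not say which padding is accepted, so this sketch assumes spaces or tabs after the chunk-size and around ";" and "=" in chunk extensions (grammar from RFC 7230 section 4.1.1), and parse_chunk_header is a hypothetical name.

```python
import re

# token and quoted-string per RFC 7230 section 3.2.6
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
BWS = r"[ \t]*"  # "bad whitespace": padding senders should not emit


def parse_chunk_header(line: bytes, tolerant: bool):
    """Parse one chunk header line: chunk-size [chunk-ext] CRLF.

    Returns (size, [(ext_name, ext_value_or_None), ...]).
    Raises ValueError on anything the chosen mode does not accept.
    Assumption: tolerant mode skips SP/HTAB after the size and around ';' / '='.
    """
    if not line.endswith(b"\r\n"):
        raise ValueError("chunk header must end in CRLF")
    text = line[:-2].decode("ascii")  # non-ASCII raises a ValueError subclass
    ws = BWS if tolerant else ""

    m = re.match(r"[0-9A-Fa-f]{1,16}", text)
    if not m:
        raise ValueError("missing chunk-size")
    size, pos, exts = int(m.group(), 16), m.end(), []

    # chunk-ext = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
    ext_re = re.compile(rf"{ws};{ws}({TOKEN})(?:{ws}={ws}({TOKEN}|{QUOTED}))?")
    while (m := ext_re.match(text, pos)):
        exts.append((m.group(1), m.group(2)))
        pos = m.end()

    rest = text[pos:]
    leftover = rest.strip(" \t") if tolerant else rest
    if leftover:
        raise ValueError(f"unparsable chunk header tail: {rest!r}")
    return size, exts


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    for sample in (b"1a;foo=bar;baz\r\n", b"1000 \r\n", b'a ; name = "v"\r\n'):
        for mode in (False, True):
            try:
                print(sample, "tolerant" if mode else "strict",
                      parse_chunk_header(sample, mode))
            except ValueError as err:
                print(sample, "tolerant" if mode else "strict", "REJECTED:", err)
```

Whichever mode a proxy uses, every hop that frames the same message needs to reach the same size and boundary for it.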

* Bug 1961 partial: Redesign urlParse API

The core changes for the redesign work are largely finished now. As a result this release should have much lower memory use on url_rewrite API lookups which choose not to rewrite the URL.

* Collapse security_file_certgen requests

This helper API now collapses identical parallel lookups into a single helper message to reduce load and latency and, as a result, pressure on the system crypto services. It still has some issues, but should now cope a lot better with sudden load peaks as seen from browsers starting up.

* SSL-Bump: tproxy does not spoof spliced connections

This release now performs TPROXY spoofing properly when SSL-Bump logic selects the splice action. Previously, SSL-Bump would behave as if NAT intercept was being used, replacing the sender IP with Squid's own.

* Add a basic AppArmor profile

This release bundles a basic AppArmor profile contributed by Ubuntu developers. As with init system scripts, this profile is not installed by default; packagers wishing to use it should pull the file from the sources during packaging.

Several major bug fixes shared with the future Squid-3.5.27 release are also worth mentioning:

* Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.

In Squid-3 this bug appeared as "fd_table[conn->fd].halfClosedReader != NULL" assertions.

Admins who have used the various config workarounds or patches to suppress those assertions will need to re-assess those temporary measures after upgrading to this release.

* Bug 2833: collapsed forwarding doesn't work with NOT MODIFIED response

The security fix for CVE-2016-10003 had a negative effect on collapsed forwarding. All "private" entries were considered automatically non-shareable among collapsed clients. However, this is not true: there are many situations when collapsed forwarding should work despite the "private" (non-cacheable) entry status; 304/5xx responses are good examples of that.

This release adds a mechanism to mark some non-cached responses as shareable with collapsed forwarding.

These changes also involved fixing incorrect delivery of 304 responses to a client when Squid was the agent performing revalidation instead of the client.

* Bug 4112: ssl_engine does not accept cryptodev

This directive has been broken for quite a long time, failing to recognize any of the default OpenSSL engines. This release restores support for the OpenSSL engines feature.

* Fix SMP query handoff to Coordinator.

Several issues related to SMP messages to the coordinator process have been fixed. Some of these are likely to have been resulting in hung connections for SNMP and mgr transactions. Others were resulting in garbage messages arriving at the coordinator.

 All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

 All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

 See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries
squid-announce mailing list
