The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.22 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* Regression: Relay peer CONNECT error status line and headers to clients

Our CVE-2015-5400 fix was aggressive -- it hid all peer errors behind a generic 502 (Bad Gateway) response. The intent was never to have that situation be permanent.

Subsequent changes to the CONNECT handling now allow us to safely relay the response status and headers to clients, but not yet the message payloads. The client's TCP connection will continue to be closed immediately after the initial message headers are delivered, allowing clients to safely detect the missing response payload (if any) as a connection error in addition to any HTTP error indicated by the response status.

This should resolve a lot of client issues.

* Bug 4767: SMP breaks IPv6 SNMP and cache manager queries

This rather nasty bug appears as a Squid with SMP workers crashing whenever SNMP or cache manager queries are received over IPv6.

* Bug 4648: object revalidation for HTTPS scheme

Previous Squid releases have not been performing cache revalidation for responses to https:// URL requests. As can be expected with the increased use of revalidation in HTTP/1.1, this leads to rather low caching efficiency and extra bandwidth consumption on a lot of traffic.

* Bug 4616: "mem" assertion

This crash occurs primarily when Collapsed Forwarding is used, though it may also occur at other rare times.

* Bug 2821: ignore Content-Range in non-206 responses

Squid used to honor the Content-Range header in HTTP 200 OK (and possibly other non-206) responses, truncating (and possibly enlarging) some response bodies. RFC 7233 declares Content-Range meaningless for standard HTTP status codes other than 206 and 416. Squid now relays a meaningless Content-Range as is, without using its value on these responses.
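The Content-Range change described above, modelled as an added example (a simplified illustration, not Squid's own code). The function and parameter names are hypothetical and the sample responses are constructed; it compares the body length a proxy would expect under the old behaviour with the fixed one.

```python
import re

# RFC 7233 byte-range-resp form: "bytes first-last/complete" (complete may be "*").
_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_content_range(value):
    """Return (first, last, complete_or_None), or None if not a valid byte range."""
    m = _RANGE_RE.match(value.strip())
    if not m:
        return None
    first, last = int(m.group(1)), int(m.group(2))
    complete = None if m.group(3) == "*" else int(m.group(3))
    if last < first or (complete is not None and last >= complete):
        return None
    return first, last, complete


def expected_body_length(status, headers, honor_on_any_status=False):
    """Body length a proxy expects for a response (hypothetical, simplified model).

    honor_on_any_status=True models the old behaviour described above;
    False models the fixed behaviour: Content-Range is used only on 206.
    """
    content_length = headers.get("Content-Length")
    length = int(content_length) if content_length is not None else None
    content_range = headers.get("Content-Range")
    if content_range is None:
        return length
    if status != 206 and not honor_on_any_status:
        return length  # header is relayed as is, its value is not used
    parsed = parse_content_range(content_range)
    if parsed is None:
        return length  # malformed or unsatisfied-range form: nothing to apply
    first, last, _ = parsed
    return last - first + 1


# Constructed samples: a full 200 response carrying a stray Content-Range,
# and a genuine 206 partial response.
SAMPLE_200 = (200, {"Content-Length": "1000", "Content-Range": "bytes 0-99/1000"})
SAMPLE_206 = (206, {"Content-Length": "100", "Content-Range": "bytes 0-99/1000"})

if __name__ == "__main__":
    for status, hdrs in (SAMPLE_200, SAMPLE_206):
        old = expected_body_length(status, hdrs, honor_on_any_status=True)
        new = expected_body_length(status, hdrs)
        print(status, "old:", old, "fixed:", new)
```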

* TLS: certificate validation improvements

The experimental auto-download feature for missing CA certificates has now been optimized to skip downloading if the CA certificate has previously been downloaded, or can be validated using another issuer CA.

Also, when Squid or its helper could not validate a downloaded intermediate certificate (or the root certificate), the Squid error page contained '[Not available]' instead of the broken certificate details, and the logs contained '-1' instead of the depth of the broken certificate.

* TLS: certificate generator improvements

SSL-Bump was found to be ignoring some origin server certificate changes or differences, incorrectly using the previously cached fake certificate (mimicking now-stale properties or properties of a slightly different certificate). Also, Squid was not detecting key collisions inside certificate caches.

* Fix backwards compatibility for Squid-3.5 external_acl_type formats

Previous Squid-4 releases omitted support for several external_acl_type format codes available in Squid-3. This has now been resolved and Squid-3 external_acl_type format configurations should remain working across an upgrade.

* Do not die silently when dying early

Squid previously could terminate silently, with no log entries in cache.log or syslog, if the reason for termination was some environment condition discovered during the process environment setup. Squid should now catch these types of issues and deliver an error to the best available log output, usually syslog or the OS 'messages' log because cache.log has not been set up yet. If the -X command line parameter is used, stderr will be used instead.

* Docs: update translation files

As we are closing in on the final bug fixes for Squid-4, the i18n translation texts have been updated. This and other routine documentation additions form the majority of the size difference between this release and the previous release.

All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier

Please refer to the release notes at
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

or the mirrors. For a list of mirror sites see

If you encounter any issues with this release please file a bug report.

Amos Jeffries
squid-announce mailing list
