Commit Message
For details I think it's best to read the "ChangeLog". ;-)
The list of changes is long — several features
have been removed (e.g.), which require some
modifications to ‘proxy.cgi’ that still need to
be implemented.
Nevertheless, I got v7.5 running non-transparent
without any visible problems - currently on Core 202.
But the 'proxy.cgi' still needs to be updated
accordingly. For me it's ok but other mileages
may differ...
Changes I made in rootfile:
* Entries for the now missing 'cache-manager',
'purge' and 'squidclient' have been removed.
Changes I made in lfs:
* Removed obsolete options '--disable-esi',
'--enable-ident-lookups' and '--without-netfilter-conntrack'.
* Added '--without-nettle'.
* Removed obsolete 'cachemgr'-lines.
With these changes I built 'squid 7.5' and got it running
since Core 199. No errors, no problems.
The most significant changes I'm aware of have been documented
in version 7.0.1.
These are (needs to be checked(!), perhaps there are more
which require updating 'proxy.cgi'):
"...
- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient
..."
The complete list since v6.13:
"Changes in squid-7.5 (12 Mar 2026):
- Bug 5501: Squid may exit when ACLs decode an invalid URI
- ICP: Fix HttpRequest lifetime for ICP v3 queries
- ICP: Fix validation of packet sizes and URLs
- Do not escape malformed URI twice when sending ICP errors
- ... and some code, CI, and documentation cleanups
Changes in squid-7.4 (19 Jan 2026):
- Do not create world-readable directories
- digest_edirectory_auth: Fix LDAPS memory leaks
- snmplib: Improve handling of zero-length ASN OCTET STRINGs
- Debug tls_read_method()/tls_write_method() errors
- ICMP: Harden echo paths, fix overflows, UB, and leaks
- Set SSL_OP_LEGACY_SERVER_CONNECT when peeking at servers
- security_file_certgen: Fix OPENSSL_malloc()/free(3) mismatch
- Detect FreeBSD ports Heimdal package
- Remove SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H macro
- Remove SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H macro
- ext_kerberos_ldap_group_acl: Do not prohibit all LDFLAGS
- negotiate_sspi_auth: Respond with ERR when FormatMessage() fails
- ... and some code cleanups
- ... and some CI improvements
Changes in squid-7.3 (28 Oct 2025):
- Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
- Quit NTLM authenticate() on missing NTLM authorization header
- Fix Auth::User::absorb() IP list transfer logic
- Fix type mismatch in new/delete of addrinfo::ai_addr
- Fix libntlmauth string parsing on big-endian machines
- ... and some code cleanups
- ... and some CI improvements
Changes in squid-7.2 (15 Oct 2025):
- Bug 3390: Proxy auth data visible to scripts
- Bug 5504: Document that Squid discards invalid rewrite-url
- Bug 5407: Support at least 1000 groups per Kerberos user
- Fix parsing of malformed quoted squid.conf strings
- Fix off-by-one in helper args count assertion
- Fix UDP log module opening and closing code
- Fix BodyPipe debugging in handleChunkedRequestBody()
- Fix debugging of Eui48::lookup() problems
- Fix memory leak when parsing deprecated %rG logformat code
- Fix SQUID_YESNO 'syntax error near unexpected token'
- DNS: fix RRPack memcpy
- DNS: Do not leak RR data upon RR data unpacking errors
- FTP: Avoid null dereferences when handling ftp_port traffic
- FTP: fix response parsing and error handling memory leaks
- HTCP: Check for too-small packed and too-large unpacked fields
- HTTP: fix purging of entries by relative [Content-]Location URLs
- SNMP: Improve parsing of malformed ASN.1 object identifiers
- SNMP: Check for objid memory allocation failures
- SNMP: Fix ASN.1 encoding of long OIDs
- SNMP: Do not assert when debugging requests with long OIDs
- SNMP: Match Var allocation/deallocation methods
- digest_edirectory_auth: null-terminate NMAS values array
- digest_edirectory_auth: safely return password
- ext_ad_group_acl: Fix domain lookup error handling
- ext_edirectory_userip_acl: Redact password from stdout
- ext_file_userip_acl: harden lookups and memory handling
- ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
- ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
- ext_ldap_group_acl: avoid infinite loop on login containing '%s'
- negotiate_kerberos_auth: Properly align NDR data
- negotiate_sspi_auth: Do not exit on the first request
- ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
- text_backend: avoid memory leaks when reload/clearing
- Reduce UDS/segment name clashes across same-service instances
- Reject eui64 ACL addresses with trailing garbage
- Validate raw-IPv4 when parsing hostnames
- Avoid memory leaks when logging to MS Windows syslog
- Flip configure --enable-arch-native default
- Support no-digest X509 certificate keys like ML-DSA/EdDSA
- Do not allow client_ip_max_connections+1 connections
- Remove bundled smblib and librfcnb
- ... and several code cleanups
- ... and some documentation improvements
Changes in squid-7.1 (10 Jul 2025):
- Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
- Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
- ... and several documentation improvements
- ... and some code cleanups
Changes in squid-7.0.2 (19 Jun 2025):
- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5316: Release note says version 6 still for testing
- Bug 5489: Fix "make check" linking on Solaris
- Do not duplicate received Surrogate-Capability in sent requests
- Fix GCC v13 LTO build [-Walloc-size-larger-than=]
- Fix OpenSSL build with GCC v15.1.1 [-Wformat-truncation=]
- Fix tls-dh support for DHE parameters with OpenSSL v3+
- Fix SNMP cacheNumObjCount -- number of cached objects
- Fix Mem::Segment::open() stub to fix build without shm_open()
- Disable EUI when arpreq is missing and cannot be defined
- MinGW: use nameless unions in ext_ad_group_acl
- MinGW: do not build ext_edirectory_userip_acl
- MinGW: add mkdir adapter
- MinGW: fix store/Controller.cc build
- MinGW: fix aio compatibility layer
- MinGW: add libnettle to negotiate_sspi_auth
- negotiate_sspi_auth: Fix command debugging (-v)
- ntlm_sspi_auth: Fix missing base64 symbol linkage
- ... and many portability and compatibility fixes
- ... and some code cleanup
Changes in squid-7.0.1 (2 Feb 2025):
- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient
- Remove disabled classful networks code
- Remove dead Multicast Miss Stream feature
- Remove broken and disabled icpPktDump()
- Remove deprecated string memory pools API
- Remove dead "binary HTTP header logging" code (-DHEADERS_LOG)
- Rename --with-gnugss to --with-gss
- Remove krb5_get_max_time_skew portability hack
- Remove PRIuSIZE macro
- Remove ADD_X_REQUEST_URI
- Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit crash
- Bug 5363: Handle IP-based X.509 SANs better
- Bug 5383: handleNegotiationResult() level-2 debugs() crash
- Bug 5449: Ignore SP and HTAB chars after chunk-size
- Bug 5428: Warn if pkg-config is not found
- Bug 5293: Security::CreateClientSession uses wrong TLS options
- Bug 5417: An empty annotation value does not match
- Bug 5322: Do not leak HttpReply when checking http_reply_access
- Bug 5329: cbdata.cc:276 "c->locks > 0" assertion on reconfigure
- Bug 5119: Null pointer dereference in makeMemNodeDataOffset()
- Bug 5254, part 1: Do not leak master process' cache.log to kids
- Bug 5312: Startup aborts if OPEN_MAX exceeds RLIMIT_NOFILE
- Bug 4156: comm.cc "!commHasHalfClosedMonitor(fd)" assertion
- ext_time_quota_acl: restore debug level feature and argument
- ext_ad_group_acl: fix dependency detection
- ext_time_quota_acl: convert to c++
- scripts/find-alive.pl: Auto-detect auto-added ctors/dtors names
- negotiate_wrapper_auth: protect from responses over 64KB
- negotiate_kerberos_auth: Support Kerberos PAC-ResourceGroups
- pinger: improve timer accuracy and resolution
- testheaders.sh: force-remove temporary files
- squid-conf-tests: Ignore tests with mismatching autoconf macro
- MinGW: Emulate fsync
- MinGW: fix winsock dependency issues
- MinGW-w64: enable native file locking
- Windows: Drop obsolete WinSock v1 library
- Windows: Improve PSAPI.dll detection
- basic_sspi_auth: MinGW build fixes
- HTTP: Protect just-parsed responses from accidental destruction
- WCCP: fix inverted range check
- Y2038: Fix cache_peer connect-timeout reporting
- Y2038: Use time_t for commSetConnTimeout() timeout parameter
- Work around some mgr:forward accounting/reporting bugs
- Fix: Ftp::Gateway may segfault in level-3 double-complete debugs()
- Do not mark successful FTP PUT entries with ENTRY_BAD_LENGTH
- Fix ENTRY_ABORTED assertion in sendClientOldEntry()
- Limit Server::inBuf growth
- Reject config with unknown directives before committing to it
- Fix and redefine meaning of total peering time (%<tt)
- Fix use-after-free in peerDigestFetchReply()
- Fix use-after-free in statefulhelper::submit() level-9 debug
- Fix PeerDigest lifetime management
- Fix Tokenizer::int64() parsing of "0" when guessing base
- Fix SMP mgr:userhash, mgr:sourcehash, and mgr:carp reports
- Fix reporting of unrecognized directives
- Do not blame cache_peer for CONNECT errors
- Fix heap buffer overread in ConfigParser::UnQuote()
- Do not die when parsing obsolete log_access and log_icap
- Extend in-use ACLs lifetime across reconfiguration
- Fix MemObject.cc:123: "!updatedReply_" assertion
- Avoid UB when packing a domain name
- Fix qos_flows configuration reporting
- Fix and improve annotation reporting
- Fix configuration crashes on malformed sslproxy_* directives
- Avoid UB when copying AnyP::Uri
- Fix and improve html_quote()
- Fix acl annotate_transaction reporting in mgr:config
- Fix ipv4 and expand ipv6 ACL parameter matching
- Fix Controller.cc TheRoot assertion during shutdown
- Fix Comm::TcpAcceptor::status() reporting of listening address
- Fix performance regressions with fastCheck() result copying
- Fix handling of zero cache_peers
- Fix cbdata assertion in carpInit()
- Fix: REQMOD stuck when adapted request (body) is not forwarded
- Fix rock/RockSwapDir.cc "slot->sameKey()" assertion
- Fix dupe handling in Splay ACLs: src, dst, http_status, etc.
- Protect ACLFilledChecklist heap allocations from leaking
- Stop leaking PeerDigests on reconfiguration
- Handle helper program startup failure as its death
- Kill helpers that speak without being spoken to
- annotate_client and annotate_transaction ACLs must always match
- Restrict squid.conf preprocessor space characters to SP and HT
- Drop helpless helper requests
- Improve Tunnel Server RESPONSE dumps
- Do not lookup IP addresses of X509 certificate subject CNs
- Report cache_peer context in probe and standby pool messages
- Treat responses to collapsed requests as fresh
- Do not TLS close_notify when resetting a TCP connection
- Simplified quick_abort_pct code and improved its docs
- Update HTTP status codes
- Report all refreshCheck() outcomes and entry gist
- Prohibit bad --enable-linux-netfilter combinations
- Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors
- Scaffolding for YAML-formatted cache manager reports
- Improve ErrorState debugging
- Stop zeroing huge memAllocBuf() buffers
- Enable EDNS for DNS A queries and reverse IPv4 lookups
- Format mgr:pconn as YAML
- Use ERR_READ_ERROR for read-from-client I/O errors
- Use AnyP::Uri::Decode() for urllogin and url_regex checks
- Throw, not self_destruct(), on qos_flow configuration errors
- Add %byte{value} logformat code for logging or sending any byte
- Do not report bogus/empty SMP cache_dir indexing stats
- Report/abort on any catastrophic rock cache_dir indexing failure
- Recognize internal requests created by adaptation/redirection
- Log %err_code for ERR_RELAY_REMOTE transactions
- Restore errno in %err_detail for ERR_CONNECT_FAIL
- Report all AsyncJob objects (mgr:jobs)
- Cover OnTerminate() calls unrelated to exception handling
- Keep ::helper objects alive while in use by helper_servers
- Add SQUID_CHECK_LIB_WORKS autoconf macro
- Reject more CONNECT requests with malformed targets
- Forget non-peer access details
- Do not report DNS answers without A/AAAA records by default
- Destroy an idle PeerDigest after its CachePeer disappears
- Do not apply custom debugs() format to Debug::Extra lines
- Do not check store_status when checking ENTRY_BAD_LENGTH
- Add buffered_logs OFF support to UDP logger
- ... and many documentation improvements
- ... and many portability and compatibility fixes
- ... and many code cleanups
- ... and improvements to unit tests
- ... and some error page translation improvements
- ... and all fixes from 6.13"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
config/rootfiles/common/squid | 9 ---------
lfs/squid | 15 ++++-----------
2 files changed, 4 insertions(+), 20 deletions(-)
@@ -1,6 +1,4 @@
#etc/squid
-etc/squid/cachemgr.conf
-#etc/squid/cachemgr.conf.default
etc/squid/errorpage.css
#etc/squid/errorpage.css.default
etc/squid/errors
@@ -9,11 +7,8 @@ etc/squid/mime.conf
etc/squid/squid.conf
#etc/squid/squid.conf.default
#etc/squid/squid.conf.documented
-srv/web/ipfire/cgi-bin/cachemgr.cgi
srv/web/ipfire/html/proxy.pac
srv/web/ipfire/html/wpad.dat
-usr/bin/purge
-usr/bin/squidclient
#usr/lib/squid
usr/lib/squid/auth
usr/lib/squid/basic_db_auth
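Review bot: Nothing in this patch deletes the already installed copies of 'srv/web/ipfire/cgi-bin/cachemgr.cgi', 'usr/bin/purge' and 'usr/bin/squidclient' that this hunk drops from the rootfile; the diffstat lists only the rootfile and lfs/squid. A leftover cachemgr.cgi in the web interface's cgi-bin would stay reachable on upgraded systems while no longer being updated, so please add explicit removal of these paths (and of the 'etc/squid/cachemgr.conf' link dropped in the first hunk) to the update that ships squid 7.5.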
@@ -27,7 +22,6 @@ usr/lib/squid/basic_radius_auth
usr/lib/squid/basic_sasl_auth
usr/lib/squid/basic_smb_auth
usr/lib/squid/basic_smb_auth.sh
-#usr/lib/squid/cachemgr.cgi
usr/lib/squid/digest_edirectory_auth
usr/lib/squid/digest_file_auth
usr/lib/squid/digest_ldap_auth
@@ -2304,8 +2298,6 @@ usr/lib/squid/url_fake_rewrite.sh
usr/lib/squid/url_lfs_rewrite
usr/sbin/squid
usr/sbin/updxlrator
-#usr/share/man/man1/purge.1
-#usr/share/man/man1/squidclient.1
#usr/share/man/man8/basic_db_auth.8
#usr/share/man/man8/basic_getpwnam_auth.8
#usr/share/man/man8/basic_ldap_auth.8
@@ -2314,7 +2306,6 @@ usr/sbin/updxlrator
#usr/share/man/man8/basic_pop3_auth.8
#usr/share/man/man8/basic_radius_auth.8
#usr/share/man/man8/basic_sasl_auth.8
-#usr/share/man/man8/cachemgr.cgi.8
#usr/share/man/man8/digest_file_auth.8
#usr/share/man/man8/ext_delayer_acl.8
#usr/share/man/man8/ext_edirectory_userip_acl.8
@@ -24,7 +24,7 @@
include Config
-VER = 6.14
+VER = 7.5
THISAPP = squid-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -46,7 +46,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = baa40c8e7dd63d1606feadf6f0b616b3f958f684e03fa8f313afc8175f6f57890e0343228c5d66c56292c905f31036209643451e8908f5cfd2e7b4cb408b2e61
+$(DL_FILE)_BLAKE2 = 3ceb6f9da34e9fdbf421de0058e211d1e71dcd2bffd6c26e139c01a272cdfe580b41ed4f3b11abd6a819fbeb6e37c8418824590a56058c369a8ca3efb5dbc5f3
install : $(TARGET)
@@ -95,11 +95,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--disable-wccp \
--disable-wccpv2 \
--disable-kqueue \
- --disable-esi \
--disable-arch-native \
--disable-strict-error-checking \
--enable-poll \
- --enable-ident-lookups \
--enable-storeio=aufs,diskd,ufs \
--enable-underscores \
--enable-http-violations \
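Review bot: The 'proxy.cgi' change that belongs with dropping '--disable-esi' and '--enable-ident-lookups' in this hunk is not part of the patch, and the commit message itself says it is still outstanding. The 7.0.1 changelog quoted in the message also lists "Reject config with unknown directives before committing to it", so a generated squid.conf that still carries directives for a removed feature may keep Squid from starting or reloading after the upgrade. Suggest sending the 'proxy.cgi' update in the same series, or at least naming in the message which proxy settings are affected.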
@@ -131,15 +129,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--with-dl \
--with-large-files \
--without-gnutls \
- --without-netfilter-conntrack \
- --without-nettle
+ --without-netfilter-conntrack
+
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
rm -f /etc/squid/squid.conf
ln -sf /var/ipfire/proxy/squid.conf /etc/squid/squid.conf
- rm -f /etc/squid/cachemgr.conf
- ln -sf /var/ipfire/proxy/cachemgr.conf /etc/squid/cachemgr.conf
rm -f /etc/squid/errors
ln -sf /usr/lib/squid/errors/en /etc/squid/errors
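Review bot: The end of the configure option list in this hunk does the opposite of what the commit message describes: '--without-netfilter-conntrack' is still passed (only its trailing backslash goes away) and '--without-nettle' is removed, while the message says '--without-netfilter-conntrack' was removed as obsolete and '--without-nettle' was added. Please reconcile the two; if the message is correct, the list should end with '--without-nettle' and carry no conntrack line. The added empty line directly after the last option is also worth checking for stray whitespace inside the recipe.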
@@ -147,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
touch /var/log/squid/access.log
chown -R squid:squid /var/log/squid /var/log/cache /var/log/updatexlrator
- cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi
- chown root:root /srv/web/ipfire/cgi-bin/cachemgr.cgi
-
cp -f $(DIR_SRC)/config/updxlrator/updxlrator /usr/sbin/updxlrator
cp -f $(DIR_SRC)/config/updxlrator/checkup /var/ipfire/updatexlrator/bin/checkup
cp -f $(DIR_SRC)/config/updxlrator/download /var/ipfire/updatexlrator/bin/download