From patchwork Sat May 23 11:50:28 2026
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 9854
From: Matthias Fischer
To: development@lists.ipfire.org
Cc: Matthias Fischer
Subject: [PATCH] squid: Update to 7.5
Date: Sat, 23 May 2026 13:50:28 +0200
Message-ID: <20260523115054.3436343-1-matthias.fischer@ipfire.org>

For details I think it's best to read the "ChangeLog". ;-)

The list of changes is long — several features have been removed (e.g.), which require some modifications to 'proxy.cgi' that still need to be implemented.

Nevertheless, I got v7.5 running non-transparent without seeing problems - currently on Core 202. But the 'proxy.cgi' still needs to be updated accordingly.

For me it's ok but other mileages may differ...

Changes I made in rootfile:

* Entries for the now missing 'cache-manager', 'purge' and 'squidclient' have been removed.

Changes I made in lfs:

* Removed obsolete options '--disable-esi', '--enable-ident-lookups' and '--without-netfilter-conntrack'.
* Added '--without-nettle'.
* Removed obsolete 'cachemgr'-lines.

With these changes I built 'squid 7.5' and got it running since Core 199. No errors, no problems.

The most significant changes I'm aware of have been documented in version 7.0.1. These are (needs to be checked(!), perhaps there are more which require updating 'proxy.cgi'):

"...
- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient
..."

The complete list since v6.13:

"Changes in squid-7.5 (12 Mar 2026):

- Bug 5501: Squid may exit when ACLs decode an invalid URI
- ICP: Fix HttpRequest lifetime for ICP v3 queries
- ICP: Fix validation of packet sizes and URLs
- Do not escape malformed URI twice when sending ICP errors
- ... and some code, CI, and documentation cleanups

Changes in squid-7.4 (19 Jan 2026):

- Do not create world-readable directories
- digest_edirectory_auth: Fix LDAPS memory leaks
- snmplib: Improve handling of zero-length ASN OCTET STRINGs
- Debug tls_read_method()/tls_write_method() errors
- ICMP: Harden echo paths, fix overflows, UB, and leaks
- Set SSL_OP_LEGACY_SERVER_CONNECT when peeking at servers
- security_file_certgen: Fix OPENSSL_malloc()/free(3) mismatch
- Detect FreeBSD ports Heimdal package
- Remove SQUID_CHECK_KRB5_HEIMDAL_BROKEN_KRB5_H macro
- Remove SQUID_CHECK_KRB5_SOLARIS_BROKEN_KRB5_H macro
- ext_kerberos_ldap_group_acl: Do not prohibit all LDFLAGS
- negotiate_sspi_auth: Respond with ERR when FormatMessage() fails
- ... and some code cleanups
- ... and some CI improvements

Changes in squid-7.3 (28 Oct 2025):

- Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
- Quit NTLM authenticate() on missing NTLM authorization header
- Fix Auth::User::absorb() IP list transfer logic
- Fix type mismatch in new/delete of addrinfo::ai_addr
- Fix libntlmauth string parsing on big-endian machines
- ... and some code cleanups
- ... and some CI improvements

Changes in squid-7.2 (15 Oct 2025):

- Bug 3390: Proxy auth data visible to scripts
- Bug 5504: Document that Squid discards invalid rewrite-url
- Bug 5407: Support at least 1000 groups per Kerberos user
- Fix parsing of malformed quoted squid.conf strings
- Fix off-by-one in helper args count assertion
- Fix UDP log module opening and closing code
- Fix BodyPipe debugging in handleChunkedRequestBody()
- Fix debugging of Eui48::lookup() problems
- Fix memory leak when parsing deprecated %rG logformat code
- Fix SQUID_YESNO 'syntax error near unexpected token'
- DNS: fix RRPack memcpy
- DNS: Do not leak RR data upon RR data unpacking errors
- FTP: Avoid null dereferences when handling ftp_port traffic
- FTP: fix response parsing and error handling memory leaks
- HTCP: Check for too-small packed and too-large unpacked fields
- HTTP: fix purging of entries by relative [Content-]Location URLs
- SNMP: Improve parsing of malformed ASN.1 object identifiers
- SNMP: Check for objid memory allocation failures
- SNMP: Fix ASN.1 encoding of long OIDs
- SNMP: Do not assert when debugging requests with long OIDs
- SNMP: Match Var allocation/deallocation methods
- digest_edirectory_auth: null-terminate NMAS values array
- digest_edirectory_auth: safely return password
- ext_ad_group_acl: Fix domain lookup error handling
- ext_edirectory_userip_acl: Redact password from stdout
- ext_file_userip_acl: harden lookups and memory handling
- ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
- ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
- ext_ldap_group_acl: avoid infinite loop on login containing '%s'
- negotiate_kerberos_auth: Properly align NDR data
- negotiate_sspi_auth: Do not exit on the first request
- ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
- text_backend: avoid memory leaks when reload/clearing
- Reduce UDS/segment name clashes across same-service instances
- Reject eui64 ACL addresses with trailing garbage
- Validate raw-IPv4 when parsing hostnames
- Avoid memory leaks when logging to MS Windows syslog
- Flip configure --enable-arch-native default
- Support no-digest X509 certificate keys like ML-DSA/EdDSA
- Do not allow client_ip_max_connections+1 connections
- Remove bundled smblib and librfcnb
- ... and several code cleanups
- ... and some documentation improvements

Changes in squid-7.1 (10 Jul 2025):

- Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
- Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
- ... and several documentation improvements
- ... and some code cleanups

Changes in squid-7.0.2 (19 Jun 2025):

- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5316: Release note says version 6 still for testing
- Bug 5489: Fix "make check" linking on Solaris
- Do not duplicate received Surrogate-Capability in sent requests
- Fix GCC v13 LTO build [-Walloc-size-larger-than=]
- Fix OpenSSL build with GCC v15.1.1 [-Wformat-truncation=]
- Fix tls-dh support for DHE parameters with OpenSSL v3+
- Fix SNMP cacheNumObjCount -- number of cached objects
- Fix Mem::Segment::open() stub to fix build without shm_open()
- Disable EUI when arpreq is missing and cannot be defined
- MinGW: use nameless unions in ext_ad_group_acl
- MinGW: do not build ext_edirectory_userip_acl
- MinGW: add mkdir adapter
- MinGW: fix store/Controller.cc build
- MinGW: fix aio compatibility layer
- MinGW: add libnettle to negotiate_sspi_auth
- negotiate_sspi_auth: Fix command debugging (-v)
- ntlm_sspi_auth: Fix missing base64 symbol linkage
- ... and many portability and compatibility fixes
- ... and some code cleanup

Changes in squid-7.0.1 (2 Feb 2025):

- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient
- Remove disabled classful networks code
- Remove dead Multicast Miss Stream feature
- Remove broken and disabled icpPktDump()
- Remove deprecated string memory pools API
- Remove dead "binary HTTP header logging" code (-DHEADERS_LOG)
- Rename --with-gnugss to --with-gss
- Remove krb5_get_max_time_skew portability hack
- Remove PRIuSIZE macro
- Remove ADD_X_REQUEST_URI
- Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit crash
- Bug 5363: Handle IP-based X.509 SANs better
- Bug 5383: handleNegotiationResult() level-2 debugs() crash
- Bug 5449: Ignore SP and HTAB chars after chunk-size
- Bug 5428: Warn if pkg-config is not found
- Bug 5293: Security::CreateClientSession uses wrong TLS options
- Bug 5417: An empty annotation value does not match
- Bug 5322: Do not leak HttpReply when checking http_reply_access
- Bug 5329: cbdata.cc:276 "c->locks > 0" assertion on reconfigure
- Bug 5119: Null pointer dereference in makeMemNodeDataOffset()
- Bug 5254, part 1: Do not leak master process' cache.log to kids
- Bug 5312: Startup aborts if OPEN_MAX exceeds RLIMIT_NOFILE
- Bug 4156: comm.cc "!commHasHalfClosedMonitor(fd)" assertion
- ext_time_quota_acl: restore debug level feature and argument
- ext_ad_group_acl: fix dependency detection
- ext_time_quota_acl: convert to c++
- scripts/find-alive.pl: Auto-detect auto-added ctors/dtors names
- negotiate_wrapper_auth: protect from responses over 64KB
- negotiate_kerberos_auth: Support Kerberos PAC-ResourceGroups
- pinger: improve timer accuracy and resolution
- testheaders.sh: force-remove temporary files
- squid-conf-tests: Ignore tests with mismatching autoconf macro
- MinGW: Emulate fsync
- MinGW: fix winsock dependency issues
- MinGW-w64: enable native file locking
- Windows: Drop obsolete WinSock v1 library
- Windows: Improve PSAPI.dll detection
- basic_sspi_auth: MinGW build fixes
- HTTP: Protect just-parsed responses from accidental destruction
- WCCP: fix inverted range check
- Y2038: Fix cache_peer connect-timeout reporting
- Y2038: Use time_t for commSetConnTimeout() timeout parameter
- Work around some mgr:forward accounting/reporting bugs
- Fix: Ftp::Gateway may segfault in level-3 double-complete debugs()
- Do not mark successful FTP PUT entries with ENTRY_BAD_LENGTH
- Fix ENTRY_ABORTED assertion in sendClientOldEntry()
- Limit Server::inBuf growth
- Reject config with unknown directives before committing to it
- Fix and redefine meaning of total peering time (%sameKey()" assertion
- Fix dupe handling in Splay ACLs: src, dst, http_status, etc.
- Protect ACLFilledChecklist heap allocations from leaking
- Stop leaking PeerDigests on reconfiguration
- Handle helper program startup failure as its death
- Kill helpers that speak without being spoken to
- annotate_client and annotate_transaction ACLs must always match
- Restrict squid.conf preprocessor space characters to SP and HT
- Drop helpless helper requests
- Improve Tunnel Server RESPONSE dumps
- Do not lookup IP addresses of X509 certificate subject CNs
- Report cache_peer context in probe and standby pool messages
- Treat responses to collapsed requests as fresh
- Do not TLS close_notify when resetting a TCP connection
- Simplified quick_abort_pct code and improved its docs
- Update HTTP status codes
- Report all refreshCheck() outcomes and entry gist
- Prohibit bad --enable-linux-netfilter combinations
- Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors
- Scaffolding for YAML-formatted cache manager reports
- Improve ErrorState debugging
- Stop zeroing huge memAllocBuf() buffers
- Enable EDNS for DNS A queries and reverse IPv4 lookups
- Format mgr:pconn as YAML
- Use ERR_READ_ERROR for read-from-client I/O errors
- Use AnyP::Uri::Decode() for urllogin and url_regex checks
- Throw, not self_destruct(), on qos_flow configuration errors
- Add %byte{value} logformat code for logging or sending any byte
- Do not report bogus/empty SMP cache_dir indexing stats
- Report/abort on any catastrophic rock cache_dir indexing failure
- Recognize internal requests created by adaptation/redirection
- Log %err_code for ERR_RELAY_REMOTE transactions
- Restore errno in %err_detail for ERR_CONNECT_FAIL
- Report all AsyncJob objects (mgr:jobs)
- Cover OnTerminate() calls unrelated to exception handling
- Keep ::helper objects alive while in use by helper_servers
- Add SQUID_CHECK_LIB_WORKS autoconf macro
- Reject more CONNECT requests with malformed targets
- Forget non-peer access details
- Do not report DNS answers without A/AAAA records by default
- Destroy an idle PeerDigest after its CachePeer disappears
- Do not apply custom debugs() format to Debug::Extra lines
- Do not check store_status when checking ENTRY_BAD_LENGTH
- Add buffered_logs OFF support to UDP logger
- ... and many documentation improvements
- ... and many portability and compatibility fixes
- ... and many code cleanups
- ... and improvements to unit tests
- ... and some error page translation improvements
- ... and all fixes from 6.13"

Signed-off-by: Matthias Fischer
---
 config/rootfiles/common/squid |  9 ---------
 lfs/squid                     | 15 ++++-----------
 2 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/config/rootfiles/common/squid b/config/rootfiles/common/squid index 50c77a114..4589829ec 100644 --- a/config/rootfiles/common/squid +++ b/config/rootfiles/common/squid @@ -1,6 +1,4 @@ #etc/squid -etc/squid/cachemgr.conf -#etc/squid/cachemgr.conf.default etc/squid/errorpage.css #etc/squid/errorpage.css.default etc/squid/errors
@@ -9,11 +7,8 @@ etc/squid/mime.conf etc/squid/squid.conf #etc/squid/squid.conf.default #etc/squid/squid.conf.documented -srv/web/ipfire/cgi-bin/cachemgr.cgi srv/web/ipfire/html/proxy.pac srv/web/ipfire/html/wpad.dat -usr/bin/purge -usr/bin/squidclient #usr/lib/squid usr/lib/squid/auth usr/lib/squid/basic_db_auth @@ -27,7 +22,6 @@ usr/lib/squid/basic_radius_auth usr/lib/squid/basic_sasl_auth usr/lib/squid/basic_smb_auth usr/lib/squid/basic_smb_auth.sh -#usr/lib/squid/cachemgr.cgi usr/lib/squid/digest_edirectory_auth usr/lib/squid/digest_file_auth usr/lib/squid/digest_ldap_auth @@ -2304,8 +2298,6 @@ usr/lib/squid/url_fake_rewrite.sh usr/lib/squid/url_lfs_rewrite usr/sbin/squid usr/sbin/updxlrator -#usr/share/man/man1/purge.1 -#usr/share/man/man1/squidclient.1 #usr/share/man/man8/basic_db_auth.8 #usr/share/man/man8/basic_getpwnam_auth.8 #usr/share/man/man8/basic_ldap_auth.8 @@ -2314,7 +2306,6 @@ usr/sbin/updxlrator #usr/share/man/man8/basic_pop3_auth.8 #usr/share/man/man8/basic_radius_auth.8 #usr/share/man/man8/basic_sasl_auth.8 -#usr/share/man/man8/cachemgr.cgi.8 #usr/share/man/man8/digest_file_auth.8 #usr/share/man/man8/ext_delayer_acl.8 #usr/share/man/man8/ext_edirectory_userip_acl.8 diff --git a/lfs/squid b/lfs/squid index a4de8adb4..b4b2c44bd 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 6.14 +VER = 7.5 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = baa40c8e7dd63d1606feadf6f0b616b3f958f684e03fa8f313afc8175f6f57890e0343228c5d66c56292c905f31036209643451e8908f5cfd2e7b4cb408b2e61 +$(DL_FILE)_BLAKE2 = 3ceb6f9da34e9fdbf421de0058e211d1e71dcd2bffd6c26e139c01a272cdfe580b41ed4f3b11abd6a819fbeb6e37c8418824590a56058c369a8ca3efb5dbc5f3 install : $(TARGET) 
@@ -95,11 +95,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --disable-wccp \ --disable-wccpv2 \ --disable-kqueue \ - --disable-esi \ --disable-arch-native \ --disable-strict-error-checking \ --enable-poll \ - --enable-ident-lookups \ --enable-storeio=aufs,diskd,ufs \ --enable-underscores \ --enable-http-violations \ @@ -131,15 +129,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --with-dl \ --with-large-files \ --without-gnutls \ - --without-netfilter-conntrack \ - --without-nettle + --without-netfilter-conntrack + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install rm -f /etc/squid/squid.conf ln -sf /var/ipfire/proxy/squid.conf /etc/squid/squid.conf - rm -f /etc/squid/cachemgr.conf - ln -sf /var/ipfire/proxy/cachemgr.conf /etc/squid/cachemgr.conf rm -f /etc/squid/errors ln -sf /usr/lib/squid/errors/en /etc/squid/errors @@ -147,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) touch /var/log/squid/access.log chown -R squid:squid /var/log/squid /var/log/cache /var/log/updatexlrator - cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi - chown root:root /srv/web/ipfire/cgi-bin/cachemgr.cgi - cp -f $(DIR_SRC)/config/updxlrator/updxlrator /usr/sbin/updxlrator cp -f $(DIR_SRC)/config/updxlrator/checkup /var/ipfire/updatexlrator/bin/checkup cp -f $(DIR_SRC)/config/updxlrator/download /var/ipfire/updatexlrator/bin/download
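Review bot: the configure-option change in the lfs/squid hunk @@ -131,15 +129,13 @@ says the opposite of the commit message. The message claims '--without-netfilter-conntrack' was removed and '--without-nettle' added, but the hunk deletes the line `--without-nettle`, keeps `--without-netfilter-conntrack` (now as the final option, without the trailing backslash) and adds an empty line. One of the two is wrong, and a reviewer reading only the description would expect a different build; please reconcile the message with the diff before this is merged. The same hunk also drops `ln -sf /var/ipfire/proxy/cachemgr.conf /etc/squid/cachemgr.conf`, so on installations upgraded in place the old /etc/squid/cachemgr.conf link stays behind; the core update should remove it explicitly rather than leave a dangling link.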
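Review bot: removing the `cp /usr/lib/squid/cachemgr.cgi /srv/web/ipfire/cgi-bin/cachemgr.cgi` and `chown root:root ...` lines in the lfs/squid hunk @@ -147,9 +143,6 @@ stops installing the CGI on fresh builds, but nothing in this patch deletes the copy that earlier builds already placed under srv/web/ipfire/cgi-bin/. After the update, upgraded systems would keep a stale, still-executable cachemgr.cgi from the previous Squid release inside the web tree while the matching 'cachemgr' entries disappear from the rootfile; please pair this hunk with an explicit removal of /srv/web/ipfire/cgi-bin/cachemgr.cgi in the core update.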
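Review bot: the checksum swap in the lfs/squid hunk @@ -46,7 +46,7 @@ is the supply-chain gate for this update, and the commit message does not say where the new `$(DL_FILE)_BLAKE2` value came from. Please state in the message that the hash was checked against the checksum or signature published for the upstream squid-7.5 release rather than computed from a locally downloaded tarball, so a reviewer can confirm the tarball that will be built is the one upstream published.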
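Review bot: dropping `--disable-esi` and `--enable-ident-lookups` in the lfs/squid hunk @@ -95,11 +95,9 @@ matches the 7.0.1 entries 'Remove Edge Side Include (ESI) protocol' and 'Remove Ident protocol support' quoted above, so the build side is consistent; the loose end is the generated configuration. The message itself says proxy.cgi still needs updating, and the same 7.0.1 list says Squid now rejects a config with unknown directives before committing to it, so anything Ident-related that proxy.cgi still writes into squid.conf would stop Squid from starting rather than being silently ignored. Suggest either landing the proxy.cgi follow-up in the same series or noting in the message that the currently generated squid.conf was checked for Ident and ESI usage.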
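Review bot: the rootfile hunk @@ -9,11 +7,8 @@ stops shipping `usr/bin/purge`, `usr/bin/squidclient` and `srv/web/ipfire/cgi-bin/cachemgr.cgi`, which is correct for 7.x, but removing entries from the rootfile does not remove the binaries already present on upgraded installations; the core update should delete them so no orphaned tools from the 6.x build remain. A small wording point: the message refers to 'cache-manager' entries while the rootfile lines actually removed are the cachemgr.conf / cachemgr.cgi ones, so naming them as in the diff would make the description easier to check.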