The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.22 release!
This release is a bug fix release resolving several issues found in the
prior Squid releases.
The major changes to be aware of:
* Regression: Relay peer CONNECT error status line and headers to clients
Our CVE-2015-5400 fix was aggressive -- it hid all peer errors behind a
generic 502 (Bad Gateway) response. The intent was never to have that
situation be permanent.
Subsequent changes to the CONNECT handling now allow us to safely relay
client response status and headers, but not yet the message payloads.
The client's TCP connection will continue to be closed immediately after
the initial message headers are delivered, allowing clients to safely
detect the missing response payload (if any) as a connection error in
addition to any HTTP error indicated by the response status.
This should resolve a lot of client issues.
* Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
This rather nasty bug appears as a Squid with SMP workers crashing
whenever SNMP or cache manager queries are received over IPv6.
* Bug 4648: object revalidation for HTTPS scheme
Previous Squid versions have not been performing cache revalidation for
responses to https:// URL requests. As can be expected with the increased
use of revalidation in HTTP/1.1, this leads to rather low caching
efficiency and extra bandwidth consumption on a lot of traffic.
* Bug 4616: store_client.cc:92: "mem" assertion
This crash occurs primarily when Collapsed Forwarding is used, though it
may also occur at other rare times.
* Bug 2821: ignore Content-Range in non-206 responses
Squid used to honor the Content-Range header in HTTP 200 OK (and possibly
other non-206) responses, truncating (and possibly enlarging) some
response bodies. RFC 7233 declares Content-Range meaningless for
standard HTTP status codes other than 206 and 416. Squid now relays a
meaningless Content-Range as is, without using its value on these responses.
* TLS: certificate validation improvements
The experimental auto-download feature for missing CA certificates has
now been optimized to skip downloading if the CA certificate has
previously been downloaded, or can be validated using another issuer CA.
Also, when Squid or its helper could not validate a downloaded
intermediate certificate (or the root certificate), the Squid error page
contained '[Not available]' instead of the broken certificate details,
and logs contained '-1' instead of the depth of the broken certificate.
* TLS: certificate generator improvements
SSL-Bump was found to be ignoring some origin server certificate changes
or differences, incorrectly using the previously cached fake certificate
(mimicking now-stale properties or properties of a slightly different
certificate). Also, Squid was not detecting key collisions inside
* Fix backwards compatibility for Squid-3.5 external_acl_type formats
Previous Squid-4 releases omitted support for several external_acl_type
format codes available in Squid-3. This has now been resolved and
Squid-3 external_acl_type format configurations should remain working
across an upgrade.
* Do not die silently when dying early
Squid previously could terminate silently, with no log entries in
cache.log or syslog, if the reason for termination was some environment
condition discovered during the process environment setup. Squid
should now catch these types of issues and deliver an error to the best
available log output. Usually that would be syslog or the OS 'messages'
log, because cache.log has not been set up yet. If the -X command line
parameter is used, stderr will be used instead.
* Docs: update translation files
As we are closing in on the final bug fixes for Squid-4, the i18n
translation texts have been updated. This and other routine
documentation additions form the majority of the size difference
between this release and the previous release.
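
The Content-Range handling described under Bug 2821 above, as an added
example (a simplified model written for this page, not Squid source code).
The function names and the "legacy" switch are assumptions used to contrast
the old and new behaviour on constructed header values.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Parse "bytes first-last/..." into first/last.
// Returns false if malformed or unsatisfied ("bytes */N", as sent with 416).
bool parseContentRange(const std::string &value, long long &first, long long &last) {
    int used = 0;
    if (std::sscanf(value.c_str(), "bytes %lld-%lld/%n", &first, &last, &used) != 2 || used == 0)
        return false;
    return first >= 0 && last >= first;
}

// Body length a recipient should expect; contentLength < 0 means unknown.
// legacy=true models the pre-fix behaviour (Content-Range honoured on any
// status); legacy=false uses it only on 206, as RFC 7233 specifies.
long long expectedBodyLength(int status, long long contentLength,
                             const std::string &contentRange, bool legacy) {
    long long first = 0, last = 0;
    const bool rangeApplies = legacy || status == 206;
    if (rangeApplies && parseContentRange(contentRange, first, last))
        return last - first + 1;
    return contentLength;
}

int main() {
    // Constructed sample: a 200 OK carrying a stray Content-Range header.
    const std::string stray = "bytes 0-99/1000";
    std::printf("legacy 200: %lld bytes\n", expectedBodyLength(200, 1000, stray, true));
    std::printf("fixed  200: %lld bytes\n", expectedBodyLength(200, 1000, stray, false));
    std::printf("fixed  206: %lld bytes\n", expectedBodyLength(206, 100, stray, false));
    return 0;
}
```
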
All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.
All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.
See the ChangeLog for the full list of changes in this and earlier
Please refer to the release notes at
when you are ready to make the switch to Squid-4
This new release can be downloaded from our HTTP or FTP servers
or the mirrors. For a list of mirror sites see
If you encounter any issues with this release please file a bug report.