diff -u -r -N squid-3.5.24/ChangeLog squid-3.5.25/ChangeLog
--- squid-3.5.24/ChangeLog 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/ChangeLog 2017-04-03 01:04:18.000000000 +1200
@@ -1,3 +1,15 @@
+Changes to squid-3.5.25 (02 Apr 2017):
+
+ - Bug 4688: various typo error(s) in man page(s)
+ - Bug 4508: Host forgery stalls intercepted being-spliced connections
+ - Native FTP relay: NAT and TPROXY interception fixes
+ - Fix missing CRLF on FTP timeout ABORT commands
+ - TLS: Bump client on errors encountered before ssl_bump evaluation
+ - ext_kerberos_ldap_group_acl: fix unused value warnings
+ - Fix crash when configuring with invalid delay_parameters restore value.
+ - Check that -k argument is provided before trying to use it.
+ - ... and some build fixes
+
Changes to squid-3.5.24 (28 Jan 2017):
- Regression Bug 3940: Make 'cache deny' do what is documented
diff -u -r -N squid-3.5.24/compat/compat.h squid-3.5.25/compat/compat.h
--- squid-3.5.24/compat/compat.h 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/compat/compat.h 2017-04-03 01:04:18.000000000 +1200
@@ -11,7 +11,7 @@
/*
* From discussions it was chosen to push compat code as far down as possible.
- * That means we can have a seperate compat for most
+ * That means we can have a separate compat for most
* compatability and portability hacks and resolutions.
*
* This file is meant to collate all those hacks files together and
diff -u -r -N squid-3.5.24/configure squid-3.5.25/configure
--- squid-3.5.24/configure 2017-01-28 16:57:15.000000000 +1300
+++ squid-3.5.25/configure 2017-04-03 01:07:29.000000000 +1200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.24.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.25.
#
# Report bugs to .
#
@@ -595,8 +595,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.5.24'
-PACKAGE_STRING='Squid Web Proxy 3.5.24'
+PACKAGE_VERSION='3.5.25'
+PACKAGE_STRING='Squid Web Proxy 3.5.25'
PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
PACKAGE_URL=''
@@ -1636,7 +1636,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.5.24 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.5.25 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1707,7 +1707,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.5.24:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.5.25:";;
esac
cat <<\_ACEOF
@@ -2119,7 +2119,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.5.24
+Squid Web Proxy configure 3.5.25
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3223,7 +3223,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 3.5.24, which was
+It was created by Squid Web Proxy $as_me 3.5.25, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4090,7 +4090,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='3.5.24'
+ VERSION='3.5.25'
cat >>confdefs.h <<_ACEOF
@@ -41876,7 +41876,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 3.5.24, which was
+This file was extended by Squid Web Proxy $as_me 3.5.25, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -41942,7 +41942,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-Squid Web Proxy config.status 3.5.24
+Squid Web Proxy config.status 3.5.25
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -u -r -N squid-3.5.24/configure.ac squid-3.5.25/configure.ac
--- squid-3.5.24/configure.ac 2017-01-28 16:57:15.000000000 +1300
+++ squid-3.5.25/configure.ac 2017-04-03 01:07:28.000000000 +1200
@@ -5,7 +5,7 @@
## Please see the COPYING and CONTRIBUTORS files for details.
##
-AC_INIT([Squid Web Proxy],[3.5.24],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.5.25],[http://bugs.squid-cache.org/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.5.24/doc/release-notes/release-3.5.html squid-3.5.25/doc/release-notes/release-3.5.html
--- squid-3.5.24/doc/release-notes/release-3.5.html 2017-01-28 21:09:58.000000000 +1300
+++ squid-3.5.25/doc/release-notes/release-3.5.html 2017-04-03 05:10:43.000000000 +1200
@@ -2,10 +2,10 @@
- Squid 3.5.24 release notes
+ Squid 3.5.25 release notes
-Squid 3.5.24 release notes
+Squid 3.5.25 release notes
Squid Developers
@@ -64,7 +64,7 @@
-The Squid Team are pleased to announce the release of Squid-3.5.24.
+The Squid Team are pleased to announce the release of Squid-3.5.25.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.5/ or the
mirrors.
diff -u -r -N squid-3.5.24/helpers/basic_auth/DB/basic_db_auth.8 squid-3.5.25/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.5.24/helpers/basic_auth/DB/basic_db_auth.8 2017-01-28 21:10:01.000000000 +1300
+++ squid-3.5.25/helpers/basic_auth/DB/basic_db_auth.8 2017-04-03 05:10:47.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -143,8 +143,8 @@
.Vb 1
\& basic_db_auth [options]
.Ve
-.SH "DESCRIPTOIN"
-.IX Header "DESCRIPTOIN"
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
This program verifies username & password to a database
.SH "OPTIONS"
.IX Header "OPTIONS"
@@ -209,7 +209,7 @@
Copyright (C) 2007 Henrik Nordstrom
Copyright (C) 2010 Luis Daniel Lucio Quiroz (Joomla support)
This program is free software. You may redistribute copies of it under the
-terms of the \s-1GNU\s0 General Public License version 2, or (at youropinion) any
+terms of the \s-1GNU\s0 General Public License version 2, or (at your opinion) any
later version.
.SH "QUESTIONS"
.IX Header "QUESTIONS"
diff -u -r -N squid-3.5.24/helpers/basic_auth/DB/basic_db_auth.pl.in squid-3.5.25/helpers/basic_auth/DB/basic_db_auth.pl.in
--- squid-3.5.24/helpers/basic_auth/DB/basic_db_auth.pl.in 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/basic_auth/DB/basic_db_auth.pl.in 2017-04-03 01:04:18.000000000 +1200
@@ -14,7 +14,7 @@
basic_db_auth [options]
-=head1 DESCRIPTOIN
+=head1 DESCRIPTION
This program verifies username & password to a database
@@ -97,7 +97,7 @@
Copyright (C) 2007 Henrik Nordstrom
Copyright (C) 2010 Luis Daniel Lucio Quiroz (Joomla support)
This program is free software. You may redistribute copies of it under the
-terms of the GNU General Public License version 2, or (at youropinion) any
+terms of the GNU General Public License version 2, or (at your opinion) any
later version.
=head1 QUESTIONS
diff -u -r -N squid-3.5.24/helpers/basic_auth/LDAP/basic_ldap_auth.8 squid-3.5.25/helpers/basic_auth/LDAP/basic_ldap_auth.8
--- squid-3.5.24/helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-04-03 01:04:18.000000000 +1200
@@ -98,7 +98,7 @@
.B Note:
This can only be done if all your users are located directly under
the same position in the LDAP tree and the login name is used for naming
-each user object. If your LDAP tree does not match these criterias or if
+each user object. If your LDAP tree does not match these criteria or if
you want to filter who are valid users then you need to use a search filter
to search for your users DN (
.B \-f
@@ -186,15 +186,15 @@
.B never
dereference aliases (default),
.B always
-dereference aliases, only while
-.B search ing
+dereference aliases, only during a
+.B search
or only to
.B find
the base object.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B "\-H ldap_uri
-Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
+Specify the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
Servers can also be specified last on the command line.
.
.if !'po4a'hide' .TP
diff -u -r -N squid-3.5.24/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 squid-3.5.25/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8
--- squid-3.5.24/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2017-01-28 21:10:06.000000000 +1300
+++ squid-3.5.25/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2017-04-03 05:10:51.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_MSNT_MULTI_DOMAIN_AUTH 1"
-.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.24/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-3.5.25/helpers/basic_auth/POP3/basic_pop3_auth.8
--- squid-3.5.24/helpers/basic_auth/POP3/basic_pop3_auth.8 2017-01-28 21:10:11.000000000 +1300
+++ squid-3.5.25/helpers/basic_auth/POP3/basic_pop3_auth.8 2017-04-03 05:10:55.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.24/helpers/digest_auth/eDirectory/digest_pw_auth.cc squid-3.5.25/helpers/digest_auth/eDirectory/digest_pw_auth.cc
--- squid-3.5.24/helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-04-03 01:04:18.000000000 +1200
@@ -30,7 +30,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins
diff -u -r -N squid-3.5.24/helpers/digest_auth/file/digest_file_auth.8 squid-3.5.25/helpers/digest_auth/file/digest_file_auth.8
--- squid-3.5.24/helpers/digest_auth/file/digest_file_auth.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/digest_auth/file/digest_file_auth.8 2017-04-03 01:04:18.000000000 +1200
@@ -15,7 +15,7 @@
is an installed binary authentication program for Squid. It handles digest
authentication protocol and authenticates against a text file backend.
.
-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
+This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
It may be used with any value 0 or above for the auth_param children concurrency= parameter.
.
.SH OPTIONS
@@ -54,7 +54,7 @@
improve security: If compromised the
.B username:realm:HA1
combination is "plaintext equivalent" - for the purposes of digest authentication
-they allow the user access. Password syncronisation is not tackled
+they allow the user access. Password synchronization is not tackled
by digest - just preventing on the wire compromise.
.
.SH AUTHOR
diff -u -r -N squid-3.5.24/helpers/digest_auth/file/digest_file_auth.cc squid-3.5.25/helpers/digest_auth/file/digest_file_auth.cc
--- squid-3.5.24/helpers/digest_auth/file/digest_file_auth.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/digest_auth/file/digest_file_auth.cc 2017-04-03 01:04:18.000000000 +1200
@@ -33,7 +33,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins
diff -u -r -N squid-3.5.24/helpers/digest_auth/file/text_backend.cc squid-3.5.25/helpers/digest_auth/file/text_backend.cc
--- squid-3.5.24/helpers/digest_auth/file/text_backend.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/digest_auth/file/text_backend.cc 2017-04-03 01:04:18.000000000 +1200
@@ -29,7 +29,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins
diff -u -r -N squid-3.5.24/helpers/digest_auth/LDAP/digest_pw_auth.cc squid-3.5.25/helpers/digest_auth/LDAP/digest_pw_auth.cc
--- squid-3.5.24/helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-04-03 01:04:18.000000000 +1200
@@ -30,7 +30,7 @@
* the file format. However storing such a triple does little to
* improve security: If compromised the username:realm:HA1 combination
* is "plaintext equivalent" - for the purposes of digest authentication
- * they allow the user access. Password syncronisation is not tackled
+ * they allow the user access. Password synchronization is not tackled
* by digest - just preventing on the wire compromise.
*
* Copyright (c) 2003 Robert Collins
diff -u -r -N squid-3.5.24/helpers/external_acl/delayer/ext_delayer_acl.8 squid-3.5.25/helpers/external_acl/delayer/ext_delayer_acl.8
--- squid-3.5.24/helpers/external_acl/delayer/ext_delayer_acl.8 2017-01-28 21:10:25.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/delayer/ext_delayer_acl.8 2017-04-03 05:11:10.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.24/helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 squid-3.5.25/helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8
--- squid-3.5.24/helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-04-03 01:04:18.000000000 +1200
@@ -163,7 +163,7 @@
.if !'po4a'hide' .ft
.
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
diff -u -r -N squid-3.5.24/helpers/external_acl/kerberos_ldap_group/README squid-3.5.25/helpers/external_acl/kerberos_ldap_group/README
--- squid-3.5.24/helpers/external_acl/kerberos_ldap_group/README 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/kerberos_ldap_group/README 2017-04-03 01:04:18.000000000 +1200
@@ -65,7 +65,7 @@
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
KRB5_CONFIG=/etc/krb5-squid.conf
diff -u -r -N squid-3.5.24/helpers/external_acl/kerberos_ldap_group/support_ldap.cc squid-3.5.25/helpers/external_acl/kerberos_ldap_group/support_ldap.cc
--- squid-3.5.24/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2017-04-03 01:04:18.000000000 +1200
@@ -919,8 +919,8 @@
/*
* Initialise ldap
*/
- ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
- ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
+// ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
+// ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
ldap_debug = 0;
(void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
#endif
diff -u -r -N squid-3.5.24/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 squid-3.5.25/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8
--- squid-3.5.24/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-04-03 01:04:18.000000000 +1200
@@ -52,8 +52,8 @@
.BI never
dereference aliases (default),
.BI always
-dereference aliases, only while
-.BR search ing
+dereference aliases, only during a
+.BR search
or only to
.B find
the base object
@@ -143,7 +143,7 @@
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-H " ldapuri"
-Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
+Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-K
diff -u -r -N squid-3.5.24/helpers/external_acl/session/ext_session_acl.8 squid-3.5.25/helpers/external_acl/session/ext_session_acl.8
--- squid-3.5.24/helpers/external_acl/session/ext_session_acl.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/session/ext_session_acl.8 2017-04-03 01:04:18.000000000 +1200
@@ -21,7 +21,7 @@
) or a fixed period of time (
.B \-T
). The former is suitable for displaying terms and conditions to a user; the
-latter is suitable for the display of advertisments or other notices (both as a
+latter is suitable for the display of advertisements or other notices (both as a
splash page \- see config examples in the wiki online). The session helper can also be used
to force users to re\-authenticate if the
.B %LOGIN
@@ -55,7 +55,7 @@
environment is created within the directory. The advantage of the latter
is better database support between multiple instances of the session
helper. Using multiple instances of the session helper with a single
-database file will cause synchronisation problems between processes.
+database file will cause synchronization problems between processes.
If this option is not specified the session details will be kept in
memory only and all sessions will reset each time Squid restarts its
helpers (Squid restart or rotation of logs).
diff -u -r -N squid-3.5.24/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.5.25/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.5.24/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2017-01-28 21:10:33.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2017-04-03 05:11:18.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.24/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.5.25/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.5.24/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2017-01-28 21:10:36.000000000 +1300
+++ squid-3.5.25/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2017-04-03 05:11:21.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.24/helpers/log_daemon/DB/log_db_daemon.8 squid-3.5.25/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.5.24/helpers/log_daemon/DB/log_db_daemon.8 2017-01-28 21:10:39.000000000 +1300
+++ squid-3.5.25/helpers/log_daemon/DB/log_db_daemon.8 2017-04-03 05:11:24.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "LOG_DB_DAEMON 8"
-.TH LOG_DB_DAEMON 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -139,8 +139,8 @@
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
log_db_daemon \s-1DSN\s0 [options]
-.SH "DESCRIPTOIN"
-.IX Header "DESCRIPTOIN"
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
This program writes Squid access.log entries to a database.
Presently only accepts the \fBsquid\fR native format
.IP "\fB\s-1DSN\s0\fR" 8
@@ -341,7 +341,7 @@
\& WHERE squid_request_status LIKE \*(Aq%MISS%\*(Aq)
\& /
\& (SELECT COUNT(*) FROM access_log)*100
-\& AS pecentage;
+\& AS percentage;
.Ve
.IP "Response time ranges" 4
.IX Item "Response time ranges"
@@ -401,7 +401,7 @@
.IX Subsection "Table cleanup"
This script currently implements only the \f(CW\*(C`L\*(C'\fR (i.e. \*(L"append a line to the log\*(R") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem.
.PP
-One solution would be to implement e.g. the \*(L"rotate log\*(R" command in a way that would calculate some summary values, put them in a \*(L"summary table\*(R" and then delete the lines used to caluclate those values.
+One solution would be to implement e.g. the \*(L"rotate log\*(R" command in a way that would calculate some summary values, put them in a \*(L"summary table\*(R" and then delete the lines used to calculate those values.
.PP
Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands.
.SS "Testing"
diff -u -r -N squid-3.5.24/helpers/log_daemon/DB/log_db_daemon.pl.in squid-3.5.25/helpers/log_daemon/DB/log_db_daemon.pl.in
--- squid-3.5.24/helpers/log_daemon/DB/log_db_daemon.pl.in 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/log_daemon/DB/log_db_daemon.pl.in 2017-04-03 01:04:18.000000000 +1200
@@ -18,7 +18,7 @@
log_db_daemon DSN [options]
-=head1 DESCRIPTOIN
+=head1 DESCRIPTION
This program writes Squid access.log entries to a database.
Presently only accepts the B native format
@@ -373,7 +373,7 @@
WHERE squid_request_status LIKE '%MISS%')
/
(SELECT COUNT(*) FROM access_log)*100
- AS pecentage;
+ AS percentage;
=item Response time ranges
@@ -433,7 +433,7 @@
This script currently implements only the C (i.e. "append a line to the log") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem.
-One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to caluclate those values.
+One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to calculate those values.
Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands.
diff -u -r -N squid-3.5.24/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 squid-3.5.25/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8
--- squid-3.5.24/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2017-04-03 01:04:18.000000000 +1200
@@ -69,7 +69,7 @@
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
KRB5_CONFIG=/etc/krb5\-squid.conf
diff -u -r -N squid-3.5.24/helpers/negotiate_auth/kerberos/README squid-3.5.25/helpers/negotiate_auth/kerberos/README
--- squid-3.5.24/helpers/negotiate_auth/kerberos/README 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/negotiate_auth/kerberos/README 2017-04-03 01:04:18.000000000 +1200
@@ -53,7 +53,7 @@
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in you can point squid to
-the seperate Kerberos config file by setting the following environmnet variable in the startup
+the separate Kerberos config file by setting the following environment variable in the startup
script.
KRB5_CONFIG=/etc/krb-squid5.conf
diff -u -r -N squid-3.5.24/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.5.25/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-3.5.24/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2017-01-28 21:10:53.000000000 +1300
+++ squid-3.5.25/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2017-04-03 05:11:38.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2017-01-28" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -158,7 +158,7 @@
Rewrite rules are matched in the same order as they appear in the rules file.
So for best performance, sort it in order of frequency of occurrence.
.PP
-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
+This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
It may be used with any value 0 or above for the store_id_children concurrency= parameter.
.SH "OPTIONS"
.IX Header "OPTIONS"
diff -u -r -N squid-3.5.24/helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in squid-3.5.25/helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in
--- squid-3.5.24/helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-04-03 01:04:18.000000000 +1200
@@ -29,7 +29,7 @@
Rewrite rules are matched in the same order as they appear in the rules file.
So for best performance, sort it in order of frequency of occurrence.
-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
+This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
It may be used with any value 0 or above for the store_id_children concurrency= parameter.
=head1 OPTIONS
diff -u -r -N squid-3.5.24/include/version.h squid-3.5.25/include/version.h
--- squid-3.5.24/include/version.h 2017-01-28 16:57:15.000000000 +1300
+++ squid-3.5.25/include/version.h 2017-04-03 01:07:29.000000000 +1200
@@ -7,7 +7,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1485575679
+#define SQUID_RELEASE_TIME 1491138248
#endif
/*
diff -u -r -N squid-3.5.24/lib/libTrie/Makefile.am squid-3.5.25/lib/libTrie/Makefile.am
--- squid-3.5.24/lib/libTrie/Makefile.am 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/lib/libTrie/Makefile.am 2017-04-03 01:04:18.000000000 +1200
@@ -8,8 +8,8 @@
include $(top_srcdir)/src/Common.am
include $(top_srcdir)/src/TestHeaders.am
-DIST_SUBDIRS = test
-SUBDIRS = test
+DIST_SUBDIRS = . test
+SUBDIRS = . test
noinst_LIBRARIES = libTrie.a
diff -u -r -N squid-3.5.24/lib/libTrie/Makefile.in squid-3.5.25/lib/libTrie/Makefile.in
--- squid-3.5.24/lib/libTrie/Makefile.in 2017-01-28 16:56:37.000000000 +1300
+++ squid-3.5.25/lib/libTrie/Makefile.in 2017-04-03 01:06:39.000000000 +1200
@@ -740,8 +740,8 @@
@ENABLE_XPROF_STATS_TRUE@LIBPROFILER = $(top_builddir)/lib/profiler/libprofiler.la
COMPAT_LIB = $(top_builddir)/compat/libcompat-squid.la $(LIBPROFILER)
subst_perlshell = sed -e 's,[@]PERL[@],$(PERL),g' <$(srcdir)/$@.pl.in >$@ || ($(RM) -f $@ ; exit 1)
-DIST_SUBDIRS = test
-SUBDIRS = test
+DIST_SUBDIRS = . test
+SUBDIRS = . test
noinst_LIBRARIES = libTrie.a
noinst_HEADERS = Trie.h TrieNode.h TrieCharTransform.h
libTrie_a_SOURCES = Trie.cc \
diff -u -r -N squid-3.5.24/RELEASENOTES.html squid-3.5.25/RELEASENOTES.html
--- squid-3.5.24/RELEASENOTES.html 2017-01-28 21:09:58.000000000 +1300
+++ squid-3.5.25/RELEASENOTES.html 2017-04-03 05:10:43.000000000 +1200
@@ -2,10 +2,10 @@
- Squid 3.5.24 release notes
+ Squid 3.5.25 release notes
-Squid 3.5.24 release notes
+Squid 3.5.25 release notes
Squid Developers
@@ -64,7 +64,7 @@
-The Squid Team are pleased to announce the release of Squid-3.5.24.
+The Squid Team are pleased to announce the release of Squid-3.5.25.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.5/ or the
mirrors.
diff -u -r -N squid-3.5.24/src/cf.data.pre squid-3.5.25/src/cf.data.pre
--- squid-3.5.24/src/cf.data.pre 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/cf.data.pre 2017-04-03 01:04:18.000000000 +1200
@@ -5401,7 +5401,9 @@
will be considered fresh.
'Max' is an upper limit on how long objects without an explicit
- expiry time will be considered fresh.
+ expiry time will be considered fresh. The value is also used
+ to form Cache-Control: max-age header for a request sent from
+ Squid to origin/parent.
options: override-expire
override-lastmod
diff -u -r -N squid-3.5.24/src/clients/FtpGateway.cc squid-3.5.25/src/clients/FtpGateway.cc
--- squid-3.5.24/src/clients/FtpGateway.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/clients/FtpGateway.cc 2017-04-03 01:04:18.000000000 +1200
@@ -1775,7 +1775,7 @@
// ABORT on timeouts. server may be waiting on a broken TCP link.
if (io.xerrno == Comm::TIMEOUT)
- writeCommand("ABOR");
+ writeCommand("ABOR\r\n");
// try another connection attempt with some other method
ftpSendPassive(this);
diff -u -r -N squid-3.5.24/src/client_side.cc squid-3.5.25/src/client_side.cc
--- squid-3.5.24/src/client_side.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/client_side.cc 2017-04-03 01:04:18.000000000 +1200
@@ -4376,7 +4376,12 @@
fd_table[connState->clientConnection->fd].read_method = &default_read_method;
fd_table[connState->clientConnection->fd].write_method = &default_write_method;
+ ClientSocketContext::Pointer context = connState->getCurrentContext();
+ Must(context != NULL);
if (connState->transparent()) {
+ // If we are going to fake the second CONNECT, clear the first one.
+ context->connIsFinished();
+
// fake a CONNECT request to force connState to tunnel
// XXX: copy from MemBuf reallocates, not a regression since old code did too
SBuf temp;
@@ -4385,7 +4390,6 @@
} else {
// in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
connState->in.buf.append(rbuf.content(), rbuf.contentSize());
- ClientSocketContext::Pointer context = connState->getCurrentContext();
ClientHttpRequest *http = context->http;
tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
}
diff -u -r -N squid-3.5.24/src/client_side_request.cc squid-3.5.25/src/client_side_request.cc
--- squid-3.5.24/src/client_side_request.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/client_side_request.cc 2017-04-03 01:04:18.000000000 +1200
@@ -561,6 +561,7 @@
debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request));
// IP address validation for Host: failed. reject the connection.
+ http->getConn()->quitAfterError(http->request);
clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
clientReplyContext *repContext = dynamic_cast(node->data.getRaw());
assert (repContext);
@@ -1450,6 +1451,13 @@
return false;
}
+ if (error) {
+ debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
+ http->sslBumpNeed(Ssl::bumpBump);
+ http->al->ssl.bumpMode = Ssl::bumpBump;
+ return false;
+ }
+
debugs(85, 5, HERE << "SslBump possible, checking ACL");
ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
@@ -1781,8 +1789,9 @@
}
#if USE_OPENSSL
- // We need to check for SslBump even if the calloutContext->error is set
- // because bumping may require delaying the error until after CONNECT.
+ // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
+ // whether SslBump applies to this transaction. If it applies, we will
+ // attempt to bump the client to serve the error.
if (!calloutContext->sslBumpCheckDone) {
calloutContext->sslBumpCheckDone = true;
if (calloutContext->sslBumpAccessCheck())
diff -u -r -N squid-3.5.24/src/DelaySpec.cc squid-3.5.25/src/DelaySpec.cc
--- squid-3.5.24/src/DelaySpec.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/DelaySpec.cc 2017-04-03 01:04:18.000000000 +1200
@@ -55,7 +55,7 @@
// parse the first digits into restore_bps
const char *p = NULL;
- if (!StringToInt(token, restore_bps, &p, 10) && *p != '/') {
+ if (!StringToInt(token, restore_bps, &p, 10) || *p != '/') {
debugs(77, DBG_CRITICAL, "ERROR: invalid delay rate '" << token << "'. Expecting restore/max or 'none'.");
self_destruct();
}
diff -u -r -N squid-3.5.24/src/ipcache.cc squid-3.5.25/src/ipcache.cc
--- squid-3.5.24/src/ipcache.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/ipcache.cc 2017-04-03 01:04:18.000000000 +1200
@@ -50,7 +50,7 @@
\defgroup IPCacheInternal IP Cache Internals
\ingroup IPCacheAPI
\todo when IP cache is provided as a class. These sub-groups will be obsolete
- * for now they are used to seperate the public and private functions.
+ * for now they are used to separate the public and private functions.
* with the private ones all being in IPCachInternal and public in IPCacheAPI
*
\section InternalOperation Internal Operation
diff -u -r -N squid-3.5.24/src/main.cc squid-3.5.25/src/main.cc
--- squid-3.5.24/src/main.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/main.cc 2017-04-03 01:04:18.000000000 +1200
@@ -425,11 +425,11 @@
/** \par k
* Run the administrative action given following the option */
- /** \li When its an unknown option display the usage help. */
- if ((int) strlen(optarg) < 1)
+ /** \li When it is missing or an unknown option display the usage help. */
+ if (!optarg || strlen(optarg) < 1)
usage();
- if (!strncmp(optarg, "reconfigure", strlen(optarg)))
+ else if (!strncmp(optarg, "reconfigure", strlen(optarg)))
/** \li On reconfigure send SIGHUP. */
opt_send_signal = SIGHUP;
else if (!strncmp(optarg, "rotate", strlen(optarg)))
diff -u -r -N squid-3.5.24/src/servers/FtpServer.cc squid-3.5.25/src/servers/FtpServer.cc
--- squid-3.5.24/src/servers/FtpServer.cc 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/servers/FtpServer.cc 2017-04-03 01:04:18.000000000 +1200
@@ -1454,9 +1454,33 @@
Comm::ConnectionPointer conn = new Comm::Connection();
conn->flags |= COMM_DOBIND;
- // Use local IP address of the control connection as the source address
- // of the active data connection, or some clients will refuse to accept.
- conn->setAddrs(clientConnection->local, cltAddr);
+ if (clientConnection->flags & COMM_INTERCEPTION) {
+ // In the case of NAT interception conn->local value is not set
+ // because the TCP stack will automatically pick correct source
+ // address for the data connection. We must only ensure that IP
+ // version matches client's address.
+ conn->local.setAnyAddr();
+
+ if (cltAddr.isIPv4())
+ conn->local.setIPv4();
+
+ conn->remote = cltAddr;
+ } else {
+ // In the case of explicit-proxy the local IP of the control connection
+ // is the Squid IP the client is knowingly talking to.
+ //
+ // In the case of TPROXY the IP address of the control connection is
+ // server IP the client is connecting to, it can be spoofed by Squid.
+ //
+ // In both cases some clients may refuse to accept data connections if
+ // these control connectin local-IP's are not used.
+ conn->setAddrs(clientConnection->local, cltAddr);
+
+ // Using non-local addresses in TPROXY mode requires appropriate socket option.
+ if (clientConnection->flags & COMM_TRANSPARENT)
+ conn->flags |= COMM_TRANSPARENT;
+ }
+
// RFC 959 requires active FTP connections to originate from port 20
// but that would preclude us from supporting concurrent transfers! (XXX?)
conn->local.port(0);
diff -u -r -N squid-3.5.24/src/ssl/ssl_crtd.8 squid-3.5.25/src/ssl/ssl_crtd.8
--- squid-3.5.24/src/ssl/ssl_crtd.8 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/ssl/ssl_crtd.8 2017-04-03 01:04:18.000000000 +1200
@@ -33,7 +33,7 @@
Because the generation and signing of SSL certificates takes time
Squid must use external process to handle the work.
.
-This process generates new SSL certificates and uses a disk cache of certificatess
+This process generates new SSL certificates and uses a disk cache of certificates
to improve response times on repeated requests.
Communication occurs via TCP sockets bound to the loopback interface.
.
@@ -122,7 +122,7 @@
.
.PP
For simple configuration the helper defaults can be used.
-Only HTTP listening port options are required to enable generation and set the signign CA certificate.
+Only HTTP listening port options are required to enable generation and set the signing CA certificate.
For Example:
.if !'po4a'hide' .RS
.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem
diff -u -r -N squid-3.5.24/src/StoreFileSystem.h squid-3.5.25/src/StoreFileSystem.h
--- squid-3.5.24/src/StoreFileSystem.h 2017-01-28 16:54:46.000000000 +1300
+++ squid-3.5.25/src/StoreFileSystem.h 2017-04-03 01:04:18.000000000 +1200
@@ -47,7 +47,7 @@
\par
* configure will take a list of storage types through the
* --enable-store-io parameter. This parameter takes a list of
- * space seperated storage types. For example,
+ * space separated storage types. For example,
* --enable-store-io="ufs aufs" .
*
\par