For details see: http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see: https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results. Right now, 4.4 is running here with no seen problems together with 'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/squid | 12 ++-- ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 ------------------- ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ------ ... squid-4.4-fix-max-file-descriptors.patch} | 4 +- 4 files changed, 8 insertions(+), 102 deletions(-) delete mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch delete mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch rename src/patches/squid/{squid-4.3-fix-max-file-descriptors.patch => squid-4.4-fix-max-file-descriptors.patch} (92%)
diff --git a/lfs/squid b/lfs/squid index 11b84d719..e5e799111 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@
include Config
-VER = 3.5.28 +VER = 4.4
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5 +$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
install : $(TARGET)
@@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi @@ -125,7 +123,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-zph-qos \ --with-dl \ --with-filedescriptors=$$(( 16384 * 64 )) \ - --with-large-files + --with-large-files \ + --without-gnutls \ + --without-netfilter-conntrack
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch deleted file mode 100644 index fadb1d48c..000000000 --- a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch +++ /dev/null @@ -1,72 +0,0 @@ -commit f1657a9decc820f748fa3aff68168d3145258031 -Author: Christos Tsantilas christos@chtsanti.net -Date: 2018-10-17 15:14:07 +0000 - - Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) - - %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all - ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template. - - Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet). - - Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. - - TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional. - - This is a Measurement Factory project. - -diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc -index b5030e3..314e998 100644 ---- a/src/ssl/ErrorDetail.cc -+++ b/src/ssl/ErrorDetail.cc -@@ -8,6 +8,8 @@ - - #include "squid.h" - #include "errorpage.h" -+#include "fatal.h" -+#include "html_quote.h" - #include "ssl/ErrorDetail.h" - - #include <climits> -@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const - { - if (broken_cert.get()) { - static char tmpBuffer[256]; // A temporary buffer -- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) -- return tmpBuffer; -+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { -+ // quote to avoid possible html code injection through -+ // certificate subject -+ return html_quote(tmpBuffer); -+ } - } - return "[Not available]"; - } -@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const - static String tmpStr; ///< A temporary string buffer - tmpStr.clean(); - Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); -- if (tmpStr.size()) -- return tmpStr.termedBuf(); -+ if (tmpStr.size()) { -+ // quote to avoid possible html code injection through -+ // certificate subject -+ return html_quote(tmpStr.termedBuf()); -+ } - } - return "[Not available]"; - } -@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const - { - if (broken_cert.get()) { - static char tmpBuffer[256]; // A temporary buffer -- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) -- return tmpBuffer; -+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { -+ // quote to avoid possible html code injection through -+ // certificate issuer subject -+ return html_quote(tmpBuffer); -+ } - } - return "[Not available]"; - } diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch deleted file mode 100644 index 2ae034c20..000000000 --- a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) -Author: flozilla fishyflow@gmail.com -Date: 2018-10-24 14:12:01 +0200 - - Fix memory leak when parsing SNMP packet (#313) - - SNMP queries denied by snmp_access rules and queries with certain - unsupported SNMPv2 commands were leaking a few hundred bytes each. Such - queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log. - -diff --git a/src/snmp_core.cc b/src/snmp_core.cc -index c4d21c1..16c2993 100644 ---- a/src/snmp_core.cc -+++ b/src/snmp_core.cc -@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq) - snmpConstructReponse(rq); - } else { - debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); -+ snmp_free_pdu(PDU); - } - xfree(Community); - diff --git a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.3-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.4-fix-max-file-descriptors.patch index a46390c1e..8d1a4e03a 100644 --- a/src/patches/squid/squid-4.3-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3149,6 +3149,9 @@ +@@ -3156,6 +3156,9 @@ ;; esac
@@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 directive AC_ARG_WITH(maxfd,, -@@ -3179,8 +3182,6 @@ +@@ -3186,8 +3189,6 @@ esac ])