[squid-users] Squid-2.5.STABLE5 released [minor security / major bugfix release]
The Squid HTTP Proxy team is pleased to announce the availability of the
Squid-2.5.STABLE5 bugfix release.
This new release can be downloaded from our HTTP or FTP servers
or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see
Squid-2.5.STABLE5 is a major bugfix release of Squid-2.5 and corrects one
minor security issue in url_regex access controls and several major
non-security related bugs found in the earlier Squid-2.5 releases. Users
are recommended to upgrade to this new release, especially if using any of
the features mentioned below.
The most important bug-fixes in this release are:
[security] %00 in a URL could be used to bypass url_regex and urlpath_regex
access controls in certain configurations. Other acl directives are not
affected. More information on this issue can be found in the SQUID-2004:1
security advisory, distributed separately.
[major] Several NTLM related bugfixes and improvements fixing the problem
of random auth popups and account lockouts. Optional support for the
NEGOTIATE NTLM packet is also added to allow Samba-3.0.2 or later to
negotiate the use of NTLMv2 or NTLM2.
[major] Several authentication related bugfixes to allow authentication to
work in additional acl driven directives outside of http_access, and a
number of corrections to assertion or segmentation faults and some memory
In addition there is a small number of new features or improvements which
enhance the functionality of Squid:
[medium] redirector interface modified to work with login names containing
spaces or other odd characters. This is accomplished by URL-encoding the
login name before it is sent to redirectors. Note: Existing redirectors or their
configuration may need to be slightly modified in how they process the
ident column to support the new username format (only applies to
redirectors looking into the username)
[medium] various timeouts adjusted: connect_timeout 1 minute (was 2
minutes which is now forward_timeout), negative_dns_ttl 1 minute (was 5
minutes) and is now also used as minimum positive dns ttl, dns_timeout 2
minutes (was 5 minutes)
[minor] "short_icon_urls on" can be used to simplify the URLs used for
icons etc to avoid issues with proxy host naming and authentication when
[minor] A new "urllogin" ACL type has been introduced allowing regex
matches to the "login" component of Internet style URLs
[minor] Squid now respects the Telnet protocol on connections to FTP
servers. The ftp_telnet_protocol directive can be used to revert back to
the old incorrect implementation if required.
[minor] The default mime.conf has been updated with many new mime types
and a few minor corrections. In addition the download and view links are
used more frequently to allow view/download of different ftp:// contents
regardless of their mime type assignment.
In addition there is a large number of minor and cosmetic bugfixes not
included in the above list. For a complete list of changes see the
ChangeLog and the Squid-2.5 Patches page
It is recommended to read the release notes when upgrading from an earlier
Squid release (including Squid-2.5.STABLE4) as there have been some minor
changes in the configuration.
Thanks go to MARA Systems AB, who have been actively sponsoring this
bugfix release of Squid as part of their continuing effort to provide both
free and commercial support to the Squid community, and to all users who
have provided valuable bug reports and feedback via the Squid bug
The Squid HTTP Proxy developer team
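
Added example (not part of the announcement and not Squid project code): a minimal redirector that handles the URL-encoded login name described in the redirector note above. It assumes the Squid-2.5 redirector request line layout "URL client-ip/fqdn ident method"; the block page URL, the user list, the UTF-8 assumption and the fail-closed choice are hypothetical.

```python
import sys
from urllib.parse import unquote

BLOCK_PAGE = "http://proxy.example.invalid/blocked.html"  # hypothetical URL
RESTRICTED_USERS = {"DOMAIN\\guest user"}                  # constructed policy


def decode_ident(ident):
    """Return the decoded login name, or None when Squid sent '-' (no user)."""
    if ident == "-":
        return None
    # Assumption: names are UTF-8; undecodable bytes become U+FFFD.
    user = unquote(ident, encoding="utf-8", errors="replace")
    # Escaped control bytes (%00, %0A, ...) have no place in a login name.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user):
        raise ValueError("control character in login name")
    return user


def parse_request(line):
    """Split one request line: URL client-ip/fqdn ident method."""
    # Split on spaces BEFORE decoding: the encoded ident never contains a
    # raw space, so the column positions stay fixed.
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) < 4:
        raise ValueError("expected at least 4 fields")
    url, client, ident, method = fields[:4]
    return {"url": url, "client_ip": client.partition("/")[0],
            "user": decode_ident(ident), "method": method}


def rewrite(line):
    """Return the reply line: a replacement URL, or '' to leave it unchanged."""
    try:
        req = parse_request(line)
    except ValueError:
        return BLOCK_PAGE  # fail closed on malformed input (a choice made here)
    return BLOCK_PAGE if req["user"] in RESTRICTED_USERS else ""


if __name__ == "__main__":
    for request_line in sys.stdin:
        sys.stdout.write(rewrite(request_line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply per request line
```

A redirector that compared the raw ident column against "DOMAIN\guest user" would stop matching after the upgrade, which is the configuration change the note warns about.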