- integrate most of the vendor patches available from
<http://www.squid-cache.org/Versions/v2/2.6/changesets/> up to
changeset 11066
- replace the FTP mirror at progeny.com (which seems to be gone and is
no longer listed on <http://www.squid-cache.org/Mirrors/ftp-mirrors.html>)
with the one hosted by Vistech
- remove a redundant / from PATCH_SITE_SUBDIR
- update the ICAP patchsets to current ICAP CVS
- add an extra patch that adds a decription of how to remap the threading
library to the documentation of the aufs file system in squid.conf when
Squid is built with aufs support on FreeBSD >= 5.1
- make the rc script pass ${squid_flags} in the shutdown and reconfigure
case (ports/100510)
- fix a path description in pkg-message (pointed out by
"Tuc at the Beach House")
- use "Squid" in the pseudo-user's description, too
PR: ports/105022
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Sponsored by: FreeBSD Bug-a-thon #2
- update the ICAP core patchset to CVS as of 2006-08-13 and correct
the name of the CVS branch used in creating the diff
- remove a superfluous hunk from the ICAP bootstrap patchset
PR: ports/102274
Submitted by: Thomas-Martin Seck <tmseck(at)netcologne.de>
Approved by: krion (mentor)
- Include most of the post-STABLE2 changes/bugfixes published at
<http://www.squid-cache.org/Versions/v2/2.6/changesets/>.
- Remove the local fix for the problem that ipfw(4) support was not
working because the problem was fixed upstream.
- Remove the SQUID_IPFW option again, ipfw(4) should now work out
of the box as in earlier Squid versions.
- Add ICAP support.
PR: ports/101422
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
stable Squid release. Because of the large amount changes introduced
in 2.6, we keep 2.5 as www/squid and make www/squid26.
New OPTIONS:
- WITH_/WITHOUT_SQUID_KQUEUE: use kqueue(2) support (defaults to yes)
- WITH_/WITHOUT_SQUID_WCCPV2: enable WCCPv2 support (defaults to no)
- WITH_/WITHOUT_SQUID_REFERER_LOG: enable referer-header logging (default no)
- make WITH_DEBUG a synonym for WITH_SQUID_STACKTRACES
Removed OPTIONS:
- WITH_SQUID_CUSTOM_LOG: the code is now part of mainline squid and can
be configured via squid.conf
- WITH_/WITHOUT_SQUID_UNDERSCORES: no longer configurable
- WITH_/WITHOUT_SQUID_CHECK_HOSTNAME: no longer configurable
- WITH_/WITHOUT_SQUID_RCNG: the start script is now rc.d only
Changed default:
- CARP support is enabled by default in squid 2.6 and needs to be
explicitly disabled defining WITHOUT_SQUID_CARP
Port infrastructural changes:
- no longer check for invalid user/group id; this problem should no longer
be an issue (if it ever was one, but you never know) and remove the
'changeuser:' target
- use files/squid.in instead of files/squid.sh.in as template
- remove ancient information about Harvest from pkg-descr, tighten COMMENT
- add some HTTP mirror sites taken from
<http://www.squid-cache.org/Mirrors/http-mirrors.html> as additional
PATCH_SITES (thanks to Robert Backhaus for the initial submission)
- ICAP support is not yet available, the squid-devel CVS is not synchronized
with mainline squid as I write this so mark WITH_SQUID_ICAP as IGNORE for
now. I'll add the necessary patches ASAP.
- spell "squid" as "Squid" when referring to the project as this seems to be
the spelling the Squid project prefers
- some cosmetic changes in macro definitions
PR: ports/99750
Submitted by: Thomas-Martin Seck <tmseck_at_netcologne.de> (squid maintainer)
- accept 7-CURRENT's WITHOUT_NIS switch as a synonym for NO_NIS
- add a missing "/" in files/pkg-message.in
- update the ICAP core patchset to the latest CVS (2006-05-21)
- update the custom logfile patchset to the latest CVS (2006-05-21)
PR: ports/97607
Submitted by: maintainer
- simplify definition of the SQUIDHOSTNAMELEN constant (squid bug #1434)
- correct display of mime icons when visible_hostname contains only the plain
hostname without a domain (squid bug #1532)
- plug a memory leak in the HTCP client code (squid bug #1553)
- plug a memory leak in the ident processing code (squid bug #1557)
- Bump PORTREVISION
[1] http://www.squid-cache.org/Versions/v2/2.5/bugs/
PR: 97356
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- Implement a new option WITH_SQUID_SASL_AUTH, off by default
- Update the ICAP core patchset to the latest CVS
- Extensive portlintification and cleanups
PR: ports/94642
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
to that of Apache LogFormat and CustomLog configuration directives.
This also allows for output in multiple formats to different log files.
See http://devel.squid-cache.org/customlog/ for more information.
PR: ports/92522
Submitted by: Matthew Will <mwill@spingen.com>
Approved by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Fix wbinfo_group.pl to correctly work with the wbinfo command
from samba-3.0.21 (squid bug #1472)
- Fix a crash when accessing async IO function counters via the
cachemgr CGI in cases where squid was compiled for aufs support
but not actually using it (squid bug #1464)
While at it, remove an unneeded patch from the ICAP core patchset.
PR: ports/91831
Submitted by: maintainer
- Fix rc(8) preamble in the squid run script
- Use the .sh suffix only for the old style script
- Do not refer to "rcNG" in pkg-install anymore, rcNG is the default
rc style by now
- Bump PORTREVISION (to mark this change and because the package content
changes)
PR: ports/90858
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
--enable-ntlm-fail-open was specified as an additional configuration
option (squid bug #1022).
The port does not enable this option by default; document it, while at it.
- Add SHA256 checksum for the squid tarball
- Integrate ICAP client support based upon the icap project's CVS repository,
turned off by default.
To activate it, build the port with WITH_SQUID_ICAP defined or rerun
'make config'.
- Bump PORTREVISION
PR: ports/90688
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- document that tcp_outgoing_xxx works badly in combination with
server_persistent_connections (squid bug #454)
- add more tracing in test mode of squid_ldap_auth (squid bug #1395)
- fix breakage of accel_single_host when combined with
server_persistent_connection (squid bug #1402)
- correctly implement the CACHE_HTTP_PORT configuration directive
(squid bug #1403)
- fix the problem that CNAME addresses were remembered with a wrong TTL
(squid bug #1404)
- fix incorrect handling of squid-internal-dynamic/netdb in conjunction with
httpd_accel/transparent proxies (squid bug #1410)
- properly revalidate the cache on HEAD requests (squid bug #1411)
- correct handling of Set-Cookie headers on cache refreshes (squid bug #1419)
- fix a vulnerability in the FTP parsing code (squid bug #1426)
PR: ports/87637
Submitted by: maintainer
- LDAP helpers do not work with TLS (-Z option)
(squid bug #1389)
- Incorrect store dir selection debug message on objects >2G
(squid bug #1343)
- Enums cannot be assumed to be signed ints
(squid bug #1343)
- Allow leaving core dumps on Linux
(squid bug #1335)
- Do not let clients bypass delay pools by faking a cache hit
(squid bug #500)
- Fix problems regarding CONNECT requests when squid is configured with
"pipeline_prefetch on"
- Fix a possible DOS condition which may be triggered by certain NTLM
authentication requests
(squid bug #1391)
- Remove patching relevant to recently removed pf from ports option
PR: ports/86179
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- FTP listings use "BASE HREF" much more than necessary (squid bug #1204)
- Cleanups for 64bit architectures (squid bug #1316)
- Allow wb_ntlm_auth to run more silent (squid bug #518)
- Add a new 'mail_program' configuration option
- Fix a possible denial of service condition regarding sslConnectTimeout
(squid bug #1355, Secunia Advisory SA16674)
- Avoid a possible assertion failure in StatHist.c (squid bug #1325)
- Fix issues regarding chroot'ed installations on 'squid -k reconfigure'
(squid bug #1331)
- Make URLs in error pages more consistent and less confusing (squid bug #1342)
- Fix compilation when _FORTIFY_SOURCE is defined (squid bug #1344)
- Fix handling of unexpected 250 replies from certain odd FTP servers
(squid bug #1348)
- Add Greek error pages (squid bug #1351)
- Fix a possible denial of service condition with regards to aborted requests
(squid bug #1368)
- Fix the -U option of squid_ldap_auth (squid bug #1370)
- Fix the output of the SNMP cacheClientTable for IP adresses that consist of
16 digits (squid bug #1375)
- Make the From: field of mails sent from squid configurable to avoid
mails getting lost due to spam filtering (squid bug #1380)
PR: ports/85688
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ double content-length often harmless (squid bug #1305)
+ update spanish error pages
+ squid internal icons were served with slightly incorrect headers
(squid bug #1275)
+ squid -k fails in combination with chroot (squid bug #1307)
+ core dump with --enable-ipf-transparent if access to NAT device is denied
(squid bug #1313)
+ http_accel_single_host incompatible with redirection (squid bug #1314)
+ squid -k reconfigure caused data corruption when a cache_dir type had been
changed (squid bug #1308)
+ SNMP getnext failed if the given OID was outside the squid MIB (squid bug
#1317)
PR: ports/82703
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- remove local patch that is now incorporated into the corresponding
vendor patch (with slightly different wording)
PR: ports/80367
Submitted by: maintainer
squid bugs #1283, 1287 and 1288 (assertion failed in store_client.c:343).
(already committed)
- Bump portrevision as a datapoint for this bugfix.
PR: 80163
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Correct several minor aufs issues (squid bug #671)
- Basic authentification fails when login+password totalled to more than
64 characters (squid bug #1171)
- Fix an assertion that could occur when traffic other than HTTPS was
tunneled through squid via the CONNECT method (squid bug #1269)
- Make the --disable-hostname-check configuration option actually work
(squid bug #1270)
- Fix aufs warning about open filedescriptors when the cache was shut down
(squid bug #671)
- Allow squid to process requests for files larger than 2GB in size
(squid bug #437)
Introduce a new OPTION "WITH_SQUID_LARGEFILE", default to off to match
squid's default behaviour.
Rebuild squid with -DWITH_SQUID_LARGEFILE or run 'make config' and
select this new option.
- Add two new cachemgr actions: "pending_objects" and "client_objects"
- Make external acls that require authentication request new credentials
after access had been denied (squid bug #1278)
- Make squid use "daemon" instead of "local4" as syslog facility (squid bug
#1227)
PR: 80028
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ Handle odd data formats (squid bug #321)
+ reload_into_ims fails to revalidate negatively cached entries
(squid bug #1159)
+ Clarify delay_access function (squid bug #1245)
+ Check several squid.conf directives for int overflows (squid bug #1247)
+ Use memset(3) instead of bzero(3) (squid bug #1256)
+ Fix compile warnings due to pid_t not being an int (squid bug #1257)
+ Fix incorrect use of ctype functions (squid bug #1259)
+ Defer digest fetch if the peer is not allowed to be used (squid bug #1262)
+ Extend relaxed_header_parser to work around "excess data from" errors from
many major web servers (squid bug #1265)
- Enable IPFilter based transparent proxying on all FreeBSD versions where
IPFilter headers are part of the base system (i.e. RELENG_4 < 4.7-RELEASE,
RELENG_5 and 6-CURRENT). Create a new OPTION WITH_SQUID_IPFILTER for this
purpose. Thanks to sem@ for keeping track of this issue!
PR: ports/78780
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- correct a race condition related to the Set-Cookie header
- correct the FTP parser with regards to the EPLF format
(squid bug #1252)
- correct FTP listing output when the URL was requested without a trailing
slash (squid bug #1253)
- make ACL configuration errors fatal (squid bug #1255)
PR: ports/78446
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- fix some cross-platform build format warnings
- allow high characters in generated FTP and Gopher directory listings
(squid bug #1220)
- cleanup generation of FTP URLs
- relax the newly introduced strict HTTP parser slightly to work around some
more malformed HTTP responses (squid bug #1242)
PR: ports/77779
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
- Integrate a vendor patch from:
http://www.squid-cache.org/Versions/v2/2.5/bugs/
it fixes a major problem regarding the handling of invalid DNS responses
PR: ports/77423
Submitted by: maintainer
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
+ Reject malformed HTTP requests and responses that conflict with the HTTP
specifications
This issue is qualified as a security issue by the vendor.
+ PURGE is allowed to delete internal objects (squid bug #1112)
+ Disable Path-MTU discovery on intercepted requests (squid bug #1154)
(VuXML vid=b4d94fa0-6e38-11d9-9e1e-c296ac722cb3)
- Clean up and correct package list generation. Now installed files
and directories are visible via PLIST_FILES and PLIST_DIRS.
- Don't claim that squid related files or directories are still present
after deinstallation when in fact they are not.
- Add "-g" to CFLAGS when WITH_SQUID_STACKTRACES is defined to make this
option actually useful.
PR: ports/76628
Submitted by: maintainer
attack and other patches
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- FTP data connection fails on some FTP servers when requesting
a directory without a trailing slash (squid bug #1194)
- Icons fail to load on non-anonymous FTP when using the
short_icons_url configuration directive (squid bug #1203)
- Strengthen squid against HTTP response splitting cache pollution
attacks (squid bug #1200), classified as security issue by
the vendor
Proposed VuXML information, entry date left to be filled in:
(Note: I added only a publically accessible link to the Sanctum,
Inc. whitepaper, the squid bug tracker contains a deep link
to the PDF itself; if we are allowed to publish it, it could
instead be used as reference because Sanctum, Inc. wants you
to register with them before you get access to their whitepapers.)
PR: ports/76550
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
Integrate vendor patches as published on
<http://www.squid-cache.org/Versions/v2/2.5/bugs/>:
- Sanity check usernames in squid_ldap_auth (squid bug #1187),
classified as minor security issue by the vendor, see below for VuXML
information
- FQDN names truncated on compressed DNS responses (squid bug #1136)
- Internal DNS memory leak on malformed responses (squid bug #1197)
PR: ports/76364
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de>
<http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
issues:
+ Prevent a possible denial of service attack via WCCP messages (squid bug
#1190), classified as security issue by the vendor
+ Fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
#1189), classified as security issue by the vendor
+ Fix a null pointer access and plug memory leaks in the fake_auth NTLM
helper (squid bug #1183) (this helper app is not installed by default by
the port)
+ Stop closing open filedescriptors beyond stdin, stdout and stderr on
startup (squid bug #1177)
- Unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
nagilum.de>" for reporting this)
- Document the two security issues in VuXML.
PR: ports/76173
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Approved by: erwin (mentor)