Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been presented, ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only fixes for vulnerabilities and stability problems will be made in it from now on, and minor optimizations are allowed. Development of new features will take place in the new experimental branch 6.0. Users of the previous stable 4.x branch are advised to plan a migration to the 5.x branch.

Main new features in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used for integration with external content verification systems, has added support for the trailer mechanism, which makes it possible to attach additional headers with metadata to a response, placed after the message body (for example, a checksum and details about detected problems can be sent).
  • When forwarding requests, the "Happy Eyeballs" algorithm is used, which immediately uses the first IP address received, without waiting for all potentially available IPv4 and IPv6 addresses to be resolved. Instead of using the "dns_v4_first" setting to determine whether the IPv4 or IPv6 address family is used, the order of DNS responses is now taken into account: if the DNS AAAA response arrives first while waiting for the IP address to be resolved, the resulting IPv6 address will be used. Thus, setting the preferred address family is now done at the firewall or DNS level, or at startup with the "--disable-ipv6" option. The proposed change makes it possible to reduce TCP connection setup time and lessen the performance impact of delays during DNS resolution.
  • For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" handler has been added for authentication with group checking in Active Directory using Kerberos. To look up the group name, the ldapsearch utility provided by the OpenLDAP package is used.
  • Support for the Berkeley DB format has been deprecated due to licensing issues. The Berkeley DB 5.x branch has not been maintained for several years and remains with unpatched vulnerabilities, and moving to newer releases is prevented by the license change to AGPLv3, whose requirements also apply to applications that use BerkeleyDB as a library; Squid is distributed under the GPLv2 license, and AGPL is incompatible with GPLv2. Instead of Berkeley DB, the project has switched to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" handlers now recommend using the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header, defined in RFC 8586, which makes it possible to detect loops when using content delivery networks (the header protects against situations where a request, while being redirected between CDNs, for some reason returns to the original CDN, creating an infinite loop).
  • The SSL-Bump mechanism, which allows intercepting the contents of encrypted HTTPS sessions, has added support for forwarding intercepted (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using a regular tunnel based on the HTTP CONNECT method (transmission over HTTPS is not supported, since Squid cannot yet transport TLS inside TLS). SSL-Bump allows establishing a TLS connection with the target server after receiving the first intercepted HTTPS request and obtaining its certificate. After that, Squid uses the hostname from the real certificate received from the server and creates a fake certificate that imitates the requested server when interacting with the client, while continuing to use the TLS connection established with the target server to receive data (so that the substitution does not cause a warning to be displayed in the browser on the client side, the certificate used to generate the fictitious certificates must be added to the root certificate store).
  • Added the mark_client_connection and mark_client_pack directives for binding Netfilter marks (CONNMARK) to client TCP connections or individual packets.
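To make the CDN-Loop item above concrete, here is an added example (not Squid's own code) that parses the RFC 8586 `CDN-Loop` field grammar and performs the loop check a proxy must do before adding its own identifier; the identifier `squid-edge` and the case-insensitive comparison of cdn-ids are assumptions of this example.

```python
import re

# Grammar from RFC 8586: CDN-Loop = #cdn-info
#   cdn-info  = cdn-id *( OWS ";" OWS parameter )
#   cdn-id    = ( uri-host [ ":" port ] ) / pseudonym   (pseudonym = token)
#   parameter = token "=" ( token / quoted-string )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One cdn-info plus its trailing separator; leading empty list elements are skipped.
CDN_INFO = re.compile(
    rf"[\s,]*(?P<id>[^\s;,]+)(?P<params>(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*)\s*(?:,|$)"
)
PARAM = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED})")


def parse_cdn_loop(field_values):
    """Return [(cdn_id, {param: value}), ...] for all CDN-Loop field values of a message.
    Raises ValueError on a value that does not match the RFC 8586 grammar."""
    entries = []
    for value in field_values:
        pos = 0
        while value[pos:].strip(" \t,"):
            m = CDN_INFO.match(value, pos)
            if not m:
                raise ValueError(f"malformed CDN-Loop at offset {pos}: {value[pos:]!r}")
            params = {k.lower(): v for k, v in PARAM.findall(m.group("params"))}
            entries.append((m.group("id").lower(), params))  # assumption: ids compared case-insensitively
            pos = m.end()
    return entries


def detect_loop(field_values, own_ids):
    """Return the first (cdn_id, params) entry naming one of our own identifiers, else None."""
    own = {i.lower() for i in own_ids}
    for cdn_id, params in parse_cdn_loop(field_values):
        if cdn_id in own:
            return cdn_id, params
    return None


def forward_with_cdn_loop(headers, own_id):
    """Return the CDN-Loop values to send upstream with own_id appended (RFC 8586 section 2),
    or raise if the request has already traversed this proxy. headers: list of (name, value)."""
    values = [v for name, v in headers if name.lower() == "cdn-loop"]
    if detect_loop(values, [own_id]):
        raise RuntimeError(f"CDN-Loop: request already traversed {own_id}; refusing to forward")
    return values + [own_id]
```

Comparison against every identifier the proxy is known by (hostname, pseudonym) closes the gap where an upstream CDN writes the id in a different form.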

Hot on their heels, the Squid 5.2 and Squid 4.17 releases have been published, which fix the following vulnerabilities:

  • CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy server's clients to the attacker's host. The problem manifests only in configurations with WCCPv2 support enabled and only when the router's IP address can be spoofed.
  • CVE-2021-41611 - An issue in TLS certificate validation allows access using untrusted certificates.

source: budenet.ru