Re: Squid-3.0.PRE4 release plan

From: Doug Dixon <doug.dixon@dont-contact.us>
Date: Wed, 10 May 2006 10:21:15 +1200

Hopefully this finalises our list of PRE4 bugs

On 9 May 2006, at 08:43, Henrik Nordstrom wrote:

> Mon 2006-05-08 at 10:32 +1200, Doug Dixon wrote:
>
>> 1200 (HTTP Response Splitting attack) - patched in 2.5 - is this an
>> easy port?
>
> It's a bit of work, and not very important for the PRE4 release. It's
> sufficient to have it documented as a known weakness, and thereby
> discouraging people from running PRE4 in production as an Internet
> proxy on "innocent" users who like to visit "bad" sites..

OK, won't add to PRE4, we'll append a suitable warning to the PRE4
release notes

>
>> 1265 (httpReadReply: Excess data from ... can be silenced in many
>> cases) - patched in 2.5 - is this an easy port?
>
> Yes, but definitely not a blocker. It's about making Squid shut up
> about non-compliant HTTP servers. A PRE release should be noisy about
> things it doesn't like as these cases trigger code paths seldom
> exercised on the normal traffic which means there is a high risk of
> bugs in related areas..
>
> If worried you can always chain with a 2.5.STABLE14 parent to fix this
> class of HTTP pollution malware (both 1200 and 1265).

OK, won't add to PRE4, it's an enhancement. But please forward port
when you can :)

>
>> First, I think we should probably push the ESI bugs forward to PRE5.
>
> Sounds reasonable. Well, if 1088 (segfault in string handling) is
> easily diagnosed it's probably beneficial to fix this, but 975 (long
> documents) definitely can be kicked forward if you ask me.
>
>> * 1125 (although, is this really 1028 which is already in there?)
>
> Looks the same to me.

Marked as duplicate. 1125 is now the PRE4 bug (not 1028 any more)

>
>> Bugs to potentially remove from the list:
>> * 942 (squid-3.0-PRE3-20040309 uncached 304's broken)
>
> Definitely. Should perhaps be kicked forward to 3.1 even.. unless I
> have completely misunderstood the bug report.

Removed from PRE4
>
>> * 897 (Extra CRLF Added After Headers)
>
> no problem to kick this forward to next PRE release for me, but it
> might be a bit annoying to the users who get bitten by it (random
> images broken etc.. usually but not always fixed by a forced reload)
>
Removed from PRE4

>> * 951 (Assert failure in ESIInclude.cc:563: "parent.getRaw()")
>
> Natural per the above decision..
Removed from PRE4

>
>> Are we happy to defer ESI stuff (951, 975, 1088) to PRE5?
>
> I am.
Done

>
>> Are we happy to defer 801
>
> Yes.
>
>> and 1494 to PRE5?
>
> Not sufficient info in this report. Missing stack trace. So yes.
>
>> Are we happy to remove 942 and 897 from PRE4?
>
> What do you mean by remove?
I mean remove them from the PRE4 critical path - which I have done
(above)

>
> See above for my comments on these bugs.
>
> Regards
> Henrik

I have also added these to PRE4 as agreed:
    * 1089 (PATCH25)
    * 1465
    * 1468

As if by magic, our list is still nine bugs long, but they're
probably now the right ones to concentrate on.

Cheers
Doug
Received on Tue May 09 2006 - 16:48:19 MDT