From lkarsten at varnish-software.com Mon Mar 23 14:08:16 2015
From: lkarsten at varnish-software.com (Lasse Karstensen)
Date: Mon, 23 Mar 2015 15:08:16 +0100
Subject: Varnish 3.0.7 released.
Message-ID: <20150323140815.GA21219@immer.varnish-software.com>

Dear Varnish community.

Varnish Cache 3.0.7 has just been released:

http://repo.varnish-cache.org/source/varnish-3.0.7.tar.gz

List of changes:

* Requests with multiple Content-Length headers will now fail.
* Stop recognizing a single CR (\r) as an HTTP line separator. This opened up a possible cache poisoning attack in stacked installations where sslterminator/varnish/backend had different CR handling.
* Improved error detection on master-child process communication, leading to faster recovery (child restart) if communication loses sync.
* Fix a corner-case where Content-Length was wrong for HTTP 1.0 clients, when using gzip and streaming. Bug 1627.
* More robust handling of hop-by-hop headers.
* [packaging] Coherent Redhat pidfile in init script. Bug #1690.
* Avoid memory leak when adding bans.

All users are recommended to upgrade to Varnish 4.0, or this new 3.0.7 if you can't upgrade just yet. Please note that ordinary support for Varnish Cache 3.0 ends in April 2015.

Binary packages will be uploaded to repo.varnish-cache.org shortly.

-- 
Lasse Karstensen
Varnish Software AS
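Added example, not part of the original announcement and not Varnish source code: a strict request-head check in C that applies the two parsing rules listed above, rejecting a CR that is not followed by LF and rejecting a second Content-Length header. The function name, status codes and sample requests are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Status codes constructed for this example. */
enum head_status { HEAD_OK = 0, HEAD_BARE_CR, HEAD_MULTI_CL, HEAD_INCOMPLETE };

/* Validate a request head (request line plus headers, up to the blank line).
 * A line ends in LF, optionally preceded by one CR. A CR anywhere else is
 * an error, never a separator, so every hop that applies this rule sees
 * the same set of headers. */
enum head_status check_request_head(const char *buf, size_t len)
{
    size_t start = 0, i;
    int lineno = 0, content_length_seen = 0;

    for (i = 0; i < len; i++) {
        if (buf[i] == '\r') {
            if (i + 1 == len)
                return HEAD_INCOMPLETE;   /* need the next byte to decide */
            if (buf[i + 1] != '\n')
                return HEAD_BARE_CR;
        }
        if (buf[i] != '\n')
            continue;
        size_t linelen = i - start;
        if (linelen > 0 && buf[start + linelen - 1] == '\r')
            linelen--;                    /* strip the CR of a CRLF pair */
        if (linelen == 0)
            return HEAD_OK;               /* blank line ends the head */
        if (lineno > 0 && linelen >= 15 &&
            strncasecmp(buf + start, "content-length:", 15) == 0 &&
            content_length_seen++)
            return HEAD_MULTI_CL;         /* second Content-Length header */
        lineno++;
        start = i + 1;
    }
    return HEAD_INCOMPLETE;               /* no terminating blank line yet */
}

int main(void)
{
    /* Constructed sample: a bare CR sits between two header-like strings. */
    const char *s = "GET / HTTP/1.1\r\nHost: example.test\rX-Extra: 1\r\n\r\n";
    printf("status=%d\n", (int)check_request_head(s, strlen(s)));
    return 0;
}
```

The check does not cover whitespace before the colon or line folding; a hop that accepts those forms needs its own rule for them.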