- Regression Bug 5520: ERR_INVALID_URL for CONNECT host with leading digit
- Quit NTLM authenticate() on missing NTLM authorization header
- Fix Auth::User::absorb() IP list transfer logic
- Fix type mismatch in new/delete of addrinfo::ai_addr
- Fix libntlmauth string parsing on big-endian machines
- ... and some code cleanups
- ... and some CI improvements

- Bug 3390: Proxy auth data visible to scripts
- Bug 5504: Document that Squid discards invalid rewrite-url
- Bug 5407: Support at least 1000 groups per Kerberos user
- Fix parsing of malformed quoted squid.conf strings
- Fix off-by-one in helper args count assertion
- Fix UDP log module opening and closing code
- Fix BodyPipe debugging in handleChunkedRequestBody()
- Fix debugging of Eui48::lookup() problems
- Fix memory leak when parsing deprecated %rG logformat code
- Fix SQUID_YESNO 'syntax error near unexpected token'
- DNS: fix RRPack memcpy
- DNS: Do not leak RR data upon RR data unpacking errors
- FTP: Avoid null dereferences when handling ftp_port traffic
- FTP: fix response parsing and error handling memory leaks
- HTCP: Check for too-small packed and too-large unpacked fields
- HTTP: fix purging of entries by relative [Content-]Location URLs
- SNMP: Improve parsing of malformed ASN.1 object identifiers
- SNMP: Check for objid memory allocation failures
- SNMP: Fix ASN.1 encoding of long OIDs
- SNMP: Do not assert when debugging requests with long OIDs
- SNMP: Match Var allocation/deallocation methods
- digest_edirectory_auth: null-terminate NMAS values array
- digest_edirectory_auth: safely return password
- ext_ad_group_acl: Fix domain lookup error handling
- ext_edirectory_userip_acl: Redact password from stdout
- ext_file_userip_acl: harden lookups and memory handling
- ext_kerberos_ldap_group_acl: avoid freeing getenv() pointer
- ext_kerberos_ldap_group_acl: Improve LDAPMessage freeing
- ext_ldap_group_acl: avoid infinite loop on login containing '%s'
- negotiate_kerberos_auth: Properly align NDR data
- negotiate_sspi_auth: Do not exit on the first request
- ntlm_sspi_auth: memcmp not memcpy, send newline, no uninit mem
- text_backend: avoid memory leaks when reload/clearing
- Reduce UDS/segment name clashes across same-service instances
- Reject eui64 ACL addresses with trailing garbage
- Validate raw-IPv4 when parsing hostnames
- Avoid memory leaks when logging to MS Windows syslog
- Flip configure --enable-arch-native default
- Support no-digest X509 certificate keys like ML-DSA/EdDSA
- Do not allow client_ip_max_connections+1 connections
- Remove bundled smblib and librfcnb
- ... and several code cleanups
- ... and some documentation improvements

- Bug 5497: Fix detection of duped IPs returned by getaddrinfo()
- Remove basic_smb_lm_auth and ntlm_smb_lm_auth helpers
- ... and several documentation improvements
- ... and some code cleanups

- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5316: Release note says version 6 still for testing
- Bug 5489: Fix "make check" linking on Solaris
- Do not duplicate received Surrogate-Capability in sent requests
- Fix GCC v13 LTO build [-Walloc-size-larger-than=]
- Fix OpenSSL build with GCC v15.1.1 [-Wformat-truncation=]
- Fix tls-dh support for DHE parameters with OpenSSL v3+
- Fix SNMP cacheNumObjCount -- number of cached objects
- Fix Mem::Segment::open() stub to fix build without shm_open()
- Disable EUI when arpreq is missing and cannot be defined
- MinGW: use nameless unions in ext_ad_group_acl
- MinGW: do not build ext_edirectory_userip_acl
- MinGW: add mkdir adapter
- MinGW: fix store/Controller.cc build
- MinGW: fix aio compatibility layer
- MinGW: add libnettle to negotiate_sspi_auth
- negotiate_sspi_auth: Fix command debugging (-v)
- ntlm_sspi_auth: Fix missing base64 symbol linkage
- ... and many portability and compatibility fixes
- ... and some code cleanup

- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5489: Fix "make check" linking on Solaris
- Fix SNMP cacheNumObjCount -- number of cached objects
- Do not duplicate received Surrogate-Capability in sent requests
- Fix Mem::Segment::open() stub to fix build without shm_open()
- ... and CI and documentation updates

- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient
- Remove disabled classful networks code
- Remove dead Multicast Miss Stream feature
- Remove broken and disabled icpPktDump()
- Remove deprecated string memory pools API
- Remove dead "binary HTTP header logging" code (-DHEADERS_LOG)
- Rename --with-gnugss to --with-gss
- Remove krb5_get_max_time_skew portability hack
- Remove PRIuSIZE macro
- Remove ADD_X_REQUEST_URI
- Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit crash
- Bug 5363: Handle IP-based X.509 SANs better
- Bug 5383: handleNegotiationResult() level-2 debugs() crash
- Bug 5449: Ignore SP and HTAB chars after chunk-size
- Bug 5428: Warn if pkg-config is not found
- Bug 5293: Security::CreateClientSession uses wrong TLS options
- Bug 5417: An empty annotation value does not match
- Bug 5322: Do not leak HttpReply when checking http_reply_access
- Bug 5329: cbdata.cc:276 "c->locks > 0" assertion on reconfigure
- Bug 5119: Null pointer dereference in makeMemNodeDataOffset()
- Bug 5254, part 1: Do not leak master process' cache.log to kids
- Bug 5312: Startup aborts if OPEN_MAX exceeds RLIMIT_NOFILE
- Bug 4156: comm.cc "!commHasHalfClosedMonitor(fd)" assertion
- ext_time_quota_acl: restore debug level feature and argument
- ext_ad_group_acl: fix dependency detection
- ext_time_quota_acl: convert to c++
- scripts/find-alive.pl: Auto-detect auto-added ctors/dtors names
- negotiate_wrapper_auth: protect from responses over 64KB
- negotiate_kerberos_auth: Support Kerberos PAC-ResourceGroups
- pinger: improve timer accuracy and resolution
- testheaders.sh: force-remove temporary files
- squid-conf-tests: Ignore tests with mismatching autoconf macro
- MinGW: Emulate fsync
- MinGW: fix winsock dependency issues
- MinGW-w64: enable native file locking
- Windows: Drop obsolete WinSock v1 library
- Windows: Improve PSAPI.dll detection
- basic_sspi_auth: MinGW build fixes
- HTTP: Protect just-parsed responses from accidental destruction
- WCCP: fix inverted range check
- Y2038: Fix cache_peer connect-timeout reporting
- Y2038: Use time_t for commSetConnTimeout() timeout parameter
- Work around some mgr:forward accounting/reporting bugs
- Fix: Ftp::Gateway may segfault in level-3 double-complete debugs()
- Do not mark successful FTP PUT entries with ENTRY_BAD_LENGTH
- Fix ENTRY_ABORTED assertion in sendClientOldEntry()
- Limit Server::inBuf growth
- Reject config with unknown directives before committing to it
- Fix and redefine meaning of total peering time (%<tt)
- Fix use-after-free in peerDigestFetchReply()
- Fix use-after-free in statefulhelper::submit() level-9 debug
- Fix PeerDigest lifetime management
- Fix Tokenizer::int64() parsing of "0" when guessing base
- Fix SMP mgr:userhash, mgr:sourcehash, and mgr:carp reports
- Fix reporting of unrecognized directives
- Do not blame cache_peer for CONNECT errors
- Fix heap buffer overead in ConfigParser::UnQuote()
- Do not die when parsing obsolete log_access and log_icap
- Extend in-use ACLs lifetime across reconfiguration
- Fix MemObject.cc:123: "!updatedReply_" assertion
- Avoid UB when packing a domain name
- Fix qos_flows confguration reporting
- Fix and improve annotation reporting
- Fix configuration crashes on malformed sslproxy_* directives
- Avoid UB when copying AnyP::Uri
- Fix and improve html_quote()
- Fix acl annotate_transaction reporting in mgr:config
- Fix ipv4 and expand ipv6 ACL parameter matching
- Fix Controller.cc TheRoot assertion during shutdown
- Fix Comm::TcpAcceptor::status() reporting of listening address
- Fix performance regressions with fastCheck() result copying
- Fix handling of zero cache_peers
- Fix cbdata assertion in carpInit()
- Fix: REQMOD stuck when adapted request (body) is not forwarded
- Fix rock/RockSwapDir.cc "slot->sameKey()" assertion
- Fix dupe handling in Splay ACLs: src, dst, http_status, etc.
- Protect ACLFilledChecklist heap allocations from leaking
- Stop leaking PeerDigests on reconfiguration
- Handle helper program startup failure as its death
- Kill helpers that speak without being spoken to
- annotate_client and annotate_transaction ACLs must always match
- Restrict squid.conf preprocessor space characters to SP and HT
- Drop helpless helper requests
- Improve Tunnel Server RESPONSE dumps
- Do not lookup IP addresses of X509 certificate subject CNs
- Report cache_peer context in probe and standby pool messages
- Treat responses to collapsed requests as fresh
- Do not TLS close_notify when resetting a TCP connection
- Simplified quick_abort_pct code and improved its docs
- Update HTTP status codes
- Report all refreshCheck() outcomes and entry gist
- Prohibit bad --enable-linux-netfilter combinations
- Use ERR_ACCESS_DENIED for HTTP 403 (Forbidden) errors
- Scaffolding for YAML-formatted cache manager reports
- Improve ErrorState debugging
- Stop zeroing huge memAllocBuf() buffers
- Enable EDNS for DNS A queries and reverse IPv4 lookups
- Format mgr:pconn as YAML
- Use ERR_READ_ERROR for read-from-client I/O errors
- Use AnyP::Uri::Decode() for urllogin and url_regex checks
- Throw, not self_destruct(), on qos_flow configuration errors
- Add %byte{value} logformat code for logging or sending any byte
- Do not report bogus/empty SMP cache_dir indexing stats
- Report/abort on any catastrophic rock cache_dir indexing failure
- Recognize internal requests created by adaptation/redirection
- Log %err_code for ERR_RELAY_REMOTE transactions
- Restore errno in %err_detail for ERR_CONNECT_FAIL
- Report all AsyncJob objects (mgr:jobs)
- Cover OnTerminate() calls unrelated to exception handling
- Keep ::helper objects alive while in use by helper_servers
- Add SQUID_CHECK_LIB_WORKS autoconf macro
- Reject more CONNECT requests with malformed targets
- Forget non-peer access details
- Do not report DNS answers without A/AAAA records by default
- Destroy an idle PeerDigest after its CachePeer disappears
- Do not apply custom debugs() format to Debug::Extra lines
- Do not check store_status when checking ENTRY_BAD_LENGTH
- Add buffered_logs OFF support to UDP logger
- ... and many documentation improvements
- ... and many portability and compatibility fixes
- ... and many code cleanups
- ... and improvements to unit tests
- ... and some error page translation improvements
- ... and all fixes from 6.13

- Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
- Bug 5405: Large uploads fill request buffer and die
- Bug 5093: List http_port params that https_port/ftp_port lack
- Bug 5311: clarify configuration byte units
- Bug 5091: document that changes to workers require restart
- Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
- Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
- Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
- Clarify --enable-ecap failure on missing shared library support
- Fix syntax error in configure.ac
- Remove GNU'ism in release notes Makefile
- Annotate PoolMalloc memory in valgrind builds
- Fix systemd startup sequence to require active Local Filesystem
- Display Linux variant at ./configure time
- Refactor peerRefreshDNS() to clarify its (void*)1 logic
- Portability: remove explicit check for libdl
- ext_time_quota_acl: remove -l option
- ... and some documentation updates
- ... and some CI updates