[PATCH] squid: Update to 3.5.20 with latest patches (14067-14075) - Development

19 Aug 2016

For details, see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/
Since there were problems with "trailing white spaces" I started a new 'squid_3'
branch from scratch, based on current 'next'.
I hope this is what is needed and that it helps.
This one was built without errors and is running here without seen problems.
Best,
Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
---
 lfs/squid                                          |  21 +-
 ...=> squid-3.5.20-fix-max-file-descriptors.patch} |   4 +-
 src/patches/squid/squid-3.5-14051.patch            |  63 ----
 src/patches/squid/squid-3.5-14052.patch            |  34 --
 src/patches/squid/squid-3.5-14053.patch            |  46 ---
 src/patches/squid/squid-3.5-14054.patch            |  37 --
 src/patches/squid/squid-3.5-14055.patch            |  39 ---
 src/patches/squid/squid-3.5-14056.patch            |  36 --
 src/patches/squid/squid-3.5-14067.patch            | 381 +++++++++++++++++++++
 src/patches/squid/squid-3.5-14068.patch            |  35 ++
 src/patches/squid/squid-3.5-14069.patch            |  30 ++
 src/patches/squid/squid-3.5-14070.patch            |  44 +++
 src/patches/squid/squid-3.5-14071.patch            |  70 ++++
 src/patches/squid/squid-3.5-14072.patch            |  33 ++
 src/patches/squid/squid-3.5-14073.patch            | 151 ++++++++
 src/patches/squid/squid-3.5-14074.patch            |  55 +++
 src/patches/squid/squid-3.5-14075.patch            |  38 ++
 17 files changed, 851 insertions(+), 266 deletions(-)
 rename src/patches/{squid-3.5.17-fix-max-file-descriptors.patch => squid-3.5.20-fix-max-file-descriptors.patch} (92%)
 delete mode 100644 src/patches/squid/squid-3.5-14051.patch
 delete mode 100644 src/patches/squid/squid-3.5-14052.patch
 delete mode 100644 src/patches/squid/squid-3.5-14053.patch
 delete mode 100644 src/patches/squid/squid-3.5-14054.patch
 delete mode 100644 src/patches/squid/squid-3.5-14055.patch
 delete mode 100644 src/patches/squid/squid-3.5-14056.patch
 create mode 100644 src/patches/squid/squid-3.5-14067.patch
 create mode 100644 src/patches/squid/squid-3.5-14068.patch
 create mode 100644 src/patches/squid/squid-3.5-14069.patch
 create mode 100644 src/patches/squid/squid-3.5-14070.patch
 create mode 100644 src/patches/squid/squid-3.5-14071.patch
 create mode 100644 src/patches/squid/squid-3.5-14072.patch
 create mode 100644 src/patches/squid/squid-3.5-14073.patch
 create mode 100644 src/patches/squid/squid-3.5-14074.patch
 create mode 100644 src/patches/squid/squid-3.5-14075.patch

diff --git a/lfs/squid b/lfs/squid
index edaf943..2d9c596 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -24,7 +24,7 @@
include Config
-VER        = 3.5.19
+VER        = 3.5.20
THISAPP    = squid-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = a1d990284c429a63ee85d80ee5b3b8b9
+$(DL_FILE)_MD5 = 48fb18679a30606de98882528beab3a7
install : $(TARGET)
@@ -70,13 +70,16 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
    @$(PREBUILD)
    @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14051.patch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14052.patch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14053.patch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14054.patch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14055.patch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14056.patch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.17-fix-max-file-descriptors.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14067.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14068.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14069.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14070.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14071.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14072.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14073.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14074.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14075.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.20-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
    cd $(DIR_APP)/libltdl && autoreconf -vfi
diff --git a/src/patches/squid-3.5.17-fix-max-file-descriptors.patch b/src/patches/squid-3.5.20-fix-max-file-descriptors.patch
similarity index 92%
rename from src/patches/squid-3.5.17-fix-max-file-descriptors.patch
rename to src/patches/squid-3.5.20-fix-max-file-descriptors.patch
index b0efa76..b740b61 100644
--- a/src/patches/squid-3.5.17-fix-max-file-descriptors.patch
+++ b/src/patches/squid-3.5.20-fix-max-file-descriptors.patch
@@ -1,6 +1,6 @@
 --- configure.ac.~	Wed Apr 20 14:26:07 2016
 +++ configure.ac	Fri Apr 22 17:20:46 2016
-@@ -3131,6 +3131,9 @@
+@@ -3135,6 +3135,9 @@
      ;;
  esac
@@ -10,7 +10,7 @@
  dnl --with-maxfd present for compatibility with Squid-2.
  dnl undocumented in ./configure --help  to encourage using the Squid-3 directive
  AC_ARG_WITH(maxfd,,
-@@ -3161,8 +3164,6 @@
+@@ -3165,8 +3168,6 @@
      esac
  ])
diff --git a/src/patches/squid/squid-3.5-14051.patch b/src/patches/squid/squid-3.5-14051.patch
deleted file mode 100644
index 58892dc..0000000
--- a/src/patches/squid/squid-3.5-14051.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-------------------------------------------------------------
-revno: 14051
-revision-id: squid3@treenet.co.nz-20160517145850-uos9z00nrt7xd9ik
-parent: squid3@treenet.co.nz-20160508124125-fytgvn68zppfr8ix
-author: Steve Hill steve@opendium.com
-committer: Amos Jeffries squid3@treenet.co.nz
-branch nick: 3.5
-timestamp: Wed 2016-05-18 02:58:50 +1200
-message:
-  Support unified EUI format code in external_acl_type
-  
-  Squid supports %>eui as a logformat specifier, which produces an EUI-48 
-  for IPv4 clients and an EUI-64 for IPv6 clients.  However, This is not 
-  allowed as a format specifier for the external ACLs, and you have to use 
-  %SRCEUI48 and %SRCEUI64 instead.  %SRCEUI48 is only useful for IPv4 
-  clients and %SRCEUI64 is only useful for IPv6 clients, so supporting 
-  both v4 and v6 is a bit messy.
-  
-  Adds the %>eui specifier for external ACLs and behaves in the same way
-  as the logformat specifier.
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20160517145850-uos9z00nrt7xd9ik
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# testament_sha1: ad0743717948a65cfd4f306acc2bbaa9343e9a76
-# timestamp: 2016-05-17 15:50:54 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# base_revision_id: squid3@treenet.co.nz-20160508124125-\
-#   fytgvn68zppfr8ix
-# 
-# Begin patch
-=== modified file 'src/external_acl.cc'
---- src/external_acl.cc	2016-01-01 00:14:27 +0000
-+++ src/external_acl.cc	2016-05-17 14:58:50 +0000
-@@ -356,6 +356,8 @@
-         else if (strcmp(token, "%SRCPORT") == 0 || strcmp(token, "%>p") == 0)
-             format->type = Format::LFT_CLIENT_PORT;
- #if USE_SQUID_EUI
-+        else if (strcmp(token, "%>eui") == 0)
-+            format->type = Format::LFT_CLIENT_EUI;
-         else if (strcmp(token, "%SRCEUI48") == 0)
-             format->type = Format::LFT_EXT_ACL_CLIENT_EUI48;
-         else if (strcmp(token, "%SRCEUI64") == 0)
-@@ -944,6 +946,18 @@
-             break;
- 
- #if USE_SQUID_EUI
-+        case Format::LFT_CLIENT_EUI:
-+            // TODO make the ACL checklist have a direct link to any TCP details.
-+            if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL)
-+            {
-+                if (request->clientConnectionManager->clientConnection->remote.isIPv4())
-+                    request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf));
-+                else
-+                    request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf));
-+                str = buf;
-+            }
-+	    break;
-+
-         case Format::LFT_EXT_ACL_CLIENT_EUI48:
-             if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
-                     request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf)))
-
diff --git a/src/patches/squid/squid-3.5-14052.patch b/src/patches/squid/squid-3.5-14052.patch
deleted file mode 100644
index 4fba159..0000000
--- a/src/patches/squid/squid-3.5-14052.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-------------------------------------------------------------
-revno: 14052
-revision-id: squidadm@squid-cache.org-20160517181416-sfrjdosd9dhx7u8o
-parent: squid3@treenet.co.nz-20160517145850-uos9z00nrt7xd9ik
-committer: Source Maintenance squidadm@squid-cache.org
-branch nick: 3.5
-timestamp: Tue 2016-05-17 18:14:16 +0000
-message:
-  SourceFormat Enforcement
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squidadm@squid-cache.org-20160517181416-\
-#   sfrjdosd9dhx7u8o
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# testament_sha1: e30c12805cacdb559925da08cc6a25fe4a39c19b
-# timestamp: 2016-05-17 18:51:06 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# base_revision_id: squid3@treenet.co.nz-20160517145850-\
-#   uos9z00nrt7xd9ik
-# 
-# Begin patch
-=== modified file 'src/external_acl.cc'
---- src/external_acl.cc	2016-05-17 14:58:50 +0000
-+++ src/external_acl.cc	2016-05-17 18:14:16 +0000
-@@ -956,7 +956,7 @@
-                     request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf));
-                 str = buf;
-             }
--	    break;
-+            break;
- 
-         case Format::LFT_EXT_ACL_CLIENT_EUI48:
-             if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
-
diff --git a/src/patches/squid/squid-3.5-14053.patch b/src/patches/squid/squid-3.5-14053.patch
deleted file mode 100644
index f669449..0000000
--- a/src/patches/squid/squid-3.5-14053.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-------------------------------------------------------------
-revno: 14053
-revision-id: squid3@treenet.co.nz-20160521130058-zq8zugw0fohwfu3z
-parent: squidadm@squid-cache.org-20160517181416-sfrjdosd9dhx7u8o
-committer: Amos Jeffries squid3@treenet.co.nz
-branch nick: 3.5
-timestamp: Sun 2016-05-22 01:00:58 +1200
-message:
-  Do not override user defined -std option
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20160521130058-zq8zugw0fohwfu3z
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# testament_sha1: a75245a622ccfa385ef5e4722f9a9fb438a16135
-# timestamp: 2016-05-21 13:08:06 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# base_revision_id: squidadm@squid-cache.org-20160517181416-\
-#   sfrjdosd9dhx7u8o
-# 
-# Begin patch
-=== modified file 'configure.ac'
---- configure.ac	2016-05-08 12:41:25 +0000
-+++ configure.ac	2016-05-21 13:00:58 +0000
-@@ -95,6 +95,9 @@
- # Guess the compiler type (sets squid_cv_compiler)
- SQUID_CC_GUESS_VARIANT
- 
-+# If the user did not specify a C++ version.
-+user_cxx=`echo "$PRESET_CXXFLAGS" | grep -o -E "-std="`
-+if test "x$user_cxx" = "x"; then
- # Check for C++11 compiler support
- #
- # BUG 3613: when clang -std=c++0x is used, it activates a "strict mode"
-@@ -103,8 +106,9 @@
- #
- # Similar POSIX issues on MinGW 32-bit and Cygwin
- #
--if ! test "x$squid_host_os" = "xmingw" -o "x$squid_host_os" = "xcygwin" -o "x$squid_cv_compiler" = "xclang"; then
--  AX_CXX_COMPILE_STDCXX_11([noext],[optional])
-+  if ! test "x$squid_host_os" = "xmingw" -o "x$squid_host_os" = "xcygwin" -o "x$squid_cv_compiler" = "xclang"; then
-+    AX_CXX_COMPILE_STDCXX_11([noext],[optional])
-+  fi
- fi
- 
- # test for programs
-
diff --git a/src/patches/squid/squid-3.5-14054.patch b/src/patches/squid/squid-3.5-14054.patch
deleted file mode 100644
index 90b34c1..0000000
--- a/src/patches/squid/squid-3.5-14054.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-------------------------------------------------------------
-revno: 14054
-revision-id: squid3@treenet.co.nz-20160521130144-6xtcayieij00fm5v
-parent: squid3@treenet.co.nz-20160521130058-zq8zugw0fohwfu3z
-committer: Amos Jeffries squid3@treenet.co.nz
-branch nick: 3.5
-timestamp: Sun 2016-05-22 01:01:44 +1200
-message:
-  Fix OpenSSL detection on FreeBSD
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20160521130144-6xtcayieij00fm5v
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# testament_sha1: 3d8c0d7a9f1886523ac55d79e4d3e8f0340e2ec9
-# timestamp: 2016-05-21 13:08:08 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# base_revision_id: squid3@treenet.co.nz-20160521130058-\
-#   zq8zugw0fohwfu3z
-# 
-# Begin patch
-=== modified file 'configure.ac'
---- configure.ac	2016-05-21 13:00:58 +0000
-+++ configure.ac	2016-05-21 13:01:44 +0000
-@@ -1348,10 +1348,10 @@
- 
-     AC_CHECK_LIB(crypto,[CRYPTO_new_ex_data],[LIBOPENSSL_LIBS="-lcrypto $LIBOPENSSL_LIBS"],[
-       AC_MSG_ERROR([library 'crypto' is required for OpenSSL])
--    ])
-+    ],$LIBOPENSSL_LIBS)
-     AC_CHECK_LIB(ssl,[SSL_library_init],[LIBOPENSSL_LIBS="-lssl $LIBOPENSSL_LIBS"],[
-       AC_MSG_ERROR([library 'ssl' is required for OpenSSL])
--    ])
-+    ],$LIBOPENSSL_LIBS)
-   ])
- 
-   # This is a workaround for RedHat 9 brain damage..
-
diff --git a/src/patches/squid/squid-3.5-14055.patch b/src/patches/squid/squid-3.5-14055.patch
deleted file mode 100644
index ac04bb6..0000000
--- a/src/patches/squid/squid-3.5-14055.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-------------------------------------------------------------
-revno: 14055
-revision-id: squid3@treenet.co.nz-20160521155202-pp53utwamdhkugvg
-parent: squid3@treenet.co.nz-20160521130144-6xtcayieij00fm5v
-author: Alex Rousskov rousskov@measurement-factory.com
-committer: Amos Jeffries squid3@treenet.co.nz
-branch nick: 3.5
-timestamp: Sun 2016-05-22 03:52:02 +1200
-message:
-  Fix icons loading speed.
-  
-  Since trunk r14100 (Bug 3875: bad mimeLoadIconFile error handling), each
-  icon was read from disk and written to Store one character at a time. I
-  did not measure startup delays in production, but in debugging runs,
-  fixing this bug sped up icons loading from 1 minute to 4 seconds.
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20160521155202-pp53utwamdhkugvg
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# testament_sha1: 79b78480d81666c15406d23837608ba9a578da4b
-# timestamp: 2016-05-21 16:51:00 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# base_revision_id: squid3@treenet.co.nz-20160521130144-\
-#   6xtcayieij00fm5v
-# 
-# Begin patch
-=== modified file 'src/mime.cc'
---- src/mime.cc	2016-01-01 00:14:27 +0000
-+++ src/mime.cc	2016-05-21 15:52:02 +0000
-@@ -430,7 +430,7 @@
-         /* read the file into the buffer and append it to store */
-         int n;
-         char *buf = (char *)memAllocate(MEM_4K_BUF);
--        while ((n = FD_READ_METHOD(fd, buf, sizeof(*buf))) > 0)
-+        while ((n = FD_READ_METHOD(fd, buf, 4096)) > 0)
-             e->append(buf, n);
- 
-         file_close(fd);
-
diff --git a/src/patches/squid/squid-3.5-14056.patch b/src/patches/squid/squid-3.5-14056.patch
deleted file mode 100644
index 4ea3808..0000000
--- a/src/patches/squid/squid-3.5-14056.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-------------------------------------------------------------
-revno: 14056
-revision-id: squid3@treenet.co.nz-20160521172919-du6cbdirqcxdjbtr
-parent: squid3@treenet.co.nz-20160521155202-pp53utwamdhkugvg
-author: Christos Tsantilas chtsanti@users.sourceforge.net
-committer: Amos Jeffries squid3@treenet.co.nz
-branch nick: 3.5
-timestamp: Sun 2016-05-22 05:29:19 +1200
-message:
-  Increase debug level in a peek-and-splice related debug message
-  
-  It may produced one debugging line for each SSL transaction in some cases
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20160521172919-du6cbdirqcxdjbtr
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# testament_sha1: 76c2e864289dabb1065c470c954f9fc5ec4c7b4f
-# timestamp: 2016-05-21 17:50:54 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
-# base_revision_id: squid3@treenet.co.nz-20160521155202-\
-#   pp53utwamdhkugvg
-# 
-# Begin patch
-=== modified file 'src/ssl/PeerConnector.cc'
---- src/ssl/PeerConnector.cc	2016-02-15 11:29:50 +0000
-+++ src/ssl/PeerConnector.cc	2016-05-21 17:29:19 +0000
-@@ -598,7 +598,7 @@
- 
-     case SSL_ERROR_WANT_WRITE:
-         if ((srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) {
--            debugs(81, DBG_IMPORTANT, "hold write on SSL connection on FD " << fd);
-+            debugs(81, 3, "hold write on SSL connection on FD " << fd);
-             checkForPeekAndSplice();
-             return;
-         }
-
diff --git a/src/patches/squid/squid-3.5-14067.patch b/src/patches/squid/squid-3.5-14067.patch
new file mode 100644
index 0000000..8d9cb21
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14067.patch
@@ -0,0 +1,381 @@
+------------------------------------------------------------
+revno: 14067
+revision-id: squid3@treenet.co.nz-20160723071620-1wzqpbyi1rk5w6vg
+parent: squid3@treenet.co.nz-20160701113616-vpjak1pq4uecadd2
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4534
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sat 2016-07-23 19:16:20 +1200
+message:
+  Bug 4534: assertion failure in xcalloc when using many cache_dir
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160723071620-1wzqpbyi1rk5w6vg
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fcd663f0fd4a24d505f81eb94ef95d627a4ca363
+# timestamp: 2016-07-23 07:24:01 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160701113616-\
+#   vpjak1pq4uecadd2
+# 
+# Begin patch
+=== modified file 'src/CacheDigest.cc'
+--- src/CacheDigest.cc	2016-01-01 00:14:27 +0000
++++ src/CacheDigest.cc	2016-07-23 07:16:20 +0000
+@@ -35,12 +35,12 @@
+ static uint32_t hashed_keys[4];
+ 
+ static void
+-cacheDigestInit(CacheDigest * cd, int capacity, int bpe)
++cacheDigestInit(CacheDigest * cd, uint64_t capacity, uint8_t bpe)
+ {
+-    const size_t mask_size = cacheDigestCalcMaskSize(capacity, bpe);
++    const uint32_t mask_size = cacheDigestCalcMaskSize(capacity, bpe);
+     assert(cd);
+     assert(capacity > 0 && bpe > 0);
+-    assert(mask_size > 0);
++    assert(mask_size != 0);
+     cd->capacity = capacity;
+     cd->bits_per_entry = bpe;
+     cd->mask_size = mask_size;
+@@ -50,7 +50,7 @@
+ }
+ 
+ CacheDigest *
+-cacheDigestCreate(int capacity, int bpe)
++cacheDigestCreate(uint64_t capacity, uint8_t bpe)
+ {
+     CacheDigest *cd = (CacheDigest *)memAllocate(MEM_CACHE_DIGEST);
+     assert(SQUID_MD5_DIGEST_LENGTH == 16);  /* our hash functions rely on 16 byte keys */
+@@ -97,7 +97,7 @@
+ 
+ /* changes mask size, resets bits to 0, preserves "cd" pointer */
+ void
+-cacheDigestChangeCap(CacheDigest * cd, int new_cap)
++cacheDigestChangeCap(CacheDigest * cd, uint64_t new_cap)
+ {
+     assert(cd);
+     cacheDigestClean(cd);
+@@ -278,12 +278,12 @@
+     storeAppendPrintf(e, "%s digest: size: %d bytes\n",
+                       label ? label : "", stats.bit_count / 8
+                      );
+-    storeAppendPrintf(e, "\t entries: count: %d capacity: %d util: %d%%\n",
++    storeAppendPrintf(e, "\t entries: count: %" PRIu64 " capacity: %" PRIu64 " util: %d%%\n",
+                       cd->count,
+                       cd->capacity,
+                       xpercentInt(cd->count, cd->capacity)
+                      );
+-    storeAppendPrintf(e, "\t deletion attempts: %d\n",
++    storeAppendPrintf(e, "\t deletion attempts: %" PRIu64 "\n",
+                       cd->del_count
+                      );
+     storeAppendPrintf(e, "\t bits: per entry: %d on: %d capacity: %d util: %d%%\n",
+@@ -297,16 +297,18 @@
+                      );
+ }
+ 
+-size_t
+-cacheDigestCalcMaskSize(int cap, int bpe)
++uint32_t
++cacheDigestCalcMaskSize(uint64_t cap, uint8_t bpe)
+ {
+-    return (size_t) (cap * bpe + 7) / 8;
++    uint64_t bitCount = (cap * bpe) + 7;
++    assert(bitCount < INT_MAX); // dont 31-bit overflow later
++    return static_cast<uint32_t>(bitCount / 8);
+ }
+ 
+ static void
+ cacheDigestHashKey(const CacheDigest * cd, const cache_key * key)
+ {
+-    const unsigned int bit_count = cd->mask_size * 8;
++    const uint32_t bit_count = cd->mask_size * 8;
+     unsigned int tmp_keys[4];
+     /* we must memcpy to ensure alignment */
+     memcpy(tmp_keys, key, sizeof(tmp_keys));
+
+=== modified file 'src/CacheDigest.h'
+--- src/CacheDigest.h	2016-01-01 00:14:27 +0000
++++ src/CacheDigest.h	2016-07-23 07:16:20 +0000
+@@ -22,23 +22,23 @@
+ {
+ public:
+     /* public, read-only */
+-    char *mask;         /* bit mask */
+-    int mask_size;      /* mask size in bytes */
+-    int capacity;       /* expected maximum for .count, not a hard limit */
+-    int bits_per_entry;     /* number of bits allocated for each entry from capacity */
+-    int count;          /* number of digested entries */
+-    int del_count;      /* number of deletions performed so far */
++    uint64_t count;          /* number of digested entries */
++    uint64_t del_count;      /* number of deletions performed so far */
++    uint64_t capacity;       /* expected maximum for .count, not a hard limit */
++    char *mask;              /* bit mask */
++    uint32_t mask_size;      /* mask size in bytes */
++    int8_t bits_per_entry;   /* number of bits allocated for each entry from capacity */
+ };
+ 
+-CacheDigest *cacheDigestCreate(int capacity, int bpe);
++CacheDigest *cacheDigestCreate(uint64_t capacity, uint8_t bpe);
+ void cacheDigestDestroy(CacheDigest * cd);
+ CacheDigest *cacheDigestClone(const CacheDigest * cd);
+ void cacheDigestClear(CacheDigest * cd);
+-void cacheDigestChangeCap(CacheDigest * cd, int new_cap);
++void cacheDigestChangeCap(CacheDigest * cd, uint64_t new_cap);
+ int cacheDigestTest(const CacheDigest * cd, const cache_key * key);
+ void cacheDigestAdd(CacheDigest * cd, const cache_key * key);
+ void cacheDigestDel(CacheDigest * cd, const cache_key * key);
+-size_t cacheDigestCalcMaskSize(int cap, int bpe);
++uint32_t cacheDigestCalcMaskSize(uint64_t cap, uint8_t bpe);
+ int cacheDigestBitUtil(const CacheDigest * cd);
+ void cacheDigestGuessStatsUpdate(CacheDigestGuessStats * stats, int real_hit, int guess_hit);
+ void cacheDigestGuessStatsReport(const CacheDigestGuessStats * stats, StoreEntry * sentry, const char *label);
+
+=== modified file 'src/PeerDigest.h'
+--- src/PeerDigest.h	2016-01-01 00:14:27 +0000
++++ src/PeerDigest.h	2016-07-23 07:16:20 +0000
+@@ -52,7 +52,7 @@
+     store_client *old_sc;
+     HttpRequest *request;
+     int offset;
+-    int mask_offset;
++    uint32_t mask_offset;
+     time_t start_time;
+     time_t resp_time;
+     time_t expires;
+
+=== modified file 'src/peer_digest.cc'
+--- src/peer_digest.cc	2016-01-01 00:14:27 +0000
++++ src/peer_digest.cc	2016-07-23 07:16:20 +0000
+@@ -754,7 +754,7 @@
+     if (!reason && !size) {
+         if (!pd->cd)
+             reason = "null digest?!";
+-        else if (fetch->mask_offset != (int)pd->cd->mask_size)
++        else if (fetch->mask_offset != pd->cd->mask_size)
+             reason = "premature end of digest?!";
+         else if (!peerDigestUseful(pd))
+             reason = "useless digest";
+
+=== modified file 'src/store_digest.cc'
+--- src/store_digest.cc	2016-01-01 00:14:27 +0000
++++ src/store_digest.cc	2016-07-23 07:16:20 +0000
+@@ -76,36 +76,63 @@
+ static void storeDigestRewriteFinish(StoreEntry * e);
+ static EVH storeDigestSwapOutStep;
+ static void storeDigestCBlockSwapOut(StoreEntry * e);
+-static int storeDigestCalcCap(void);
+-static int storeDigestResize(void);
+ static void storeDigestAdd(const StoreEntry *);
+ 
++/// calculates digest capacity
++static uint64_t
++storeDigestCalcCap()
++{
++    /*
++     * To-Do: Bloom proved that the optimal filter utilization is 50% (half of
++     * the bits are off). However, we do not have a formula to calculate the
++     * number of _entries_ we want to pre-allocate for.
++     */
++    const uint64_t hi_cap = Store::Root().maxSize() / Config.Store.avgObjectSize;
++    const uint64_t lo_cap = 1 + Store::Root().currentSize() / Config.Store.avgObjectSize;
++    const uint64_t e_count = StoreEntry::inUseCount();
++    uint64_t cap = e_count ? e_count : hi_cap;
++    debugs(71, 2, "have: " << e_count << ", want " << cap <<
++           " entries; limits: [" << lo_cap << ", " << hi_cap << "]");
++
++    if (cap < lo_cap)
++        cap = lo_cap;
++
++    /* do not enforce hi_cap limit, average-based estimation may be wrong
++     *if (cap > hi_cap)
++     *  cap = hi_cap;
++     */
++
++    // Bug 4534: we still have to set an upper-limit at some reasonable value though.
++    // this matches cacheDigestCalcMaskSize doing (cap*bpe)+7 < INT_MAX
++    const uint64_t absolute_max = (INT_MAX -8) / Config.digest.bits_per_entry;
++    if (cap > absolute_max) {
++        static time_t last_loud = 0;
++        if (last_loud < squid_curtime - 86400) {
++            debugs(71, DBG_IMPORTANT, "WARNING: Cache Digest cannot store " << cap << " entries. Limiting to " << absolute_max);
++            last_loud = squid_curtime;
++        } else {
++            debugs(71, 3, "WARNING: Cache Digest cannot store " << cap << " entries. Limiting to " << absolute_max);
++        }
++        cap = absolute_max;
++    }
++
++    return cap;
++}
+ #endif /* USE_CACHE_DIGESTS */
+ 
+-static void
+-storeDigestRegisterWithCacheManager(void)
++void
++storeDigestInit(void)
+ {
+     Mgr::RegisterAction("store_digest", "Store Digest", storeDigestReport, 0, 1);
+-}
+-
+-/*
+- * PUBLIC FUNCTIONS
+- */
+-
+-void
+-storeDigestInit(void)
+-{
+-    storeDigestRegisterWithCacheManager();
+ 
+ #if USE_CACHE_DIGESTS
+-    const int cap = storeDigestCalcCap();
+-
+     if (!Config.onoff.digest_generation) {
+         store_digest = NULL;
+         debugs(71, 3, "Local cache digest generation disabled");
+         return;
+     }
+ 
++    const uint64_t cap = storeDigestCalcCap();
+     store_digest = cacheDigestCreate(cap, Config.digest.bits_per_entry);
+     debugs(71, DBG_IMPORTANT, "Local cache digest enabled; rebuild/rewrite every " <<
+            (int) Config.digest.rebuild_period << "/" <<
+@@ -290,6 +317,31 @@
+     storeDigestRebuildResume();
+ }
+ 
++/// \returns true if we actually resized the digest
++static bool
++storeDigestResize()
++{
++    const uint64_t cap = storeDigestCalcCap();
++    assert(store_digest);
++    uint64_t diff;
++    if (cap > store_digest->capacity)
++        diff = cap - store_digest->capacity;
++    else
++        diff = store_digest->capacity - cap;
++    debugs(71, 2, store_digest->capacity << " -> " << cap << "; change: " <<
++           diff << " (" << xpercentInt(diff, store_digest->capacity) << "%)" );
++    /* avoid minor adjustments */
++
++    if (diff <= store_digest->capacity / 10) {
++        debugs(71, 2, "small change, will not resize.");
++        return false;
++    } else {
++        debugs(71, 2, "big change, resizing.");
++        cacheDigestChangeCap(store_digest, cap);
++    }
++    return true;
++}
++
+ /* called be Rewrite to push Rebuild forward */
+ static void
+ storeDigestRebuildResume(void)
+@@ -439,7 +491,7 @@
+     assert(e);
+     /* _add_ check that nothing bad happened while we were waiting @?@ @?@ */
+ 
+-    if (sd_state.rewrite_offset + chunk_size > store_digest->mask_size)
++    if (static_cast<uint32_t>(sd_state.rewrite_offset + chunk_size) > store_digest->mask_size)
+         chunk_size = store_digest->mask_size - sd_state.rewrite_offset;
+ 
+     e->append(store_digest->mask + sd_state.rewrite_offset, chunk_size);
+@@ -451,7 +503,7 @@
+     sd_state.rewrite_offset += chunk_size;
+ 
+     /* are we done ? */
+-    if (sd_state.rewrite_offset >= store_digest->mask_size)
++    if (static_cast<uint32_t>(sd_state.rewrite_offset) >= store_digest->mask_size)
+         storeDigestRewriteFinish(e);
+     else
+         eventAdd("storeDigestSwapOutStep", storeDigestSwapOutStep, data, 0.0, 1, false);
+@@ -467,60 +519,10 @@
+     sd_state.cblock.count = htonl(store_digest->count);
+     sd_state.cblock.del_count = htonl(store_digest->del_count);
+     sd_state.cblock.mask_size = htonl(store_digest->mask_size);
+-    sd_state.cblock.bits_per_entry = (unsigned char)
+-                                     Config.digest.bits_per_entry;
++    sd_state.cblock.bits_per_entry = Config.digest.bits_per_entry;
+     sd_state.cblock.hash_func_count = (unsigned char) CacheDigestHashFuncCount;
+     e->append((char *) &sd_state.cblock, sizeof(sd_state.cblock));
+ }
+ 
+-/* calculates digest capacity */
+-static int
+-storeDigestCalcCap(void)
+-{
+-    /*
+-     * To-Do: Bloom proved that the optimal filter utilization is 50% (half of
+-     * the bits are off). However, we do not have a formula to calculate the
+-     * number of _entries_ we want to pre-allocate for.
+-     */
+-    const int hi_cap = Store::Root().maxSize() / Config.Store.avgObjectSize;
+-    const int lo_cap = 1 + Store::Root().currentSize() / Config.Store.avgObjectSize;
+-    const int e_count = StoreEntry::inUseCount();
+-    int cap = e_count ? e_count :hi_cap;
+-    debugs(71, 2, "storeDigestCalcCap: have: " << e_count << ", want " << cap <<
+-           " entries; limits: [" << lo_cap << ", " << hi_cap << "]");
+-
+-    if (cap < lo_cap)
+-        cap = lo_cap;
+-
+-    /* do not enforce hi_cap limit, average-based estimation may be wrong
+-     *if (cap > hi_cap)
+-     *  cap = hi_cap;
+-     */
+-    return cap;
+-}
+-
+-/* returns true if we actually resized the digest */
+-static int
+-storeDigestResize(void)
+-{
+-    const int cap = storeDigestCalcCap();
+-    int diff;
+-    assert(store_digest);
+-    diff = abs(cap - store_digest->capacity);
+-    debugs(71, 2, "storeDigestResize: " <<
+-           store_digest->capacity << " -> " << cap << "; change: " <<
+-           diff << " (" << xpercentInt(diff, store_digest->capacity) << "%)" );
+-    /* avoid minor adjustments */
+-
+-    if (diff <= store_digest->capacity / 10) {
+-        debugs(71, 2, "storeDigestResize: small change, will not resize.");
+-        return 0;
+-    } else {
+-        debugs(71, 2, "storeDigestResize: big change, resizing.");
+-        cacheDigestChangeCap(store_digest, cap);
+-        return 1;
+-    }
+-}
+-
+ #endif /* USE_CACHE_DIGESTS */
+ 
+
+=== modified file 'src/tests/stub_CacheDigest.cc'
+--- src/tests/stub_CacheDigest.cc	2016-01-01 00:14:27 +0000
++++ src/tests/stub_CacheDigest.cc	2016-07-23 07:16:20 +0000
+@@ -16,11 +16,11 @@
+ class CacheDigestGuessStats;
+ class StoreEntry;
+ 
+-CacheDigest * cacheDigestCreate(int, int) STUB_RETVAL(NULL)
++CacheDigest * cacheDigestCreate(uint64_t, uint8_t) STUB_RETVAL(NULL)
+ void cacheDigestDestroy(CacheDigest *) STUB
+ CacheDigest * cacheDigestClone(const CacheDigest *) STUB_RETVAL(NULL)
+ void cacheDigestClear(CacheDigest * ) STUB
+-void cacheDigestChangeCap(CacheDigest *,int) STUB
++void cacheDigestChangeCap(CacheDigest *,uint64_t) STUB
+ int cacheDigestTest(const CacheDigest *, const cache_key *) STUB_RETVAL(1)
+ void cacheDigestAdd(CacheDigest *, const cache_key *) STUB
+ void cacheDigestDel(CacheDigest *, const cache_key *) STUB
+@@ -28,5 +28,4 @@
+ void cacheDigestGuessStatsUpdate(CacheDigestGuessStats *, int, int) STUB
+ void cacheDigestGuessStatsReport(const CacheDigestGuessStats *, StoreEntry *, const char *) STUB
+ void cacheDigestReport(CacheDigest *, const char *, StoreEntry *) STUB
+-size_t cacheDigestCalcMaskSize(int, int) STUB_RETVAL(1)
+-
++uint32_t cacheDigestCalcMaskSize(uint64_t, uint8_t) STUB_RETVAL(1)
+
diff --git a/src/patches/squid/squid-3.5-14068.patch b/src/patches/squid/squid-3.5-14068.patch
new file mode 100644
index 0000000..4766e00
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14068.patch
@@ -0,0 +1,35 @@
+------------------------------------------------------------
+revno: 14068
+revision-id: squid3@treenet.co.nz-20160723071930-cemledcltg8pkc28
+parent: squid3@treenet.co.nz-20160723071620-1wzqpbyi1rk5w6vg
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4542
+author: Anonymous bigparrot@pirateperfection.com
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sat 2016-07-23 19:19:30 +1200
+message:
+  Bug #4542: authentication credentials IP TTL updated incorrectly
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160723071930-cemledcltg8pkc28
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ee0c6aab5414532d9554ef338cce049263902fd8
+# timestamp: 2016-07-23 07:24:05 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160723071620-\
+#   1wzqpbyi1rk5w6vg
+# 
+# Begin patch
+=== modified file 'src/auth/User.cc'
+--- src/auth/User.cc	2016-01-01 00:14:27 +0000
++++ src/auth/User.cc	2016-07-23 07:19:30 +0000
+@@ -284,7 +284,7 @@
+             /* This ip has already been seen. */
+             found = 1;
+             /* update IP ttl */
+-            ipdata->ip_expiretime = squid_curtime;
++            ipdata->ip_expiretime = squid_curtime + ::Config.authenticateIpTTL;
+         } else if (ipdata->ip_expiretime <= squid_curtime) {
+             /* This IP has expired - remove from the seen list */
+             dlinkDelete(&ipdata->node, &ip_list);
+
diff --git a/src/patches/squid/squid-3.5-14069.patch b/src/patches/squid/squid-3.5-14069.patch
new file mode 100644
index 0000000..15ca37a
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14069.patch
@@ -0,0 +1,30 @@
+------------------------------------------------------------
+revno: 14069
+revision-id: squidadm@squid-cache.org-20160723121351-iuc8hwstrqd0l1dv
+parent: squid3@treenet.co.nz-20160723071930-cemledcltg8pkc28
+committer: Source Maintenance squidadm@squid-cache.org
+branch nick: 3.5
+timestamp: Sat 2016-07-23 12:13:51 +0000
+message:
+  SourceFormat Enforcement
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squidadm@squid-cache.org-20160723121351-\
+#   iuc8hwstrqd0l1dv
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: c9e37a723686ae2ee489ba7ec2e981ae153bda28
+# timestamp: 2016-07-23 12:50:56 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160723071930-\
+#   cemledcltg8pkc28
+# 
+# Begin patch
+=== modified file 'src/tests/stub_CacheDigest.cc'
+--- src/tests/stub_CacheDigest.cc	2016-07-23 07:16:20 +0000
++++ src/tests/stub_CacheDigest.cc	2016-07-23 12:13:51 +0000
+@@ -29,3 +29,4 @@
+ void cacheDigestGuessStatsReport(const CacheDigestGuessStats *, StoreEntry *, const char *) STUB
+ void cacheDigestReport(CacheDigest *, const char *, StoreEntry *) STUB
+ uint32_t cacheDigestCalcMaskSize(uint64_t, uint8_t) STUB_RETVAL(1)
++
+
diff --git a/src/patches/squid/squid-3.5-14070.patch b/src/patches/squid/squid-3.5-14070.patch
new file mode 100644
index 0000000..5fcc39f
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14070.patch
@@ -0,0 +1,44 @@
+------------------------------------------------------------
+revno: 14070
+revision-id: squid3@treenet.co.nz-20160805145933-0cpyy47o8955lamx
+parent: squidadm@squid-cache.org-20160723121351-iuc8hwstrqd0l1dv
+author: Christos Tsantilas chtsanti@users.sourceforge.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sat 2016-08-06 02:59:33 +1200
+message:
+  Squid segfault via Ftp::Client::readControlReply().
+  
+  Ftp::Client::scheduleReadControlReply(), which may called from the
+  asynchronous start() or readControlReply()/handleControlReply()
+  handlers, does not check whether the control connection is still usable
+  before using it.
+  
+  This is a Measurement Factory project.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160805145933-0cpyy47o8955lamx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 1c21ce821f9cbc22b3e8ff2b1029f7084b5f0643
+# timestamp: 2016-08-05 15:00:22 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squidadm@squid-cache.org-20160723121351-\
+#   iuc8hwstrqd0l1dv
+# 
+# Begin patch
+=== modified file 'src/clients/FtpClient.cc'
+--- src/clients/FtpClient.cc	2016-02-19 23:15:41 +0000
++++ src/clients/FtpClient.cc	2016-08-05 14:59:33 +0000
+@@ -314,6 +314,11 @@
+         /* We've already read some reply data */
+         handleControlReply();
+     } else {
++
++        if (!Comm::IsConnOpen(ctrl.conn)) {
++            debugs(9, 3, "cannot read without ctrl " << ctrl.conn);
++            return;
++        }
+         /*
+          * Cancel the timeout on the Data socket (if any) and
+          * establish one on the control socket.
+
diff --git a/src/patches/squid/squid-3.5-14071.patch b/src/patches/squid/squid-3.5-14071.patch
new file mode 100644
index 0000000..6b353ea
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14071.patch
@@ -0,0 +1,70 @@
+------------------------------------------------------------
+revno: 14071
+revision-id: squid3@treenet.co.nz-20160817025501-e66sjxm0bfy3ksn3
+parent: squid3@treenet.co.nz-20160805145933-0cpyy47o8955lamx
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4428
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Wed 2016-08-17 14:55:01 +1200
+message:
+  Bug 4428: mal-formed Cache-Control:stale-if-error header
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160817025501-e66sjxm0bfy3ksn3
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: b3b3ef13c45062a97bd5cc88c934019fe4af7a3c
+# timestamp: 2016-08-17 02:55:20 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160805145933-\
+#   0cpyy47o8955lamx
+# 
+# Begin patch
+=== modified file 'src/HttpHdrCc.cc'
+--- src/HttpHdrCc.cc	2016-01-01 00:14:27 +0000
++++ src/HttpHdrCc.cc	2016-08-17 02:55:01 +0000
+@@ -257,6 +257,27 @@
+ 
+             /* for all options having values, "=value" after the name */
+             switch (flag) {
++            case CC_BADHDR:
++                break;
++            case CC_PUBLIC:
++                break;
++            case CC_PRIVATE:
++                if (Private().size())
++                    packerPrintf(p, "="" SQUIDSTRINGPH """, SQUIDSTRINGPRINT(Private()));
++                break;
++
++            case CC_NO_CACHE:
++                if (noCache().size())
++                    packerPrintf(p, "="" SQUIDSTRINGPH """, SQUIDSTRINGPRINT(noCache()));
++                break;
++            case CC_NO_STORE:
++                break;
++            case CC_NO_TRANSFORM:
++                break;
++            case CC_MUST_REVALIDATE:
++                break;
++            case CC_PROXY_REVALIDATE:
++                break;
+             case CC_MAX_AGE:
+                 packerPrintf(p, "=%d", (int) maxAge());
+                 break;
+@@ -272,8 +293,14 @@
+             case CC_MIN_FRESH:
+                 packerPrintf(p, "=%d", (int) minFresh());
+                 break;
+-            default:
+-                /* do nothing, directive was already printed */
++            case CC_ONLY_IF_CACHED:
++                break;
++            case CC_STALE_IF_ERROR:
++                packerPrintf(p, "=%d", staleIfError());
++                break;
++            case CC_OTHER:
++            case CC_ENUM_END:
++                // done below after the loop
+                 break;
+             }
+ 
+
diff --git a/src/patches/squid/squid-3.5-14072.patch b/src/patches/squid/squid-3.5-14072.patch
new file mode 100644
index 0000000..228e773
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14072.patch
@@ -0,0 +1,33 @@
+------------------------------------------------------------
+revno: 14072
+revision-id: squid3@treenet.co.nz-20160817025828-s4102klt2ei25tsm
+parent: squid3@treenet.co.nz-20160817025501-e66sjxm0bfy3ksn3
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Wed 2016-08-17 14:58:28 +1200
+message:
+  Fix SSL-Bump failure results in SEGFAULT
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160817025828-s4102klt2ei25tsm
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 73877d276fba41282aeb5973207d02851d5eb784
+# timestamp: 2016-08-17 03:50:56 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160817025501-\
+#   e66sjxm0bfy3ksn3
+# 
+# Begin patch
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc	2016-05-06 08:24:29 +0000
++++ src/client_side_request.cc	2016-08-17 02:58:28 +0000
+@@ -1811,7 +1811,7 @@
+             repContext->setReplyToStoreEntry(e, "immediate SslBump error");
+             errorAppendEntry(e, calloutContext->error);
+             calloutContext->error = NULL;
+-            if (calloutContext->readNextRequest)
++            if (calloutContext->readNextRequest && getConn())
+                 getConn()->flags.readMore = true; // resume any pipeline reads.
+             node = (clientStreamNode *)client_stream.tail->data;
+             clientStreamRead(node, this, node->readBuffer);
+
diff --git a/src/patches/squid/squid-3.5-14073.patch b/src/patches/squid/squid-3.5-14073.patch
new file mode 100644
index 0000000..b7915a4
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14073.patch
@@ -0,0 +1,151 @@
+------------------------------------------------------------
+revno: 14073
+revision-id: squid3@treenet.co.nz-20160817051037-p0kaj2iw2u4u8iqj
+parent: squid3@treenet.co.nz-20160817025828-s4102klt2ei25tsm
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4563
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Wed 2016-08-17 17:10:37 +1200
+message:
+  Bug 4563: duplicate code in httpMakeVaryMark
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160817051037-p0kaj2iw2u4u8iqj
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: bba9a17715b8759e9d70db2c75f70f3c6152ae8a
+# timestamp: 2016-08-17 05:50:53 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160817025828-\
+#   s4102klt2ei25tsm
+# 
+# Begin patch
+=== modified file 'src/http.cc'
+--- src/http.cc	2016-04-01 06:15:31 +0000
++++ src/http.cc	2016-08-17 05:10:37 +0000
+@@ -572,6 +572,38 @@
+     /* NOTREACHED */
+ }
+ 
++/// assemble a variant key (vary-mark) from the given Vary header and HTTP request
++static void
++assembleVaryKey(String &vary, SBuf &vstr, const HttpRequest &request)
++{
++    static const SBuf asterisk("*");
++    const char *pos = nullptr;
++    const char *item = nullptr;
++    int ilen = 0;
++
++    while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
++        SBuf name(item, ilen);
++        if (name == asterisk) {
++            vstr.clear();
++            break;
++        }
++        name.toLower();
++        if (!vstr.isEmpty())
++            vstr.append(", ", 2);
++        vstr.append(name);
++        String hdr(request.header.getByName(name.c_str()));
++        const char *value = hdr.termedBuf();
++        if (value) {
++            value = rfc1738_escape_part(value);
++            vstr.append("="", 2);
++            vstr.append(value);
++            vstr.append(""", 1);
++        }
++
++        hdr.clean();
++    }
++}
++
+ /*
+  * For Vary, store the relevant request headers as
+  * virtual headers in the reply
+@@ -580,81 +612,16 @@
+ SBuf
+ httpMakeVaryMark(HttpRequest * request, HttpReply const * reply)
+ {
+-    String vary, hdr;
+-    const char *pos = NULL;
+-    const char *item;
+-    const char *value;
+-    int ilen;
+     SBuf vstr;
+-    static const SBuf asterisk("*");
++    String vary;
+ 
+     vary = reply->header.getList(HDR_VARY);
+-
+-    while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
+-        char *name = (char *)xmalloc(ilen + 1);
+-        xstrncpy(name, item, ilen + 1);
+-        Tolower(name);
+-
+-        if (strcmp(name, "*") == 0) {
+-            /* Can not handle "Vary: *" withtout ETag support */
+-            safe_free(name);
+-            vstr.clear();
+-            break;
+-        }
+-
+-        if (!vstr.isEmpty())
+-            vstr.append(", ", 2);
+-        vstr.append(name);
+-        hdr = request->header.getByName(name);
+-        safe_free(name);
+-        value = hdr.termedBuf();
+-
+-        if (value) {
+-            value = rfc1738_escape_part(value);
+-            vstr.append("="", 2);
+-            vstr.append(value);
+-            vstr.append(""", 1);
+-        }
+-
+-        hdr.clean();
+-    }
+-
++    assembleVaryKey(vary, vstr, *request);
++
++#if X_ACCELERATOR_VARY
+     vary.clean();
+-#if X_ACCELERATOR_VARY
+-
+-    pos = NULL;
+     vary = reply->header.getList(HDR_X_ACCELERATOR_VARY);
+-
+-    while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
+-        char *name = (char *)xmalloc(ilen + 1);
+-        xstrncpy(name, item, ilen + 1);
+-        Tolower(name);
+-
+-        if (strcmp(name, "*") == 0) {
+-            /* Can not handle "Vary: *" withtout ETag support */
+-            safe_free(name);
+-            vstr.clear();
+-            break;
+-        }
+-
+-        if (!vstr.isEmpty())
+-            vstr.append(", ", 2);
+-        vstr.append(name);
+-        hdr = request->header.getByName(name);
+-        safe_free(name);
+-        value = hdr.termedBuf();
+-
+-        if (value) {
+-            value = rfc1738_escape_part(value);
+-            vstr.append("="", 2);
+-            vstr.append(value);
+-            vstr.append(""", 1);
+-        }
+-
+-        hdr.clean();
+-    }
+-
+-    vary.clean();
++    assembleVaryKey(vary, vstr, *request);
+ #endif
+ 
+     debugs(11, 3, vstr);
+
diff --git a/src/patches/squid/squid-3.5-14074.patch b/src/patches/squid/squid-3.5-14074.patch
new file mode 100644
index 0000000..dbafbf0
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14074.patch
@@ -0,0 +1,55 @@
+------------------------------------------------------------
+revno: 14074
+revision-id: squid3@treenet.co.nz-20160817054829-rl7q49ysi40sj01i
+parent: squid3@treenet.co.nz-20160817051037-p0kaj2iw2u4u8iqj
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3025
+author: mkishi mkishi@104.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Wed 2016-08-17 17:48:29 +1200
+message:
+  Bug 3025: Proxy-Authenticate problem using ICAP server
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160817054829-rl7q49ysi40sj01i
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: f4eb1b35dc72bba74a398070900a0951257e547e
+# timestamp: 2016-08-17 05:50:56 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160817051037-\
+#   p0kaj2iw2u4u8iqj
+# 
+# Begin patch
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc	2016-04-01 06:15:31 +0000
++++ src/client_side_reply.cc	2016-08-17 05:48:29 +0000
+@@ -1305,8 +1305,14 @@
+ 
+     // if there is not configured a peer proxy with login=PASS or login=PASSTHRU option enabled
+     // remove the Proxy-Authenticate header
+-    if ( !request->peer_login || (strcmp(request->peer_login,"PASS") != 0 && strcmp(request->peer_login,"PASSTHRU") != 0))
+-        reply->header.delById(HDR_PROXY_AUTHENTICATE);
++    if ( !request->peer_login || (strcmp(request->peer_login,"PASS") != 0 && strcmp(request->peer_login,"PASSTHRU") != 0)) {
++#if USE_ADAPTATION
++        // but allow adaptation services to authenticate clients
++        // via request satisfaction
++        if (!http->requestSatisfactionMode())
++#endif
++            reply->header.delById(HDR_PROXY_AUTHENTICATE);
++    }
+ 
+     reply->header.removeHopByHopEntries();
+ 
+
+=== modified file 'src/client_side_request.h'
+--- src/client_side_request.h	2016-01-01 00:14:27 +0000
++++ src/client_side_request.h	2016-08-17 05:48:29 +0000
+@@ -140,6 +140,7 @@
+ 
+ public:
+     void startAdaptation(const Adaptation::ServiceGroupPointer &g);
++    bool requestSatisfactionMode() const { return request_satisfaction_mode; }
+ 
+     // private but exposed for ClientRequestContext
+     void handleAdaptationFailure(int errDetail, bool bypassable = false);
+
diff --git a/src/patches/squid/squid-3.5-14075.patch b/src/patches/squid/squid-3.5-14075.patch
new file mode 100644
index 0000000..8c0b5a3
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14075.patch
@@ -0,0 +1,38 @@
+------------------------------------------------------------
+revno: 14075
+revision-id: squid3@treenet.co.nz-20160817133413-vdmm0d6kvo8bfszk
+parent: squid3@treenet.co.nz-20160817054829-rl7q49ysi40sj01i
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Thu 2016-08-18 01:34:13 +1200
+message:
+  Fix logic error in rev.13930
+  
+   Using !=0 on both string compares means any login= value will permit
+   40x responses through. Only PASS and PASSTHRU should be doing that.
+  
+   Detected by Coverity Scan. Issue 1364711
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160817133413-vdmm0d6kvo8bfszk
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 31f0c4e0f435e0aa994ffe8937e4d4c58fed37f5
+# timestamp: 2016-08-17 13:34:59 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160817054829-\
+#   rl7q49ysi40sj01i
+# 
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc	2016-01-01 00:14:27 +0000
++++ src/tunnel.cc	2016-08-17 13:34:13 +0000
+@@ -476,7 +476,7 @@
+ 
+     // we need to relay the 401/407 responses when login=PASS(THRU)
+     const char *pwd = server.conn->getPeer()->login;
+-    const bool relay = pwd && (strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0) &&
++    const bool relay = pwd && (strcmp(pwd, "PASS") == 0 || strcmp(pwd, "PASSTHRU") == 0) &&
+                        (*status_ptr == Http::scProxyAuthenticationRequired ||
+                         *status_ptr == Http::scUnauthorized);
+ 
+
-- 
2.9.3


    