[git.ipfire.org] IPFire 2.x development tree branch, master, updated. b26b242a9c5f9bc5b0a941782b2d57465dc69565

13 Dec 2016

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
       via  b26b242a9c5f9bc5b0a941782b2d57465dc69565 (commit)
       via  a5f09f8e5b8639564b9ca4c4d06b3cfcaafa3ed2 (commit)
       via  d15c59e6e52e51d6319c3cd3ca4fbad7038f88a2 (commit)
       via  6426c4066f85a9c706df2c141fbf9604739a78c3 (commit)
       via  4ce082a4dd427ea9a9d94241f1f2ce04e72d98a6 (commit)
       via  262c48be60bbfaa1f190aeacffd303800f3090cf (commit)
       via  cc8f79f95fea8a2eb87f888c472c311df585035e (commit)
       via  cc2a2209d8797569013c9dec58ff10e49dfabec5 (commit)
       via  67214dc2eb6b0a7c1b0f43e049a0aad6802a8db1 (commit)
       via  31986a351cc54a07a2205f5426e80e143afa87c5 (commit)
       via  6268c62384c17112f10cb0c6acc3b0951eb81f2c (commit)
       via  2aa15dee660214bfe4f402ff7c34c28b9bb068bc (commit)
       via  cd812106b19a146d175fc2e13efcdc68ad04754e (commit)
       via  adb11e90dfe701fa0e29bcc80aeb998719d99797 (commit)
       via  b7f2fe819b1ecf0e0c04e0059b64b67127073d44 (commit)
       via  0b5b6a594cbe71d0a206176216d0ab1d749ef978 (commit)
       via  49750f72dee50a2103ead403b16630b67a838231 (commit)
       via  e2b19d984cfa7510edcffc7788ef53cb086cdffb (commit)
       via  86e9d04bfb73eb256682a567e187fe1e5cdcc3ca (commit)
       via  bc4a68812bb131be6a8413f69909bf6a3d5a89a2 (commit)
       via  c6bc0fb03e0dbb9f1ba34d42195d0601b55891c1 (commit)
       via  f8aa041f1a957f782c47c441c6b403e65707dd85 (commit)
      from  34f6a3f1b56e724062897d480d102d81e4e47298 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b26b242a9c5f9bc5b0a941782b2d57465dc69565
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Tue Dec 13 23:29:21 2016 +0100
finish core108
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a5f09f8e5b8639564b9ca4c4d06b3cfcaafa3ed2
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Sat Dec 10 18:44:03 2016 +0100
squid 3.5.22: latest patches (14119-14122)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d15c59e6e52e51d6319c3cd3ca4fbad7038f88a2
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Sun Dec 11 01:22:51 2016 +0100
nano: Update to 2.7.1
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6426c4066f85a9c706df2c141fbf9604739a78c3
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Dec 6 14:20:16 2016 +0000
core108: Ship updated squid
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4ce082a4dd427ea9a9d94241f1f2ce04e72d98a6
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Fri Dec 2 23:22:22 2016 +0100
squid 3.5.22: latest patches (14114-14118)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 262c48be60bbfaa1f190aeacffd303800f3090cf
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Wed Nov 30 18:50:05 2016 +0100
squid 3.5.22: latest patches (14103-14113)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cc8f79f95fea8a2eb87f888c472c311df585035e
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Fri Oct 28 09:49:32 2016 +0200
squid 3.5.22: latest patches (14100-14102)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cc2a2209d8797569013c9dec58ff10e49dfabec5
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Fri Oct 21 20:30:29 2016 +0200
squid 3.5.22: latest patch (14099)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 67214dc2eb6b0a7c1b0f43e049a0aad6802a8db1
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Dec 6 14:17:05 2016 +0000
core108: Ship updated NTP
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 31986a351cc54a07a2205f5426e80e143afa87c5
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Thu Dec 1 18:32:31 2016 +0100
ntp: Update to 4.2.8p9
"It addresses 1 high-, 2 medium-, 2 medium-/low-, and 5 low-severity
    security issues, 28 bugfixes, and contains other improvements over 4.2.8p8."
For a complete list, see:
    http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6268c62384c17112f10cb0c6acc3b0951eb81f2c
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Dec 3 13:30:02 2016 +0000
tor: Update to 0.2.8.10
Brings various major bugfixes and privacy enhancements
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2aa15dee660214bfe4f402ff7c34c28b9bb068bc
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Dec 1 17:13:07 2016 +0000
unbound: Fix DNS forwarder test
The previous version aborted when the validation test
    suceeded, but this is not always sufficient in case a
    provider filters any DNSKEY, DS or RRSIG records.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cd812106b19a146d175fc2e13efcdc68ad04754e
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Nov 29 12:26:34 2016 +0000
unbound: Do not try removing forwarders when unbound is not running
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit adb11e90dfe701fa0e29bcc80aeb998719d99797
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Nov 29 12:18:41 2016 +0000
Always enable asynchronous logging
This patch always enables asynchronous logging which slows
    down the system a lot on slow storage and some virtual environments.
It also removes the configuration options in the web
    user interface, since this is not configurable any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b7f2fe819b1ecf0e0c04e0059b64b67127073d44
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Nov 28 21:51:13 2016 +0000
core108: Ship updated ddns
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0b5b6a594cbe71d0a206176216d0ab1d749ef978
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Fri Oct 28 15:48:22 2016 +0200
ddns: Import patches for schokokeks.org support.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 49750f72dee50a2103ead403b16630b67a838231
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Nov 28 21:48:21 2016 +0000
Start Core Update 108
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e2b19d984cfa7510edcffc7788ef53cb086cdffb
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Nov 28 21:38:29 2016 +0000
strongswan: Update to 5.5.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 86e9d04bfb73eb256682a567e187fe1e5cdcc3ca
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Nov 25 17:45:39 2016 +0000
unbound: Deactivate qname-minimization & harden-below-nxdomain
This causes trouble when you try to resolve a record like
    a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
    won't try to resolve a.b.blah.com because it is assumed that
    everything longer than b.blah.com does not exist which is
    probably not good usability.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit bc4a68812bb131be6a8413f69909bf6a3d5a89a2
Author: Alexander Marx alexander.marx@ipfire.org
Date:   Mon Oct 31 12:19:15 2016 +0100
BUG11242: Fix for adding 2 VPN Hosts/network with same name
If one has an IPSec network named "aaa" and an OpenVPn Host with the same name
    it was not possible to group them together because of the same name.
    Now the Network type is also checked wich allows Entries with same name, but different networks.
Fixes: #11242
Signed-off-by: Alexander Marx alexander.marx@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c6bc0fb03e0dbb9f1ba34d42195d0601b55891c1
Merge: f8aa041 34f6a3f
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Fri Nov 4 21:12:25 2016 +0100
Merge remote-tracking branch 'origin/master' into next
commit f8aa041f1a957f782c47c441c6b403e65707dd85
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Wed Nov 2 15:42:40 2016 +0000
unbound: Fix for DNS forwarding of .local zones
These are traditionally used for Windows domains and should not
    be used for that. However if they are used like this, DNSSEC
    validation cannot be used.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/etc/syslog.conf                             |   6 +-
 config/rootfiles/common/strongswan                 |   1 +
 config/rootfiles/{oldcore/106 => core/108}/exclude |   0
 .../{oldcore/95 => core/108}/filelists/ddns        |   0
 config/rootfiles/core/108/filelists/files          |   7 +
 .../108}/filelists/i586/strongswan-padlock         |   0
 .../{oldcore/96 => core/108}/filelists/ntp         |   0
 config/rootfiles/core/{107 => 108}/filelists/squid |   0
 .../{oldcore/96 => core/108}/filelists/strongswan  |   0
 config/rootfiles/core/{107 => 108}/meta            |   0
 .../rootfiles/{oldcore/105 => core/108}/update.sh  |  28 +--
 config/rootfiles/{core => oldcore}/107/exclude     |   0
 .../107/filelists/armv5tel/linux-kirkwood          |   0
 .../107/filelists/armv5tel/linux-multi             |   0
 .../107/filelists/armv5tel/linux-rpi               |   0
 .../{core => oldcore}/107/filelists/files          |   0
 .../{core => oldcore}/107/filelists/hdparm         |   0
 .../{core => oldcore}/107/filelists/i586/linux     |   0
 .../{core => oldcore}/107/filelists/libjpeg        |   0
 .../{core => oldcore}/107/filelists/libjpeg-compat |   0
 .../rootfiles/oldcore/{94 => 107}/filelists/squid  |   0
 .../{core => oldcore}/107/filelists/x86_64/linux   |   0
 config/rootfiles/oldcore/{99 => 107}/meta          |   0
 config/rootfiles/{core => oldcore}/107/update.sh   |   0
 config/unbound/unbound.conf                        |   2 -
 doc/language_issues.de                             |   3 +
 doc/language_issues.en                             |   3 +
 doc/language_issues.es                             |   3 +-
 doc/language_issues.fr                             |   3 +
 doc/language_issues.it                             |   3 +
 doc/language_issues.nl                             |   3 +
 doc/language_issues.pl                             |   3 +-
 doc/language_issues.ru                             |   3 +
 doc/language_issues.tr                             |   3 +
 html/cgi-bin/fwhosts.cgi                           |   4 +-
 html/cgi-bin/logs.cgi/config.dat                   |  20 ---
 lfs/ddns                                           |   3 +
 lfs/nano                                           |   6 +-
 lfs/ntp                                            |   6 +-
 lfs/squid                                          |  24 +++
 lfs/strongswan                                     |   4 +-
 lfs/tor                                            |   6 +-
 make.sh                                            |   4 +-
 src/initscripts/init.d/unbound                     |  17 +-
 src/misc-progs/syslogdctrl.c                       |  23 ---
 .../ddns-0001-New-provider-Schokokeks.org.patch    |  47 +++++
 ...2-Schokokeks.org-Fix-malformed-update-URL.patch |  55 ++++++
 src/patches/squid/squid-3.5-14099.patch            |  65 +++++++
 src/patches/squid/squid-3.5-14100.patch            |  39 ++++
 src/patches/squid/squid-3.5-14101.patch            |  59 ++++++
 src/patches/squid/squid-3.5-14102.patch            |  38 ++++
 src/patches/squid/squid-3.5-14103.patch            |  61 +++++++
 src/patches/squid/squid-3.5-14104.patch            |  66 +++++++
 src/patches/squid/squid-3.5-14105.patch            |  48 +++++
 src/patches/squid/squid-3.5-14106.patch            |  34 ++++
 src/patches/squid/squid-3.5-14107.patch            |  56 ++++++
 src/patches/squid/squid-3.5-14108.patch            |  33 ++++
 src/patches/squid/squid-3.5-14109.patch            | 167 +++++++++++++++++
 src/patches/squid/squid-3.5-14110.patch            | 102 +++++++++++
 src/patches/squid/squid-3.5-14111.patch            |  43 +++++
 src/patches/squid/squid-3.5-14112.patch            |  60 +++++++
 src/patches/squid/squid-3.5-14113.patch            |  47 +++++
 src/patches/squid/squid-3.5-14114.patch            |  46 +++++
 src/patches/squid/squid-3.5-14115.patch            | 197 +++++++++++++++++++++
 src/patches/squid/squid-3.5-14116.patch            |  38 ++++
 src/patches/squid/squid-3.5-14117.patch            | 152 ++++++++++++++++
 src/patches/squid/squid-3.5-14118.patch            |  55 ++++++
 src/patches/squid/squid-3.5-14119.patch            | 184 +++++++++++++++++++
 src/patches/squid/squid-3.5-14120.patch            |  62 +++++++
 src/patches/squid/squid-3.5-14121.patch            |  36 ++++
 src/patches/squid/squid-3.5-14122.patch            |  34 ++++
 71 files changed, 1929 insertions(+), 83 deletions(-)
 copy config/rootfiles/{oldcore/106 => core/108}/exclude (100%)
 copy config/rootfiles/{oldcore/95 => core/108}/filelists/ddns (100%)
 create mode 100644 config/rootfiles/core/108/filelists/files
 copy config/rootfiles/{oldcore/96 => core/108}/filelists/i586/strongswan-padlock (100%)
 copy config/rootfiles/{oldcore/96 => core/108}/filelists/ntp (100%)
 rename config/rootfiles/core/{107 => 108}/filelists/squid (100%)
 copy config/rootfiles/{oldcore/96 => core/108}/filelists/strongswan (100%)
 rename config/rootfiles/core/{107 => 108}/meta (100%)
 copy config/rootfiles/{oldcore/105 => core/108}/update.sh (86%)
 rename config/rootfiles/{core => oldcore}/107/exclude (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/armv5tel/linux-kirkwood (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/armv5tel/linux-multi (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/armv5tel/linux-rpi (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/files (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/hdparm (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/i586/linux (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/libjpeg (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/libjpeg-compat (100%)
 copy config/rootfiles/oldcore/{94 => 107}/filelists/squid (100%)
 rename config/rootfiles/{core => oldcore}/107/filelists/x86_64/linux (100%)
 copy config/rootfiles/oldcore/{99 => 107}/meta (100%)
 rename config/rootfiles/{core => oldcore}/107/update.sh (100%)
 create mode 100644 src/patches/ddns-0001-New-provider-Schokokeks.org.patch
 create mode 100644 src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch
 create mode 100644 src/patches/squid/squid-3.5-14099.patch
 create mode 100644 src/patches/squid/squid-3.5-14100.patch
 create mode 100644 src/patches/squid/squid-3.5-14101.patch
 create mode 100644 src/patches/squid/squid-3.5-14102.patch
 create mode 100644 src/patches/squid/squid-3.5-14103.patch
 create mode 100644 src/patches/squid/squid-3.5-14104.patch
 create mode 100644 src/patches/squid/squid-3.5-14105.patch
 create mode 100644 src/patches/squid/squid-3.5-14106.patch
 create mode 100644 src/patches/squid/squid-3.5-14107.patch
 create mode 100644 src/patches/squid/squid-3.5-14108.patch
 create mode 100644 src/patches/squid/squid-3.5-14109.patch
 create mode 100644 src/patches/squid/squid-3.5-14110.patch
 create mode 100644 src/patches/squid/squid-3.5-14111.patch
 create mode 100644 src/patches/squid/squid-3.5-14112.patch
 create mode 100644 src/patches/squid/squid-3.5-14113.patch
 create mode 100644 src/patches/squid/squid-3.5-14114.patch
 create mode 100644 src/patches/squid/squid-3.5-14115.patch
 create mode 100644 src/patches/squid/squid-3.5-14116.patch
 create mode 100644 src/patches/squid/squid-3.5-14117.patch
 create mode 100644 src/patches/squid/squid-3.5-14118.patch
 create mode 100644 src/patches/squid/squid-3.5-14119.patch
 create mode 100644 src/patches/squid/squid-3.5-14120.patch
 create mode 100644 src/patches/squid/squid-3.5-14121.patch
 create mode 100644 src/patches/squid/squid-3.5-14122.patch
Difference in files:

diff --git a/config/etc/syslog.conf b/config/etc/syslog.conf
index b1b7ec8..cdef756 100644
--- a/config/etc/syslog.conf
+++ b/config/etc/syslog.conf
@@ -5,10 +5,10 @@
 # Log anything (except mail) of level info or higher.
 # Don't log private authentication messages!
 # local0.* any dhcpcd log (even debug) in messages
-cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.*	/var/log/messages
+cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.*	-/var/log/messages
# Log crons
-#cron.*										/var/log/cron.log
+#cron.*										-/var/log/cron.log
# Everybody gets emergency messages
 *.emerg										*
@@ -20,4 +20,4 @@ cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.*	/var/log/messag
 #*.*											@hostname.domain
# Postfix logs
-mail.*										/var/log/mail
+mail.*										-/var/log/mail
diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index f81a9c8..38da986 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -72,6 +72,7 @@ etc/swanctl/bliss
 etc/swanctl/ecdsa
 etc/swanctl/pkcs12
 etc/swanctl/pkcs8
+etc/swanctl/private
 etc/swanctl/pubkey
 etc/swanctl/rsa
 etc/swanctl/swanctl.conf
diff --git a/config/rootfiles/core/107/exclude b/config/rootfiles/core/107/exclude
deleted file mode 100644
index 1d8d74e..0000000
--- a/config/rootfiles/core/107/exclude
+++ /dev/null
@@ -1,29 +0,0 @@
-boot/config.txt
-boot/grub/grub.cfg
-boot/grub/grubenv
-etc/alternatives
-etc/collectd.custom
-etc/default/grub
-etc/ipsec.conf
-etc/ipsec.secrets
-etc/ipsec.user.conf
-etc/ipsec.user.secrets
-etc/localtime
-etc/shadow
-etc/snort/snort.conf
-etc/ssh/ssh_config
-etc/ssh/sshd_config
-etc/ssl/openssl.cnf
-etc/sudoers
-etc/sysconfig/firewall.local
-etc/sysconfig/rc.local
-etc/udev/rules.d/30-persistent-network.rules
-srv/web/ipfire/html/proxy.pac
-var/ipfire/dma
-var/ipfire/time
-var/ipfire/ovpn
-var/lib/alternatives
-var/lib/unbound/root.key
-var/log/cache
-var/state/dhcp/dhcpd.leases
-var/updatecache
diff --git a/config/rootfiles/core/107/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/107/filelists/armv5tel/linux-kirkwood
deleted file mode 120000
index 7217107..0000000
--- a/config/rootfiles/core/107/filelists/armv5tel/linux-kirkwood
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/armv5tel/linux-kirkwood
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/armv5tel/linux-multi b/config/rootfiles/core/107/filelists/armv5tel/linux-multi
deleted file mode 120000
index 204eb4c..0000000
--- a/config/rootfiles/core/107/filelists/armv5tel/linux-multi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/armv5tel/linux-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/armv5tel/linux-rpi b/config/rootfiles/core/107/filelists/armv5tel/linux-rpi
deleted file mode 120000
index a651a49..0000000
--- a/config/rootfiles/core/107/filelists/armv5tel/linux-rpi
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/armv5tel/linux-rpi
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files
deleted file mode 100644
index 94704cf..0000000
--- a/config/rootfiles/core/107/filelists/files
+++ /dev/null
@@ -1,8 +0,0 @@
-etc/system-release
-etc/issue
-etc/unbound/unbound.conf
-etc/rc.d/init.d/unbound
-etc/rc.d/init.d/ntp
-srv/web/ipfire/cgi-bin/logs.cgi/log.dat
-srv/web/ipfire/cgi-bin/traffic.cgi
-var/ipfire/langs
diff --git a/config/rootfiles/core/107/filelists/hdparm b/config/rootfiles/core/107/filelists/hdparm
deleted file mode 120000
index b644751..0000000
--- a/config/rootfiles/core/107/filelists/hdparm
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/hdparm
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/i586/linux b/config/rootfiles/core/107/filelists/i586/linux
deleted file mode 120000
index 693ec4b..0000000
--- a/config/rootfiles/core/107/filelists/i586/linux
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/i586/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/libjpeg b/config/rootfiles/core/107/filelists/libjpeg
deleted file mode 120000
index 3b1a782..0000000
--- a/config/rootfiles/core/107/filelists/libjpeg
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/libjpeg
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/libjpeg-compat b/config/rootfiles/core/107/filelists/libjpeg-compat
deleted file mode 120000
index e6ff86d..0000000
--- a/config/rootfiles/core/107/filelists/libjpeg-compat
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/libjpeg-compat
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/squid b/config/rootfiles/core/107/filelists/squid
deleted file mode 120000
index 2dc8372..0000000
--- a/config/rootfiles/core/107/filelists/squid
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/core/107/filelists/x86_64/linux b/config/rootfiles/core/107/filelists/x86_64/linux
deleted file mode 120000
index 0615b5b..0000000
--- a/config/rootfiles/core/107/filelists/x86_64/linux
+++ /dev/null
@@ -1 +0,0 @@
-../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/107/meta b/config/rootfiles/core/107/meta
deleted file mode 100644
index d547fa8..0000000
--- a/config/rootfiles/core/107/meta
+++ /dev/null
@@ -1 +0,0 @@
-DEPS=""
diff --git a/config/rootfiles/core/107/update.sh b/config/rootfiles/core/107/update.sh
deleted file mode 100644
index 276dae5..0000000
--- a/config/rootfiles/core/107/update.sh
+++ /dev/null
@@ -1,253 +0,0 @@
-#!/bin/bash
-############################################################################
-#                                                                          #
-# This file is part of the IPFire Firewall.                                #
-#                                                                          #
-# IPFire is free software; you can redistribute it and/or modify           #
-# it under the terms of the GNU General Public License as published by     #
-# the Free Software Foundation; either version 3 of the License, or        #
-# (at your option) any later version.                                      #
-#                                                                          #
-# IPFire is distributed in the hope that it will be useful,                #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
-# GNU General Public License for more details.                             #
-#                                                                          #
-# You should have received a copy of the GNU General Public License        #
-# along with IPFire; if not, write to the Free Software                    #
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
-#                                                                          #
-# Copyright (C) 2016 IPFire-Team info@ipfire.org.                        #
-#                                                                          #
-############################################################################
-#
-. /opt/pakfire/lib/functions.sh
-/usr/local/bin/backupctrl exclude >/dev/null 2>&1
-
-function find_device() {
-	local mountpoint="${1}"
-
-	local root
-	local dev mp fs flags rest
-	while read -r dev mp fs flags rest; do
-		# Skip unwanted entries
-		[ "${dev}" = "rootfs" ] && continue
-
-		if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then
-			root="$(basename "${dev}")"
-			break
-		fi
-	done < /proc/mounts
-
-	# Get the actual device from the partition that holds /
-	while [ -n "${root}" ]; do
-		if [ -e "/sys/block/${root}" ]; then
-			echo "${root}"
-			return 0
-		fi
-
-		# Remove last character
-		root="${root::-1}"
-	done
-
-	return 1
-}
-
-
-core=107
-
-function exit_with_error() {
-	# Set last succesfull installed core.
-	echo $(($core-1)) > /opt/pakfire/db/core/mine
-	/usr/bin/logger -p syslog.emerg -t ipfire \
-		"core-update-${core}: $1"
-	exit $2
-}
-
-# Remove old core updates from pakfire cache to save space...
-for (( i=1; i<=$core; i++ ))
-do
-	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
-done
-
-#
-# Do some sanity checks.
-case $(uname -r) in
-	*-ipfire* )
-		# Ok.
-		;;
-	* )
-		exit_with_error "ERROR cannot update. No IPFire Kernel." 1
-	;;
-esac
-
-
-#
-#
-KVER="xxxKVERxxx"
-
-# Check diskspace on root
-ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
-
-if [ $ROOTSPACE -lt 100000 ]; then
-	exit_with_error "ERROR cannot update because not enough free space on root." 2
-	exit 2
-fi
-
-echo
-echo Update Kernel to $KVER ...
-#
-# Remove old kernel, configs, initrd, modules, dtb's ...
-#
-rm -rf /boot/System.map-*
-rm -rf /boot/config-*
-rm -rf /boot/ipfirerd-*
-rm -rf /boot/initramfs-*
-rm -rf /boot/vmlinuz-*
-rm -rf /boot/uImage-ipfire-*
-rm -rf /boot/zImage-ipfire-*
-rm -rf /boot/uInit-ipfire-*
-rm -rf /boot/dtb-*-ipfire-*
-rm -rf /lib/modules
-
-case "$(uname -m)" in
-	armv*)
-		# Backup uEnv.txt if exist
-		if [ -e /boot/uEnv.txt ]; then
-			cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
-		fi
-
-		# work around the u-boot folder detection bug
-		mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood
-		mkdir -pv /boot/dtb-$KVER-ipfire-multi
-		touch /boot/uImage-ipfire-kirkwood
-		touch /boot/zImage-ipfire-multi
-		touch /boot/uIinit-ipfire-kirkwood
-		touch /boot/uIinit-ipfire-multi
-		;;
-esac
-
-# Stop services
-/etc/init.d/collectd stop
-/etc/init.d/snort stop
-/etc/init.d/squid stop
-/etc/init.d/ipsec stop
-/etc/init.d/apache stop
-
-# Extract files
-tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
-
-# Remove some old files
-rm -f /etc/unbound/interfaces.conf
-
-# update linker config
-ldconfig
-
-# Check diskspace on boot
-BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
-
-if [ $BOOTSPACE -lt 1000 ]; then
-	case $(uname -r) in
-		*-ipfire-kirkwood )
-			# Special handling for old kirkwood images.
-			# (install only kirkwood kernel)
-			rm -rf /boot/*
-			# work around the u-boot folder detection bug
-			mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood
-			tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \
-				--numeric-owner -C / --wildcards 'boot/*-kirkwood*'
-			;;
-		* )
-			/etc/init.d/apache start
-			exit_with_error "FATAL-ERROR space run out on boot. System is not bootable..." 4
-			;;
-	esac
-fi
-
-# Update Language cache
-/usr/local/bin/update-lang-cache
-
-#
-# Start services
-#
-/etc/init.d/collectd start
-/etc/init.d/apache start
-/etc/init.d/squid start
-/etc/init.d/snort start
-if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
-	/etc/init.d/ipsec start
-fi
-
-# Restart unbound to activate configuration changes
-/etc/init.d/unbound restart
-
-# Delete old QoS enabled indicator
-rm -f /var/ipfire/qos/enable
-
-# Upadate Kernel version uEnv.txt
-if [ -e /boot/uEnv.txt ]; then
-	sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
-fi
-
-# call user update script (needed for some arm boards)
-if [ -e /boot/pakfire-kernel-update ]; then
-	/boot/pakfire-kernel-update ${KVER}
-fi
-
-case "$(uname -m)" in
-	i?86)
-		# Force (re)install pae kernel if pae is supported
-		rm -rf /opt/pakfire/db/installed/meta-linux-pae
-		if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
-			ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
-			BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
-			if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then
-				/usr/bin/logger -p syslog.emerg -t ipfire \
-				"core-update-${core}: WARNING not enough space for pae kernel."
-			else
-				echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
-				echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
-				echo "Release: 0"     >> /opt/pakfire/db/installed/meta-linux-pae
-			fi
-		fi
-		;;
-esac
-#
-# After pakfire has ended run it again and update the lists and do upgrade
-#
-echo '#!/bin/bash'                                        >  /tmp/pak_update
-echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update
-echo '    sleep 1'                                        >> /tmp/pak_update
-echo 'done'                                               >> /tmp/pak_update
-echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do'   >> /tmp/pak_update
-echo '    sleep 1'                                        >> /tmp/pak_update
-echo 'done'                                               >> /tmp/pak_update
-echo '/opt/pakfire/pakfire update -y --force'             >> /tmp/pak_update
-echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
-echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
-echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
-echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update
-echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update
-echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update
-echo 'touch /var/run/need_reboot ' >> /tmp/pak_update
-#
-killall -KILL pak_update
-chmod +x /tmp/pak_update
-/tmp/pak_update &
-
-sync
-
-# This update need a reboot...
-touch /var/run/need_reboot
-
-# Finish
-/etc/init.d/fireinfo start
-sendprofile
-# Update grub config to display new core version
-if [ -e /boot/grub/grub.cfg ]; then
-	grub-mkconfig -o /boot/grub/grub.cfg
-fi
-sync
-
-# Don't report the exitcode last command
-exit 0
diff --git a/config/rootfiles/core/108/exclude b/config/rootfiles/core/108/exclude
new file mode 100644
index 0000000..7ddeae0
--- /dev/null
+++ b/config/rootfiles/core/108/exclude
@@ -0,0 +1,28 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/108/filelists/ddns b/config/rootfiles/core/108/filelists/ddns
new file mode 120000
index 0000000..7395164
--- /dev/null
+++ b/config/rootfiles/core/108/filelists/ddns
@@ -0,0 +1 @@
+../../../common/ddns
\ No newline at end of file
diff --git a/config/rootfiles/core/108/filelists/files b/config/rootfiles/core/108/filelists/files
new file mode 100644
index 0000000..6cce4ea
--- /dev/null
+++ b/config/rootfiles/core/108/filelists/files
@@ -0,0 +1,7 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/unbound
+etc/syslog.conf
+etc/unbound/unbound.conf
+srv/web/ipfire/cgi-bin/fwhosts.cgi
+srv/web/ipfire/cgi-bin/logs.cgi/config.dat
diff --git a/config/rootfiles/core/108/filelists/i586/strongswan-padlock b/config/rootfiles/core/108/filelists/i586/strongswan-padlock
new file mode 120000
index 0000000..2412824
--- /dev/null
+++ b/config/rootfiles/core/108/filelists/i586/strongswan-padlock
@@ -0,0 +1 @@
+../../../../common/i586/strongswan-padlock
\ No newline at end of file
diff --git a/config/rootfiles/core/108/filelists/ntp b/config/rootfiles/core/108/filelists/ntp
new file mode 120000
index 0000000..7542d86
--- /dev/null
+++ b/config/rootfiles/core/108/filelists/ntp
@@ -0,0 +1 @@
+../../../common/ntp
\ No newline at end of file
diff --git a/config/rootfiles/core/108/filelists/squid b/config/rootfiles/core/108/filelists/squid
new file mode 120000
index 0000000..2dc8372
--- /dev/null
+++ b/config/rootfiles/core/108/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/core/108/filelists/strongswan b/config/rootfiles/core/108/filelists/strongswan
new file mode 120000
index 0000000..90c727e
--- /dev/null
+++ b/config/rootfiles/core/108/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/108/meta b/config/rootfiles/core/108/meta
new file mode 100644
index 0000000..d547fa8
--- /dev/null
+++ b/config/rootfiles/core/108/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/108/update.sh b/config/rootfiles/core/108/update.sh
new file mode 100644
index 0000000..7a4bcd3
--- /dev/null
+++ b/config/rootfiles/core/108/update.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2016 IPFire-Team info@ipfire.org.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=108
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/init.d/ipsec stop
+/etc/init.d/squid stop
+
+# Extract files
+extract_files
+
+# update linker config
+ldconfig
+
+# Update Language cache
+#/usr/local/bin/update-lang-cache
+
+# Reload unbound upstream name servers
+/etc/init.d/unbound update-forwarders
+
+# Start services
+/etc/init.d/sysklogd restart
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+	/etc/init.d/ipsec start
+fi
+/etc/init.d/ntp restart
+/etc/init.d/squid start
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+	grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
diff --git a/config/rootfiles/oldcore/107/exclude b/config/rootfiles/oldcore/107/exclude
new file mode 100644
index 0000000..1d8d74e
--- /dev/null
+++ b/config/rootfiles/oldcore/107/exclude
@@ -0,0 +1,29 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/lib/unbound/root.key
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/oldcore/107/filelists/armv5tel/linux-kirkwood b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-kirkwood
new file mode 120000
index 0000000..7217107
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-kirkwood
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-kirkwood
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/armv5tel/linux-multi b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-multi
new file mode 120000
index 0000000..204eb4c
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-multi
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/armv5tel/linux-rpi b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-rpi
new file mode 120000
index 0000000..a651a49
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/armv5tel/linux-rpi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-rpi
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/files b/config/rootfiles/oldcore/107/filelists/files
new file mode 100644
index 0000000..94704cf
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/files
@@ -0,0 +1,8 @@
+etc/system-release
+etc/issue
+etc/unbound/unbound.conf
+etc/rc.d/init.d/unbound
+etc/rc.d/init.d/ntp
+srv/web/ipfire/cgi-bin/logs.cgi/log.dat
+srv/web/ipfire/cgi-bin/traffic.cgi
+var/ipfire/langs
diff --git a/config/rootfiles/oldcore/107/filelists/hdparm b/config/rootfiles/oldcore/107/filelists/hdparm
new file mode 120000
index 0000000..b644751
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/hdparm
@@ -0,0 +1 @@
+../../../common/hdparm
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/i586/linux b/config/rootfiles/oldcore/107/filelists/i586/linux
new file mode 120000
index 0000000..693ec4b
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/i586/linux
@@ -0,0 +1 @@
+../../../../common/i586/linux
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/libjpeg b/config/rootfiles/oldcore/107/filelists/libjpeg
new file mode 120000
index 0000000..3b1a782
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/libjpeg
@@ -0,0 +1 @@
+../../../common/libjpeg
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/libjpeg-compat b/config/rootfiles/oldcore/107/filelists/libjpeg-compat
new file mode 120000
index 0000000..e6ff86d
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/libjpeg-compat
@@ -0,0 +1 @@
+../../../common/libjpeg-compat
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/squid b/config/rootfiles/oldcore/107/filelists/squid
new file mode 120000
index 0000000..2dc8372
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/filelists/x86_64/linux b/config/rootfiles/oldcore/107/filelists/x86_64/linux
new file mode 120000
index 0000000..0615b5b
--- /dev/null
+++ b/config/rootfiles/oldcore/107/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/107/meta b/config/rootfiles/oldcore/107/meta
new file mode 100644
index 0000000..d547fa8
--- /dev/null
+++ b/config/rootfiles/oldcore/107/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/oldcore/107/update.sh b/config/rootfiles/oldcore/107/update.sh
new file mode 100644
index 0000000..276dae5
--- /dev/null
+++ b/config/rootfiles/oldcore/107/update.sh
@@ -0,0 +1,253 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2016 IPFire-Team info@ipfire.org.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+function find_device() {
+	local mountpoint="${1}"
+
+	local root
+	local dev mp fs flags rest
+	while read -r dev mp fs flags rest; do
+		# Skip unwanted entries
+		[ "${dev}" = "rootfs" ] && continue
+
+		if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then
+			root="$(basename "${dev}")"
+			break
+		fi
+	done < /proc/mounts
+
+	# Get the actual device from the partition that holds /
+	while [ -n "${root}" ]; do
+		if [ -e "/sys/block/${root}" ]; then
+			echo "${root}"
+			return 0
+		fi
+
+		# Remove last character
+		root="${root::-1}"
+	done
+
+	return 1
+}
+
+
+core=107
+
+function exit_with_error() {
+	# Set last succesfull installed core.
+	echo $(($core-1)) > /opt/pakfire/db/core/mine
+	/usr/bin/logger -p syslog.emerg -t ipfire \
+		"core-update-${core}: $1"
+	exit $2
+}
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ ))
+do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+#
+# Do some sanity checks.
+case $(uname -r) in
+	*-ipfire* )
+		# Ok.
+		;;
+	* )
+		exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+	;;
+esac
+
+
+#
+#
+KVER="xxxKVERxxx"
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+	exit_with_error "ERROR cannot update because not enough free space on root." 2
+	exit 2
+fi
+
+echo
+echo Update Kernel to $KVER ...
+#
+# Remove old kernel, configs, initrd, modules, dtb's ...
+#
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-ipfire-*
+rm -rf /boot/zImage-ipfire-*
+rm -rf /boot/uInit-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+
+case "$(uname -m)" in
+	armv*)
+		# Backup uEnv.txt if exist
+		if [ -e /boot/uEnv.txt ]; then
+			cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+		fi
+
+		# work around the u-boot folder detection bug
+		mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood
+		mkdir -pv /boot/dtb-$KVER-ipfire-multi
+		touch /boot/uImage-ipfire-kirkwood
+		touch /boot/zImage-ipfire-multi
+		touch /boot/uIinit-ipfire-kirkwood
+		touch /boot/uIinit-ipfire-multi
+		;;
+esac
+
+# Stop services
+/etc/init.d/collectd stop
+/etc/init.d/snort stop
+/etc/init.d/squid stop
+/etc/init.d/ipsec stop
+/etc/init.d/apache stop
+
+# Extract files
+tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C /
+
+# Remove some old files
+rm -f /etc/unbound/interfaces.conf
+
+# update linker config
+ldconfig
+
+# Check diskspace on boot
+BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $BOOTSPACE -lt 1000 ]; then
+	case $(uname -r) in
+		*-ipfire-kirkwood )
+			# Special handling for old kirkwood images.
+			# (install only kirkwood kernel)
+			rm -rf /boot/*
+			# work around the u-boot folder detection bug
+			mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood
+			tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \
+				--numeric-owner -C / --wildcards 'boot/*-kirkwood*'
+			;;
+		* )
+			/etc/init.d/apache start
+			exit_with_error "FATAL-ERROR space run out on boot. System is not bootable..." 4
+			;;
+	esac
+fi
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+#
+# Start services
+#
+/etc/init.d/collectd start
+/etc/init.d/apache start
+/etc/init.d/squid start
+/etc/init.d/snort start
+if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
+	/etc/init.d/ipsec start
+fi
+
+# Restart unbound to activate configuration changes
+/etc/init.d/unbound restart
+
+# Delete old QoS enabled indicator
+rm -f /var/ipfire/qos/enable
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+	sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+	/boot/pakfire-kernel-update ${KVER}
+fi
+
+case "$(uname -m)" in
+	i?86)
+		# Force (re)install pae kernel if pae is supported
+		rm -rf /opt/pakfire/db/installed/meta-linux-pae
+		if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
+			ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+			BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+			if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then
+				/usr/bin/logger -p syslog.emerg -t ipfire \
+				"core-update-${core}: WARNING not enough space for pae kernel."
+			else
+				echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
+				echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
+				echo "Release: 0"     >> /opt/pakfire/db/installed/meta-linux-pae
+			fi
+		fi
+		;;
+esac
+#
+# After pakfire has ended run it again and update the lists and do upgrade
+#
+echo '#!/bin/bash'                                        >  /tmp/pak_update
+echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update
+echo '    sleep 1'                                        >> /tmp/pak_update
+echo 'done'                                               >> /tmp/pak_update
+echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do'   >> /tmp/pak_update
+echo '    sleep 1'                                        >> /tmp/pak_update
+echo 'done'                                               >> /tmp/pak_update
+echo '/opt/pakfire/pakfire update -y --force'             >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/opt/pakfire/pakfire upgrade -y'                    >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update
+echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update
+echo 'touch /var/run/need_reboot ' >> /tmp/pak_update
+#
+killall -KILL pak_update
+chmod +x /tmp/pak_update
+/tmp/pak_update &
+
+sync
+
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+	grub-mkconfig -o /boot/grub/grub.cfg
+fi
+sync
+
+# Don't report the exitcode last command
+exit 0
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8..c9b01b8 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -42,7 +42,6 @@ server:
    # Privacy Options
    hide-identity: yes
    hide-version: yes
-	qname-minimisation: yes
    minimal-responses: yes
# DNSSEC
@@ -56,7 +55,6 @@ server:
    harden-short-bufsize: no
    harden-large-queries: yes
    harden-dnssec-stripped: yes
-	harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no
    use-caps-for-id: no
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 101411e..48d7f6a 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
 WARNING: translation string unused: HDD temperature
@@ -335,6 +336,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -361,6 +363,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 596cf71..0362802 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
 WARNING: translation string unused: HDD temperature
@@ -361,6 +362,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -387,6 +389,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/doc/language_issues.es b/doc/language_issues.es
index ad64380..60ba499 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -305,6 +305,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -331,6 +332,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
@@ -616,7 +618,6 @@ WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
-WARNING: untranslated string: Async logging enabled
 WARNING: untranslated string: ConnSched dial
 WARNING: untranslated string: ConnSched hangup
 WARNING: untranslated string: ConnSched reboot
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 28e80c9..863b529 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: Client status and controlc
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
@@ -302,6 +303,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -328,6 +330,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/doc/language_issues.it b/doc/language_issues.it
index d221534..6efef40 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: Client status and controlc
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
@@ -353,6 +354,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -379,6 +381,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 1dfc968..c9b10dc 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: Client status and controlc
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
@@ -352,6 +353,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -378,6 +380,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index ad64380..60ba499 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -305,6 +305,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -331,6 +332,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
@@ -616,7 +618,6 @@ WARNING: translation string unused: xtaccess all error
 WARNING: translation string unused: xtaccess bad transfert
 WARNING: translation string unused: year-graph
 WARNING: translation string unused: yearly firewallhits
-WARNING: untranslated string: Async logging enabled
 WARNING: untranslated string: ConnSched dial
 WARNING: untranslated string: ConnSched hangup
 WARNING: untranslated string: ConnSched reboot
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 31855fa..255df2f 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: Client status and controlc
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
@@ -297,6 +298,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -323,6 +325,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 6629cd6..8cf2dfe 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1,3 +1,4 @@
+WARNING: translation string unused: Async logging enabled
 WARNING: translation string unused: ConnSched scheduler
 WARNING: translation string unused: ConnSched select profile
 WARNING: translation string unused: HDD temperature
@@ -361,6 +362,7 @@ WARNING: translation string unused: local hard disk
 WARNING: translation string unused: localkey
 WARNING: translation string unused: localkeyfile
 WARNING: translation string unused: log enabled
+WARNING: translation string unused: log var messages
 WARNING: translation string unused: log viewer
 WARNING: translation string unused: logging
 WARNING: translation string unused: loosedirectorychecking
@@ -387,6 +389,7 @@ WARNING: translation string unused: mbmon fan in
 WARNING: translation string unused: mbmon graphs
 WARNING: translation string unused: mbmon temp in
 WARNING: translation string unused: mbmon value
+WARNING: translation string unused: messages logging
 WARNING: translation string unused: min size
 WARNING: translation string unused: missing dat
 WARNING: translation string unused: missing gz
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 35afad3..1b0fe07 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -624,9 +624,9 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
    	}
    	#check if host/net exists in grp
    	
-		my $test="$grp,$fwhostsettings{'oldremark'},@target";
+		my $test="$grp,$fwhostsettings{'oldremark'},@target,$type";
    	foreach my $key (keys %customgrp) {
-			my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2]";
+			my $test1="$customgrp{$key}[0],$customgrp{$key}[1],$customgrp{$key}[2],$customgrp{$key}[3]";
    		if ($test1 eq $test){
    			$errormessage=$Lang::tr{'fwhost err isingrp'};
    			$fwhostsettings{'update'} = 'on';
diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.dat
index 1f97a17..789341d 100644
--- a/html/cgi-bin/logs.cgi/config.dat
+++ b/html/cgi-bin/logs.cgi/config.dat
@@ -32,9 +32,7 @@ $logsettings{'LOGWATCH_LEVEL'} = 'Low';
 $logsettings{'LOGWATCH_KEEP'} = '56';
 my @VS = ('15','50','100','150','250','500');
 $logsettings{'ENABLE_REMOTELOG'} = 'off';
-$logsettings{'ENABLE_ASYNCLOG'} = 'off';
 $logsettings{'REMOTELOG_ADDR'} = '';
-$logsettings{'VARMESSAGES'} = 'cron.none;daemon.*;local0.*;local2.*;*.info;mail.none;authpriv.*';
 $logsettings{'ACTION'} = '';
 &Header::getcgihash(%logsettings);
@@ -67,10 +65,6 @@ if ($logsettings{'ACTION'} eq $Lang::tr{'save'})
&General::readhash("${General::swroot}/logging/settings", %logsettings);
-$checked{'ENABLE_ASYNCLOG'}{'off'} = '';
-$checked{'ENABLE_ASYNCLOG'}{'on'} = '';
-$checked{'ENABLE_ASYNCLOG'}{$logsettings{'ENABLE_ASYNCLOG'}} = "checked='checked'";
-
 $checked{'ENABLE_REMOTELOG'}{'off'} = '';
 $checked{'ENABLE_REMOTELOG'}{'on'} = '';
 $checked{'ENABLE_REMOTELOG'}{$logsettings{'ENABLE_REMOTELOG'}} = "checked='checked'";
@@ -151,20 +145,6 @@ END
 ;
 &Header::closebox();
-&Header::openbox('100%', 'left', $Lang::tr{'messages logging'});
-print <<END
-<table width='100%'>
-<tr>
-  <td class='base' colspan='2'><input type='checkbox' name='ENABLE_ASYNCLOG' $checked{'ENABLE_ASYNCLOG'}{'on'} />$Lang::tr{'Async logging enabled'}</td>
-<tr>
-</tr>
-  <td>$Lang::tr{'log var messages'}</td><td><input type='text' name='VARMESSAGES' size='50' value='$logsettings{'VARMESSAGES'}' /></td>
-</tr>
-</table>
-END
-;
-&Header::closebox();
-
 print <<END
 <div align='center'>
 <table width='60%'>
diff --git a/lfs/ddns b/lfs/ddns
index 422f8e3..3d7efa5 100644
--- a/lfs/ddns
+++ b/lfs/ddns
@@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
    @$(PREBUILD)
    @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ddns-0001-New-provider-Schokokeks.org.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch
+
    cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh
    cd $(DIR_APP) && ./configure \
    	--prefix=/usr \
diff --git a/lfs/nano b/lfs/nano
index 5dcf484..fbe88bd 100644
--- a/lfs/nano
+++ b/lfs/nano
@@ -24,7 +24,7 @@
include Config
-VER        = 2.6.3
+VER        = 2.7.1
THISAPP    = nano-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = nano
-PAK_VER    = 11
+PAK_VER    = 12
DEPS       = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1213c7f17916e65afefc95054c1f90f9
+$(DL_FILE)_MD5 = 6d6aea789dd15171d8d05d2359c52f23
install : $(TARGET)
diff --git a/lfs/ntp b/lfs/ntp
index 536a4a8..572bb88 100644
--- a/lfs/ntp
+++ b/lfs/ntp
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2016  Michael Tremer & Christian Schmidt                      #
+# Copyright (C) 2007-2016  IPFire Team  info@ipfire.org                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
include Config
-VER        = 4.2.8p8
+VER        = 4.2.8p9
THISAPP    = ntp-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4a8636260435b230636f053ffd070e34
+$(DL_FILE)_MD5 = 857452b05f5f2e033786f77ade1974ed
install : $(TARGET)
diff --git a/lfs/squid b/lfs/squid
index 269c663..70d90d8 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -70,6 +70,30 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
    @$(PREBUILD)
    @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14099.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14100.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14101.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14102.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14103.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14104.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14105.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14106.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14107.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14108.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14109.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14110.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14111.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14112.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14113.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14114.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14115.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14116.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14117.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14118.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14119.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14120.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14121.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14122.patch
    cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.22-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
diff --git a/lfs/strongswan b/lfs/strongswan
index 17c1a01..9e8f155 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
include Config
-VER        = 5.5.0
+VER        = 5.5.1
THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = a96fa7eb6c62b40143dadb064b6bd586
+$(DL_FILE)_MD5 = 4eba9474f7dc6c8c8d7037261358e68d
install : $(TARGET)
diff --git a/lfs/tor b/lfs/tor
index a00ff25..5f39d78 100644
--- a/lfs/tor
+++ b/lfs/tor
@@ -24,7 +24,7 @@
include Config
-VER        = 0.2.7.6
+VER        = 0.2.8.10
THISAPP    = tor-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = tor
-PAK_VER    = 17
+PAK_VER    = 18
DEPS       = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = cc19107b57136a68e8c563bf2d35b072
+$(DL_FILE)_MD5 = f5762c9eeb7bc68a6405cd5d6a53b5d7
install : $(TARGET)
diff --git a/make.sh b/make.sh
index 4b7beb8..390c719 100755
--- a/make.sh
+++ b/make.sh
@@ -25,8 +25,8 @@
 NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 VERSION="2.19"							# Version number
-CORE="107"							# Core Level (Filename)
-PAKFIRE_CORE="107"						# Core Level (PAKFIRE)
+CORE="108"							# Core Level (Filename)
+PAKFIRE_CORE="108"						# Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`			# Git Branch
 SLOGAN="www.ipfire.org"						# Software slogan
 CONFIG_ROOT=/var/ipfire						# Configuration rootdir
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 01a560d..6c7be6c 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -259,9 +259,6 @@ test_name_server() {
    # Exit when the server is not reachable
    ns_is_online ${ns} || return 1
-	# Return 0 if validating
-	ns_is_validating ${ns} && return 0
-
    local errors
    for rr in DNSKEY DS RRSIG; do
    	if ! ns_forwards_${rr} ${ns}; then
@@ -274,8 +271,13 @@ test_name_server() {
    	return 3
    fi
-	# Is DNSSEC-aware
-	return 2
+	if ns_is_validating ${ns}; then
+		# Return 0 if validating
+		return 0
+	else
+		# Is DNSSEC-aware
+		return 2
+	fi
 }
# Sends an A query to the nameserver w/o DNSSEC
@@ -366,6 +368,11 @@ case "$1" in
    	;;
update-forwarders)
+		# Do not try updating forwarders when unbound is not running
+		if ! pgrep unbound &>/dev/null; then
+			exit 0
+		fi
+
    	update_forwarders
    	;;
diff --git a/src/misc-progs/syslogdctrl.c b/src/misc-progs/syslogdctrl.c
index 8111c84..5271902 100644
--- a/src/misc-progs/syslogdctrl.c
+++ b/src/misc-progs/syslogdctrl.c
@@ -67,19 +67,6 @@ int main(void)
       exit(ERR_SETTINGS);
    }
-   if (!findkey(kv, "ENABLE_ASYNCLOG", asynclog))
-   {
-      fprintf(stderr, "Cannot read ENABLE_ASYNCLOG\n");
-      exit(ERR_SETTINGS);
-   }
-
-   
-   if (!findkey(kv, "VARMESSAGES", varmessages))
-   {
-      fprintf(stderr, "Cannot read VARMESSAGES\n");
-      exit(ERR_SETTINGS);
-   }
-
    if (strspn(hostname, VALID_FQDN) != strlen(hostname))
    {
       fprintf(stderr, "Bad REMOTELOG_ADDR: %s\n", hostname);
@@ -133,16 +120,6 @@ int main(void)
    }
    close(config_fd);
-   /* Replace the logging option*/
-     safe_system("grep -v '/var/log/messages' < /etc/syslog.conf.new > /etc/syslog.conf.tmp && mv /etc/syslog.conf.tmp /etc/syslog.conf.new");
-   
-   if (!strcmp(asynclog,"on"))
-     snprintf(command, STRING_SIZE - 1, "printf '%s     -/var/log/messages' >> /etc/syslog.conf.new", varmessages );
-   else
-     snprintf(command, STRING_SIZE - 1, "printf '%s     /var/log/messages' >> /etc/syslog.conf.new", varmessages );
-
-     safe_system(command);
-
    if (rename("/etc/syslog.conf.new", "/etc/syslog.conf") == -1)
    {
       perror("Unable to replace old config file");
diff --git a/src/patches/ddns-0001-New-provider-Schokokeks.org.patch b/src/patches/ddns-0001-New-provider-Schokokeks.org.patch
new file mode 100644
index 0000000..be123a5
--- /dev/null
+++ b/src/patches/ddns-0001-New-provider-Schokokeks.org.patch
@@ -0,0 +1,47 @@
+From 521c9d90f4e879ef3d9e1590f29e27990011ae46 Mon Sep 17 00:00:00 2001
+From: Steffen Peters sauron99@gmx.de
+Date: Mon, 4 Jul 2016 22:14:10 +0200
+Subject: [PATCH 185/185] New provider: Schokokeks.org
+
+Signed-off-by: Steffen Peters sauron99@gmx.de
+Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
+---
+ README                |  1 +
+ src/ddns/providers.py | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/README b/README
+index d8027a4..cedbf21 100644
+--- a/README
++++ b/README
+@@ -75,6 +75,7 @@ SUPPORTED PROVIDERS:
+ 	opendns.com
+ 	ovh.com
+ 	regfish.com
++	schokokeks.org
+ 	selfhost.de
+ 	spdns.org
+ 	strato.com
+diff --git a/src/ddns/providers.py b/src/ddns/providers.py
+index 6b25cb6..c482dad 100644
+--- a/src/ddns/providers.py
++++ b/src/ddns/providers.py
+@@ -1687,3 +1687,15 @@ class DDNSProviderZZZZ(DDNSProvider):
+ 
+ 		# If we got here, some other update error happened.
+ 		raise DDNSUpdateError
++
++class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider):
++       handle    = "schokokeks.org"
++       name      = "Schokokeks"
++       website   = "http://www.schokokeks.org/"
++       protocols = ("ipv4",)
++
++       # Information about the format of the request is to be found
++       # https://wiki.schokokeks.org/DynDNS
++
++       url = "https://dyndns.schokokeks.org/nic/update?myip=<ipaddr>"
++
+-- 
+2.7.4
+
diff --git a/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch b/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch
new file mode 100644
index 0000000..e00dcf6
--- /dev/null
+++ b/src/patches/ddns-0002-Schokokeks.org-Fix-malformed-update-URL.patch
@@ -0,0 +1,55 @@
+From f77e6bc92825d65e881d5dc7fc443139278c0d5f Mon Sep 17 00:00:00 2001
+From: Stefan Schantl stefan.schantl@ipfire.org
+Date: Fri, 28 Oct 2016 12:35:20 +0200
+Subject: [PATCH 3/3] Schockokeks.org: Fix malformed update URL.
+
+* Move Provider Class into correct alphabetical order.
+
+Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
+Reviewed-by: Michael Tremer michael.tremer@ipfire.org
+Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
+---
+ src/ddns/providers.py | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/src/ddns/providers.py b/src/ddns/providers.py
+index c482dad..2c30d42 100644
+--- a/src/ddns/providers.py
++++ b/src/ddns/providers.py
+@@ -1424,6 +1424,17 @@ class DDNSProviderRegfish(DDNSProvider):
+ 		raise DDNSUpdateError
+ 
+ 
++class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider):
++	handle    = "schokokeks.org"
++	name      = "Schokokeks"
++	website   = "http://www.schokokeks.org/"
++	protocols = ("ipv4",)
++
++	# Information about the format of the request is to be found
++	# https://wiki.schokokeks.org/DynDNS
++	url = "https://dyndns.schokokeks.org/nic/update"
++
++
+ class DDNSProviderSelfhost(DDNSProtocolDynDNS2, DDNSProvider):
+ 	handle    = "selfhost.de"
+ 	name      = "Selfhost.de"
+@@ -1687,15 +1698,3 @@ class DDNSProviderZZZZ(DDNSProvider):
+ 
+ 		# If we got here, some other update error happened.
+ 		raise DDNSUpdateError
+-
+-class DDNSProviderSchokokeksDNS(DDNSProtocolDynDNS2, DDNSProvider):
+-       handle    = "schokokeks.org"
+-       name      = "Schokokeks"
+-       website   = "http://www.schokokeks.org/"
+-       protocols = ("ipv4",)
+-
+-       # Information about the format of the request is to be found
+-       # https://wiki.schokokeks.org/DynDNS
+-
+-       url = "https://dyndns.schokokeks.org/nic/update?myip=<ipaddr>"
+-
+-- 
+2.7.4
+
diff --git a/src/patches/squid/squid-3.5-14099.patch b/src/patches/squid/squid-3.5-14099.patch
new file mode 100644
index 0000000..0e10eff
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14099.patch
@@ -0,0 +1,65 @@
+------------------------------------------------------------
+revno: 14099
+revision-id: squid3@treenet.co.nz-20161015042024-jagzafukd2t6gcr0
+parent: squid3@treenet.co.nz-20161009195739-pcju9hl8vqwijt26
+author: Alex Rousskov rousskov@measurement-factory.com
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sat 2016-10-15 17:20:24 +1300
+message:
+  Fix build with eCAP but without ICAP support.
+  
+  That is, when ./configured with --enable-ecap --disable-icap-client.
+  
+  AccessLogEntry::icap requires ICAP_CLIENT, not just USE_ADAPTATION.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161015042024-jagzafukd2t6gcr0
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 4cd2e7bf4e2be0acd252963afc107537b17450fc
+# timestamp: 2016-10-15 04:52:07 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161009195739-\
+#   pcju9hl8vqwijt26
+# 
+# Begin patch
+=== modified file 'src/format/Format.cc'
+--- src/format/Format.cc	2016-09-16 11:53:28 +0000
++++ src/format/Format.cc	2016-10-15 04:20:24 +0000
+@@ -318,7 +318,7 @@
+ actualReplyHeader(const AccessLogEntry::Pointer &al)
+ {
+     const HttpMsg *msg = al->reply;
+-#if USE_ADAPTATION
++#if ICAP_CLIENT
+     // al->icap.reqMethod is methodNone in access.log context
+     if (!msg && al->icap.reqMethod == Adaptation::methodReqmod)
+         msg = al->adapted_request;
+@@ -331,7 +331,7 @@
+ static const HttpMsg *
+ actualRequestHeader(const AccessLogEntry::Pointer &al)
+ {
+-#if USE_ADAPTATION
++#if ICAP_CLIENT
+     // al->icap.reqMethod is methodNone in access.log context
+     if (al->icap.reqMethod == Adaptation::methodRespmod) {
+         // XXX: for now AccessLogEntry lacks virgin response headers
+@@ -819,7 +819,7 @@
+         break;
+ 
+         case LFT_REQUEST_ALL_HEADERS:
+-#if USE_ADAPTATION
++#if ICAP_CLIENT
+             if (al->icap.reqMethod == Adaptation::methodRespmod) {
+                 // XXX: since AccessLogEntry::Headers lacks virgin response
+                 // headers, do nothing for now
+@@ -843,7 +843,7 @@
+ 
+         case LFT_REPLY_ALL_HEADERS:
+             out = al->headers.reply;
+-#if USE_ADAPTATION
++#if ICAP_CLIENT
+             if (!out && al->icap.reqMethod == Adaptation::methodReqmod)
+                 out = al->headers.adapted_request;
+ #endif
+
diff --git a/src/patches/squid/squid-3.5-14100.patch b/src/patches/squid/squid-3.5-14100.patch
new file mode 100644
index 0000000..7e5335a
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14100.patch
@@ -0,0 +1,39 @@
+------------------------------------------------------------
+revno: 14100
+revision-id: squid3@treenet.co.nz-20161025081949-3sxzd0n4snmadlke
+parent: squid3@treenet.co.nz-20161015042024-jagzafukd2t6gcr0
+author: Christos Tsantilas chtsanti@users.sourceforge.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Tue 2016-10-25 21:19:49 +1300
+message:
+  Fix regression bug introduced by r14089.
+    
+  Squid crashed because HttpMsg::body_pipe was used without check that it
+  was initialized. The message lacks body pipe when it has no body or
+  empty body.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161025081949-3sxzd0n4snmadlke
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 50468130801fc3ebf75129c103bcfe4be9b6d4b7
+# timestamp: 2016-10-25 08:28:30 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161015042024-\
+#   jagzafukd2t6gcr0
+# 
+# Begin patch
+=== modified file 'src/adaptation/icap/ModXact.cc'
+--- src/adaptation/icap/ModXact.cc	2016-09-16 18:50:04 +0000
++++ src/adaptation/icap/ModXact.cc	2016-10-25 08:19:49 +0000
+@@ -1303,7 +1303,8 @@
+         virgin_msg = virgin_request_;
+     assert(virgin_msg != virgin.cause);
+     al.http.clientRequestSz.header = virgin_msg->hdr_sz;
+-    al.http.clientRequestSz.payloadData = virgin_msg->body_pipe->producedSize();
++    if (virgin_msg->body_pipe != NULL)
++        al.http.clientRequestSz.payloadData = virgin_msg->body_pipe->producedSize();
+ 
+     // leave al.icap.bodyBytesRead negative if no body
+     if (replyHttpHeaderSize >= 0 || replyHttpBodySize >= 0) {
+
diff --git a/src/patches/squid/squid-3.5-14101.patch b/src/patches/squid/squid-3.5-14101.patch
new file mode 100644
index 0000000..92ff4d4
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14101.patch
@@ -0,0 +1,59 @@
+------------------------------------------------------------
+revno: 14101
+revision-id: squid3@treenet.co.nz-20161025082349-4gds2nic8qcahkem
+parent: squid3@treenet.co.nz-20161025081949-3sxzd0n4snmadlke
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Tue 2016-10-25 21:23:49 +1300
+message:
+  Fix external_acl_type default children documentations
+  
+  The max children has always been 5, not 20.
+  
+  Also, make mgr:config report dumper actually hide only the real default
+  values. (sync with helper/ChildConfig.cc defaults)
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161025082349-4gds2nic8qcahkem
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 02234eff0589032ea31d911c20f792617eeb18a9
+# timestamp: 2016-10-25 08:28:32 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161025081949-\
+#   3sxzd0n4snmadlke
+# 
+# Begin patch
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre	2016-09-23 15:28:42 +0000
++++ src/cf.data.pre	2016-10-25 08:23:49 +0000
+@@ -678,7 +678,7 @@
+ 
+ 	  children-max=n
+ 			Maximum number of acl helper processes spawned to service
+-			external acl lookups of this type. (default 20)
++			external acl lookups of this type. (default 5)
+ 
+ 	  children-startup=n
+ 			Minimum number of acl helper processes to spawn during
+
+=== modified file 'src/external_acl.cc'
+--- src/external_acl.cc	2016-05-17 18:14:16 +0000
++++ src/external_acl.cc	2016-10-25 08:23:49 +0000
+@@ -474,13 +474,13 @@
+         if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
+             storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
+ 
+-        if (node->children.n_startup != 1)
++        if (node->children.n_startup != 0) // sync with helper/ChildConfig.cc default
+             storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
+ 
+-        if (node->children.n_idle != (node->children.n_max + node->children.n_startup) )
++        if (node->children.n_idle != 1) // sync with helper/ChildConfig.cc default
+             storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
+ 
+-        if (node->children.concurrency)
++        if (node->children.concurrency != 0)
+             storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
+ 
+         if (node->cache)
+
diff --git a/src/patches/squid/squid-3.5-14102.patch b/src/patches/squid/squid-3.5-14102.patch
new file mode 100644
index 0000000..f592531
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14102.patch
@@ -0,0 +1,38 @@
+------------------------------------------------------------
+revno: 14102
+revision-id: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et
+parent: squid3@treenet.co.nz-20161025082349-4gds2nic8qcahkem
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4620
+author: Takahiro Kambe taca@back-street.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Tue 2016-10-25 21:25:30 +1300
+message:
+  Bug 4620: NetBSD build error with --enable-ipf-transparent
+  
+  On NetBSD sys/param.h must be included before netinet/ip_compat.h
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: eedfc8764a631aa008fd4aba589ca08ee161c3a5
+# timestamp: 2016-10-25 08:28:35 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161025082349-\
+#   4gds2nic8qcahkem
+# 
+# Begin patch
+=== modified file 'src/ip/Intercept.cc'
+--- src/ip/Intercept.cc	2016-10-09 00:14:14 +0000
++++ src/ip/Intercept.cc	2016-10-25 08:25:30 +0000
+@@ -25,6 +25,9 @@
+ #define IPFILTER_VERSION        5000004
+ #endif
+ 
++#if HAVE_SYS_PARAM_H
++#include <sys/param.h>
++#endif
+ #if HAVE_SYS_IOCCOM_H
+ #include <sys/ioccom.h>
+ #endif
+
diff --git a/src/patches/squid/squid-3.5-14103.patch b/src/patches/squid/squid-3.5-14103.patch
new file mode 100644
index 0000000..816aa91
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14103.patch
@@ -0,0 +1,61 @@
+------------------------------------------------------------
+revno: 14103
+revision-id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
+parent: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4627
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2016-10-30 12:26:28 +1300
+message:
+  Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
+  
+  For Squid-3 the fix is just to update the documentation.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ea728cefc977ea5489da01b7a742821121c29476
+# timestamp: 2016-10-29 23:51:13 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161025082530-\
+#   do632qnr9bwyk5et
+# 
+# Begin patch
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre	2016-10-25 08:23:49 +0000
++++ src/cf.data.pre	2016-10-29 23:26:28 +0000
+@@ -1787,13 +1787,12 @@
+ 			certificate equals lifetime of the CA certificate. If
+ 			generated certificate is selfsigned lifetime is three 
+ 			years.
+-			This option is enabled by default when ssl-bump is used.
+-			See the ssl-bump option above for more information.
++			This option is disabled by default. See the ssl-bump
++			option above for more information.
+ 			
+ 	   dynamic_cert_mem_cache_size=SIZE
+ 			Approximate total RAM size spent on cached generated
+-			certificates. If set to zero, caching is disabled. The
+-			default value is 4MB.
++			certificates. If set to zero, caching is disabled.
+ 
+ 	TLS / SSL Options:
+ 
+@@ -2063,13 +2062,12 @@
+ 			certificate equals lifetime of CA certificate. If
+ 			generated certificate is selfsigned lifetime is three
+ 			years.
+-			This option is enabled by default when SslBump is used.
+-			See the sslBump option above for more information.
++			This option is disabled by default. See the ssl-bump
++			option above for more information.
+ 
+ 	   dynamic_cert_mem_cache_size=SIZE
+ 			Approximate total RAM size spent on cached generated
+-			certificates. If set to zero, caching is disabled. The
+-			default value is 4MB.
++			certificates. If set to zero, caching is disabled.
+ 
+ 	See http_port for a list of available options.
+ DOC_END
+
diff --git a/src/patches/squid/squid-3.5-14104.patch b/src/patches/squid/squid-3.5-14104.patch
new file mode 100644
index 0000000..c5d6ed0
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14104.patch
@@ -0,0 +1,66 @@
+------------------------------------------------------------
+revno: 14104
+revision-id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
+parent: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:38:16 +1300
+message:
+  Copyright: add some missing blurbs and contributor details
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8d44709a8f9c34926ce569e58aef82603a3d514b
+# timestamp: 2016-10-30 09:40:44 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161029232628-\
+#   1y2u918re62uqs3v
+# 
+# Begin patch
+=== modified file 'CONTRIBUTORS'
+--- CONTRIBUTORS	2016-01-06 14:27:36 +0000
++++ CONTRIBUTORS	2016-10-30 09:38:16 +0000
+@@ -211,6 +211,8 @@
+     Joe Ramey ramey@jello.csc.ti.com
+     Joerg Lehrke jlehrke@noc.de
+     Johnathan Conley johnathan.conley@gmail.com
++    John@MCC.ac.uk
++    John@Pharmweb.NET
+     John Dilley jad@hpl.hp.com
+     John M Cooper john.cooper@yourcommunications.co.uk
+     John Saunders johns@rd.scitec.com.au
+
+=== modified file 'contrib/url-normalizer.pl'
+--- contrib/url-normalizer.pl	1996-12-07 00:54:31 +0000
++++ contrib/url-normalizer.pl	2016-10-30 09:38:16 +0000
+@@ -1,4 +1,11 @@
+ #!/usr/local/bin/perl -Tw
++#
++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
++# *
++# * Squid software is distributed under GPLv2+ license and includes
++# * contributions from numerous individuals and organizations.
++# * Please see the COPYING and CONTRIBUTORS files for details.
++#
+ 
+ # From:    Markus Gyger mgyger@itr.ch
+ #
+
+=== modified file 'contrib/user-agents.pl'
+--- contrib/user-agents.pl	1996-12-07 00:28:56 +0000
++++ contrib/user-agents.pl	2016-10-30 09:38:16 +0000
+@@ -1,5 +1,13 @@
+ #!/usr/bin/perl
+ #
++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
++# *
++# * Squid software is distributed under GPLv2+ license and includes
++# * contributions from numerous individuals and organizations.
++# * Please see the COPYING and CONTRIBUTORS files for details.
++#
++
++#
+ # John@MCC.ac.uk
+ # John@Pharmweb.NET
+ 
diff --git a/src/patches/squid/squid-3.5-14105.patch b/src/patches/squid/squid-3.5-14105.patch
new file mode 100644
index 0000000..d73dcea
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14105.patch
@@ -0,0 +1,48 @@
+------------------------------------------------------------
+revno: 14105
+revision-id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
+parent: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4567
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:39:20 +1300
+message:
+  Bug 4567: Strange IPv6 shown in access.log
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8dbae4e7fc5fb80afc6eee6800743abd1b1eaa47
+# timestamp: 2016-10-30 09:40:47 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030093816-\
+#   7vwnk5zrrql2p5ks
+# 
+# Begin patch
+=== modified file 'src/AccessLogEntry.cc'
+--- src/AccessLogEntry.cc	2016-01-01 00:14:27 +0000
++++ src/AccessLogEntry.cc	2016-10-30 09:39:20 +0000
+@@ -30,14 +30,17 @@
+         log_ip = request->indirect_client_addr;
+     else
+ #endif
+-        if (tcpClient != NULL)
++        if (tcpClient)
+             log_ip = tcpClient->remote;
+-        else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client
+-            strncpy(buf, "-", bufsz);
+-            return;
+-        } else
++        else
+             log_ip = cache.caddr;
+ 
++    // internally generated requests (and some ICAP) lack client IP
++    if (log_ip.isNoAddr()) {
++        strncpy(buf, "-", bufsz);
++        return;
++    }
++
+     // Apply so-called 'privacy masking' to IPv4 clients
+     // - localhost IP is always shown in full
+     // - IPv4 clients masked with client_netmask
+
diff --git a/src/patches/squid/squid-3.5-14106.patch b/src/patches/squid/squid-3.5-14106.patch
new file mode 100644
index 0000000..cd3f63f
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14106.patch
@@ -0,0 +1,34 @@
+------------------------------------------------------------
+revno: 14106
+revision-id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
+parent: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
+author: Garri Djavadyan garryd@comnet.uz
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:40:25 +1300
+message:
+  Fix debug message in ACLChecklist::bannedAction()
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 4fd7942b294096f5c27e3d460b6d4c79580443e1
+# timestamp: 2016-10-30 09:40:49 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030093920-\
+#   5f7f2px9ea08rxlq
+# 
+# Begin patch
+=== modified file 'src/acl/Checklist.cc'
+--- src/acl/Checklist.cc	2016-01-01 00:14:27 +0000
++++ src/acl/Checklist.cc	2016-10-30 09:40:25 +0000
+@@ -397,7 +397,7 @@
+ ACLChecklist::bannedAction(const allow_t &action) const
+ {
+     const bool found = std::find(bannedActions_.begin(), bannedActions_.end(), action) != bannedActions_.end();
+-    debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " is " : "is not") << " banned");
++    debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "' is " : "' is not") << " banned");
+     return found;
+ }
+ 
+
diff --git a/src/patches/squid/squid-3.5-14107.patch b/src/patches/squid/squid-3.5-14107.patch
new file mode 100644
index 0000000..34b0ace
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14107.patch
@@ -0,0 +1,56 @@
+------------------------------------------------------------
+revno: 14107
+revision-id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
+parent: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:45:03 +1300
+message:
+  HTTP/1.1: make Vary:* objects cacheable
+  
+  Under new clauses from RFC 7231 section 7.1.4 and HTTP response
+  containing header Vary:* (wifcard variant) can be cached, but
+  requires revalidation with server before each use.
+  
+  Use the new mandatory revalidation flags to allow storing of any
+  wildcard Vary:* response.
+  
+  Note that responses with headers like Vary:A,B,C,* are equivalent
+  to Vary:*. The cache key string for these objects is normalized.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 2652a5a689745e31fc450e0dfd1c5c472f6d68d6
+# timestamp: 2016-10-30 09:45:47 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030094025-\
+#   l4b8fdahoru8h16d
+# 
+# Begin patch
+=== modified file 'src/http.cc'
+--- src/http.cc	2016-10-09 19:47:26 +0000
++++ src/http.cc	2016-10-30 09:45:03 +0000
+@@ -594,7 +594,7 @@
+     while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
+         SBuf name(item, ilen);
+         if (name == asterisk) {
+-            vstr.clear();
++            vstr = asterisk;
+             break;
+         }
+         name.toLower();
+@@ -917,6 +917,12 @@
+             varyFailure = true;
+         } else {
+             entry->mem_obj->vary_headers = vary;
++
++            // RFC 7231 section 7.1.4
++            // Vary:* can be cached, but has mandatory revalidation
++            static const SBuf asterisk("*");
++            if (vary == asterisk)
++                EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS);
+         }
+     }
+ 
+
diff --git a/src/patches/squid/squid-3.5-14108.patch b/src/patches/squid/squid-3.5-14108.patch
new file mode 100644
index 0000000..282fe41
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14108.patch
@@ -0,0 +1,33 @@
+------------------------------------------------------------
+revno: 14108
+revision-id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+parent: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Wed 2016-11-02 00:22:31 +1300
+message:
+  Fix build issue after rev.14105
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fea1ede525ccb3ad7bf50e8de8f125a86a8dc016
+# timestamp: 2016-11-01 11:51:06 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030094503-\
+#   rwdft21ffff44rns
+# 
+# Begin patch
+=== modified file 'src/AccessLogEntry.cc'
+--- src/AccessLogEntry.cc	2016-10-30 09:39:20 +0000
++++ src/AccessLogEntry.cc	2016-11-01 11:22:31 +0000
+@@ -30,7 +30,7 @@
+         log_ip = request->indirect_client_addr;
+     else
+ #endif
+-        if (tcpClient)
++        if (tcpClient != NULL)
+             log_ip = tcpClient->remote;
+         else
+             log_ip = cache.caddr;
+
diff --git a/src/patches/squid/squid-3.5-14109.patch b/src/patches/squid/squid-3.5-14109.patch
new file mode 100644
index 0000000..82b7dd2
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14109.patch
@@ -0,0 +1,167 @@
+------------------------------------------------------------
+revno: 14109
+revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379
+author: Garri Djavadyan garryd@comnet.uz, Amos Jeffries squid3@treenet.co.nz
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Fri 2016-11-11 19:03:25 +1300
+message:
+  Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736
+# timestamp: 2016-11-11 06:10:37 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161101112231-\
+#   k77st4up2sekl5zx
+# 
+# Begin patch
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc	2016-10-09 19:47:26 +0000
++++ src/client_side_reply.cc	2016-11-11 06:03:25 +0000
+@@ -589,6 +589,7 @@
+         debugs(88, 5, "negative-HIT");
+         http->logType = LOG_TCP_NEGATIVE_HIT;
+         sendMoreData(result);
++        return;
+     } else if (blockedHit()) {
+         debugs(88, 5, "send_hit forces a MISS");
+         http->logType = LOG_TCP_MISS;
+@@ -641,27 +642,29 @@
+             http->logType = LOG_TCP_MISS;
+             processMiss();
+         }
++        return;
+     } else if (r->conditional()) {
+         debugs(88, 5, "conditional HIT");
+-        processConditional(result);
+-    } else {
+-        /*
+-         * plain ol' cache hit
+-         */
+-        debugs(88, 5, "plain old HIT");
++        if (processConditional(result))
++            return;
++    }
++
++    /*
++     * plain ol' cache hit
++     */
++    debugs(88, 5, "plain old HIT");
+ 
+ #if USE_DELAY_POOLS
+-        if (e->store_status != STORE_OK)
+-            http->logType = LOG_TCP_MISS;
+-        else
++    if (e->store_status != STORE_OK)
++        http->logType = LOG_TCP_MISS;
++    else
+ #endif
+-            if (e->mem_status == IN_MEMORY)
+-                http->logType = LOG_TCP_MEM_HIT;
+-            else if (Config.onoff.offline)
+-                http->logType = LOG_TCP_OFFLINE_HIT;
++        if (e->mem_status == IN_MEMORY)
++            http->logType = LOG_TCP_MEM_HIT;
++        else if (Config.onoff.offline)
++            http->logType = LOG_TCP_OFFLINE_HIT;
+ 
+-        sendMoreData(result);
+-    }
++    sendMoreData(result);
+ }
+ 
+ /**
+@@ -755,17 +758,16 @@
+ }
+ 
+ /// process conditional request from client
+-void
++bool
+ clientReplyContext::processConditional(StoreIOBuffer &result)
+ {
+     StoreEntry *const e = http->storeEntry();
+ 
+     if (e->getReply()->sline.status() != Http::scOkay) {
+-        debugs(88, 4, "clientReplyContext::processConditional: Reply code " <<
+-               e->getReply()->sline.status() << " != 200");
++        debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200");
+         http->logType = LOG_TCP_MISS;
+         processMiss();
+-        return;
++        return true;
+     }
+ 
+     HttpRequest &r = *http->request;
+@@ -773,7 +775,7 @@
+     if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
+         // RFC 2616: reply with 412 Precondition Failed if If-Match did not match
+         sendPreconditionFailedError();
+-        return;
++        return true;
+     }
+ 
+     bool matchedIfNoneMatch = false;
+@@ -786,14 +788,14 @@
+             r.header.delById(HDR_IF_MODIFIED_SINCE);
+             http->logType = LOG_TCP_MISS;
+             sendMoreData(result);
+-            return;
++            return true;
+         }
+ 
+         if (!r.flags.ims) {
+             // RFC 2616: if If-None-Match matched and there is no IMS,
+             // reply with 304 Not Modified or 412 Precondition Failed
+             sendNotModifiedOrPreconditionFailedError();
+-            return;
++            return true;
+         }
+ 
+         // otherwise check IMS below to decide if we reply with 304 or 412
+@@ -805,19 +807,20 @@
+         if (e->modifiedSince(r.ims, r.imslen)) {
+             http->logType = LOG_TCP_IMS_HIT;
+             sendMoreData(result);
+-            return;
+-        }
+ 
+-        if (matchedIfNoneMatch) {
++        } else if (matchedIfNoneMatch) {
+             // If-None-Match matched, reply with 304 Not Modified or
+             // 412 Precondition Failed
+             sendNotModifiedOrPreconditionFailedError();
+-            return;
++
++        } else {
++            // otherwise reply with 304 Not Modified
++            sendNotModified();
+         }
+-
+-        // otherwise reply with 304 Not Modified
+-        sendNotModified();
++        return true;
+     }
++
++    return false;
+ }
+ 
+ /// whether squid.conf send_hit prevents us from serving this hit
+
+=== modified file 'src/client_side_reply.h'
+--- src/client_side_reply.h	2016-09-23 15:28:42 +0000
++++ src/client_side_reply.h	2016-11-11 06:03:25 +0000
+@@ -114,7 +114,7 @@
+     bool alwaysAllowResponse(Http::StatusCode sline) const;
+     int checkTransferDone();
+     void processOnlyIfCachedMiss();
+-    void processConditional(StoreIOBuffer &result);
++    bool processConditional(StoreIOBuffer &result);
+     void cacheHit(StoreIOBuffer result);
+     void handleIMSReply(StoreIOBuffer result);
+     void sendMoreData(StoreIOBuffer result);
+
diff --git a/src/patches/squid/squid-3.5-14110.patch b/src/patches/squid/squid-3.5-14110.patch
new file mode 100644
index 0000000..0d0a9db
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14110.patch
@@ -0,0 +1,102 @@
+------------------------------------------------------------
+revno: 14110
+revision-id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
+parent: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+author: Christos Tsantilas chtsanti@users.sourceforge.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Mon 2016-11-14 23:51:24 +1300
+message:
+  Fix ssl::server_name ACL badly broken since inception.
+  
+  The original server_name code mishandled all SNI checks and some rare
+  host checks:
+  
+  * The SNI-derived value was pointing to an already freed memory storage.
+  * Missing host-derived values were not detected (host() is never nil).
+  * Mismatches were re-checked with an undocumented "none" value
+    instead of being treated as mismatches.
+  
+  Same for ssl::server_name_regex.
+  
+  Also set SNI for more server-first and client-first transactions.
+  
+  This is a Measurement Factory project.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb
+# timestamp: 2016-11-14 10:56:00 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161111060325-\
+#   yh8chavvnzuvfh3h
+# 
+# Begin patch
+=== modified file 'src/acl/ServerName.cc'
+--- src/acl/ServerName.cc	2016-09-08 12:27:06 +0000
++++ src/acl/ServerName.cc	2016-11-14 10:51:24 +0000
+@@ -90,27 +90,28 @@
+ {
+     assert(checklist != NULL && checklist->request != NULL);
+ 
+-    if (checklist->conn() && checklist->conn()->serverBump()) {
+-        if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) {
+-            if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>))
+-                return 1;
+-        }
+-    }
+-
+     const char *serverName = NULL;
+-    if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) {
+-        SBuf scn = checklist->conn()->sslCommonName();
+-        serverName = scn.c_str();
+-    }
+-
+-    if (serverName == NULL)
+-        serverName = checklist->request->GetHost();
+-
+-    if (serverName && data->match(serverName)) {
+-        return 1;
+-    }
+-
+-    return data->match("none");
++    SBuf serverNameKeeper; // because c_str() is not constant
++    if (ConnStateData *conn = checklist->conn()) {
++        if (conn->serverBump()) {
++            if (X509 *peer_cert = conn->serverBump()->serverCert.get())
++                return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>);
++        }
++
++        if (conn->sslCommonName().isEmpty()) {
++            const char *host = checklist->request->GetHost();
++            if (host && *host) // paranoid first condition: host() is never nil
++                serverName = host;
++        } else {
++            serverNameKeeper = conn->sslCommonName();
++            serverName = serverNameKeeper.c_str();
++        }
++    }
++
++    if (!serverName)
++        serverName = "none";
++
++    return data->match(serverName);
+ }
+ 
+ ACLServerNameStrategy *
+
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre	2016-10-29 23:26:28 +0000
++++ src/cf.data.pre	2016-11-14 10:51:24 +0000
+@@ -1167,6 +1167,9 @@
+ 	  # During each Ssl-Bump step, Squid may improve its understanding of a
+ 	  # "true server name". Unlike dstdomain, this ACL does not perform
+ 	  # DNS lookups.
++	  # The "none" name can be used to match transactions where Squid
++	  # could not compute the server name using any information source
++	  # already available at the ACL evaluation time.
+ 
+ 	acl aclname ssl::server_name_regex [-i] .foo.com ...
+ 	  # regex matches server name obtained from various sources [fast]
+
diff --git a/src/patches/squid/squid-3.5-14111.patch b/src/patches/squid/squid-3.5-14111.patch
new file mode 100644
index 0000000..984069b
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14111.patch
@@ -0,0 +1,43 @@
+------------------------------------------------------------
+revno: 14111
+revision-id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
+parent: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
+author: Garri Djavadyan garryd@comnet.uz
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Mon 2016-11-14 23:54:34 +1300
+message:
+  Fix spelling for digest nonce cache maintenance event
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8c91678868beb689db5e0e6eaa6911c44f503ac8
+# timestamp: 2016-11-14 10:56:03 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161114105124-\
+#   46hmtnsg8uj4owxz
+# 
+# Begin patch
+=== modified file 'src/auth/digest/Config.cc'
+--- src/auth/digest/Config.cc	2016-01-01 00:14:27 +0000
++++ src/auth/digest/Config.cc	2016-11-14 10:54:34 +0000
+@@ -204,7 +204,7 @@
+     if (!digest_nonce_cache) {
+         digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
+         assert(digest_nonce_cache);
+-        eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1);
++        eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1);
+     }
+ }
+ 
+@@ -268,7 +268,7 @@
+     debugs(29, 3, "Finished cleaning the nonce cache.");
+ 
+     if (static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->active())
+-        eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1);
++        eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1);
+ }
+ 
+ static void
+
diff --git a/src/patches/squid/squid-3.5-14112.patch b/src/patches/squid/squid-3.5-14112.patch
new file mode 100644
index 0000000..a63c1c0
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14112.patch
@@ -0,0 +1,60 @@
+------------------------------------------------------------
+revno: 14112
+revision-id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
+parent: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
+author: Alex Rousskov rousskov@measurement-factory.com
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Tue 2016-11-15 01:40:51 +1300
+message:
+  Honor SBufReservationRequirements::minSize regardless of idealSize.
+    
+    In a fully specified SBufReservationRequirements, idealSize would
+    naturally match or exceed minSize. However, the idealSize default value
+    (zero) may not. We should honor minSize regardless of idealSize, just as
+    the API documentation promises to do.
+    
+    No runtime changes expected right now because the only existing user of
+    SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096)
+    and .minSize to 1024.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fb0969aa035352582364b529a70286cbfd89564a
+# timestamp: 2016-11-14 12:43:10 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161114105434-\
+#   f1uvw2lu8l4lpgay
+# 
+# Begin patch
+=== modified file 'src/SBuf.cc'
+--- src/SBuf.cc	2016-06-18 13:36:07 +0000
++++ src/SBuf.cc	2016-11-14 12:40:51 +0000
+@@ -178,7 +178,8 @@
+     if (!mustRealloc && len_ >= req.maxCapacity)
+         return spaceSize(); // but we cannot reallocate
+ 
+-    const size_type newSpace = std::min(req.idealSpace, maxSize - len_);
++    const size_type desiredSpace = std::max(req.minSpace, req.idealSpace);
++    const size_type newSpace = std::min(desiredSpace, maxSize - len_);
+     reserveCapacity(std::min(len_ + newSpace, req.maxCapacity));
+     debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize() <<
+            '=' << store_->capacity);
+
+=== modified file 'src/SBuf.h'
+--- src/SBuf.h	2016-06-18 13:36:07 +0000
++++ src/SBuf.h	2016-11-14 12:40:51 +0000
+@@ -635,9 +635,10 @@
+     /*
+      * Parameters are listed in the reverse order of importance: Satisfaction of
+      * the lower-listed requirements may violate the higher-listed requirements.
++     * For example, idealSpace has no effect unless it exceeds minSpace.
+      */
+     size_type idealSpace; ///< if allocating anyway, provide this much space
+-    size_type minSpace; ///< allocate if spaceSize() is smaller
++    size_type minSpace; ///< allocate [at least this much] if spaceSize() is smaller
+     size_type maxCapacity; ///< do not allocate more than this
+     bool allowShared; ///< whether sharing our storage with others is OK
+ };
+
diff --git a/src/patches/squid/squid-3.5-14113.patch b/src/patches/squid/squid-3.5-14113.patch
new file mode 100644
index 0000000..d545026
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14113.patch
@@ -0,0 +1,47 @@
+------------------------------------------------------------
+revno: 14113
+revision-id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
+parent: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Tue 2016-11-15 20:57:28 +1300
+message:
+  TLS: Make key= before cert= an error instead of quietly hiding the issue
+  
+  This squid.conf setup is fatal in Squid-4. So best to fix these installations.
+  Even though Squdi-3 can cope with it.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a18738f4cbf0c1bd368e61d4b19c5d6f5005b919
+# timestamp: 2016-11-15 07:58:39 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161114124051-\
+#   s0vzoj5exv5g8w56
+# 
+# Begin patch
+=== modified file 'src/cache_cf.cc'
+--- src/cache_cf.cc	2016-09-23 11:11:48 +0000
++++ src/cache_cf.cc	2016-11-15 07:57:28 +0000
+@@ -2257,6 +2257,9 @@
+             safe_free(p->sslcert);
+             p->sslcert = xstrdup(token + 8);
+         } else if (strncmp(token, "sslkey=", 7) == 0) {
++            if (!p->sslcert) {
++                debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used.");
++            }
+             safe_free(p->sslkey);
+             p->sslkey = xstrdup(token + 7);
+         } else if (strncmp(token, "sslversion=", 11) == 0) {
+@@ -3729,6 +3732,9 @@
+         safe_free(s->cert);
+         s->cert = xstrdup(token + 5);
+     } else if (strncmp(token, "key=", 4) == 0) {
++        if (!s->cert) {
++            debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used.");
++        }
+         safe_free(s->key);
+         s->key = xstrdup(token + 4);
+     } else if (strncmp(token, "version=", 8) == 0) {
+
diff --git a/src/patches/squid/squid-3.5-14114.patch b/src/patches/squid/squid-3.5-14114.patch
new file mode 100644
index 0000000..0985004
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14114.patch
@@ -0,0 +1,46 @@
+------------------------------------------------------------
+revno: 14114
+revision-id: squid3@treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3
+parent: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Thu 2016-12-01 04:42:05 +1300
+message:
+  Improve debugs warnings when loading signing certs fails
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: e760bf590489a354e314f19dd158b063d23ef7a7
+# timestamp: 2016-11-30 15:51:47 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161115075728-\
+#   2xj2621oh5bwn8wn
+# 
+# Begin patch
+=== modified file 'src/ssl/support.cc'
+--- src/ssl/support.cc	2016-10-09 14:30:11 +0000
++++ src/ssl/support.cc	2016-11-30 15:42:05 +0000
+@@ -2011,10 +2011,17 @@
+     pem_password_cb *cb = ::Config.Program.ssl_password ? &ssl_ask_password_cb : NULL;
+     pkey.reset(readSslPrivateKey(keyFilename, cb));
+     cert.reset(readSslX509CertificatesChain(certFilename, chain.get()));
+-    if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) {
+-        pkey.reset(NULL);
+-        cert.reset(NULL);
+-    }
++    if (!cert) {
++        debugs(83, DBG_IMPORTANT, "WARNING: missing cert in '" << certFilename << "'");
++    } else if (!pkey) {
++        debugs(83, DBG_IMPORTANT, "WARNING: missing private key in '" << keyFilename << "'");
++    } else if (!X509_check_private_key(cert.get(), pkey.get())) {
++        debugs(83, DBG_IMPORTANT, "WARNING: X509_check_private_key() failed to verify signing cert");
++    } else
++        return; // everything is okay
++
++    pkey.reset(NULL);
++    cert.reset(NULL);
+ }
+ 
+ bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const  &cert, EVP_PKEY_Pointer const & pkey)
+
diff --git a/src/patches/squid/squid-3.5-14115.patch b/src/patches/squid/squid-3.5-14115.patch
new file mode 100644
index 0000000..4e5e3cf
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14115.patch
@@ -0,0 +1,197 @@
+------------------------------------------------------------
+revno: 14115
+revision-id: squid3@treenet.co.nz-20161130215630-c42qucqar9bi9a1k
+parent: squid3@treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4004
+author: Christos Tsantilas chtsanti@users.sourceforge.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Thu 2016-12-01 10:56:30 +1300
+message:
+  Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply
+  
+  Added nil dereference checks for Ftp::Client::ctrl.conn, including:
+  - Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference
+    ctrl.conn in DBG_IMPORTANT messages.
+  - Many functions inside FtpClient.cc and FtpGateway.cc files.
+  
+  TODO: We need to find a better way to handle nil ctrl.conn. It is only
+  a matter of time when we forget to add another dereference check or
+  discover a place we missed during this change.
+  
+  Also disabled forwarding of EPRT and PORT commands to origin servers.
+  Squid support for those commands is broken and their forwarding may
+  cause segfaults (bug #4004). Active FTP is still supported, of course.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161130215630-c42qucqar9bi9a1k
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 345883c1b5a5cd221e9d0e68b254df7d955372ad
+# timestamp: 2016-11-30 22:42:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161130154205-\
+#   c9z1bhqzuh3rafl3
+# 
+# Begin patch
+=== modified file 'src/clients/FtpClient.cc'
+--- src/clients/FtpClient.cc	2016-08-05 14:59:33 +0000
++++ src/clients/FtpClient.cc	2016-11-30 21:56:30 +0000
+@@ -442,6 +442,11 @@
+     char *buf;
+     debugs(9, 3, status());
+ 
++    if (!Comm::IsConnOpen(ctrl.conn)) {
++        debugs(9, 5, "The control connection to the remote end is closed");
++        return false;
++    }
++
+     if (code != 227) {
+         debugs(9, 2, "PASV not supported by remote end");
+         return false;
+@@ -473,6 +478,11 @@
+     char *buf;
+     debugs(9, 3, status());
+ 
++    if (!Comm::IsConnOpen(ctrl.conn)) {
++        debugs(9, 5, "The control connection to the remote end is closed");
++        return false;
++    }
++
+     if (code != 229 && code != 522) {
+         if (code == 200) {
+             /* handle broken servers (RFC 2428 says OK code for EPSV MUST be 229 not 200) */
+@@ -733,6 +743,11 @@
+ void
+ Ftp::Client::connectDataChannel()
+ {
++    if (!Comm::IsConnOpen(ctrl.conn)) {
++        debugs(9, 5, "The control connection to the remote end is closed");
++        return;
++    }
++
+     safe_free(ctrl.last_command);
+ 
+     safe_free(ctrl.last_reply);
+
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc	2016-01-31 05:39:09 +0000
++++ src/clients/FtpGateway.cc	2016-11-30 21:56:30 +0000
+@@ -212,7 +212,9 @@
+ static FTPSM ftpReadMdtm;
+ static FTPSM ftpSendSize;
+ static FTPSM ftpReadSize;
++#if 0
+ static FTPSM ftpSendEPRT;
++#endif
+ static FTPSM ftpReadEPRT;
+ static FTPSM ftpSendPORT;
+ static FTPSM ftpReadPORT;
+@@ -450,6 +452,11 @@
+ void
+ Ftp::Gateway::listenForDataChannel(const Comm::ConnectionPointer &conn)
+ {
++    if (!Comm::IsConnOpen(ctrl.conn)) {
++        debugs(9, 5, "The control connection to the remote end is closed");
++        return;
++    }
++
+     assert(!Comm::IsConnOpen(data.conn));
+ 
+     typedef CommCbMemFunT<Gateway, CommAcceptCbParams> AcceptDialer;
+@@ -1183,7 +1190,7 @@
+ 
+     checkUrlpath();
+     buildTitleUrl();
+-    debugs(9, 5, HERE << "FD " << ctrl.conn->fd << " : host=" << request->GetHost() <<
++    debugs(9, 5, "FD " << (ctrl.conn != NULL ? ctrl.conn->fd : -1) << " : host=" << request->GetHost() <<
+            ", path=" << request->urlpath << ", user=" << user << ", passwd=" << password);
+     state = BEGIN;
+     Ftp::Client::start();
+@@ -1750,7 +1757,9 @@
+     if (ftpState->handlePasvReply(srvAddr))
+         ftpState->connectDataChannel();
+     else {
+-        ftpSendEPRT(ftpState);
++        ftpFail(ftpState);
++        // Currently disabled, does not work correctly:
++        // ftpSendEPRT(ftpState);
+         return;
+     }
+ }
+@@ -1790,6 +1799,11 @@
+     }
+     safe_free(ftpState->data.host);
+ 
++    if (!Comm::IsConnOpen(ftpState->ctrl.conn)) {
++        debugs(9, 5, "The control connection to the remote end is closed");
++        return;
++    }
++
+     /*
+      * Set up a listen socket on the same local address as the
+      * control connection.
+@@ -1875,9 +1889,14 @@
+     ftpRestOrList(ftpState);
+ }
+ 
++#if 0
+ static void
+ ftpSendEPRT(Ftp::Gateway * ftpState)
+ {
++    /* check the server control channel is still available */
++    if (!ftpState || !ftpState->haveControlChannel("ftpSendEPRT"))
++        return;
++
+     if (Config.Ftp.epsv_all && ftpState->flags.epsv_all_sent) {
+         debugs(9, DBG_IMPORTANT, "FTP does not allow EPRT method after 'EPSV ALL' has been sent.");
+         return;
+@@ -1913,6 +1932,7 @@
+     ftpState->writeCommand(cbuf);
+     ftpState->state = Ftp::Client::SENT_EPRT;
+ }
++#endif
+ 
+ static void
+ ftpReadEPRT(Ftp::Gateway * ftpState)
+@@ -1939,10 +1959,8 @@
+ {
+     debugs(9, 3, HERE);
+ 
+-    if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
+-        abortAll("entry aborted when accepting data conn");
+-        data.listenConn->close();
+-        data.listenConn = NULL;
++    if (!Comm::IsConnOpen(ctrl.conn)) { /*Close handlers will cleanup*/
++        debugs(9, 5, "The control connection to the remote end is closed");
+         return;
+     }
+ 
+@@ -1955,6 +1973,14 @@
+         return;
+     }
+ 
++    if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
++        abortAll("entry aborted when accepting data conn");
++        data.listenConn->close();
++        data.listenConn = NULL;
++        io.conn->close();
++        return;
++    }
++
+     /* data listening conn is no longer even open. abort. */
+     if (!Comm::IsConnOpen(data.listenConn)) {
+         data.listenConn = NULL; // ensure that it's cleared and not just closed.
+@@ -2705,8 +2731,8 @@
+ Ftp::Gateway::completeForwarding()
+ {
+     if (fwd == NULL || flags.completed_forwarding) {
+-        debugs(9, 3, HERE << "completeForwarding avoids " <<
+-               "double-complete on FD " << ctrl.conn->fd << ", Data FD " << data.conn->fd <<
++        debugs(9, 3, "avoid double-complete on FD " <<
++               (ctrl.conn != NULL ? ctrl.conn->fd : -1) << ", Data FD " << data.conn->fd <<
+                ", this " << this << ", fwd " << fwd);
+         return;
+     }
+
diff --git a/src/patches/squid/squid-3.5-14116.patch b/src/patches/squid/squid-3.5-14116.patch
new file mode 100644
index 0000000..c92d8b8
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14116.patch
@@ -0,0 +1,38 @@
+------------------------------------------------------------
+revno: 14116
+revision-id: squid3@treenet.co.nz-20161130223332-zcaxll4prj3kag1b
+parent: squid3@treenet.co.nz-20161130215630-c42qucqar9bi9a1k
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3533
+author: Garri Djavadyan garryd@comnet.uz
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Thu 2016-12-01 11:33:32 +1300
+message:
+  Bug 3533: Cache still valid after HTTP/1.1 303 See Other
+  
+  RFC7231 does not mention 303 response as non-cacheable.
+  So, assuming that means it *is* cacheable.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161130223332-zcaxll4prj3kag1b
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: c90320c95a4b64c8d18794fbe5df526fe0f9f702
+# timestamp: 2016-11-30 22:42:05 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161130215630-\
+#   c42qucqar9bi9a1k
+# 
+# Begin patch
+=== modified file 'src/http.cc'
+--- src/http.cc	2016-10-30 09:45:03 +0000
++++ src/http.cc	2016-11-30 22:33:32 +0000
+@@ -203,6 +203,8 @@
+ 
+     case Http::scFound:
+ 
++    case Http::scSeeOther:
++
+     case Http::scGone:
+ 
+     case Http::scNotFound:
+
diff --git a/src/patches/squid/squid-3.5-14117.patch b/src/patches/squid/squid-3.5-14117.patch
new file mode 100644
index 0000000..23d5376
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14117.patch
@@ -0,0 +1,152 @@
+------------------------------------------------------------
+revno: 14117
+revision-id: squid3@treenet.co.nz-20161130232039-z18ikhhcf3j185my
+parent: squid3@treenet.co.nz-20161130223332-zcaxll4prj3kag1b
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4007
+author: Stephen Baynes sbaynes@mail.com, Amos Jeffries squid3@treenet.co.nz
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Thu 2016-12-01 12:20:39 +1300
+message:
+  Bug 4007: Hang on DNS query with dead-end CNAME
+  
+  DNS lookup recursion no longer occurs. ipcacheParse() return values are no
+  longer useful.
+  
+  Also, cleanup the debugging output.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161130232039-z18ikhhcf3j185my
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 9059c7a07e5366bd2eac606c72f875077766ed34
+# timestamp: 2016-11-30 23:27:11 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161130223332-\
+#   zcaxll4prj3kag1b
+# 
+# Begin patch
+=== modified file 'src/ipcache.cc'
+--- src/ipcache.cc	2016-01-01 00:14:27 +0000
++++ src/ipcache.cc	2016-11-30 23:20:39 +0000
+@@ -123,7 +123,6 @@
+ static FREE ipcacheFreeEntry;
+ static IDNSCB ipcacheHandleReply;
+ static int ipcacheExpiredEntry(ipcache_entry *);
+-static int ipcacheParse(ipcache_entry *, const rfc1035_rr *, int, const char *error);
+ static ipcache_entry *ipcache_get(const char *);
+ static void ipcacheLockEntry(ipcache_entry *);
+ static void ipcacheStatPrint(ipcache_entry *, StoreEntry *);
+@@ -328,8 +327,7 @@
+     ipcacheUnlockEntry(i);
+ }
+ 
+-/// \ingroup IPCacheAPI
+-static int
++static void
+ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *error_message)
+ {
+     int k;
+@@ -350,25 +348,25 @@
+     i->addrs.count = 0;
+ 
+     if (nr < 0) {
+-        debugs(14, 3, "ipcacheParse: Lookup failed '" << error_message << "' for '" << (const char *)i->hash.key << "'");
++        debugs(14, 3, "Lookup failed '" << error_message << "' for '" << (const char *)i->hash.key << "'");
+         i->error_message = xstrdup(error_message);
+-        return -1;
++        return;
+     }
+ 
+     if (nr == 0) {
+-        debugs(14, 3, "ipcacheParse: No DNS records in response to '" << name << "'");
++        debugs(14, 3, "No DNS records in response to '" << name << "'");
+         i->error_message = xstrdup("No DNS records");
+-        return -1;
++        return;
+     }
+ 
+-    debugs(14, 3, "ipcacheParse: " << nr << " answers for '" << name << "'");
++    debugs(14, 3, nr << " answers for '" << name << "'");
+     assert(answers);
+ 
+     for (k = 0; k < nr; ++k) {
+ 
+         if (Ip::EnableIpv6 && answers[k].type == RFC1035_TYPE_AAAA) {
+             if (answers[k].rdlength != sizeof(struct in6_addr)) {
+-                debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv6 address in response to '" << name << "'");
++                debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv6 address in response to '" << name << "'");
+                 continue;
+             }
+             ++na;
+@@ -378,7 +376,7 @@
+ 
+         if (answers[k].type == RFC1035_TYPE_A) {
+             if (answers[k].rdlength != sizeof(struct in_addr)) {
+-                debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv4 address in response to '" << name << "'");
++                debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv4 address in response to '" << name << "'");
+                 continue;
+             }
+             ++na;
+@@ -394,14 +392,14 @@
+         }
+ 
+         // otherwise its an unknown RR. debug at level 9 since we usually want to ignore these and they are common.
+-        debugs(14, 9, HERE << "Unknown RR type received: type=" << answers[k].type << " starting at " << &(answers[k]) );
++        debugs(14, 9, "Unknown RR type received: type=" << answers[k].type << " starting at " << &(answers[k]) );
+     }
+     if (na == 0) {
+-        debugs(14, DBG_IMPORTANT, "ipcacheParse: No Address records in response to '" << name << "'");
++        debugs(14, DBG_IMPORTANT, MYNAME << "No Address records in response to '" << name << "'");
+         i->error_message = xstrdup("No Address records");
+         if (cname_found)
+             ++IpcacheStats.cname_only;
+-        return 0;
++        return;
+     }
+ 
+     i->addrs.in_addrs = static_cast<Ip::Address *>(xcalloc(na, sizeof(Ip::Address)));
+@@ -419,7 +417,7 @@
+             memcpy(&temp, answers[k].rdata, sizeof(struct in_addr));
+             i->addrs.in_addrs[j] = temp;
+ 
+-            debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i->addrs.in_addrs[j]);
++            debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j]);
+             ++j;
+ 
+         } else if (Ip::EnableIpv6 && answers[k].type == RFC1035_TYPE_AAAA) {
+@@ -430,7 +428,7 @@
+             memcpy(&temp, answers[k].rdata, sizeof(struct in6_addr));
+             i->addrs.in_addrs[j] = temp;
+ 
+-            debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i->addrs.in_addrs[j] );
++            debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] );
+             ++j;
+         }
+         if (ttl == 0 || (int) answers[k].ttl < ttl)
+@@ -453,8 +451,6 @@
+     i->expires = squid_curtime + ttl;
+ 
+     i->flags.negcached = false;
+-
+-    return i->addrs.count;
+ }
+ 
+ /// \ingroup IPCacheInternal
+@@ -467,13 +463,9 @@
+     const int age = i->age();
+     statCounter.dns.svcTime.count(age);
+ 
+-    int done = ipcacheParse(i, answers, na, error_message);
+-
+-    /* If we have not produced either IPs or Error immediately, wait for recursion to finish. */
+-    if (done != 0 || error_message != NULL) {
+-        ipcacheAddEntry(i);
+-        ipcacheCallback(i, age);
+-    }
++    ipcacheParse(i, answers, na, error_message);
++    ipcacheAddEntry(i);
++    ipcacheCallback(i, age);
+ }
+ 
+ /**
+
diff --git a/src/patches/squid/squid-3.5-14118.patch b/src/patches/squid/squid-3.5-14118.patch
new file mode 100644
index 0000000..1e36294
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14118.patch
@@ -0,0 +1,55 @@
+------------------------------------------------------------
+revno: 14118
+revision-id: squid3@treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85
+parent: squid3@treenet.co.nz-20161130232039-z18ikhhcf3j185my
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3290
+author: Garri Djavadyan garryd@comnet.uz
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Thu 2016-12-01 12:33:04 +1300
+message:
+  Bug 3290: authenticate_ttl not working for digest authentication
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 50ff391db1484222ead5fb50b1bca0694c37ed4c
+# timestamp: 2016-11-30 23:34:59 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161130232039-\
+#   z18ikhhcf3j185my
+# 
+# Begin patch
+=== modified file 'src/auth/digest/Config.cc'
+--- src/auth/digest/Config.cc	2016-11-14 10:54:34 +0000
++++ src/auth/digest/Config.cc	2016-11-30 23:33:04 +0000
+@@ -1058,6 +1058,10 @@
+          * the user agent won't change user name without warning.
+          */
+         authDigestUserLinkNonce(digest_user, nonce);
++
++        /* auth_user is now linked, we reset these values
++         * after external auth occurs anyway */
++        auth_user->expiretime = current_time.tv_sec;
+     } else {
+         debugs(29, 9, "Found user '" << username << "' in the user cache as '" << auth_user << "'");
+         digest_user = static_cast<Auth::Digest::User *>(auth_user.getRaw());
+
+=== modified file 'src/auth/digest/UserRequest.cc'
+--- src/auth/digest/UserRequest.cc	2016-01-01 00:14:27 +0000
++++ src/auth/digest/UserRequest.cc	2016-11-30 23:33:04 +0000
+@@ -187,12 +187,7 @@
+     auth_user->credentials(Auth::Ok);
+ 
+     /* password was checked and did match */
+-    debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK");
+-
+-    /* auth_user is now linked, we reset these values
+-     * after external auth occurs anyway */
+-    auth_user->expiretime = current_time.tv_sec;
+-    return;
++    debugs(29, 4, "user '" << auth_user->username() << "' validated OK");
+ }
+ 
+ Auth::Direction
+
diff --git a/src/patches/squid/squid-3.5-14119.patch b/src/patches/squid/squid-3.5-14119.patch
new file mode 100644
index 0000000..d6e85a5
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14119.patch
@@ -0,0 +1,184 @@
+------------------------------------------------------------
+revno: 14119
+revision-id: squid3@treenet.co.nz-20161209015833-xm965d5l6u03qhew
+parent: squid3@treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4174
+author: Christos Tsantilas chtsanti@users.sourceforge.net
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Fri 2016-12-09 14:58:33 +1300
+message:
+  Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion.
+  
+  The following sequence of events triggers this assertion:
+    - The server sends an 1xx control message.
+    - http.cc schedules ConnStateData::sendControlMsg call.
+    - Before sendControlMsg is fired, http.cc detects an error (e.g., I/O
+      error or timeout) and starts writing the reply to the user.
+    - The ConnStateData::sendControlMsg is fired, starts writing 1xx, and
+      hits the "no concurrent writes" assertion.
+  
+  We could only reproduce this sequence in the lab after changing Squid
+  code to trigger a timeout at the right moment, but the sequence looks
+  plausible. Other event sequences might result in the same outcome.
+  
+  To avoid concurrent writes, Squid now drops the control message if
+  Http::One::Server detects that a reply is already being written. Also,
+  ConnStateData delays reply writing until a pending control message write
+  has been completed.
+  
+  This is a Measurement Factory project.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161209015833-xm965d5l6u03qhew
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 103c6fc1fa45d78ba7f9e85ab3d89fff898ee762
+# timestamp: 2016-12-09 02:51:06 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161130233304-\
+#   lk3q0bx8gn5l3l85
+# 
+# Begin patch
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc	2016-09-23 20:49:24 +0000
++++ src/client_side.cc	2016-12-09 01:58:33 +0000
+@@ -340,7 +340,21 @@
+     AsyncCall::Pointer call = commCbCall(33, 5, "ClientSocketContext::wroteControlMsg",
+                                          CommIoCbPtrFun(&WroteControlMsg, this));
+ 
+-    getConn()->writeControlMsgAndCall(this, rep.getRaw(), call);
++    if (!getConn()->writeControlMsgAndCall(this, rep.getRaw(), call)) {
++        // but still inform the caller (so it may resume its operation)
++        doneWithControlMsg();
++    }
++}
++
++void
++ClientSocketContext::doneWithControlMsg()
++{
++    ScheduleCallHere(cbControlMsgSent);
++    cbControlMsgSent = NULL;
++
++    debugs(33, 3, clientConnection << ": calling PushDeferredIfNeeded after control msg wrote");
++    ClientSocketContextPushDeferredIfNeeded(this, getConn());
++
+ }
+ 
+ /// called when we wrote the 1xx response
+@@ -351,7 +365,7 @@
+         return;
+ 
+     if (errflag == Comm::OK) {
+-        ScheduleCallHere(cbControlMsgSent);
++        doneWithControlMsg();
+         return;
+     }
+ 
+@@ -1455,6 +1469,8 @@
+ 
+     if (context != http->getConn()->getCurrentContext())
+         context->deferRecipientForLater(node, rep, receivedData);
++    else if (context->controlMsgIsPending())
++        context->deferRecipientForLater(node, rep, receivedData);
+     else
+         http->getConn()->handleReply(rep, receivedData);
+ 
+
+=== modified file 'src/client_side.h'
+--- src/client_side.h	2016-06-18 13:36:07 +0000
++++ src/client_side.h	2016-12-09 01:58:33 +0000
+@@ -129,9 +129,13 @@
+     /// starts writing 1xx control message to the client
+     void writeControlMsg(HttpControlMsg &msg);
+ 
++    /// true if 1xx to the user is pending
++    bool controlMsgIsPending() {return cbControlMsgSent != NULL;}
++
+ protected:
+     static IOCB WroteControlMsg;
+     void wroteControlMsg(const Comm::ConnectionPointer &conn, char *bufnotused, size_t size, Comm::Flag errflag, int xerrno);
++    void doneWithControlMsg();
+ 
+ private:
+     void prepareReply(HttpReply * rep);
+@@ -387,7 +391,7 @@
+     void connectionTag(const char *aTag) { connectionTag_ = aTag; }
+ 
+     /// handle a control message received by context from a peer and call back
+-    virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call) = 0;
++    virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call) = 0;
+ 
+     /// ClientStream calls this to supply response header (once) and data
+     /// for the current ClientSocketContext.
+
+=== modified file 'src/servers/FtpServer.cc'
+--- src/servers/FtpServer.cc	2016-06-30 21:09:12 +0000
++++ src/servers/FtpServer.cc	2016-12-09 01:58:33 +0000
+@@ -1152,12 +1152,13 @@
+     writeErrorReply(reply, 451);
+ }
+ 
+-void
++bool
+ Ftp::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpReply *reply, AsyncCall::Pointer &call)
+ {
+     // the caller guarantees that we are dealing with the current context only
+     // the caller should also make sure reply->header.has(HDR_FTP_STATUS)
+     writeForwardedReplyAndCall(reply, call);
++    return true;
+ }
+ 
+ void
+
+=== modified file 'src/servers/FtpServer.h'
+--- src/servers/FtpServer.h	2016-03-15 18:14:15 +0000
++++ src/servers/FtpServer.h	2016-12-09 01:58:33 +0000
+@@ -94,7 +94,7 @@
+     virtual void clientPinnedConnectionClosed(const CommCloseCbParams &io);
+     virtual void handleReply(HttpReply *header, StoreIOBuffer receivedData);
+     virtual int pipelinePrefetchMax() const;
+-    virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call);
++    virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call);
+     virtual time_t idleTimeout() const;
+ 
+     /* BodyPipe API */
+
+=== modified file 'src/servers/HttpServer.cc'
+--- src/servers/HttpServer.cc	2016-01-01 00:14:27 +0000
++++ src/servers/HttpServer.cc	2016-12-09 01:58:33 +0000
+@@ -35,7 +35,7 @@
+     virtual ClientSocketContext *parseOneRequest(Http::ProtocolVersion &ver);
+     virtual void processParsedRequest(ClientSocketContext *context, const Http::ProtocolVersion &ver);
+     virtual void handleReply(HttpReply *rep, StoreIOBuffer receivedData);
+-    virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call);
++    virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call);
+     virtual time_t idleTimeout() const;
+ 
+     /* BodyPipe API */
+@@ -167,9 +167,16 @@
+     context->sendStartOfMessage(rep, receivedData);
+ }
+ 
+-void
++bool
+ Http::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call)
+ {
++    // Ignore this late control message if we have started sending a 
++    // reply to the user already (e.g., after an error).
++    if (context->reply) {
++        debugs(11, 2, "drop 1xx made late by " << context->reply);
++        return false;
++    }
++
+     // apply selected clientReplyContext::buildReplyHeader() mods
+     // it is not clear what headers are required for control messages
+     rep->header.removeHopByHopEntries();
+@@ -184,6 +191,7 @@
+     Comm::Write(context->clientConnection, mb, call);
+ 
+     delete mb;
++    return true;
+ }
+ 
+ ConnStateData *
+
diff --git a/src/patches/squid/squid-3.5-14120.patch b/src/patches/squid/squid-3.5-14120.patch
new file mode 100644
index 0000000..4d28d4a
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14120.patch
@@ -0,0 +1,62 @@
+------------------------------------------------------------
+revno: 14120
+revision-id: squid3@treenet.co.nz-20161209034636-wytrnx7ks2jv0sxt
+parent: squid3@treenet.co.nz-20161209015833-xm965d5l6u03qhew
+author: Egervary Gergely gergely@egervary.hu
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Fri 2016-12-09 16:46:36 +1300
+message:
+  Support IPv6 NAT with PF for NetBSD and FreeBSD
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161209034636-wytrnx7ks2jv0sxt
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: b47da8d30fe000bbe50ea978bab7594065f7dc07
+# timestamp: 2016-12-09 03:51:01 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161209015833-\
+#   xm965d5l6u03qhew
+# 
+# Begin patch
+=== modified file 'src/ip/Intercept.cc'
+--- src/ip/Intercept.cc	2016-10-25 08:25:30 +0000
++++ src/ip/Intercept.cc	2016-12-09 03:46:36 +0000
+@@ -339,13 +339,20 @@
+     }
+ 
+     memset(&nl, 0, sizeof(struct pfioc_natlook));
+-    newConn->remote.getInAddr(nl.saddr.v4);
++
++    if (newConn->remote.isIPv6()) {
++        newConn->remote.getInAddr(nl.saddr.v6);
++        newConn->local.getInAddr(nl.daddr.v6);
++        nl.af = AF_INET6;
++    } else {
++        newConn->remote.getInAddr(nl.saddr.v4);
++        newConn->local.getInAddr(nl.daddr.v4);
++        nl.af = AF_INET;
++    }
++
+     nl.sport = htons(newConn->remote.port());
+-
+-    newConn->local.getInAddr(nl.daddr.v4);
+     nl.dport = htons(newConn->local.port());
+ 
+-    nl.af = AF_INET;
+     nl.proto = IPPROTO_TCP;
+     nl.direction = PF_OUT;
+ 
+@@ -361,7 +368,10 @@
+         debugs(89, 9, HERE << "address: " << newConn);
+         return false;
+     } else {
+-        newConn->local = nl.rdaddr.v4;
++        if (newConn->remote.isIPv6())
++            newConn->local = nl.rdaddr.v6;
++        else
++            newConn->local = nl.rdaddr.v4;
+         newConn->local.port(ntohs(nl.rdport));
+         debugs(89, 5, HERE << "address NAT: " << newConn);
+         return true;
+
diff --git a/src/patches/squid/squid-3.5-14121.patch b/src/patches/squid/squid-3.5-14121.patch
new file mode 100644
index 0000000..36f3f7a
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14121.patch
@@ -0,0 +1,36 @@
+------------------------------------------------------------
+revno: 14121
+revision-id: squid3@treenet.co.nz-20161209043304-krtzvsm4a0zbzgi8
+parent: squid3@treenet.co.nz-20161209034636-wytrnx7ks2jv0sxt
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4406
+author: Michael Buchau mike@m-buchau.de
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: 3.5
+timestamp: Fri 2016-12-09 17:33:04 +1300
+message:
+  Bug 4406: SIGSEV in TunnelStateData::handleConnectResponse() during reconfigure and restart
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161209043304-krtzvsm4a0zbzgi8
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ce1153061cb79ac9ede6851f438ec830ed7a3e78
+# timestamp: 2016-12-09 04:51:01 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161209034636-\
+#   wytrnx7ks2jv0sxt
+# 
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc	2016-08-17 13:34:13 +0000
++++ src/tunnel.cc	2016-12-09 04:33:04 +0000
+@@ -475,7 +475,8 @@
+     *status_ptr = rep.sline.status();
+ 
+     // we need to relay the 401/407 responses when login=PASS(THRU)
+-    const char *pwd = server.conn->getPeer()->login;
++    const CachePeer *peer = server.conn->getPeer();
++    const char *pwd = (peer ? peer->login : NULL);
+     const bool relay = pwd && (strcmp(pwd, "PASS") == 0 || strcmp(pwd, "PASSTHRU") == 0) &&
+                        (*status_ptr == Http::scProxyAuthenticationRequired ||
+                         *status_ptr == Http::scUnauthorized);
+
diff --git a/src/patches/squid/squid-3.5-14122.patch b/src/patches/squid/squid-3.5-14122.patch
new file mode 100644
index 0000000..292306e
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14122.patch
@@ -0,0 +1,34 @@
+------------------------------------------------------------
+revno: 14122
+revision-id: squidadm@squid-cache.org-20161209061551-361ava4lrrmbwiy9
+parent: squid3@treenet.co.nz-20161209043304-krtzvsm4a0zbzgi8
+committer: Source Maintenance squidadm@squid-cache.org
+branch nick: 3.5
+timestamp: Fri 2016-12-09 06:15:51 +0000
+message:
+  SourceFormat Enforcement
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squidadm@squid-cache.org-20161209061551-\
+#   361ava4lrrmbwiy9
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: cb4bfe0e0aaf3e3d107ffb16e2729c6f46d5a822
+# timestamp: 2016-12-09 06:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161209043304-\
+#   krtzvsm4a0zbzgi8
+# 
+# Begin patch
+=== modified file 'src/servers/HttpServer.cc'
+--- src/servers/HttpServer.cc	2016-12-09 01:58:33 +0000
++++ src/servers/HttpServer.cc	2016-12-09 06:15:51 +0000
+@@ -170,7 +170,7 @@
+ bool
+ Http::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call)
+ {
+-    // Ignore this late control message if we have started sending a 
++    // Ignore this late control message if we have started sending a
+     // reply to the user already (e.g., after an error).
+     if (context->reply) {
+         debugs(11, 2, "drop 1xx made late by " << context->reply);
+
hooks/post-receive
--
IPFire 2.x development tree

    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[git.ipfire.org] IPFire 2.x development tree branch, master, updated. b26b242a9c5f9bc5b0a941782b2d57465dc69565