This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  6426c4066f85a9c706df2c141fbf9604739a78c3 (commit)
       via  4ce082a4dd427ea9a9d94241f1f2ce04e72d98a6 (commit)
       via  262c48be60bbfaa1f190aeacffd303800f3090cf (commit)
       via  cc8f79f95fea8a2eb87f888c472c311df585035e (commit)
       via  cc2a2209d8797569013c9dec58ff10e49dfabec5 (commit)
       via  67214dc2eb6b0a7c1b0f43e049a0aad6802a8db1 (commit)
       via  31986a351cc54a07a2205f5426e80e143afa87c5 (commit)
      from  6268c62384c17112f10cb0c6acc3b0951eb81f2c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 6426c4066f85a9c706df2c141fbf9604739a78c3
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Dec 6 14:20:16 2016 +0000

    core108: Ship updated squid

    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 4ce082a4dd427ea9a9d94241f1f2ce04e72d98a6
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Fri Dec 2 23:22:22 2016 +0100

    squid 3.5.22: latest patches (14114-14118)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 262c48be60bbfaa1f190aeacffd303800f3090cf
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Wed Nov 30 18:50:05 2016 +0100

    squid 3.5.22: latest patches (14103-14113)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit cc8f79f95fea8a2eb87f888c472c311df585035e
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Fri Oct 28 09:49:32 2016 +0200

    squid 3.5.22: latest patches (14100-14102)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit cc2a2209d8797569013c9dec58ff10e49dfabec5
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Fri Oct 21 20:30:29 2016 +0200

    squid 3.5.22: latest patch (14099)

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 67214dc2eb6b0a7c1b0f43e049a0aad6802a8db1
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Dec 6 14:17:05 2016 +0000

    core108: Ship updated NTP

    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 31986a351cc54a07a2205f5426e80e143afa87c5
Author: Matthias Fischer matthias.fischer@ipfire.org
Date:   Thu Dec 1 18:32:31 2016 +0100

    ntp: Update to 4.2.8p9

    "It addresses 1 high-, 2 medium-, 2 medium-/low-, and 5 low-severity
    security issues, 28 bugfixes, and contains other improvements over 4.2.8p8."

    For a complete list, see:
    http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

    Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 .../{oldcore/96 => core/108}/filelists/ntp   |   0
 .../{oldcore/94 => core/108}/filelists/squid |   0
 config/rootfiles/core/108/update.sh          |   3 +
 lfs/ntp                                      |   6 +-
 lfs/squid                                    |  20 +++
 src/patches/squid/squid-3.5-14099.patch      |  65 +++++++
 src/patches/squid/squid-3.5-14100.patch      |  39 ++++
 src/patches/squid/squid-3.5-14101.patch      |  59 ++++++
 src/patches/squid/squid-3.5-14102.patch      |  38 ++++
 src/patches/squid/squid-3.5-14103.patch      |  61 +++++++
 src/patches/squid/squid-3.5-14104.patch      |  66 +++++++
 src/patches/squid/squid-3.5-14105.patch      |  48 +++++
 src/patches/squid/squid-3.5-14106.patch      |  34 ++++
 src/patches/squid/squid-3.5-14107.patch      |  56 ++++++
 src/patches/squid/squid-3.5-14108.patch      |  33 ++++
 src/patches/squid/squid-3.5-14109.patch      | 167 +++++++++++++++++
 src/patches/squid/squid-3.5-14110.patch      | 102 +++++++++++
 src/patches/squid/squid-3.5-14111.patch      |  43 +++++
 src/patches/squid/squid-3.5-14112.patch      |  60 +++++++
 src/patches/squid/squid-3.5-14113.patch      |  47 +++++
 src/patches/squid/squid-3.5-14114.patch      |  46 +++++
 src/patches/squid/squid-3.5-14115.patch      | 197 +++++++++++++++++++++
 src/patches/squid/squid-3.5-14116.patch      |  38 ++++
 src/patches/squid/squid-3.5-14117.patch      | 152 ++++++++++++++++
 src/patches/squid/squid-3.5-14118.patch      |  55 ++++++
 25 files changed, 1432 insertions(+), 3 deletions(-)
 copy config/rootfiles/{oldcore/96 => core/108}/filelists/ntp (100%)
 copy config/rootfiles/{oldcore/94 => core/108}/filelists/squid (100%)
 create mode 100644 src/patches/squid/squid-3.5-14099.patch
 create mode 100644 src/patches/squid/squid-3.5-14100.patch
 create mode 100644 src/patches/squid/squid-3.5-14101.patch
 create mode 100644 src/patches/squid/squid-3.5-14102.patch
 create mode 100644 src/patches/squid/squid-3.5-14103.patch
 create mode 100644 src/patches/squid/squid-3.5-14104.patch
 create mode 100644 src/patches/squid/squid-3.5-14105.patch
 create mode 100644 src/patches/squid/squid-3.5-14106.patch
 create mode 100644 src/patches/squid/squid-3.5-14107.patch
 create mode 100644 src/patches/squid/squid-3.5-14108.patch
 create mode 100644 src/patches/squid/squid-3.5-14109.patch
 create mode 100644 src/patches/squid/squid-3.5-14110.patch
 create mode 100644 src/patches/squid/squid-3.5-14111.patch
 create mode 100644 src/patches/squid/squid-3.5-14112.patch
 create mode 100644 src/patches/squid/squid-3.5-14113.patch
 create mode 100644 src/patches/squid/squid-3.5-14114.patch
 create mode 100644 src/patches/squid/squid-3.5-14115.patch
 create mode 100644 src/patches/squid/squid-3.5-14116.patch
 create mode 100644 src/patches/squid/squid-3.5-14117.patch
 create mode 100644 src/patches/squid/squid-3.5-14118.patch
Difference in files: diff --git a/config/rootfiles/core/108/filelists/ntp b/config/rootfiles/core/108/filelists/ntp new file mode 120000 index 0000000..7542d86 --- /dev/null +++ b/config/rootfiles/core/108/filelists/ntp @@ -0,0 +1 @@ +../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/core/108/filelists/squid b/config/rootfiles/core/108/filelists/squid new file mode 120000 index 0000000..2dc8372 --- /dev/null +++ b/config/rootfiles/core/108/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/108/update.sh b/config/rootfiles/core/108/update.sh index ba4a669..7a4bcd3 100644 --- a/config/rootfiles/core/108/update.sh +++ b/config/rootfiles/core/108/update.sh @@ -33,6 +33,7 @@ done
# Stop services /etc/init.d/ipsec stop +/etc/init.d/squid stop
# Extract files extract_files @@ -51,6 +52,8 @@ ldconfig if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then /etc/init.d/ipsec start fi +/etc/init.d/ntp restart +/etc/init.d/squid start
# This update need a reboot... #touch /var/run/need_reboot diff --git a/lfs/ntp b/lfs/ntp index 536a4a8..572bb88 100644 --- a/lfs/ntp +++ b/lfs/ntp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2016 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.2.8p8 +VER = 4.2.8p9
THISAPP = ntp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4a8636260435b230636f053ffd070e34 +$(DL_FILE)_MD5 = 857452b05f5f2e033786f77ade1974ed
install : $(TARGET)
diff --git a/lfs/squid b/lfs/squid index 269c663..0642532 100644 --- a/lfs/squid +++ b/lfs/squid 
@@ -70,6 +70,26 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14099.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14100.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14101.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14102.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14103.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14104.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14105.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14106.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14107.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14108.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14109.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14110.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14111.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14112.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14113.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14114.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14115.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14116.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14117.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14118.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.22-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/squid-3.5-14099.patch b/src/patches/squid/squid-3.5-14099.patch new file mode 100644 index 0000000..0e10eff --- /dev/null +++ b/src/patches/squid/squid-3.5-14099.patch 
@@ -0,0 +1,65 @@ +------------------------------------------------------------ +revno: 14099 +revision-id: squid3@treenet.co.nz-20161015042024-jagzafukd2t6gcr0 +parent: squid3@treenet.co.nz-20161009195739-pcju9hl8vqwijt26 +author: Alex Rousskov rousskov@measurement-factory.com +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sat 2016-10-15 17:20:24 +1300 +message: + Fix build with eCAP but without ICAP support. + + That is, when ./configured with --enable-ecap --disable-icap-client. + + AccessLogEntry::icap requires ICAP_CLIENT, not just USE_ADAPTATION. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161015042024-jagzafukd2t6gcr0 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 4cd2e7bf4e2be0acd252963afc107537b17450fc +# timestamp: 2016-10-15 04:52:07 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161009195739-\ +# pcju9hl8vqwijt26 +# +# Begin patch +=== modified file 'src/format/Format.cc' +--- src/format/Format.cc 2016-09-16 11:53:28 +0000 ++++ src/format/Format.cc 2016-10-15 04:20:24 +0000 +@@ -318,7 +318,7 @@ + actualReplyHeader(const AccessLogEntry::Pointer &al) + { + const HttpMsg *msg = al->reply; +-#if USE_ADAPTATION ++#if ICAP_CLIENT + // al->icap.reqMethod is methodNone in access.log context + if (!msg && al->icap.reqMethod == Adaptation::methodReqmod) + msg = al->adapted_request; +@@ -331,7 +331,7 @@ + static const HttpMsg * + actualRequestHeader(const AccessLogEntry::Pointer &al) + { +-#if USE_ADAPTATION ++#if ICAP_CLIENT + // al->icap.reqMethod is methodNone in access.log context + if (al->icap.reqMethod == Adaptation::methodRespmod) { + // XXX: for now AccessLogEntry lacks virgin response headers +@@ -819,7 +819,7 @@ + break; + + case LFT_REQUEST_ALL_HEADERS: +-#if USE_ADAPTATION ++#if ICAP_CLIENT + if (al->icap.reqMethod == 
Adaptation::methodRespmod) { + // XXX: since AccessLogEntry::Headers lacks virgin response + // headers, do nothing for now +@@ -843,7 +843,7 @@ + + case LFT_REPLY_ALL_HEADERS: + out = al->headers.reply; +-#if USE_ADAPTATION ++#if ICAP_CLIENT + if (!out && al->icap.reqMethod == Adaptation::methodReqmod) + out = al->headers.adapted_request; + #endif + diff --git a/src/patches/squid/squid-3.5-14100.patch b/src/patches/squid/squid-3.5-14100.patch new file mode 100644 index 0000000..7e5335a --- /dev/null +++ b/src/patches/squid/squid-3.5-14100.patch 
@@ -0,0 +1,39 @@ +------------------------------------------------------------ +revno: 14100 +revision-id: squid3@treenet.co.nz-20161025081949-3sxzd0n4snmadlke +parent: squid3@treenet.co.nz-20161015042024-jagzafukd2t6gcr0 +author: Christos Tsantilas chtsanti@users.sourceforge.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-10-25 21:19:49 +1300 +message: + Fix regression bug introduced by r14089. + + Squid crashed because HttpMsg::body_pipe was used without check that it + was initialized. The message lacks body pipe when it has no body or + empty body. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161025081949-3sxzd0n4snmadlke +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50468130801fc3ebf75129c103bcfe4be9b6d4b7 +# timestamp: 2016-10-25 08:28:30 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161015042024-\ +# jagzafukd2t6gcr0 +# +# Begin patch +=== modified file 'src/adaptation/icap/ModXact.cc' +--- src/adaptation/icap/ModXact.cc 2016-09-16 18:50:04 +0000 ++++ src/adaptation/icap/ModXact.cc 2016-10-25 08:19:49 +0000 +@@ -1303,7 +1303,8 @@ + virgin_msg = virgin_request_; + assert(virgin_msg != virgin.cause); + al.http.clientRequestSz.header = virgin_msg->hdr_sz; +- al.http.clientRequestSz.payloadData = virgin_msg->body_pipe->producedSize(); ++ if (virgin_msg->body_pipe != NULL) ++ al.http.clientRequestSz.payloadData = virgin_msg->body_pipe->producedSize(); + + // leave al.icap.bodyBytesRead negative if no body + if (replyHttpHeaderSize >= 0 || replyHttpBodySize >= 0) { + diff --git a/src/patches/squid/squid-3.5-14101.patch b/src/patches/squid/squid-3.5-14101.patch new file mode 100644 index 0000000..92ff4d4 --- /dev/null +++ b/src/patches/squid/squid-3.5-14101.patch 
@@ -0,0 +1,59 @@ +------------------------------------------------------------ +revno: 14101 +revision-id: squid3@treenet.co.nz-20161025082349-4gds2nic8qcahkem +parent: squid3@treenet.co.nz-20161025081949-3sxzd0n4snmadlke +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-10-25 21:23:49 +1300 +message: + Fix external_acl_type default children documentations + + The max children has always been 5, not 20. + + Also, make mgr:config report dumper actually hide only the real default + values. (sync with helper/ChildConfig.cc defaults) +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161025082349-4gds2nic8qcahkem +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 02234eff0589032ea31d911c20f792617eeb18a9 +# timestamp: 2016-10-25 08:28:32 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161025081949-\ +# 3sxzd0n4snmadlke +# +# Begin patch +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-09-23 15:28:42 +0000 ++++ src/cf.data.pre 2016-10-25 08:23:49 +0000 +@@ -678,7 +678,7 @@ + + children-max=n + Maximum number of acl helper processes spawned to service +- external acl lookups of this type. (default 20) ++ external acl lookups of this type. 
(default 5) + + children-startup=n + Minimum number of acl helper processes to spawn during + +=== modified file 'src/external_acl.cc' +--- src/external_acl.cc 2016-05-17 18:14:16 +0000 ++++ src/external_acl.cc 2016-10-25 08:23:49 +0000 +@@ -474,13 +474,13 @@ + if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN) + storeAppendPrintf(sentry, " children-max=%d", node->children.n_max); + +- if (node->children.n_startup != 1) ++ if (node->children.n_startup != 0) // sync with helper/ChildConfig.cc default + storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup); + +- if (node->children.n_idle != (node->children.n_max + node->children.n_startup) ) ++ if (node->children.n_idle != 1) // sync with helper/ChildConfig.cc default + storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle); + +- if (node->children.concurrency) ++ if (node->children.concurrency != 0) + storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency); + + if (node->cache) + diff --git a/src/patches/squid/squid-3.5-14102.patch b/src/patches/squid/squid-3.5-14102.patch new file mode 100644 index 0000000..f592531 --- /dev/null +++ b/src/patches/squid/squid-3.5-14102.patch 
@@ -0,0 +1,38 @@ +------------------------------------------------------------ +revno: 14102 +revision-id: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et +parent: squid3@treenet.co.nz-20161025082349-4gds2nic8qcahkem +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4620 +author: Takahiro Kambe taca@back-street.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-10-25 21:25:30 +1300 +message: + Bug 4620: NetBSD build error with --enable-ipf-transparent + + On NetBSD sys/param.h must be included before netinet/ip_compat.h +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: eedfc8764a631aa008fd4aba589ca08ee161c3a5 +# timestamp: 2016-10-25 08:28:35 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161025082349-\ +# 4gds2nic8qcahkem +# +# Begin patch +=== modified file 'src/ip/Intercept.cc' +--- src/ip/Intercept.cc 2016-10-09 00:14:14 +0000 ++++ src/ip/Intercept.cc 2016-10-25 08:25:30 +0000 +@@ -25,6 +25,9 @@ + #define IPFILTER_VERSION 5000004 + #endif + ++#if HAVE_SYS_PARAM_H ++#include <sys/param.h> ++#endif + #if HAVE_SYS_IOCCOM_H + #include <sys/ioccom.h> + #endif + diff --git a/src/patches/squid/squid-3.5-14103.patch b/src/patches/squid/squid-3.5-14103.patch new file mode 100644 index 0000000..816aa91 --- /dev/null +++ b/src/patches/squid/squid-3.5-14103.patch 
@@ -0,0 +1,61 @@ +------------------------------------------------------------ +revno: 14103 +revision-id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v +parent: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4627 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 12:26:28 +1300 +message: + Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs + + For Squid-3 the fix is just to update the documentation. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: ea728cefc977ea5489da01b7a742821121c29476 +# timestamp: 2016-10-29 23:51:13 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161025082530-\ +# do632qnr9bwyk5et +# +# Begin patch +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-10-25 08:23:49 +0000 ++++ src/cf.data.pre 2016-10-29 23:26:28 +0000 +@@ -1787,13 +1787,12 @@ + certificate equals lifetime of the CA certificate. If + generated certificate is selfsigned lifetime is three + years. +- This option is enabled by default when ssl-bump is used. +- See the ssl-bump option above for more information. ++ This option is disabled by default. See the ssl-bump ++ option above for more information. + + dynamic_cert_mem_cache_size=SIZE + Approximate total RAM size spent on cached generated +- certificates. If set to zero, caching is disabled. The +- default value is 4MB. ++ certificates. If set to zero, caching is disabled. + + TLS / SSL Options: + +@@ -2063,13 +2062,12 @@ + certificate equals lifetime of CA certificate. If + generated certificate is selfsigned lifetime is three + years. +- This option is enabled by default when SslBump is used. 
+- See the sslBump option above for more information. ++ This option is disabled by default. See the ssl-bump ++ option above for more information. + + dynamic_cert_mem_cache_size=SIZE + Approximate total RAM size spent on cached generated +- certificates. If set to zero, caching is disabled. The +- default value is 4MB. ++ certificates. If set to zero, caching is disabled. + + See http_port for a list of available options. + DOC_END + diff --git a/src/patches/squid/squid-3.5-14104.patch b/src/patches/squid/squid-3.5-14104.patch new file mode 100644 index 0000000..c5d6ed0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14104.patch 
@@ -0,0 +1,66 @@ +------------------------------------------------------------ +revno: 14104 +revision-id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +parent: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:38:16 +1300 +message: + Copyright: add some missing blurbs and contributor details +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8d44709a8f9c34926ce569e58aef82603a3d514b +# timestamp: 2016-10-30 09:40:44 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161029232628-\ +# 1y2u918re62uqs3v +# +# Begin patch +=== modified file 'CONTRIBUTORS' +--- CONTRIBUTORS 2016-01-06 14:27:36 +0000 ++++ CONTRIBUTORS 2016-10-30 09:38:16 +0000 +@@ -211,6 +211,8 @@ + Joe Ramey ramey@jello.csc.ti.com + Joerg Lehrke jlehrke@noc.de + Johnathan Conley johnathan.conley@gmail.com ++ John@MCC.ac.uk ++ John@Pharmweb.NET + John Dilley jad@hpl.hp.com + John M Cooper john.cooper@yourcommunications.co.uk + John Saunders johns@rd.scitec.com.au + +=== modified file 'contrib/url-normalizer.pl' +--- contrib/url-normalizer.pl 1996-12-07 00:54:31 +0000 ++++ contrib/url-normalizer.pl 2016-10-30 09:38:16 +0000 +@@ -1,4 +1,11 @@ + #!/usr/local/bin/perl -Tw ++# ++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors ++# * ++# * Squid software is distributed under GPLv2+ license and includes ++# * contributions from numerous individuals and organizations. ++# * Please see the COPYING and CONTRIBUTORS files for details. ++# + + # 
From: Markus Gyger mgyger@itr.ch + # + +=== modified file 'contrib/user-agents.pl' +--- contrib/user-agents.pl 1996-12-07 00:28:56 +0000 ++++ contrib/user-agents.pl 2016-10-30 09:38:16 +0000 +@@ -1,5 +1,13 @@ + #!/usr/bin/perl + # ++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors ++# * ++# * Squid software is distributed under GPLv2+ license and includes ++# * contributions from numerous individuals and organizations. ++# * Please see the COPYING and CONTRIBUTORS files for details. ++# ++ ++# + # John@MCC.ac.uk + # John@Pharmweb.NET + diff --git a/src/patches/squid/squid-3.5-14105.patch b/src/patches/squid/squid-3.5-14105.patch new file mode 100644 index 0000000..d73dcea --- /dev/null +++ b/src/patches/squid/squid-3.5-14105.patch 
@@ -0,0 +1,48 @@ +------------------------------------------------------------ +revno: 14105 +revision-id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +parent: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4567 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:39:20 +1300 +message: + Bug 4567: Strange IPv6 shown in access.log +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8dbae4e7fc5fb80afc6eee6800743abd1b1eaa47 +# timestamp: 2016-10-30 09:40:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030093816-\ +# 7vwnk5zrrql2p5ks +# +# Begin patch +=== modified file 'src/AccessLogEntry.cc' +--- src/AccessLogEntry.cc 2016-01-01 00:14:27 +0000 ++++ src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000 +@@ -30,14 +30,17 @@ + log_ip = request->indirect_client_addr; + else + #endif +- if (tcpClient != NULL) ++ if (tcpClient) + log_ip = tcpClient->remote; +- else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client +- strncpy(buf, "-", bufsz); +- return; +- } else ++ else + log_ip = cache.caddr; + ++ // internally generated requests (and some ICAP) lack client IP ++ if (log_ip.isNoAddr()) { ++ strncpy(buf, "-", bufsz); ++ return; ++ } ++ + // Apply so-called 'privacy masking' to IPv4 clients + // - localhost IP is always shown in full + // - IPv4 clients masked with client_netmask + diff --git a/src/patches/squid/squid-3.5-14106.patch b/src/patches/squid/squid-3.5-14106.patch new file mode 100644 index 0000000..cd3f63f --- /dev/null +++ b/src/patches/squid/squid-3.5-14106.patch 
@@ -0,0 +1,34 @@ +------------------------------------------------------------ +revno: 14106 +revision-id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d +parent: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:40:25 +1300 +message: + Fix debug message in ACLChecklist::bannedAction() +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 4fd7942b294096f5c27e3d460b6d4c79580443e1 +# timestamp: 2016-10-30 09:40:49 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030093920-\ +# 5f7f2px9ea08rxlq +# +# Begin patch +=== modified file 'src/acl/Checklist.cc' +--- src/acl/Checklist.cc 2016-01-01 00:14:27 +0000 ++++ src/acl/Checklist.cc 2016-10-30 09:40:25 +0000 +@@ -397,7 +397,7 @@ + ACLChecklist::bannedAction(const allow_t &action) const + { + const bool found = std::find(bannedActions_.begin(), bannedActions_.end(), action) != bannedActions_.end(); +- debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " is " : "is not") << " banned"); ++ debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "' is " : "' is not") << " banned"); + return found; + } + + diff --git a/src/patches/squid/squid-3.5-14107.patch b/src/patches/squid/squid-3.5-14107.patch new file mode 100644 index 0000000..34b0ace --- /dev/null +++ b/src/patches/squid/squid-3.5-14107.patch 
@@ -0,0 +1,56 @@ +------------------------------------------------------------ +revno: 14107 +revision-id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns +parent: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:45:03 +1300 +message: + HTTP/1.1: make Vary:* objects cacheable + + Under new clauses from RFC 7231 section 7.1.4 and HTTP response + containing header Vary:* (wifcard variant) can be cached, but + requires revalidation with server before each use. + + Use the new mandatory revalidation flags to allow storing of any + wildcard Vary:* response. + + Note that responses with headers like Vary:A,B,C,* are equivalent + to Vary:*. The cache key string for these objects is normalized. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 2652a5a689745e31fc450e0dfd1c5c472f6d68d6 +# timestamp: 2016-10-30 09:45:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030094025-\ +# l4b8fdahoru8h16d +# +# Begin patch +=== modified file 'src/http.cc' +--- src/http.cc 2016-10-09 19:47:26 +0000 ++++ src/http.cc 2016-10-30 09:45:03 +0000 +@@ -594,7 +594,7 @@ + while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { + SBuf name(item, ilen); + if (name == asterisk) { +- vstr.clear(); ++ vstr = asterisk; + break; + } + name.toLower(); +@@ -917,6 +917,12 @@ + varyFailure = true; + } else { + entry->mem_obj->vary_headers = vary; ++ ++ // RFC 7231 section 7.1.4 ++ // Vary:* can be cached, but has mandatory revalidation ++ static const SBuf asterisk("*"); ++ if (vary == asterisk) ++ EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS); + } + } + + 
diff --git a/src/patches/squid/squid-3.5-14108.patch b/src/patches/squid/squid-3.5-14108.patch new file mode 100644 index 0000000..282fe41 --- /dev/null +++ b/src/patches/squid/squid-3.5-14108.patch @@ -0,0 +1,33 @@ +------------------------------------------------------------ +revno: 14108 +revision-id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx +parent: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Wed 2016-11-02 00:22:31 +1300 +message: + Fix build issue after rev.14105 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fea1ede525ccb3ad7bf50e8de8f125a86a8dc016 +# timestamp: 2016-11-01 11:51:06 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030094503-\ +# rwdft21ffff44rns +# +# Begin patch +=== modified file 'src/AccessLogEntry.cc' +--- src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000 ++++ src/AccessLogEntry.cc 2016-11-01 11:22:31 +0000 +@@ -30,7 +30,7 @@ + log_ip = request->indirect_client_addr; + else + #endif +- if (tcpClient) ++ if (tcpClient != NULL) + log_ip = tcpClient->remote; + else + log_ip = cache.caddr; + diff --git a/src/patches/squid/squid-3.5-14109.patch b/src/patches/squid/squid-3.5-14109.patch new file mode 100644 index 0000000..82b7dd2 --- /dev/null +++ b/src/patches/squid/squid-3.5-14109.patch 
@@ -0,0 +1,167 @@ +------------------------------------------------------------ +revno: 14109 +revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379 +author: Garri Djavadyan garryd@comnet.uz, Amos Jeffries squid3@treenet.co.nz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Fri 2016-11-11 19:03:25 +1300 +message: + Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736 +# timestamp: 2016-11-11 06:10:37 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161101112231-\ +# k77st4up2sekl5zx +# +# Begin patch +=== modified file 'src/client_side_reply.cc' +--- src/client_side_reply.cc 2016-10-09 19:47:26 +0000 ++++ src/client_side_reply.cc 2016-11-11 06:03:25 +0000 +@@ -589,6 +589,7 @@ + debugs(88, 5, "negative-HIT"); + http->logType = LOG_TCP_NEGATIVE_HIT; + sendMoreData(result); ++ return; + } else if (blockedHit()) { + debugs(88, 5, "send_hit forces a MISS"); + http->logType = LOG_TCP_MISS; +@@ -641,27 +642,29 @@ + http->logType = LOG_TCP_MISS; + processMiss(); + } ++ return; + } else if (r->conditional()) { + debugs(88, 5, "conditional HIT"); +- processConditional(result); +- } else { +- /* +- * plain ol' cache hit +- */ +- debugs(88, 5, "plain old HIT"); ++ if (processConditional(result)) ++ return; ++ } ++ ++ /* ++ * plain ol' cache hit ++ */ ++ debugs(88, 5, "plain old HIT"); + + #if USE_DELAY_POOLS +- if (e->store_status != STORE_OK) +- http->logType = LOG_TCP_MISS; +- else ++ if (e->store_status != STORE_OK) ++ 
http->logType = LOG_TCP_MISS; ++ else + #endif +- if (e->mem_status == IN_MEMORY) +- http->logType = LOG_TCP_MEM_HIT; +- else if (Config.onoff.offline) +- http->logType = LOG_TCP_OFFLINE_HIT; ++ if (e->mem_status == IN_MEMORY) ++ http->logType = LOG_TCP_MEM_HIT; ++ else if (Config.onoff.offline) ++ http->logType = LOG_TCP_OFFLINE_HIT; + +- sendMoreData(result); +- } ++ sendMoreData(result); + } + + /** +@@ -755,17 +758,16 @@ + } + + /// process conditional request from client +-void ++bool + clientReplyContext::processConditional(StoreIOBuffer &result) + { + StoreEntry *const e = http->storeEntry(); + + if (e->getReply()->sline.status() != Http::scOkay) { +- debugs(88, 4, "clientReplyContext::processConditional: Reply code " << +- e->getReply()->sline.status() << " != 200"); ++ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200"); + http->logType = LOG_TCP_MISS; + processMiss(); +- return; ++ return true; + } + + HttpRequest &r = *http->request; +@@ -773,7 +775,7 @@ + if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) { + // RFC 2616: reply with 412 Precondition Failed if If-Match did not match + sendPreconditionFailedError(); +- return; ++ return true; + } + + bool matchedIfNoneMatch = false; +@@ -786,14 +788,14 @@ + r.header.delById(HDR_IF_MODIFIED_SINCE); + http->logType = LOG_TCP_MISS; + sendMoreData(result); +- return; ++ return true; + } + + if (!r.flags.ims) { + // RFC 2616: if If-None-Match matched and there is no IMS, + // reply with 304 Not Modified or 412 Precondition Failed + sendNotModifiedOrPreconditionFailedError(); +- return; ++ return true; + } + + // otherwise check IMS below to decide if we reply with 304 or 412 +@@ -805,19 +807,20 @@ + if (e->modifiedSince(r.ims, r.imslen)) { + http->logType = LOG_TCP_IMS_HIT; + sendMoreData(result); +- return; +- } + +- if (matchedIfNoneMatch) { ++ } else if (matchedIfNoneMatch) { + // If-None-Match matched, reply with 304 Not Modified or + // 412 Precondition Failed + 
sendNotModifiedOrPreconditionFailedError(); +- return; ++ ++ } else { ++ // otherwise reply with 304 Not Modified ++ sendNotModified(); + } +- +- // otherwise reply with 304 Not Modified +- sendNotModified(); ++ return true; + } ++ ++ return false; + } + + /// whether squid.conf send_hit prevents us from serving this hit + +=== modified file 'src/client_side_reply.h' +--- src/client_side_reply.h 2016-09-23 15:28:42 +0000 ++++ src/client_side_reply.h 2016-11-11 06:03:25 +0000 +@@ -114,7 +114,7 @@ + bool alwaysAllowResponse(Http::StatusCode sline) const; + int checkTransferDone(); + void processOnlyIfCachedMiss(); +- void processConditional(StoreIOBuffer &result); ++ bool processConditional(StoreIOBuffer &result); + void cacheHit(StoreIOBuffer result); + void handleIMSReply(StoreIOBuffer result); + void sendMoreData(StoreIOBuffer result); + diff --git a/src/patches/squid/squid-3.5-14110.patch b/src/patches/squid/squid-3.5-14110.patch new file mode 100644 index 0000000..0d0a9db --- /dev/null +++ b/src/patches/squid/squid-3.5-14110.patch 
@@ -0,0 +1,102 @@ +------------------------------------------------------------ +revno: 14110 +revision-id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +parent: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +author: Christos Tsantilas chtsanti@users.sourceforge.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Mon 2016-11-14 23:51:24 +1300 +message: + Fix ssl::server_name ACL badly broken since inception. + + The original server_name code mishandled all SNI checks and some rare + host checks: + + * The SNI-derived value was pointing to an already freed memory storage. + * Missing host-derived values were not detected (host() is never nil). + * Mismatches were re-checked with an undocumented "none" value + instead of being treated as mismatches. + + Same for ssl::server_name_regex. + + Also set SNI for more server-first and client-first transactions. + + This is a Measurement Factory project. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb +# timestamp: 2016-11-14 10:56:00 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161111060325-\ +# yh8chavvnzuvfh3h +# +# Begin patch +=== modified file 'src/acl/ServerName.cc' +--- src/acl/ServerName.cc 2016-09-08 12:27:06 +0000 ++++ src/acl/ServerName.cc 2016-11-14 10:51:24 +0000 +@@ -90,27 +90,28 @@ + { + assert(checklist != NULL && checklist->request != NULL); + +- if (checklist->conn() && checklist->conn()->serverBump()) { +- if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) { +- if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>)) +- return 1; +- } +- } +- + const char *serverName = NULL; +- if (checklist->conn() 
&& !checklist->conn()->sslCommonName().isEmpty()) { +- SBuf scn = checklist->conn()->sslCommonName(); +- serverName = scn.c_str(); +- } +- +- if (serverName == NULL) +- serverName = checklist->request->GetHost(); +- +- if (serverName && data->match(serverName)) { +- return 1; +- } +- +- return data->match("none"); ++ SBuf serverNameKeeper; // because c_str() is not constant ++ if (ConnStateData *conn = checklist->conn()) { ++ if (conn->serverBump()) { ++ if (X509 *peer_cert = conn->serverBump()->serverCert.get()) ++ return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>); ++ } ++ ++ if (conn->sslCommonName().isEmpty()) { ++ const char *host = checklist->request->GetHost(); ++ if (host && *host) // paranoid first condition: host() is never nil ++ serverName = host; ++ } else { ++ serverNameKeeper = conn->sslCommonName(); ++ serverName = serverNameKeeper.c_str(); ++ } ++ } ++ ++ if (!serverName) ++ serverName = "none"; ++ ++ return data->match(serverName); + } + + ACLServerNameStrategy * + +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-10-29 23:26:28 +0000 ++++ src/cf.data.pre 2016-11-14 10:51:24 +0000 +@@ -1167,6 +1167,9 @@ + # During each Ssl-Bump step, Squid may improve its understanding of a + # "true server name". Unlike dstdomain, this ACL does not perform + # DNS lookups. ++ # The "none" name can be used to match transactions where Squid ++ # could not compute the server name using any information source ++ # already available at the ACL evaluation time. + + acl aclname ssl::server_name_regex [-i] .foo.com ... + # regex matches server name obtained from various sources [fast] + diff --git a/src/patches/squid/squid-3.5-14111.patch b/src/patches/squid/squid-3.5-14111.patch new file mode 100644 index 0000000..984069b --- /dev/null +++ b/src/patches/squid/squid-3.5-14111.patch 
@@ -0,0 +1,43 @@ +------------------------------------------------------------ +revno: 14111 +revision-id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +parent: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Mon 2016-11-14 23:54:34 +1300 +message: + Fix spelling for digest nonce cache maintenance event +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8c91678868beb689db5e0e6eaa6911c44f503ac8 +# timestamp: 2016-11-14 10:56:03 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161114105124-\ +# 46hmtnsg8uj4owxz +# +# Begin patch +=== modified file 'src/auth/digest/Config.cc' +--- src/auth/digest/Config.cc 2016-01-01 00:14:27 +0000 ++++ src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000 +@@ -204,7 +204,7 @@ + if (!digest_nonce_cache) { + digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); + assert(digest_nonce_cache); +- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); ++ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); + } + } + +@@ -268,7 +268,7 @@ + debugs(29, 3, "Finished cleaning the nonce cache."); + + if (static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->active()) +- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); ++ eventAdd("Digest nonce cache maintenance", 
authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); + } + + static void + diff --git a/src/patches/squid/squid-3.5-14112.patch b/src/patches/squid/squid-3.5-14112.patch new file mode 100644 index 0000000..a63c1c0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14112.patch 
@@ -0,0 +1,60 @@ +------------------------------------------------------------ +revno: 14112 +revision-id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +parent: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +author: Alex Rousskov rousskov@measurement-factory.com +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-11-15 01:40:51 +1300 +message: + Honor SBufReservationRequirements::minSize regardless of idealSize. + + In a fully specified SBufReservationRequirements, idealSize would + naturally match or exceed minSize. However, the idealSize default value + (zero) may not. We should honor minSize regardless of idealSize, just as + the API documentation promises to do. + + No runtime changes expected right now because the only existing user of + SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096) + and .minSize to 1024. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fb0969aa035352582364b529a70286cbfd89564a +# timestamp: 2016-11-14 12:43:10 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161114105434-\ +# f1uvw2lu8l4lpgay +# +# Begin patch +=== modified file 'src/SBuf.cc' +--- src/SBuf.cc 2016-06-18 13:36:07 +0000 ++++ src/SBuf.cc 2016-11-14 12:40:51 +0000 +@@ -178,7 +178,8 @@ + if (!mustRealloc && len_ >= req.maxCapacity) + return spaceSize(); // but we cannot reallocate + +- const size_type newSpace = std::min(req.idealSpace, maxSize - len_); ++ const size_type desiredSpace = std::max(req.minSpace, req.idealSpace); ++ const size_type newSpace = std::min(desiredSpace, maxSize - len_); + reserveCapacity(std::min(len_ + newSpace, req.maxCapacity)); + debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize() << + '=' 
<< store_->capacity); + +=== modified file 'src/SBuf.h' +--- src/SBuf.h 2016-06-18 13:36:07 +0000 ++++ src/SBuf.h 2016-11-14 12:40:51 +0000 +@@ -635,9 +635,10 @@ + /* + * Parameters are listed in the reverse order of importance: Satisfaction of + * the lower-listed requirements may violate the higher-listed requirements. ++ * For example, idealSpace has no effect unless it exceeds minSpace. + */ + size_type idealSpace; ///< if allocating anyway, provide this much space +- size_type minSpace; ///< allocate if spaceSize() is smaller ++ size_type minSpace; ///< allocate [at least this much] if spaceSize() is smaller + size_type maxCapacity; ///< do not allocate more than this + bool allowShared; ///< whether sharing our storage with others is OK + }; + diff --git a/src/patches/squid/squid-3.5-14113.patch b/src/patches/squid/squid-3.5-14113.patch new file mode 100644 index 0000000..d545026 --- /dev/null +++ b/src/patches/squid/squid-3.5-14113.patch 
@@ -0,0 +1,47 @@ +------------------------------------------------------------ +revno: 14113 +revision-id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +parent: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-11-15 20:57:28 +1300 +message: + TLS: Make key= before cert= an error instead of quietly hiding the issue + + This squid.conf setup is fatal in Squid-4. So best to fix these installations. + Even though Squdi-3 can cope with it. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: a18738f4cbf0c1bd368e61d4b19c5d6f5005b919 +# timestamp: 2016-11-15 07:58:39 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161114124051-\ +# s0vzoj5exv5g8w56 +# +# Begin patch +=== modified file 'src/cache_cf.cc' +--- src/cache_cf.cc 2016-09-23 11:11:48 +0000 ++++ src/cache_cf.cc 2016-11-15 07:57:28 +0000 +@@ -2257,6 +2257,9 @@ + safe_free(p->sslcert); + p->sslcert = xstrdup(token + 8); + } else if (strncmp(token, "sslkey=", 7) == 0) { ++ if (!p->sslcert) { ++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used."); ++ } + safe_free(p->sslkey); + p->sslkey = xstrdup(token + 7); + } else if (strncmp(token, "sslversion=", 11) == 0) { +@@ -3729,6 +3732,9 @@ + safe_free(s->cert); + s->cert = xstrdup(token + 5); + } else if (strncmp(token, "key=", 4) == 0) { ++ if (!s->cert) { ++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used."); ++ } + safe_free(s->key); + s->key = xstrdup(token + 4); + } else if (strncmp(token, "version=", 8) == 0) { + 
diff --git a/src/patches/squid/squid-3.5-14114.patch b/src/patches/squid/squid-3.5-14114.patch new file mode 100644 index 0000000..0985004 --- /dev/null +++ b/src/patches/squid/squid-3.5-14114.patch 
@@ -0,0 +1,46 @@ +------------------------------------------------------------ +revno: 14114 +revision-id: squid3@treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3 +parent: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Thu 2016-12-01 04:42:05 +1300 +message: + Improve debugs warnings when loading signing certs fails +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: e760bf590489a354e314f19dd158b063d23ef7a7 +# timestamp: 2016-11-30 15:51:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161115075728-\ +# 2xj2621oh5bwn8wn +# +# Begin patch +=== modified file 'src/ssl/support.cc' +--- src/ssl/support.cc 2016-10-09 14:30:11 +0000 ++++ src/ssl/support.cc 2016-11-30 15:42:05 +0000 +@@ -2011,10 +2011,17 @@ + pem_password_cb *cb = ::Config.Program.ssl_password ? 
&ssl_ask_password_cb : NULL; + pkey.reset(readSslPrivateKey(keyFilename, cb)); + cert.reset(readSslX509CertificatesChain(certFilename, chain.get())); +- if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) { +- pkey.reset(NULL); +- cert.reset(NULL); +- } ++ if (!cert) { ++ debugs(83, DBG_IMPORTANT, "WARNING: missing cert in '" << certFilename << "'"); ++ } else if (!pkey) { ++ debugs(83, DBG_IMPORTANT, "WARNING: missing private key in '" << keyFilename << "'"); ++ } else if (!X509_check_private_key(cert.get(), pkey.get())) { ++ debugs(83, DBG_IMPORTANT, "WARNING: X509_check_private_key() failed to verify signing cert"); ++ } else ++ return; // everything is okay ++ ++ pkey.reset(NULL); ++ cert.reset(NULL); + } + + bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey) + diff --git a/src/patches/squid/squid-3.5-14115.patch b/src/patches/squid/squid-3.5-14115.patch new file mode 100644 index 0000000..4e5e3cf --- /dev/null +++ b/src/patches/squid/squid-3.5-14115.patch 
@@ -0,0 +1,197 @@ +------------------------------------------------------------ +revno: 14115 +revision-id: squid3@treenet.co.nz-20161130215630-c42qucqar9bi9a1k +parent: squid3@treenet.co.nz-20161130154205-c9z1bhqzuh3rafl3 +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4004 +author: Christos Tsantilas chtsanti@users.sourceforge.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Thu 2016-12-01 10:56:30 +1300 +message: + Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply + + Added nil dereference checks for Ftp::Client::ctrl.conn, including: + - Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference + ctrl.conn in DBG_IMPORTANT messages. + - Many functions inside FtpClient.cc and FtpGateway.cc files. + + TODO: We need to find a better way to handle nil ctrl.conn. It is only + a matter of time when we forget to add another dereference check or + discover a place we missed during this change. + + Also disabled forwarding of EPRT and PORT commands to origin servers. + Squid support for those commands is broken and their forwarding may + cause segfaults (bug #4004). Active FTP is still supported, of course. 
+ + This is a Measurement Factory project +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161130215630-c42qucqar9bi9a1k +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 345883c1b5a5cd221e9d0e68b254df7d955372ad +# timestamp: 2016-11-30 22:42:02 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161130154205-\ +# c9z1bhqzuh3rafl3 +# +# Begin patch +=== modified file 'src/clients/FtpClient.cc' +--- src/clients/FtpClient.cc 2016-08-05 14:59:33 +0000 ++++ src/clients/FtpClient.cc 2016-11-30 21:56:30 +0000 +@@ -442,6 +442,11 @@ + char *buf; + debugs(9, 3, status()); + ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return false; ++ } ++ + if (code != 227) { + debugs(9, 2, "PASV not supported by remote end"); + return false; +@@ -473,6 +478,11 @@ + char *buf; + debugs(9, 3, status()); + ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return false; ++ } ++ + if (code != 229 && code != 522) { + if (code == 200) { + /* handle broken servers (RFC 2428 says OK code for EPSV MUST be 229 not 200) */ +@@ -733,6 +743,11 @@ + void + Ftp::Client::connectDataChannel() + { ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return; ++ } ++ + safe_free(ctrl.last_command); + + safe_free(ctrl.last_reply); + +=== modified file 'src/clients/FtpGateway.cc' +--- src/clients/FtpGateway.cc 2016-01-31 05:39:09 +0000 ++++ src/clients/FtpGateway.cc 2016-11-30 21:56:30 +0000 +@@ -212,7 +212,9 @@ + static FTPSM ftpReadMdtm; + static FTPSM ftpSendSize; + static FTPSM ftpReadSize; ++#if 0 + static FTPSM ftpSendEPRT; ++#endif + static FTPSM ftpReadEPRT; + static FTPSM ftpSendPORT; + static FTPSM ftpReadPORT; +@@ -450,6 +452,11 
@@ + void + Ftp::Gateway::listenForDataChannel(const Comm::ConnectionPointer &conn) + { ++ if (!Comm::IsConnOpen(ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return; ++ } ++ + assert(!Comm::IsConnOpen(data.conn)); + + typedef CommCbMemFunT<Gateway, CommAcceptCbParams> AcceptDialer; +@@ -1183,7 +1190,7 @@ + + checkUrlpath(); + buildTitleUrl(); +- debugs(9, 5, HERE << "FD " << ctrl.conn->fd << " : host=" << request->GetHost() << ++ debugs(9, 5, "FD " << (ctrl.conn != NULL ? ctrl.conn->fd : -1) << " : host=" << request->GetHost() << + ", path=" << request->urlpath << ", user=" << user << ", passwd=" << password); + state = BEGIN; + Ftp::Client::start(); +@@ -1750,7 +1757,9 @@ + if (ftpState->handlePasvReply(srvAddr)) + ftpState->connectDataChannel(); + else { +- ftpSendEPRT(ftpState); ++ ftpFail(ftpState); ++ // Currently disabled, does not work correctly: ++ // ftpSendEPRT(ftpState); + return; + } + } +@@ -1790,6 +1799,11 @@ + } + safe_free(ftpState->data.host); + ++ if (!Comm::IsConnOpen(ftpState->ctrl.conn)) { ++ debugs(9, 5, "The control connection to the remote end is closed"); ++ return; ++ } ++ + /* + * Set up a listen socket on the same local address as the + * control connection. 
+@@ -1875,9 +1889,14 @@ + ftpRestOrList(ftpState); + } + ++#if 0 + static void + ftpSendEPRT(Ftp::Gateway * ftpState) + { ++ /* check the server control channel is still available */ ++ if (!ftpState || !ftpState->haveControlChannel("ftpSendEPRT")) ++ return; ++ + if (Config.Ftp.epsv_all && ftpState->flags.epsv_all_sent) { + debugs(9, DBG_IMPORTANT, "FTP does not allow EPRT method after 'EPSV ALL' has been sent."); + return; +@@ -1913,6 +1932,7 @@ + ftpState->writeCommand(cbuf); + ftpState->state = Ftp::Client::SENT_EPRT; + } ++#endif + + static void + ftpReadEPRT(Ftp::Gateway * ftpState) +@@ -1939,10 +1959,8 @@ + { + debugs(9, 3, HERE); + +- if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { +- abortAll("entry aborted when accepting data conn"); +- data.listenConn->close(); +- data.listenConn = NULL; ++ if (!Comm::IsConnOpen(ctrl.conn)) { /*Close handlers will cleanup*/ ++ debugs(9, 5, "The control connection to the remote end is closed"); + return; + } + +@@ -1955,6 +1973,14 @@ + return; + } + ++ if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { ++ abortAll("entry aborted when accepting data conn"); ++ data.listenConn->close(); ++ data.listenConn = NULL; ++ io.conn->close(); ++ return; ++ } ++ + /* data listening conn is no longer even open. abort. */ + if (!Comm::IsConnOpen(data.listenConn)) { + data.listenConn = NULL; // ensure that it's cleared and not just closed. +@@ -2705,8 +2731,8 @@ + Ftp::Gateway::completeForwarding() + { + if (fwd == NULL || flags.completed_forwarding) { +- debugs(9, 3, HERE << "completeForwarding avoids " << +- "double-complete on FD " << ctrl.conn->fd << ", Data FD " << data.conn->fd << ++ debugs(9, 3, "avoid double-complete on FD " << ++ (ctrl.conn != NULL ? ctrl.conn->fd : -1) << ", Data FD " << data.conn->fd << + ", this " << this << ", fwd " << fwd); + return; + } + diff --git a/src/patches/squid/squid-3.5-14116.patch b/src/patches/squid/squid-3.5-14116.patch new file mode 100644 index 0000000..c92d8b8 --- /dev/null 
+++ b/src/patches/squid/squid-3.5-14116.patch @@ -0,0 +1,38 @@ +------------------------------------------------------------ +revno: 14116 +revision-id: squid3@treenet.co.nz-20161130223332-zcaxll4prj3kag1b +parent: squid3@treenet.co.nz-20161130215630-c42qucqar9bi9a1k +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3533 +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Thu 2016-12-01 11:33:32 +1300 +message: + Bug 3533: Cache still valid after HTTP/1.1 303 See Other + + RFC7231 does not mention 303 response as non-cacheable. + So, assuming that means it *is* cacheable. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161130223332-zcaxll4prj3kag1b +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: c90320c95a4b64c8d18794fbe5df526fe0f9f702 +# timestamp: 2016-11-30 22:42:05 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161130215630-\ +# c42qucqar9bi9a1k +# +# Begin patch +=== modified file 'src/http.cc' +--- src/http.cc 2016-10-30 09:45:03 +0000 ++++ src/http.cc 2016-11-30 22:33:32 +0000 +@@ -203,6 +203,8 @@ + + case Http::scFound: + ++ case Http::scSeeOther: ++ + case Http::scGone: + + case Http::scNotFound: + diff --git a/src/patches/squid/squid-3.5-14117.patch b/src/patches/squid/squid-3.5-14117.patch new file mode 100644 index 0000000..23d5376 --- /dev/null +++ b/src/patches/squid/squid-3.5-14117.patch 
@@ -0,0 +1,152 @@ +------------------------------------------------------------ +revno: 14117 +revision-id: squid3@treenet.co.nz-20161130232039-z18ikhhcf3j185my +parent: squid3@treenet.co.nz-20161130223332-zcaxll4prj3kag1b +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4007 +author: Stephen Baynes sbaynes@mail.com, Amos Jeffries squid3@treenet.co.nz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Thu 2016-12-01 12:20:39 +1300 +message: + Bug 4007: Hang on DNS query with dead-end CNAME + + DNS lookup recursion no longer occurs. ipcacheParse() return values are no + longer useful. + + Also, cleanup the debugging output. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161130232039-z18ikhhcf3j185my +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 9059c7a07e5366bd2eac606c72f875077766ed34 +# timestamp: 2016-11-30 23:27:11 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161130223332-\ +# zcaxll4prj3kag1b +# +# Begin patch +=== modified file 'src/ipcache.cc' +--- src/ipcache.cc 2016-01-01 00:14:27 +0000 ++++ src/ipcache.cc 2016-11-30 23:20:39 +0000 +@@ -123,7 +123,6 @@ + static FREE ipcacheFreeEntry; + static IDNSCB ipcacheHandleReply; + static int ipcacheExpiredEntry(ipcache_entry *); +-static int ipcacheParse(ipcache_entry *, const rfc1035_rr *, int, const char *error); + static ipcache_entry *ipcache_get(const char *); + static void ipcacheLockEntry(ipcache_entry *); + static void ipcacheStatPrint(ipcache_entry *, StoreEntry *); +@@ -328,8 +327,7 @@ + ipcacheUnlockEntry(i); + } + +-/// \ingroup IPCacheAPI +-static int ++static void + ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *error_message) + { + int k; +@@ -350,25 +348,25 @@ + i->addrs.count = 0; + + if (nr < 0) { +- debugs(14, 3, "ipcacheParse: Lookup 
failed '" << error_message << "' for '" << (const char *)i->hash.key << "'"); ++ debugs(14, 3, "Lookup failed '" << error_message << "' for '" << (const char *)i->hash.key << "'"); + i->error_message = xstrdup(error_message); +- return -1; ++ return; + } + + if (nr == 0) { +- debugs(14, 3, "ipcacheParse: No DNS records in response to '" << name << "'"); ++ debugs(14, 3, "No DNS records in response to '" << name << "'"); + i->error_message = xstrdup("No DNS records"); +- return -1; ++ return; + } + +- debugs(14, 3, "ipcacheParse: " << nr << " answers for '" << name << "'"); ++ debugs(14, 3, nr << " answers for '" << name << "'"); + assert(answers); + + for (k = 0; k < nr; ++k) { + + if (Ip::EnableIpv6 && answers[k].type == RFC1035_TYPE_AAAA) { + if (answers[k].rdlength != sizeof(struct in6_addr)) { +- debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv6 address in response to '" << name << "'"); ++ debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv6 address in response to '" << name << "'"); + continue; + } + ++na; +@@ -378,7 +376,7 @@ + + if (answers[k].type == RFC1035_TYPE_A) { + if (answers[k].rdlength != sizeof(struct in_addr)) { +- debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv4 address in response to '" << name << "'"); ++ debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv4 address in response to '" << name << "'"); + continue; + } + ++na; +@@ -394,14 +392,14 @@ + } + + // otherwise its an unknown RR. debug at level 9 since we usually want to ignore these and they are common. 
+- debugs(14, 9, HERE << "Unknown RR type received: type=" << answers[k].type << " starting at " << &(answers[k]) ); ++ debugs(14, 9, "Unknown RR type received: type=" << answers[k].type << " starting at " << &(answers[k]) ); + } + if (na == 0) { +- debugs(14, DBG_IMPORTANT, "ipcacheParse: No Address records in response to '" << name << "'"); ++ debugs(14, DBG_IMPORTANT, MYNAME << "No Address records in response to '" << name << "'"); + i->error_message = xstrdup("No Address records"); + if (cname_found) + ++IpcacheStats.cname_only; +- return 0; ++ return; + } + + i->addrs.in_addrs = static_cast<Ip::Address *>(xcalloc(na, sizeof(Ip::Address))); +@@ -419,7 +417,7 @@ + memcpy(&temp, answers[k].rdata, sizeof(struct in_addr)); + i->addrs.in_addrs[j] = temp; + +- debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i->addrs.in_addrs[j]); ++ debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j]); + ++j; + + } else if (Ip::EnableIpv6 && answers[k].type == RFC1035_TYPE_AAAA) { +@@ -430,7 +428,7 @@ + memcpy(&temp, answers[k].rdata, sizeof(struct in6_addr)); + i->addrs.in_addrs[j] = temp; + +- debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i->addrs.in_addrs[j] ); ++ debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] ); + ++j; + } + if (ttl == 0 || (int) answers[k].ttl < ttl) +@@ -453,8 +451,6 @@ + i->expires = squid_curtime + ttl; + + i->flags.negcached = false; +- +- return i->addrs.count; + } + + /// \ingroup IPCacheInternal +@@ -467,13 +463,9 @@ + const int age = i->age(); + statCounter.dns.svcTime.count(age); + +- int done = ipcacheParse(i, answers, na, error_message); +- +- /* If we have not produced either IPs or Error immediately, wait for recursion to finish. */ +- if (done != 0 || error_message != NULL) { +- ipcacheAddEntry(i); +- ipcacheCallback(i, age); +- } ++ ipcacheParse(i, answers, na, error_message); ++ ipcacheAddEntry(i); ++ ipcacheCallback(i, age); + } + + /** + 
diff --git a/src/patches/squid/squid-3.5-14118.patch b/src/patches/squid/squid-3.5-14118.patch new file mode 100644 index 0000000..1e36294 --- /dev/null +++ b/src/patches/squid/squid-3.5-14118.patch 
@@ -0,0 +1,55 @@ +------------------------------------------------------------ +revno: 14118 +revision-id: squid3@treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85 +parent: squid3@treenet.co.nz-20161130232039-z18ikhhcf3j185my +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3290 +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Thu 2016-12-01 12:33:04 +1300 +message: + Bug 3290: authenticate_ttl not working for digest authentication +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161130233304-lk3q0bx8gn5l3l85 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50ff391db1484222ead5fb50b1bca0694c37ed4c +# timestamp: 2016-11-30 23:34:59 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161130232039-\ +# z18ikhhcf3j185my +# +# Begin patch +=== modified file 'src/auth/digest/Config.cc' +--- src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000 ++++ src/auth/digest/Config.cc 2016-11-30 23:33:04 +0000 +@@ -1058,6 +1058,10 @@ + * the user agent won't change user name without warning. 
+ */ + authDigestUserLinkNonce(digest_user, nonce); ++ ++ /* auth_user is now linked, we reset these values ++ * after external auth occurs anyway */ ++ auth_user->expiretime = current_time.tv_sec; + } else { + debugs(29, 9, "Found user '" << username << "' in the user cache as '" << auth_user << "'"); + digest_user = static_cast<Auth::Digest::User *>(auth_user.getRaw()); + +=== modified file 'src/auth/digest/UserRequest.cc' +--- src/auth/digest/UserRequest.cc 2016-01-01 00:14:27 +0000 ++++ src/auth/digest/UserRequest.cc 2016-11-30 23:33:04 +0000 +@@ -187,12 +187,7 @@ + auth_user->credentials(Auth::Ok); + + /* password was checked and did match */ +- debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK"); +- +- /* auth_user is now linked, we reset these values +- * after external auth occurs anyway */ +- auth_user->expiretime = current_time.tv_sec; +- return; ++ debugs(29, 4, "user '" << auth_user->username() << "' validated OK"); + } + + Auth::Direction +
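Review bot: In squid-3.5-14109.patch, the src/client_side_reply.cc hunk at -755,17 changes processConditional() from void to bool but keeps the doc comment as "process conditional request from client", so the meaning of the return value is undocumented. Judging from the caller (`if (processConditional(result)) return;`), true means a reply or a miss has already been started and false means the caller should fall through to the plain HIT path. Please state that in the comment here and at the declaration in src/client_side_reply.h, because a future branch that returns the wrong value could either send a second reply or send none.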
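Review bot: In squid-3.5-14110.patch, the src/acl/ServerName.cc hunk moves the checklist->request->GetHost() fallback inside `if (ConnStateData *conn = checklist->conn())`, so a transaction with a nil conn() is now matched against "none" without the request host ever being consulted. The removed code fell back to GetHost() whenever no SNI-derived name was available, regardless of conn(). If this is intended, the commit message and the new "none" paragraph in src/cf.data.pre should say that a missing connection also yields "none"; otherwise hoist the host lookup out of the conn block. Anyone with an existing ssl::server_name ACL that lists "none" should re-test it after this update, since the set of transactions it matches has changed.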
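Review bot: In squid-3.5-14113.patch, the src/cache_cf.cc hunk at -3729,6 (and the matching sslkey= hunk at -2257,6) only logs "ERROR: ... cert= option must be set before key= is used." at DBG_CRITICAL and then continues into safe_free(s->key) and xstrdup(), so the misordered configuration is still accepted. The commit message says this makes key= before cert= an error, which reads as if loading stops. Either word the commit message and log text to make clear that 3.5 only reports the problem, or stop parsing at this point if the aim is to force the configuration to be fixed before a move to Squid-4.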
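Review bot: In squid-3.5-14114.patch, the src/ssl/support.cc hunk names the file in the "missing cert" and "missing private key" warnings, but the third warning, "X509_check_private_key() failed to verify signing cert", names neither certFilename nor keyFilename. A key that does not belong to the certificate is the case where an admin most needs to know which pair was loaded, so include both names in that message. As a style point, the final `} else return; // everything is okay` is the only unbraced branch in the chain; bracing it would make the fall-through to the two reset(NULL) calls easier to read.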
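Review bot: In squid-3.5-14115.patch, the last src/clients/FtpGateway.cc hunk (Ftp::Gateway::completeForwarding, -2705,8) guards the control connection with `(ctrl.conn != NULL ? ctrl.conn->fd : -1)` but still dereferences data.conn->fd unconditionally in the same debugs() statement. Since the commit message describes this change as adding nil dereference checks and admits more may have been missed, the data connection deserves the same guard here. Separately, the moved ENTRY_ABORTED block in the -1955,6 hunk calls data.listenConn->close() before the `if (!Comm::IsConnOpen(data.listenConn))` test that follows it, so that ordering is worth a second look as well.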
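Review bot: In squid-3.5-14118.patch, the src/auth/digest/Config.cc hunk carries over the comment "auth_user is now linked, we reset these values after external auth occurs anyway" word for word from src/auth/digest/UserRequest.cc, but it now sits in the branch that links a newly created user to its nonce, not after a validated password, so it no longer explains why expiretime is set there. Replace it with a comment saying that expiretime is stamped once when the user is first linked, and no longer refreshed on every successful validation, which is what lets authenticate_ttl expire the entry. The commit message is only the bug title; one sentence on that cause would help anyone auditing credential cache lifetime later.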
hooks/post-receive -- IPFire 2.x development tree