.gitignore

@@ -1 +1,2 @@
 SOURCES/squid-4.15.tar.xz
+/squid-4.15.tar.xz

.squid.metadata

@@ -1 +1 @@
-60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz
+60bda34ba39657e2d870c8c1d2acece8a69c3075 squid-4.15.tar.xz

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

sources

@@ -0,0 +1 @@
+SHA512 (squid-4.15.tar.xz) = 8f0ce6e30dd9173927e8133618211ffb865fb5dde4c63c2fb465e2efccda4a6efb33f2c0846870c9b915340aff5f59461a60171882bcc0c890336b846fe60bd1

squid-3.0.STABLE1-perlpath.patch

@@ -0,0 +1,10 @@
+diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
+index 4cb0480..4b89910 100755
+--- a/contrib/url-normalizer.pl
++++ b/contrib/url-normalizer.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -Tw
++#!/usr/bin/perl -Tw
+ #
+ # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
+ # *

squid-3.1.0.9-location.patch

@@ -0,0 +1,32 @@
+diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
+--- squid-3.1.0.9/QUICKSTART.location	2009-06-26 12:35:27.000000000 +0200
++++ squid-3.1.0.9/QUICKSTART	2009-07-17 14:03:10.000000000 +0200
+@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
+ INSTALL in the same directory), you have to configure the squid.conf
+ file. This is the list of the values you *need* to change, because no
+ sensible defaults could be defined. Do not touch the other variables
+-for now.  We assume you have installed Squid in the default location:
+-/usr/local/squid
++for now.
+ 
+-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
++Uncomment and edit the following lines in /etc/squid/squid.conf:
+ 
+ ==============================================================================
+ 
+@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
+ line TWICE:
+ 
+ To create any disk cache_dir configured:
+-    % /usr/local/squid/sbin/squid -z
++    % /usr/sbin/squid -z
+ 
+ To start squid:
+-    % /usr/local/squid/sbin/squid 
++    % /usr/sbin/squid 
+ 
+-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
++Check in the cache.log (/var/log/squid/cache.log) that
+ everything is all right.
+ 
+ Once Squid created all its files (it can take several minutes on some

squid-3.5.9-include-guards.patch

@@ -0,0 +1,95 @@
+------------------------------------------------------------
+revno: 14311
+revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
+------------------------------------------------------------
+revno: 14311
+revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
+author: Francesco Chemolli <kinkie@squid-cache.org>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: trunk
+timestamp: Thu 2015-09-24 06:05:37 -0700
+message:
+  Bug 4323: Netfilter broken cross-includes with Linux 4.2
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
+# timestamp: 2015-09-24 13:06:33 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
+# base_revision_id: squid3@treenet.co.nz-20150924032241-\
+#   6cx3g6hwz9xfoybr
+# 
+# Begin patch
+=== modified file 'compat/os/linux.h'
+--- compat/os/linux.h	2015-01-13 07:25:36 +0000
++++ compat/os/linux.h	2015-09-24 13:05:37 +0000
+@@ -30,6 +30,21 @@
+ #endif
+ 
+ /*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
+  * sys/capability.h is only needed in Linux apparently.
+  *
+  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
+author: Francesco Chemolli <kinkie@squid-cache.org>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: trunk
+timestamp: Thu 2015-09-24 06:05:37 -0700
+message:
+  Bug 4323: Netfilter broken cross-includes with Linux 4.2
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
+# timestamp: 2015-09-24 13:06:33 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
+# base_revision_id: squid3@treenet.co.nz-20150924032241-\
+#   6cx3g6hwz9xfoybr
+# 
+# Begin patch
+=== modified file 'compat/os/linux.h'
+--- compat/os/linux.h	2015-01-13 07:25:36 +0000
++++ compat/os/linux.h	2015-09-24 13:05:37 +0000
+@@ -30,6 +30,21 @@
+ #endif
+ 
+ /*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
+  * sys/capability.h is only needed in Linux apparently.
+  *
+  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+

squid-4.0.11-config.patch

@@ -0,0 +1,26 @@
+diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
+--- squid-4.0.11/src/cf.data.pre.config	2016-06-09 22:32:57.000000000 +0200
++++ squid-4.0.11/src/cf.data.pre	2016-07-11 21:08:35.090976840 +0200
+@@ -4658,7 +4658,7 @@ DOC_END
+ 
+ NAME: logfile_rotate
+ TYPE: int
+-DEFAULT: 10
++DEFAULT: 0
+ LOC: Config.Log.rotateNumber
+ DOC_START
+ 	Specifies the default number of logfile rotations to make when you
+@@ -6444,11 +6444,11 @@ COMMENT_END
+ 
+ NAME: cache_mgr
+ TYPE: string
+-DEFAULT: webmaster
++DEFAULT: root
+ LOC: Config.adminEmail
+ DOC_START
+ 	Email-address of local cache manager who will receive
+-	mail if the cache dies.  The default is "webmaster".
++	mail if the cache dies.  The default is "root".
+ DOC_END
+ 
+ NAME: mail_from

squid-4.15-halfclosed.patch

@@ -0,0 +1,163 @@
+diff --git a/src/client_side.cc b/src/client_side.cc
+index f57f3f7..ab393e4 100644
+--- a/src/client_side.cc
++++ b/src/client_side.cc
+@@ -906,7 +906,7 @@ ConnStateData::kick()
+      * We are done with the response, and we are either still receiving request
+      * body (early response!) or have already stopped receiving anything.
+      *
+-     * If we are still receiving, then clientParseRequest() below will fail.
++     * If we are still receiving, then parseRequests() below will fail.
+      * (XXX: but then we will call readNextRequest() which may succeed and
+      * execute a smuggled request as we are not done with the current request).
+      *
+@@ -926,28 +926,12 @@ ConnStateData::kick()
+      * Attempt to parse a request from the request buffer.
+      * If we've been fed a pipelined request it may already
+      * be in our read buffer.
+-     *
+-     \par
+-     * This needs to fall through - if we're unlucky and parse the _last_ request
+-     * from our read buffer we may never re-register for another client read.
+      */
+ 
+-    if (clientParseRequests()) {
+-        debugs(33, 3, clientConnection << ": parsed next request from buffer");
+-    }
++    parseRequests();
+ 
+-    /** \par
+-     * Either we need to kick-start another read or, if we have
+-     * a half-closed connection, kill it after the last request.
+-     * This saves waiting for half-closed connections to finished being
+-     * half-closed _AND_ then, sometimes, spending "Timeout" time in
+-     * the keepalive "Waiting for next request" state.
+-     */
+-    if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) {
+-        debugs(33, 3, "half-closed client with no pending requests, closing");
+-        clientConnection->close();
++    if (!isOpen())
+         return;
+-    }
+ 
+     /** \par
+      * At this point we either have a parsed request (which we've
+@@ -2058,16 +2042,11 @@ ConnStateData::receivedFirstByte()
+     commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);
+ }
+ 
+-/**
+- * Attempt to parse one or more requests from the input buffer.
+- * Returns true after completing parsing of at least one request [header]. That
+- * includes cases where parsing ended with an error (e.g., a huge request).
+- */
+-bool
+-ConnStateData::clientParseRequests()
++/// Attempt to parse one or more requests from the input buffer.
++/// May close the connection.
++void
++ConnStateData::parseRequests()
+ {
+-    bool parsed_req = false;
+-
+     debugs(33, 5, HERE << clientConnection << ": attempting to parse");
+ 
+     // Loop while we have read bytes that are not needed for producing the body
+@@ -2116,8 +2095,6 @@ ConnStateData::clientParseRequests()
+ 
+             processParsedRequest(context);
+ 
+-            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
+-
+             if (context->mayUseConnection()) {
+                 debugs(33, 3, HERE << "Not parsing new requests, as this request may need the connection");
+                 break;
+@@ -2130,8 +2107,19 @@ ConnStateData::clientParseRequests()
+         }
+     }
+ 
+-    /* XXX where to 'finish' the parsing pass? */
+-    return parsed_req;
++    debugs(33, 7, "buffered leftovers: " << inBuf.length());
++
++    if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
++        if (pipeline.empty()) {
++            // we processed what we could parse, and no more data is coming
++            debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
++            clientConnection->close();
++        } else {
++            // we parsed what we could, and no more data is coming
++            debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
++            flags.readMore = false; // may already be false
++        }
++    }
+ }
+ 
+ void
+@@ -2148,23 +2136,7 @@ ConnStateData::afterClientRead()
+     if (pipeline.empty())
+         fd_note(clientConnection->fd, "Reading next request");
+ 
+-    if (!clientParseRequests()) {
+-        if (!isOpen())
+-            return;
+-        /*
+-         * If the client here is half closed and we failed
+-         * to parse a request, close the connection.
+-         * The above check with connFinishedWithConn() only
+-         * succeeds _if_ the buffer is empty which it won't
+-         * be if we have an incomplete request.
+-         * XXX: This duplicates ConnStateData::kick
+-         */
+-        if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
+-            debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
+-            clientConnection->close();
+-            return;
+-        }
+-    }
++    parseRequests();
+ 
+     if (!isOpen())
+         return;
+@@ -3945,7 +3917,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
+     startPinnedConnectionMonitoring();
+ 
+     if (pipeline.empty())
+-        kick(); // in case clientParseRequests() was blocked by a busy pic.connection
++        kick(); // in case parseRequests() was blocked by a busy pic.connection
+ }
+ 
+ /// Forward future client requests using the given server connection.
+diff --git a/src/client_side.h b/src/client_side.h
+index 9fe8463..dfb4d8e 100644
+--- a/src/client_side.h
++++ b/src/client_side.h
+@@ -85,7 +85,6 @@ public:
+     virtual void doneWithControlMsg();
+ 
+     /// Traffic parsing
+-    bool clientParseRequests();
+     void readNextRequest();
+ 
+     /// try to make progress on a transaction or read more I/O
+@@ -373,6 +372,7 @@ private:
+     virtual bool connFinishedWithConn(int size);
+     virtual void checkLogging();
+ 
++    void parseRequests();
+     void clientAfterReadingRequests();
+     bool concurrentRequestQueueFilled() const;
+ 
+diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
+index d7efb0f..655ed83 100644
+--- a/src/tests/stub_client_side.cc
++++ b/src/tests/stub_client_side.cc
+@@ -14,7 +14,7 @@
+ #include "tests/STUB.h"
+ 
+ #include "client_side.h"
+-bool ConnStateData::clientParseRequests() STUB_RETVAL(false)
++void ConnStateData::parseRequests() STUB
+ void ConnStateData::readNextRequest() STUB
+ bool ConnStateData::isOpen() const STUB_RETVAL(false)
+ void ConnStateData::kick() STUB

squid-5.0.5-symlink-lang-err.patch

@@ -0,0 +1,68 @@
+From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <amosjeffries@squid-cache.org>
+Date: Sun, 18 Oct 2020 20:23:10 +1300
+Subject: [PATCH] Update translations integration
+
+* Add credits for es-mx translation moderator
+* Use es-mx for default of all Spanish (Central America) texts
+* Update translation related .am files
+---
+ doc/manuals/language.am | 2 +-
+ errors/TRANSLATORS      | 1 +
+ errors/aliases          | 3 ++-
+ errors/language.am      | 3 ++-
+ errors/template.am      | 2 +-
+ 5 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/doc/manuals/language.am b/doc/manuals/language.am
+index 7670c88380c..f03c4cf71b4 100644
+--- a/doc/manuals/language.am
++++ b/doc/manuals/language.am
+@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \
+     oc.lang \
+     pt.lang \
+     ro.lang \
+-    ru.lang 
++    ru.lang
+diff --git a/errors/aliases b/errors/aliases
+index 36f17f4b80f..cf0116f297d 100644
+--- a/errors/aliases
++++ b/errors/aliases
+@@ -14,7 +14,8 @@ da	da-dk
+ de	de-at de-ch de-de de-li de-lu
+ el	el-gr
+ en	en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
+-es	es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
++es	es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
++es-mx	es-bz es-cr es-gt es-hn es-ni es-pa es-sv
+ et	et-ee
+ fa	fa-fa fa-ir
+ fi	fi-fi
+diff --git a/errors/language.am b/errors/language.am
+index 12b1b2b3b43..029e8c1eb2f 100644
+--- a/errors/language.am
++++ b/errors/language.am
+@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \
+     de.lang \
+     el.lang \
+     en.lang \
++    es-mx.lang \
+     es.lang \
+     et.lang \
+     fa.lang \
+@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \
+     uz.lang \
+     vi.lang \
+     zh-hans.lang \
+-    zh-hant.lang 
++    zh-hant.lang
+diff --git a/errors/template.am b/errors/template.am
+index 6c12781e6f4..715c65aa22b 100644
+--- a/errors/template.am
++++ b/errors/template.am
+@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \
+     templates/ERR_UNSUP_REQ \
+     templates/ERR_URN_RESOLVE \
+     templates/ERR_WRITE_ERROR \
+-    templates/ERR_ZERO_SIZE_OBJECT 
++    templates/ERR_ZERO_SIZE_OBJECT

squid-5.0.6-active-ftp.patch

@@ -0,0 +1,127 @@
+diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
+index 747ed35..f2b7126 100644
+--- a/src/clients/FtpClient.cc
++++ b/src/clients/FtpClient.cc
+@@ -795,7 +795,8 @@ Ftp::Client::connectDataChannel()
+ bool
+ Ftp::Client::openListenSocket()
+ {
+-    return false;
++    debugs(9, 3, HERE);
++	  return false;
+ }
+ 
+ /// creates a data channel Comm close callback
+diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
+index eb5ea1b..e92c007 100644
+--- a/src/clients/FtpClient.h
++++ b/src/clients/FtpClient.h
+@@ -137,7 +137,7 @@ public:
+     bool sendPort();
+     bool sendPassive();
+     void connectDataChannel();
+-    bool openListenSocket();
++    virtual bool openListenSocket();
+     void switchTimeoutToDataChannel();
+ 
+     CtrlChannel ctrl; ///< FTP control channel state
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index 05db817..2989cd2 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -86,6 +86,13 @@ struct GatewayFlags {
+ class Gateway;
+ typedef void (StateMethod)(Ftp::Gateway *);
+ 
++} // namespace FTP
++
++static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
++
++namespace Ftp
++{
++
+ /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
+ /// converts it into one or more FTP commands, and then
+ /// converts one or more FTP responses into the final HTTP response.
+@@ -136,7 +143,11 @@ public:
+ 
+     /// create a data channel acceptor and start listening.
+     void listenForDataChannel(const Comm::ConnectionPointer &conn);
+-
++    virtual bool openListenSocket() {
++    		debugs(9, 3, HERE);
++				ftpOpenListenSocket(this, 0);
++        return Comm::IsConnOpen(data.conn);
++		}
+     int checkAuth(const HttpHeader * req_hdr);
+     void checkUrlpath();
+     void buildTitleUrl();
+@@ -1786,6 +1797,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
+     }
+ 
+     ftpState->listenForDataChannel(temp);
++    ftpState->data.listenConn = temp;
+ }
+ 
+ static void
+@@ -1821,13 +1833,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
+     // pull out the internal IP address bytes to send in PORT command...
+     // source them from the listen_conn->local
+ 
++    struct sockaddr_in addr;
++    socklen_t addrlen = sizeof(addr);
++    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++    unsigned char port_high = ntohs(addr.sin_port) >> 8;
++    unsigned char port_low  = ntohs(addr.sin_port) & 0xff;
++
+     struct addrinfo *AI = NULL;
+     ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
+     unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
+-    unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
++    // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
+     snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
+              addrptr[0], addrptr[1], addrptr[2], addrptr[3],
+-             portptr[0], portptr[1]);
++             port_high, port_low);
+     ftpState->writeCommand(cbuf);
+     ftpState->state = Ftp::Client::SENT_PORT;
+ 
+@@ -1880,14 +1898,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
+         return;
+     }
+ 
++
++    unsigned int port;
++    struct sockaddr_storage addr;
++    socklen_t addrlen = sizeof(addr);
++    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++    if (addr.ss_family == AF_INET) {
++        struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
++        port = ntohs( addr4->sin_port );
++    } else {
++        struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
++        port = ntohs( addr6->sin6_port );
++    }
++
+     char buf[MAX_IPSTRLEN];
+ 
+     /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
+     /* Which can be used by EITHER protocol. */
+-    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
++    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
+              ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
+              ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
+-             ftpState->data.listenConn->local.port() );
++             port);
+ 
+     ftpState->writeCommand(cbuf);
+     ftpState->state = Ftp::Client::SENT_EPRT;
+@@ -1906,7 +1937,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
+         ftpSendPORT(ftpState);
+         return;
+     }
+-
++    ftpState->ctrl.message = NULL;
+     ftpRestOrList(ftpState);
+ }
+ 

squid-5.0.6-openssl3.patch

@@ -0,0 +1,185 @@
+diff --git a/src/ssl/support.cc b/src/ssl/support.cc
+index 3ad135d..73912ce 100644
+--- a/src/ssl/support.cc
++++ b/src/ssl/support.cc
+@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
+ }
+ 
+ // "dup" function for SSL_get_ex_new_index("cert_err_check")
+-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
++#if OPENSSL_VERSION_MAJOR >= 3
++static int
++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
++                    int, long, void *)
++#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
+ static int
+ ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
+                     int, long, void *)
+diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
+index cf1d4ba..4346ba5 100644
+--- a/src/security/PeerOptions.cc
++++ b/src/security/PeerOptions.cc
+@@ -297,130 +297,130 @@ static struct ssl_option {
+ 
+ } ssl_options[] = {
+ 
+-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
++#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+     {
+         "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+     },
+ #endif
+-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
++#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+     {
+         "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+     },
+ #endif
+-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
++#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+     {
+         "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+     },
+ #endif
+-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
++#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+     {
+         "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+     },
+ #endif
+-#if SSL_OP_TLS_D5_BUG
++#ifdef SSL_OP_TLS_D5_BUG
+     {
+         "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
+     },
+ #endif
+-#if SSL_OP_TLS_BLOCK_PADDING_BUG
++#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
+     {
+         "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
+     },
+ #endif
+-#if SSL_OP_TLS_ROLLBACK_BUG
++#ifdef SSL_OP_TLS_ROLLBACK_BUG
+     {
+         "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
+     },
+ #endif
+-#if SSL_OP_ALL
++#ifdef SSL_OP_ALL
+     {
+         "ALL", (long)SSL_OP_ALL
+     },
+ #endif
+-#if SSL_OP_SINGLE_DH_USE
++#ifdef SSL_OP_SINGLE_DH_USE
+     {
+         "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
+     },
+ #endif
+-#if SSL_OP_EPHEMERAL_RSA
++#ifdef SSL_OP_EPHEMERAL_RSA
+     {
+         "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
+     },
+ #endif
+-#if SSL_OP_PKCS1_CHECK_1
++#ifdef SSL_OP_PKCS1_CHECK_1
+     {
+         "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
+     },
+ #endif
+-#if SSL_OP_PKCS1_CHECK_2
++#ifdef SSL_OP_PKCS1_CHECK_2
+     {
+         "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
+     },
+ #endif
+-#if SSL_OP_NETSCAPE_CA_DN_BUG
++#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
+     {
+         "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
+     },
+ #endif
+-#if SSL_OP_NON_EXPORT_FIRST
++#ifdef SSL_OP_NON_EXPORT_FIRST
+     {
+         "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
+     },
+ #endif
+-#if SSL_OP_CIPHER_SERVER_PREFERENCE
++#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+     {
+         "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
+     },
+ #endif
+-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
++#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+     {
+         "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+     },
+ #endif
+-#if SSL_OP_NO_SSLv3
++#ifdef SSL_OP_NO_SSLv3
+     {
+         "NO_SSLv3", SSL_OP_NO_SSLv3
+     },
+ #endif
+-#if SSL_OP_NO_TLSv1
++#ifdef SSL_OP_NO_TLSv1
+     {
+         "NO_TLSv1", SSL_OP_NO_TLSv1
+     },
+ #else
+     { "NO_TLSv1", 0 },
+ #endif
+-#if SSL_OP_NO_TLSv1_1
++#ifdef SSL_OP_NO_TLSv1_1
+     {
+         "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
+     },
+ #else
+     { "NO_TLSv1_1", 0 },
+ #endif
+-#if SSL_OP_NO_TLSv1_2
++#ifdef SSL_OP_NO_TLSv1_2
+     {
+         "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
+     },
+ #else
+     { "NO_TLSv1_2", 0 },
+ #endif
+-#if SSL_OP_NO_TLSv1_3
++#ifdef SSL_OP_NO_TLSv1_3
+     {
+         "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
+     },
+ #else
+     { "NO_TLSv1_3", 0 },
+ #endif
+-#if SSL_OP_NO_COMPRESSION
++#ifdef SSL_OP_NO_COMPRESSION
+     {
+         "No_Compression", SSL_OP_NO_COMPRESSION
+     },
+ #endif
+-#if SSL_OP_NO_TICKET
++#ifdef SSL_OP_NO_TICKET
+     {
+         "NO_TICKET", SSL_OP_NO_TICKET
+     },
+ #endif
+-#if SSL_OP_SINGLE_ECDH_USE
++#ifdef SSL_OP_SINGLE_ECDH_USE
+     {
+         "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
+     },
+@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
+ 
+     }
+ 
+-#if SSL_OP_NO_SSLv2
++#ifdef SSL_OP_NO_SSLv2
+     // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
+     op = op | SSL_OP_NO_SSLv2;
+ #endif

squid-5.1-test-store-cppsuite.patch

@@ -0,0 +1,24 @@
+diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
+index 0564380..fcd60b9 100644
+--- a/src/tests/testStoreHashIndex.cc
++++ b/src/tests/testStoreHashIndex.cc
+@@ -102,6 +102,8 @@ void commonInit()
+     if (inited)
+         return;
+ 
++    inited = true;
++
+     Mem::Init();
+ 
+     Config.Store.avgObjectSize = 1024;
+@@ -109,6 +111,10 @@ void commonInit()
+     Config.Store.objectsPerBucket = 20;
+ 
+     Config.Store.maxObjectSize = 2048;
++
++    Config.memShared.defaultTo(false);
++
++    Config.store_dir_select_algorithm = xstrdup("round-robin");
+ }
+ 
+ /* TODO make this a cbdata class */

squid-5.5-CVE-2021-46784.patch

@@ -0,0 +1,120 @@
+diff --git a/src/gopher.cc b/src/gopher.cc
+index 576a3f7..2645b6b 100644
+--- a/src/gopher.cc
++++ b/src/gopher.cc
+@@ -364,7 +364,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+     char *lpos = NULL;
+     char *tline = NULL;
+     LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
+-    LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
+     char *name = NULL;
+     char *selector = NULL;
+     char *host = NULL;
+@@ -374,7 +373,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+     char gtype;
+     StoreEntry *entry = NULL;
+ 
+-    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+     memset(line, '\0', TEMP_BUF_SIZE);
+ 
+     entry = gopherState->entry;
+@@ -409,7 +407,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+         return;
+     }
+ 
+-    String outbuf;
++    SBuf outbuf;
+ 
+     if (!gopherState->HTML_header_added) {
+         if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
+@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+                         break;
+                     }
+ 
+-                    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+-
+                     if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
+                         if (strlen(escaped_selector) != 0)
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
+-                                     icon_url, escaped_selector, rfc1738_escape_part(host),
+-                                     *port ? ":" : "", port, html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
++                                           icon_url, escaped_selector, rfc1738_escape_part(host),
++                                           *port ? ":" : "", port, html_quote(name));
+                         else
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
+-                                     icon_url, rfc1738_escape_part(host), *port ? ":" : "",
+-                                     port, html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
++                                           icon_url, rfc1738_escape_part(host), *port ? ":" : "",
++                                           port, html_quote(name));
+ 
+                     } else if (gtype == GOPHER_INFO) {
+-                        snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
++                        outbuf.appendf("\t%s\n", html_quote(name));
+                     } else {
+                         if (strncmp(selector, "GET /", 5) == 0) {
+                             /* WWW link */
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
+-                                     icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
++                                           icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++                        } else if (gtype == GOPHER_WWW) {
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++                                           icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
+                         } else {
+                             /* Standard link */
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
+-                                     icon_url, host, gtype, escaped_selector, html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++                                           icon_url, host, gtype, escaped_selector, html_quote(name));
+                         }
+                     }
+ 
+                     safe_free(escaped_selector);
+-                    outbuf.append(tmpbuf);
+                 } else {
+                     memset(line, '\0', TEMP_BUF_SIZE);
+                     continue;
+@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+                     break;
+ 
+                 if (gopherState->cso_recno != recno) {
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
++                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
+                     gopherState->cso_recno = recno;
+                 } else {
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
++                    outbuf.appendf("%s\n", html_quote(result));
+                 }
+ 
+-                outbuf.append(tmpbuf);
+                 break;
+             } else {
+                 int code;
+@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+                 case 502: { /* Too Many Matches */
+                     /* Print the message the server returns */
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+-                    outbuf.append(tmpbuf);
++                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+                     break;
+                 }
+ 
+@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+     }               /* while loop */
+ 
+-    if (outbuf.size() > 0) {
+-        entry->append(outbuf.rawBuf(), outbuf.size());
++    if (outbuf.length() > 0) {
++        entry->append(outbuf.rawContent(), outbuf.length());
+         /* now let start sending stuff to client */
+         entry->flush();
+     }
+ 
+-    outbuf.clean();
+     return;
+ }
+ 

squid.spec

@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  4.15
-Release:  6%{?dist}
+Release:  7%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -38,6 +38,8 @@ Patch206: squid-4.11-active-ftp.patch
 Patch208: squid-4.11-convert-ipv4.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2006121
 Patch209: squid-4.15-ftp-filename-extraction.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2076717
+Patch210: squid-4.15-halfclosed.patch
 
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1941506
@@ -107,6 +109,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch206 -p1 -b .active-ftp
 %patch208 -p1 -b .convert-ipv4
 %patch209 -p1 -b .ftp-fn-extraction
+%patch210 -p1 -b .halfclosed
 
 # Security patches
 %patch300 -p1 -b .CVE-2021-28116
@@ -328,6 +331,9 @@ fi
 
 
 %changelog
+* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
+- Resolves: #2076717 - Crash with half_closed_client on
+
 * Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
 - Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
   flag to sockets created for outgoing connections in the squid source code.