46 changed files with 700 additions and 8230 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/squid-4.15.tar.xz
 /squid-4.15.tar.xz
--- a/.squid.metadata
+++ b/.squid.metadata
@ -1 +0,0 @@
 60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz
--- a/SOURCES/squid-4.15-CVE-2023-46724.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46724.patch
@ -1,24 +0,0 @@
 diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
 index 20b9bf1..81ebb18 100644
 --- a/src/anyp/Uri.cc
 +++ b/src/anyp/Uri.cc
@@ -173,6 +173,10 @@ urlInitialize(void)
     assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
     assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
 +    assert(0 != matchDomainName("foo.com", ""));
 +    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
 +    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
 +
     /* more cases? */
 }
@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
         return -1;
     dl = strlen(d);
 +    if (dl == 0)
 +        return 1;
     /*
      * Start at the ends of the two strings and work towards the
--- a/SOURCES/squid-4.15-CVE-2023-46728.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46728.patch
--- a/SOURCES/squid-4.15-CVE-2023-46846.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46846.patch
--- a/SOURCES/squid-4.15-CVE-2023-46847.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46847.patch
@ -1,23 +0,0 @@
 diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
 index 6a9736f..0a883fa 100644
 --- a/src/auth/digest/Config.cc
 +++ b/src/auth/digest/Config.cc
@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
             break;
         case DIGEST_NC:
 -            if (value.size() != 8) {
 +            if (value.size() == 8) {
 +                // for historical reasons, the nc value MUST be exactly 8 bytes
 +                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
 +                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
 +                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
 +            } else {
                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
 +                digest_request->nc[0] = 0;
             }
 -            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
 -            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
             break;
         case DIGEST_CNONCE:
--- a/SOURCES/squid-4.15-CVE-2023-49285.patch
+++ b/SOURCES/squid-4.15-CVE-2023-49285.patch
@ -1,30 +0,0 @@
 commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
 Author: Alex Rousskov <rousskov@measurement-factory.com>
 Date:   Wed Oct 25 19:41:45 2023 +0000
    RFC 1123: Fix date parsing (#1538)
    The bug was discovered and detailed by Joshua Rogers at
    https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
    where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
    Handling".
 diff --git a/lib/rfc1123.c b/lib/rfc1123.c
 index e5bf9a4d7..cb484cc00 100644
 --- a/lib/rfc1123.c
 +++ b/lib/rfc1123.c
@@ -50,7 +50,13 @@ make_month(const char *s)
     char month[3];
     month[0] = xtoupper(*s);
 +    if (!month[0])
 +        return -1; // protects *(s + 1) below
 +
     month[1] = xtolower(*(s + 1));
 +    if (!month[1])
 +        return -1; // protects *(s + 2) below
 +
     month[2] = xtolower(*(s + 2));
     for (i = 0; i < 12; i++)
--- a/SOURCES/squid-4.15-CVE-2023-49286.patch
+++ b/SOURCES/squid-4.15-CVE-2023-49286.patch
@ -1,62 +0,0 @@
 diff --git a/src/ipc.cc b/src/ipc.cc
 index 42e11e6..a68e623 100644
 --- a/src/ipc.cc
 +++ b/src/ipc.cc
@@ -19,6 +19,11 @@
 #include "SquidConfig.h"
 #include "SquidIpc.h"
 #include "tools.h"
 +#include <cstdlib>
 +
 +#if HAVE_UNISTD_H
 +#include <unistd.h>
 +#endif
 static const char *hello_string = "hi there\n";
 #ifndef HELLO_BUF_SZ
@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
     }
     PutEnvironment();
 +
 +    // A dup(2) wrapper that reports and exits the process on errors. The
 +    // exiting logic is only suitable for this child process context.
 +    const auto dupOrExit = [prog,name](const int oldFd) {
 +        const auto newFd = dup(oldFd);
 +        if (newFd < 0) {
 +            const auto savedErrno = errno;
 +            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
 +                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
 +                   Debug::Extra << "helper program name: " << prog <<
 +                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
 +            _exit(EXIT_FAILURE);
 +        }
 +        return newFd;
 +    };
 +
     /*
      * This double-dup stuff avoids problems when one of
      *  crfd, cwfd, or debug_log are in the rage 0-2.
@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
     do {
         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
 -        x = dup(crfd);
 -        assert(x > -1);
 -    } while (x < 3 && x > -1);
 +        x = dupOrExit(crfd);
 +    } while (x < 3);
     close(x);
 -    t1 = dup(crfd);
 +    t1 = dupOrExit(crfd);
 -    t2 = dup(cwfd);
 +    t2 = dupOrExit(cwfd);
 -    t3 = dup(fileno(debug_log));
 +    t3 = dupOrExit(fileno(debug_log));
     assert(t1 > 2 && t2 > 2 && t3 > 2);
--- a/SOURCES/squid-4.15-CVE-2023-50269.patch
+++ b/SOURCES/squid-4.15-CVE-2023-50269.patch
@ -1,50 +0,0 @@
 diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
 index fe2edf6..47aa935 100644
 --- a/src/ClientRequestContext.h
 +++ b/src/ClientRequestContext.h
@@ -81,6 +81,10 @@ public:
 #endif
     ErrorState *error; ///< saved error page for centralized/delayed processing
     bool readNextRequest; ///< whether Squid should read after error handling
 +
 +#if FOLLOW_X_FORWARDED_FOR
 +    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
 +#endif
 };
 #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
 diff --git a/src/client_side_request.cc b/src/client_side_request.cc
 index 1c6ff62..b758f6f 100644
 --- a/src/client_side_request.cc
 +++ b/src/client_side_request.cc
@@ -78,6 +78,11 @@
 static const char *const crlf = "\r\n";
 #if FOLLOW_X_FORWARDED_FOR
 +
 +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
 +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
 +#endif
 +
 static void clientFollowXForwardedForCheck(allow_t answer, void *data);
 #endif /* FOLLOW_X_FORWARDED_FOR */
@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
             }
 -            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 -            return;
 +            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
 +                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 +                return;
 +            }
 +            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
 +            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
 +                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
 +                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
 +                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
 +            // fall through to resume clientAccessCheck() processing
         }
     }
--- a/SOURCES/squid-4.15-CVE-2023-5824.patch
+++ b/SOURCES/squid-4.15-CVE-2023-5824.patch
--- a/SOURCES/squid-4.15-CVE-2024-25111.patch
+++ b/SOURCES/squid-4.15-CVE-2024-25111.patch
@ -1,193 +0,0 @@
 diff --git a/src/http.cc b/src/http.cc
 index b006300..023e411 100644
 --- a/src/http.cc
 +++ b/src/http.cc
@@ -52,6 +52,7 @@
 #include "rfc1738.h"
 #include "SquidConfig.h"
 #include "SquidTime.h"
 +#include "SquidMath.h"
 #include "StatCounters.h"
 #include "Store.h"
 #include "StrList.h"
@@ -1150,18 +1151,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
      * Plus, it breaks our lame *HalfClosed() detection
      */
 -    Must(maybeMakeSpaceAvailable(true));
 -    CommIoCbParams rd(this); // will be expanded with ReadNow results
 -    rd.conn = io.conn;
 -    rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
 +    size_t moreDataPermission = 0;
 +    if ((!canBufferMoreReplyBytes(&moreDataPermission) || !moreDataPermission)) {
 +        abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
 +        return;
 +    }
 +
 +    const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission);
 +    // TODO: Move this logic inside maybeMakeSpaceAvailable():
 +    const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
 -    if (rd.size <= 0) {
 +    if (readSizeWanted <= 0) {
         assert(entry->mem_obj);
         AsyncCall::Pointer nilCall;
         entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
         return;
     }
 +    CommIoCbParams rd(this); // will be expanded with ReadNow results
 +    rd.conn = io.conn;
 +    rd.size = readSizeWanted;
     switch (Comm::ReadNow(rd, inBuf)) {
     case Comm::INPROGRESS:
         if (inBuf.isEmpty())
@@ -1520,8 +1529,11 @@ HttpStateData::maybeReadVirginBody()
     if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
         return;
 -    if (!maybeMakeSpaceAvailable(false))
 +    size_t moreDataPermission = 0;
 +    if ((!canBufferMoreReplyBytes(&moreDataPermission)) || !moreDataPermission) {
 +        abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
         return;
 +    }
     // XXX: get rid of the do_next_read flag
     // check for the proper reasons preventing read(2)
@@ -1539,40 +1551,79 @@ HttpStateData::maybeReadVirginBody()
     Comm::Read(serverConnection, call);
 }
 +/// Desired inBuf capacity based on various capacity preferences/limits:
 +/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
 +/// * a smaller buffer may result in inefficient tiny network reads;
 +/// * a bigger buffer may waste memory;
 +/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
 +size_t
 +HttpStateData::calcReadBufferCapacityLimit() const
 +{
 +    if (!flags.headers_parsed)
 +        return Config.maxReplyHeaderSize;
 +
 +    // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
 +    // Config.readAheadGap like this creates huge read buffers for large
 +    // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
 +    // primary read buffer capacity factor.
 +    //
 +    // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
 +    // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
 +    const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).second ? NaturalSum<size_t>(Config.readAheadGap).first : SBuf::maxSize;
 +
 +    // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
 +    // (when explicit configurationPreferences are set too low).
 +
 +    return std::min<size_t>(configurationPreferences, SBuf::maxSize);
 +}
 +
 +/// The maximum number of virgin reply bytes we may buffer before we violate
 +/// the currently configured response buffering limits.
 +/// \retval std::nullopt means that no more virgin response bytes can be read
 +/// \retval 0 means that more virgin response bytes may be read later
 +/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
 bool
 -HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
 +HttpStateData::canBufferMoreReplyBytes(size_t *maxReadSize) const
 {
 -    // how much we are allowed to buffer
 -    const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
 -
 -    if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
 -        // when buffer is at or over limit already
 -        debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 -        debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
 -        // Process next response from buffer
 -        processReply();
 -        return false;
 +#if USE_ADAPTATION
 +    // If we do not check this now, we may say the final "no" prematurely below
 +    // because inBuf.length() will decrease as adaptation drains buffered bytes.
 +    if (responseBodyBuffer) {
 +        debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
 +        *maxReadSize = 0; // yes, we may be able to buffer more (but later)
 +        return true;
 +    }
 +#endif
 +
 +    const auto maxCapacity = calcReadBufferCapacityLimit();
 +    if (inBuf.length() >= maxCapacity) {
 +        debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
 +        return false; // no, configuration prohibits buffering more
     }
 +    *maxReadSize = (maxCapacity - inBuf.length()); // positive
 +    debugs(11, 7, "yes, may read up to " << *maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
 +    return true; // yes, can read up to this many bytes (subject to other constraints)
 +}
 +
 +/// prepare read buffer for reading
 +/// \return the maximum number of bytes the caller should attempt to read
 +/// \retval 0 means that the caller should delay reading
 +size_t
 +HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
 +{
     // how much we want to read
 -    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
 +    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
 -    if (!read_size) {
 +    if (read_size < 2) {
         debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 -        return false;
 +        return 0;
     }
 -    // just report whether we could grow or not, do not actually do it
 -    if (doGrow)
 -        return (read_size >= 2);
 -
     // we may need to grow the buffer
     inBuf.reserveSpace(read_size);
 -    debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
 -           " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
 -           ") from " << serverConnection);
 -
 -    return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
 +    debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 +    return read_size;
 }
 /// called after writing the very last request byte (body, last-chunk, etc)
 diff --git a/src/http.h b/src/http.h
 index 8965b77..007d2e6 100644
 --- a/src/http.h
 +++ b/src/http.h
@@ -15,6 +15,8 @@
 #include "http/StateFlags.h"
 #include "sbuf/SBuf.h"
 +#include <optional>
 +
 class FwdState;
 class HttpHeader;
@@ -107,16 +109,9 @@ private:
     void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
 -    /**
 -     * determine if read buffer can have space made available
 -     * for a read.
 -     *
 -     * \param grow  whether to actually expand the buffer
 -     *
 -     * \return whether the buffer can be grown to provide space
 -     *         regardless of whether the grow actually happened.
 -     */
 -    bool maybeMakeSpaceAvailable(bool grow);
 +    size_t calcReadBufferCapacityLimit() const;
 +    bool canBufferMoreReplyBytes(size_t *maxReadSize) const;
 +    size_t maybeMakeSpaceAvailable(size_t maxReadSize);
     // consuming request body
     virtual void handleMoreRequestBodyAvailable();
--- a/SOURCES/squid-4.15-CVE-2024-25617.patch
+++ b/SOURCES/squid-4.15-CVE-2024-25617.patch
@ -1,105 +0,0 @@
 diff --git a/src/SquidString.h b/src/SquidString.h
 index a791885..b9aef38 100644
 --- a/src/SquidString.h
 +++ b/src/SquidString.h
@@ -114,7 +114,16 @@ private:
     size_type len_;  /* current length  */
 -    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
 +    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
 +    /// (a) we do not know where those buffers are (or whether they still exist)
 +    /// (b) too many String users unknowingly exceeded that limit and asserted.
 +    /// We are now using a larger limit to reduce the number of (b) cases,
 +    /// especially cases where "compact" lists of items grow 50% in size when we
 +    /// convert them to canonical form. The new limit is selected to withstand
 +    /// concatenation and ~50% expansion of two HTTP headers limited by default
 +    /// request_header_max_size and reply_header_max_size settings.
 +    static const size_type SizeMax_ = 3*64*1024 - 1;
 +
     /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
     static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
 diff --git a/src/cache_cf.cc b/src/cache_cf.cc
 index a9c1b7e..46f07bb 100644
 --- a/src/cache_cf.cc
 +++ b/src/cache_cf.cc
@@ -935,6 +935,18 @@ configDoConfigure(void)
                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
     }
 +    // Warn about the dangers of exceeding String limits when manipulating HTTP
 +    // headers. Technically, we do not concatenate _requests_, so we could relax
 +    // their check, but we keep the two checks the same for simplicity sake.
 +    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
 +    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
 +    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
 +        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
 +    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
 +        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
 +
     /*
      * Disable client side request pipelining if client_persistent_connections OFF.
      * Waste of resources queueing any pipelined requests when the first will close the connection.
 diff --git a/src/cf.data.pre b/src/cf.data.pre
 index bc2ddcd..d55b870 100644
 --- a/src/cf.data.pre
 +++ b/src/cf.data.pre
@@ -6196,11 +6196,14 @@ TYPE: b_size_t
 DEFAULT: 64 KB
 LOC: Config.maxRequestHeaderSize
 DOC_START
 -	This specifies the maximum size for HTTP headers in a request.
 -	Request headers are usually relatively small (about 512 bytes).
 -	Placing a limit on the request header size will catch certain
 -	bugs (for example with persistent connections) and possibly
 -	buffer-overflow or denial-of-service attacks.
 +	This directives limits the header size of a received HTTP request
 +	(including request-line). Increasing this limit beyond its 64 KB default
 +	exposes certain old Squid code to various denial-of-service attacks. This
 +	limit also applies to received FTP commands.
 +
 +	This limit has no direct affect on Squid memory consumption.
 +
 +	Squid does not check this limit when sending requests.
 DOC_END
 NAME: reply_header_max_size
@@ -6209,11 +6212,14 @@ TYPE: b_size_t
 DEFAULT: 64 KB
 LOC: Config.maxReplyHeaderSize
 DOC_START
 -	This specifies the maximum size for HTTP headers in a reply.
 -	Reply headers are usually relatively small (about 512 bytes).
 -	Placing a limit on the reply header size will catch certain
 -	bugs (for example with persistent connections) and possibly
 -	buffer-overflow or denial-of-service attacks.
 +	This directives limits the header size of a received HTTP response
 +	(including status-line). Increasing this limit beyond its 64 KB default
 +	exposes certain old Squid code to various denial-of-service attacks. This
 +	limit also applies to FTP command responses.
 +
 +	Squid also checks this limit when loading hit responses from disk cache.
 +
 +	Squid does not check this limit when sending responses.
 DOC_END
 NAME: request_body_max_size
 diff --git a/src/http.cc b/src/http.cc
 index 877172d..b006300 100644
 --- a/src/http.cc
 +++ b/src/http.cc
@@ -1820,8 +1820,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
 -        // if we cannot double strFwd size, then it grew past 50% of the limit
 -        if (!strFwd.canGrowBy(strFwd.size())) {
 +        // Detect unreasonably long header values. And paranoidly check String
 +        // limits: a String ought to accommodate two reasonable-length values.
 +        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
             // There is probably a forwarding loop with Via detection disabled.
             // If we do nothing, String will assert on overflow soon.
             // TODO: Terminate all transactions with huge XFF?
--- a/SOURCES/squid-4.15-ignore-wsp-after-chunk-size.patch
+++ b/SOURCES/squid-4.15-ignore-wsp-after-chunk-size.patch
@ -1,367 +0,0 @@
 From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Thu, 10 Oct 2024 19:26:27 +0200
 Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size
 Previously (before #1498 change), squid was accepting TE-chunked replies
 with whitespaces after chunk-size and missing chunk-ext data. After
 It turned out that replies with such whitespace chars are pretty
 common and other webservers which can act as forward proxies (e.g.
 nginx, httpd...) are accepting them.
 This change will allow to proxy chunked responses from origin server,
 which had whitespaces inbetween chunk-size and CRLF.
 ---
 src/http/one/TeChunkedParser.cc | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 9cce10fdc91..04753395e16 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 +        tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size
         parseChunkExtensions(tok); // a possibly empty chunk-ext list
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
 From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Fri, 11 Oct 2024 02:06:31 +0200
 Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws()
 Depending on new wsp_only argument in ParseBws() it will be decided
 which set of whitespaces characters will be parsed. If wsp_only is set
 to true, only SP and HTAB chars will be parsed.
 Also optimized number of ParseBws calls.
 ---
 src/http/one/Parser.cc          |  4 ++--
 src/http/one/Parser.h           |  3 ++-
 src/http/one/TeChunkedParser.cc | 13 +++++++++----
 src/http/one/TeChunkedParser.h  |  2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index b1908316a0b..01d7e3bc0e8 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -273,9 +273,9 @@ Http::One::ErrorLevel()
 // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule
 void
 -Http::One::ParseBws(Parser::Tokenizer &tok)
 +Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 {
 -    const auto count = tok.skipAll(Parser::WhitespaceCharacters());
 +    const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters());
     if (tok.atEnd())
         throw InsufficientInput(); // even if count is positive
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index d9a0ac8c273..08200371cd6 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -163,8 +163,9 @@ class Parser : public RefCountable
 };
 /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace)
 +/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars
 /// \throws InsufficientInput when the end of BWS cannot be confirmed
 -void ParseBws(Parser::Tokenizer &);
 +void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 /// the right debugs() level for logging HTTP violation messages
 int ErrorLevel();
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 04753395e16..41e1e5ddaea 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 -        tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size
 -        parseChunkExtensions(tok); // a possibly empty chunk-ext list
 +        // A possibly empty chunk-ext list. If no chunk-ext has been found,
 +        // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF".
 +        if (!parseChunkExtensions(tok))
 +            ParseBws(tok, true);
 +
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
         parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 /// Parses the chunk-ext list (RFC 9112 section 7.1.1:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 -void
 +bool
 Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 {
 +    bool foundChunkExt = false;
     do {
         auto tok = callerTok;
         ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
         if (!tok.skip(';'))
 -            return; // reached the end of extensions (if any)
 +            return foundChunkExt; // reached the end of extensions (if any)
         parseOneChunkExtension(tok);
         buf_ = tok.remaining(); // got one extension
         callerTok = tok;
 +        foundChunkExt = true;
     } while (true);
 }
 diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h
 index 02eacd1bb89..8c5d4bb4cba 100644
 --- a/src/http/one/TeChunkedParser.h
 +++ b/src/http/one/TeChunkedParser.h
@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser
 private:
     bool parseChunkSize(Tokenizer &tok);
     bool parseChunkMetadataSuffix(Tokenizer &);
 -    void parseChunkExtensions(Tokenizer &);
 +    bool parseChunkExtensions(Tokenizer &);
     void parseOneChunkExtension(Tokenizer &);
     bool parseChunkBody(Tokenizer &tok);
     bool parseChunkEnd(Tokenizer &tok);
 From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Fri, 11 Oct 2024 02:44:33 +0200
 Subject: [PATCH 3/6] Fix typo in Parser.h
 ---
 src/http/one/Parser.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index 08200371cd6..3ef4c5f7752 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -163,7 +163,7 @@ class Parser : public RefCountable
 };
 /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace)
 -/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars
 +/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars
 /// \throws InsufficientInput when the end of BWS cannot be confirmed
 void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 10 Oct 2024 22:39:42 -0400
 Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492!
 Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_
 spaces after chunk-size, which answers one of the PR review questions:
 Should we skip just one space? No, we should not.
 The lines moved around in many commits, but I believe this regression
 was introduced in commit 951013d0 because that commit stopped consuming
 partially parsed chunk-ext sequences. That consumption was wrong, but it
 had a positive side effect -- fixing Bug 4492...
 ---
 src/http/one/TeChunkedParser.cc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 41e1e5ddaea..aa4a840fdcf 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 -        // A possibly empty chunk-ext list. If no chunk-ext has been found,
 -        // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF".
 -        if (!parseChunkExtensions(tok))
 -            ParseBws(tok, true);
 +        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 +        ParseBws(tok, true);
 +
 +        parseChunkExtensions(tok);
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
     do {
         auto tok = callerTok;
 -        ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 +        ParseBws(tok);
         if (!tok.skip(';'))
             return foundChunkExt; // reached the end of extensions (if any)
 From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 10 Oct 2024 23:06:42 -0400
 Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling
 ... to draw code reader attention when something unusual is going on.
 ---
 src/http/one/Parser.cc          | 22 ++++++++++++++++++----
 src/http/one/Parser.h           | 10 ++++++++--
 src/http/one/TeChunkedParser.cc | 14 ++++++--------
 src/http/one/TeChunkedParser.h  |  2 +-
 4 files changed, 33 insertions(+), 15 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index 01d7e3bc0e8..d3937e5e96b 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -271,11 +271,12 @@ Http::One::ErrorLevel()
     return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5;
 }
 -// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule
 -void
 -Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 +/// common part of ParseBws() and ParseStrctBws()
 +namespace Http::One {
 +static void
 +ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars)
 {
 -    const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters());
 +    const auto count = tok.skipAll(bwsChars);
     if (tok.atEnd())
         throw InsufficientInput(); // even if count is positive
@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
     // success: no more BWS characters expected
 }
 +} // namespace Http::One
 +
 +void
 +Http::One::ParseBws(Parser::Tokenizer &tok)
 +{
 +    ParseBws_(tok, CharacterSet::WSP);
 +}
 +
 +void
 +Http::One::ParseStrictBws(Parser::Tokenizer &tok)
 +{
 +    ParseBws_(tok, Parser::WhitespaceCharacters());
 +}
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index 3ef4c5f7752..49e399de546 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -163,9 +163,15 @@ class Parser : public RefCountable
 };
 /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace)
 -/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars
 /// \throws InsufficientInput when the end of BWS cannot be confirmed
 -void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 +/// \sa WhitespaceCharacters() for the definition of BWS characters
 +/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties
 +void ParseBws(Parser::Tokenizer &);
 +
 +/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation
 +/// must be used if the next element may start with CR or any other character
 +/// from RelaxedDelimiterCharacters().
 +void ParseStrictBws(Parser::Tokenizer &);
 /// the right debugs() level for logging HTTP violation messages
 int ErrorLevel();
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index aa4a840fdcf..859471b8c77 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 -        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 -        ParseBws(tok, true);
 -
 -        parseChunkExtensions(tok);
 +        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size.
 +        // No ParseBws() here because it may consume CR required further below.
 +        ParseStrictBws(tok);
 +        parseChunkExtensions(tok); // a possibly empty chunk-ext list
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
         parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 /// Parses the chunk-ext list (RFC 9112 section 7.1.1:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 -bool
 +void
 Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 {
 -    bool foundChunkExt = false;
     do {
         auto tok = callerTok;
         ParseBws(tok);
         if (!tok.skip(';'))
 -            return foundChunkExt; // reached the end of extensions (if any)
 +            return; // reached the end of extensions (if any)
         parseOneChunkExtension(tok);
         buf_ = tok.remaining(); // got one extension
         callerTok = tok;
 -        foundChunkExt = true;
     } while (true);
 }
 diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h
 index 8c5d4bb4cba..02eacd1bb89 100644
 --- a/src/http/one/TeChunkedParser.h
 +++ b/src/http/one/TeChunkedParser.h
@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser
 private:
     bool parseChunkSize(Tokenizer &tok);
     bool parseChunkMetadataSuffix(Tokenizer &);
 -    bool parseChunkExtensions(Tokenizer &);
 +    void parseChunkExtensions(Tokenizer &);
     void parseOneChunkExtension(Tokenizer &);
     bool parseChunkBody(Tokenizer &tok);
     bool parseChunkEnd(Tokenizer &tok);
 From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 10 Oct 2024 23:31:08 -0400
 Subject: [PATCH 6/6] fixup: Deadly typo
 ---
 src/http/one/Parser.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index d3937e5e96b..7403a9163a2 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars)
 void
 Http::One::ParseBws(Parser::Tokenizer &tok)
 {
 -    ParseBws_(tok, CharacterSet::WSP);
 +    ParseBws_(tok, Parser::WhitespaceCharacters());
 }
 void
 Http::One::ParseStrictBws(Parser::Tokenizer &tok)
 {
 -    ParseBws_(tok, Parser::WhitespaceCharacters());
 +    ParseBws_(tok, CharacterSet::WSP);
 }
--- a/SOURCES/cache_swap.sh
+++ b/SOURCES/cache_swap.sh
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,9 @@
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
--- a/SOURCES/perl-requires-squid.sh
+++ b/SOURCES/perl-requires-squid.sh
--- a/1
+++ b/1
@ -0,0 +1 @@
 SHA512 (squid-4.15.tar.xz) = 8f0ce6e30dd9173927e8133618211ffb865fb5dde4c63c2fb465e2efccda4a6efb33f2c0846870c9b915340aff5f59461a60171882bcc0c890336b846fe60bd1
--- a/squid-3.0.STABLE1-perlpath.patch
+++ b/squid-3.0.STABLE1-perlpath.patch
@ -0,0 +1,10 @@
 diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
 index 4cb0480..4b89910 100755
 --- a/contrib/url-normalizer.pl
 +++ b/contrib/url-normalizer.pl
@@ -1,4 +1,4 @@
 -#!/usr/local/bin/perl -Tw
 +#!/usr/bin/perl -Tw
 #
 # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
 # *
--- a/squid-3.1.0.9-location.patch
+++ b/squid-3.1.0.9-location.patch
@ -0,0 +1,32 @@
 diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
 --- squid-3.1.0.9/QUICKSTART.location	2009-06-26 12:35:27.000000000 +0200
 +++ squid-3.1.0.9/QUICKSTART	2009-07-17 14:03:10.000000000 +0200
@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
 INSTALL in the same directory), you have to configure the squid.conf
 file. This is the list of the values you *need* to change, because no
 sensible defaults could be defined. Do not touch the other variables
 -for now.  We assume you have installed Squid in the default location:
 -/usr/local/squid
 +for now.
 -Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
 +Uncomment and edit the following lines in /etc/squid/squid.conf:
 ==============================================================================
@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
 line TWICE:
 To create any disk cache_dir configured:
 -    % /usr/local/squid/sbin/squid -z
 +    % /usr/sbin/squid -z
 To start squid:
 -    % /usr/local/squid/sbin/squid 
 +    % /usr/sbin/squid 
 -Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
 +Check in the cache.log (/var/log/squid/cache.log) that
 everything is all right.
 Once Squid created all its files (it can take several minutes on some
--- a/squid-3.5.9-include-guards.patch
+++ b/squid-3.5.9-include-guards.patch
@ -0,0 +1,95 @@
 ------------------------------------------------------------
 revno: 14311
 revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
 ------------------------------------------------------------
 revno: 14311
 revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
 fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
 author: Francesco Chemolli <kinkie@squid-cache.org>
 committer: Amos Jeffries <squid3@treenet.co.nz>
 branch nick: trunk
 timestamp: Thu 2015-09-24 06:05:37 -0700
 message:
  Bug 4323: Netfilter broken cross-includes with Linux 4.2
 ------------------------------------------------------------
 # Bazaar merge directive format 2 (Bazaar 0.90)
 # revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
 # testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
 # timestamp: 2015-09-24 13:06:33 +0000
 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
 # base_revision_id: squid3@treenet.co.nz-20150924032241-\
 #   6cx3g6hwz9xfoybr
 # 
 # Begin patch
 === modified file 'compat/os/linux.h'
 --- compat/os/linux.h	2015-01-13 07:25:36 +0000
 +++ compat/os/linux.h	2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
 #endif
 /*
 + * Netfilter header madness. (see Bug 4323)
 + *
 + * Netfilter have a history of defining their own versions of network protocol
 + * primitives without sufficient protection against the POSIX defines which are
 + * aways present in Linux.
 + *
 + * netinet/in.h must be included before any other sys header in order to properly
 + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 + * to workaround it.
 + */
 +#if HAVE_NETINET_IN_H
 +#include <netinet/in.h>
 +#endif
 +
 +/*
  * sys/capability.h is only needed in Linux apparently.
  *
  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
 fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
 author: Francesco Chemolli <kinkie@squid-cache.org>
 committer: Amos Jeffries <squid3@treenet.co.nz>
 branch nick: trunk
 timestamp: Thu 2015-09-24 06:05:37 -0700
 message:
  Bug 4323: Netfilter broken cross-includes with Linux 4.2
 ------------------------------------------------------------
 # Bazaar merge directive format 2 (Bazaar 0.90)
 # revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
 # testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
 # timestamp: 2015-09-24 13:06:33 +0000
 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
 # base_revision_id: squid3@treenet.co.nz-20150924032241-\
 #   6cx3g6hwz9xfoybr
 # 
 # Begin patch
 === modified file 'compat/os/linux.h'
 --- compat/os/linux.h	2015-01-13 07:25:36 +0000
 +++ compat/os/linux.h	2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
 #endif
 /*
 + * Netfilter header madness. (see Bug 4323)
 + *
 + * Netfilter have a history of defining their own versions of network protocol
 + * primitives without sufficient protection against the POSIX defines which are
 + * aways present in Linux.
 + *
 + * netinet/in.h must be included before any other sys header in order to properly
 + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 + * to workaround it.
 + */
 +#if HAVE_NETINET_IN_H
 +#include <netinet/in.h>
 +#endif
 +
 +/*
  * sys/capability.h is only needed in Linux apparently.
  *
  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
--- a/squid-4.0.11-config.patch
+++ b/squid-4.0.11-config.patch
@ -0,0 +1,26 @@
 diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
 --- squid-4.0.11/src/cf.data.pre.config	2016-06-09 22:32:57.000000000 +0200
 +++ squid-4.0.11/src/cf.data.pre	2016-07-11 21:08:35.090976840 +0200
@@ -4658,7 +4658,7 @@ DOC_END
 NAME: logfile_rotate
 TYPE: int
 -DEFAULT: 10
 +DEFAULT: 0
 LOC: Config.Log.rotateNumber
 DOC_START
 	Specifies the default number of logfile rotations to make when you
@@ -6444,11 +6444,11 @@ COMMENT_END
 NAME: cache_mgr
 TYPE: string
 -DEFAULT: webmaster
 +DEFAULT: root
 LOC: Config.adminEmail
 DOC_START
 	Email-address of local cache manager who will receive
 -	mail if the cache dies.  The default is "webmaster".
 +	mail if the cache dies.  The default is "root".
 DOC_END
 NAME: mail_from
--- a/SOURCES/squid-4.11-active-ftp.patch
+++ b/SOURCES/squid-4.11-active-ftp.patch
--- a/SOURCES/squid-4.11-config.patch
+++ b/SOURCES/squid-4.11-config.patch
--- a/SOURCES/squid-4.11-convert-ipv4.patch
+++ b/SOURCES/squid-4.11-convert-ipv4.patch
--- a/SOURCES/squid-4.11-include-guards.patch
+++ b/SOURCES/squid-4.11-include-guards.patch
--- a/SOURCES/squid-4.11-large-acl.patch
+++ b/SOURCES/squid-4.11-large-acl.patch
--- a/SOURCES/squid-4.11-location.patch
+++ b/SOURCES/squid-4.11-location.patch
--- a/SOURCES/squid-4.11-perlpath.patch
+++ b/SOURCES/squid-4.11-perlpath.patch
--- a/SOURCES/squid-4.15-CVE-2021-28116.patch
+++ b/SOURCES/squid-4.15-CVE-2021-28116.patch
--- a/SOURCES/squid-4.15-CVE-2021-46784.patch
+++ b/SOURCES/squid-4.15-CVE-2021-46784.patch
--- a/SOURCES/squid-4.15-CVE-2022-41318.patch
+++ b/SOURCES/squid-4.15-CVE-2022-41318.patch
--- a/SOURCES/squid-4.15-ftp-filename-extraction.patch
+++ b/SOURCES/squid-4.15-ftp-filename-extraction.patch
--- a/SOURCES/squid-4.15-halfclosed.patch
+++ b/SOURCES/squid-4.15-halfclosed.patch
--- a/SOURCES/squid-4.15-ip-bind-address-no-port.patch
+++ b/SOURCES/squid-4.15-ip-bind-address-no-port.patch
--- a/SOURCES/squid-4.15.tar.xz.asc
+++ b/SOURCES/squid-4.15.tar.xz.asc
--- a/squid-5.0.5-symlink-lang-err.patch
+++ b/squid-5.0.5-symlink-lang-err.patch
@ -0,0 +1,68 @@
 From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001
 From: Amos Jeffries <amosjeffries@squid-cache.org>
 Date: Sun, 18 Oct 2020 20:23:10 +1300
 Subject: [PATCH] Update translations integration
 * Add credits for es-mx translation moderator
 * Use es-mx for default of all Spanish (Central America) texts
 * Update translation related .am files
 ---
 doc/manuals/language.am | 2 +-
 errors/TRANSLATORS      | 1 +
 errors/aliases          | 3 ++-
 errors/language.am      | 3 ++-
 errors/template.am      | 2 +-
 5 files changed, 7 insertions(+), 4 deletions(-)
 diff --git a/doc/manuals/language.am b/doc/manuals/language.am
 index 7670c88380c..f03c4cf71b4 100644
 --- a/doc/manuals/language.am
 +++ b/doc/manuals/language.am
@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \
     oc.lang \
     pt.lang \
     ro.lang \
 -    ru.lang 
 +    ru.lang
 diff --git a/errors/aliases b/errors/aliases
 index 36f17f4b80f..cf0116f297d 100644
 --- a/errors/aliases
 +++ b/errors/aliases
@@ -14,7 +14,8 @@ da	da-dk
 de	de-at de-ch de-de de-li de-lu
 el	el-gr
 en	en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
 -es	es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
 +es	es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
 +es-mx	es-bz es-cr es-gt es-hn es-ni es-pa es-sv
 et	et-ee
 fa	fa-fa fa-ir
 fi	fi-fi
 diff --git a/errors/language.am b/errors/language.am
 index 12b1b2b3b43..029e8c1eb2f 100644
 --- a/errors/language.am
 +++ b/errors/language.am
@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \
     de.lang \
     el.lang \
     en.lang \
 +    es-mx.lang \
     es.lang \
     et.lang \
     fa.lang \
@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \
     uz.lang \
     vi.lang \
     zh-hans.lang \
 -    zh-hant.lang 
 +    zh-hant.lang
 diff --git a/errors/template.am b/errors/template.am
 index 6c12781e6f4..715c65aa22b 100644
 --- a/errors/template.am
 +++ b/errors/template.am
@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \
     templates/ERR_UNSUP_REQ \
     templates/ERR_URN_RESOLVE \
     templates/ERR_WRITE_ERROR \
 -    templates/ERR_ZERO_SIZE_OBJECT 
 +    templates/ERR_ZERO_SIZE_OBJECT
--- a/squid-5.0.6-active-ftp.patch
+++ b/squid-5.0.6-active-ftp.patch
@ -0,0 +1,127 @@
 diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
 index 747ed35..f2b7126 100644
 --- a/src/clients/FtpClient.cc
 +++ b/src/clients/FtpClient.cc
@@ -795,7 +795,8 @@ Ftp::Client::connectDataChannel()
 bool
 Ftp::Client::openListenSocket()
 {
 -    return false;
 +    debugs(9, 3, HERE);
 +	  return false;
 }
 /// creates a data channel Comm close callback
 diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
 index eb5ea1b..e92c007 100644
 --- a/src/clients/FtpClient.h
 +++ b/src/clients/FtpClient.h
@@ -137,7 +137,7 @@ public:
     bool sendPort();
     bool sendPassive();
     void connectDataChannel();
 -    bool openListenSocket();
 +    virtual bool openListenSocket();
     void switchTimeoutToDataChannel();
     CtrlChannel ctrl; ///< FTP control channel state
 diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
 index 05db817..2989cd2 100644
 --- a/src/clients/FtpGateway.cc
 +++ b/src/clients/FtpGateway.cc
@@ -86,6 +86,13 @@ struct GatewayFlags {
 class Gateway;
 typedef void (StateMethod)(Ftp::Gateway *);
 +} // namespace FTP
 +
 +static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
 +
 +namespace Ftp
 +{
 +
 /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
 /// converts it into one or more FTP commands, and then
 /// converts one or more FTP responses into the final HTTP response.
@@ -136,7 +143,11 @@ public:
     /// create a data channel acceptor and start listening.
     void listenForDataChannel(const Comm::ConnectionPointer &conn);
 -
 +    virtual bool openListenSocket() {
 +    		debugs(9, 3, HERE);
 +				ftpOpenListenSocket(this, 0);
 +        return Comm::IsConnOpen(data.conn);
 +		}
     int checkAuth(const HttpHeader * req_hdr);
     void checkUrlpath();
     void buildTitleUrl();
@@ -1786,6 +1797,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
     }
     ftpState->listenForDataChannel(temp);
 +    ftpState->data.listenConn = temp;
 }
 static void
@@ -1821,13 +1833,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
     // pull out the internal IP address bytes to send in PORT command...
     // source them from the listen_conn->local
 +    struct sockaddr_in addr;
 +    socklen_t addrlen = sizeof(addr);
 +    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
 +    unsigned char port_high = ntohs(addr.sin_port) >> 8;
 +    unsigned char port_low  = ntohs(addr.sin_port) & 0xff;
 +
     struct addrinfo *AI = NULL;
     ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
     unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
 -    unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
 +    // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
     snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
              addrptr[0], addrptr[1], addrptr[2], addrptr[3],
 -             portptr[0], portptr[1]);
 +             port_high, port_low);
     ftpState->writeCommand(cbuf);
     ftpState->state = Ftp::Client::SENT_PORT;
@@ -1880,14 +1898,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
         return;
     }
 +
 +    unsigned int port;
 +    struct sockaddr_storage addr;
 +    socklen_t addrlen = sizeof(addr);
 +    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
 +    if (addr.ss_family == AF_INET) {
 +        struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
 +        port = ntohs( addr4->sin_port );
 +    } else {
 +        struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
 +        port = ntohs( addr6->sin6_port );
 +    }
 +
     char buf[MAX_IPSTRLEN];
     /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
     /* Which can be used by EITHER protocol. */
 -    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
 +    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
              ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
              ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
 -             ftpState->data.listenConn->local.port() );
 +             port);
     ftpState->writeCommand(cbuf);
     ftpState->state = Ftp::Client::SENT_EPRT;
@@ -1906,7 +1937,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
         ftpSendPORT(ftpState);
         return;
     }
 -
 +    ftpState->ctrl.message = NULL;
     ftpRestOrList(ftpState);
 }
--- a/squid-5.0.6-openssl3.patch
+++ b/squid-5.0.6-openssl3.patch
@ -0,0 +1,185 @@
 diff --git a/src/ssl/support.cc b/src/ssl/support.cc
 index 3ad135d..73912ce 100644
 --- a/src/ssl/support.cc
 +++ b/src/ssl/support.cc
@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
 }
 // "dup" function for SSL_get_ex_new_index("cert_err_check")
 -#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
 +#if OPENSSL_VERSION_MAJOR >= 3
 +static int
 +ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
 +                    int, long, void *)
 +#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
 static int
 ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
                     int, long, void *)
 diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
 index cf1d4ba..4346ba5 100644
 --- a/src/security/PeerOptions.cc
 +++ b/src/security/PeerOptions.cc
@@ -297,130 +297,130 @@ static struct ssl_option {
 } ssl_options[] = {
 -#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
 +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
     {
         "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
     },
 #endif
 -#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
 +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
     {
         "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
     },
 #endif
 -#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
     {
         "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
     },
 #endif
 -#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
     {
         "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
     },
 #endif
 -#if SSL_OP_TLS_D5_BUG
 +#ifdef SSL_OP_TLS_D5_BUG
     {
         "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
     },
 #endif
 -#if SSL_OP_TLS_BLOCK_PADDING_BUG
 +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
     {
         "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
     },
 #endif
 -#if SSL_OP_TLS_ROLLBACK_BUG
 +#ifdef SSL_OP_TLS_ROLLBACK_BUG
     {
         "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
     },
 #endif
 -#if SSL_OP_ALL
 +#ifdef SSL_OP_ALL
     {
         "ALL", (long)SSL_OP_ALL
     },
 #endif
 -#if SSL_OP_SINGLE_DH_USE
 +#ifdef SSL_OP_SINGLE_DH_USE
     {
         "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
     },
 #endif
 -#if SSL_OP_EPHEMERAL_RSA
 +#ifdef SSL_OP_EPHEMERAL_RSA
     {
         "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
     },
 #endif
 -#if SSL_OP_PKCS1_CHECK_1
 +#ifdef SSL_OP_PKCS1_CHECK_1
     {
         "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
     },
 #endif
 -#if SSL_OP_PKCS1_CHECK_2
 +#ifdef SSL_OP_PKCS1_CHECK_2
     {
         "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
     },
 #endif
 -#if SSL_OP_NETSCAPE_CA_DN_BUG
 +#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
     {
         "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
     },
 #endif
 -#if SSL_OP_NON_EXPORT_FIRST
 +#ifdef SSL_OP_NON_EXPORT_FIRST
     {
         "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
     },
 #endif
 -#if SSL_OP_CIPHER_SERVER_PREFERENCE
 +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
     {
         "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
     },
 #endif
 -#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
 +#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
     {
         "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
     },
 #endif
 -#if SSL_OP_NO_SSLv3
 +#ifdef SSL_OP_NO_SSLv3
     {
         "NO_SSLv3", SSL_OP_NO_SSLv3
     },
 #endif
 -#if SSL_OP_NO_TLSv1
 +#ifdef SSL_OP_NO_TLSv1
     {
         "NO_TLSv1", SSL_OP_NO_TLSv1
     },
 #else
     { "NO_TLSv1", 0 },
 #endif
 -#if SSL_OP_NO_TLSv1_1
 +#ifdef SSL_OP_NO_TLSv1_1
     {
         "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
     },
 #else
     { "NO_TLSv1_1", 0 },
 #endif
 -#if SSL_OP_NO_TLSv1_2
 +#ifdef SSL_OP_NO_TLSv1_2
     {
         "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
     },
 #else
     { "NO_TLSv1_2", 0 },
 #endif
 -#if SSL_OP_NO_TLSv1_3
 +#ifdef SSL_OP_NO_TLSv1_3
     {
         "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
     },
 #else
     { "NO_TLSv1_3", 0 },
 #endif
 -#if SSL_OP_NO_COMPRESSION
 +#ifdef SSL_OP_NO_COMPRESSION
     {
         "No_Compression", SSL_OP_NO_COMPRESSION
     },
 #endif
 -#if SSL_OP_NO_TICKET
 +#ifdef SSL_OP_NO_TICKET
     {
         "NO_TICKET", SSL_OP_NO_TICKET
     },
 #endif
 -#if SSL_OP_SINGLE_ECDH_USE
 +#ifdef SSL_OP_SINGLE_ECDH_USE
     {
         "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
     },
@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
     }
 -#if SSL_OP_NO_SSLv2
 +#ifdef SSL_OP_NO_SSLv2
     // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
     op = op | SSL_OP_NO_SSLv2;
 #endif
--- a/squid-5.1-test-store-cppsuite.patch
+++ b/squid-5.1-test-store-cppsuite.patch
@ -0,0 +1,24 @@
 diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
 index 0564380..fcd60b9 100644
 --- a/src/tests/testStoreHashIndex.cc
 +++ b/src/tests/testStoreHashIndex.cc
@@ -102,6 +102,8 @@ void commonInit()
     if (inited)
         return;
 +    inited = true;
 +
     Mem::Init();
     Config.Store.avgObjectSize = 1024;
@@ -109,6 +111,10 @@ void commonInit()
     Config.Store.objectsPerBucket = 20;
     Config.Store.maxObjectSize = 2048;
 +
 +    Config.memShared.defaultTo(false);
 +
 +    Config.store_dir_select_algorithm = xstrdup("round-robin");
 }
 /* TODO make this a cbdata class */
--- a/squid-5.5-CVE-2021-46784.patch
+++ b/squid-5.5-CVE-2021-46784.patch
@ -0,0 +1,120 @@
 diff --git a/src/gopher.cc b/src/gopher.cc
 index 576a3f7..2645b6b 100644
 --- a/src/gopher.cc
 +++ b/src/gopher.cc
@@ -364,7 +364,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
     char *lpos = NULL;
     char *tline = NULL;
     LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
 -    LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
     char *name = NULL;
     char *selector = NULL;
     char *host = NULL;
@@ -374,7 +373,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
     char gtype;
     StoreEntry *entry = NULL;
 -    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
     memset(line, '\0', TEMP_BUF_SIZE);
     entry = gopherState->entry;
@@ -409,7 +407,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
         return;
     }
 -    String outbuf;
 +    SBuf outbuf;
     if (!gopherState->HTML_header_added) {
         if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
                         break;
                     }
 -                    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
 -
                     if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
                         if (strlen(escaped_selector) != 0)
 -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
 -                                     icon_url, escaped_selector, rfc1738_escape_part(host),
 -                                     *port ? ":" : "", port, html_quote(name));
 +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
 +                                           icon_url, escaped_selector, rfc1738_escape_part(host),
 +                                           *port ? ":" : "", port, html_quote(name));
                         else
 -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
 -                                     icon_url, rfc1738_escape_part(host), *port ? ":" : "",
 -                                     port, html_quote(name));
 +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
 +                                           icon_url, rfc1738_escape_part(host), *port ? ":" : "",
 +                                           port, html_quote(name));
                     } else if (gtype == GOPHER_INFO) {
 -                        snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
 +                        outbuf.appendf("\t%s\n", html_quote(name));
                     } else {
                         if (strncmp(selector, "GET /", 5) == 0) {
                             /* WWW link */
 -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
 -                                     icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
 +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
 +                                           icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
 +                        } else if (gtype == GOPHER_WWW) {
 +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
 +                                           icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
                         } else {
                             /* Standard link */
 -                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
 -                                     icon_url, host, gtype, escaped_selector, html_quote(name));
 +                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
 +                                           icon_url, host, gtype, escaped_selector, html_quote(name));
                         }
                     }
                     safe_free(escaped_selector);
 -                    outbuf.append(tmpbuf);
                 } else {
                     memset(line, '\0', TEMP_BUF_SIZE);
                     continue;
@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
                     break;
                 if (gopherState->cso_recno != recno) {
 -                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
 +                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
                     gopherState->cso_recno = recno;
                 } else {
 -                    snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
 +                    outbuf.appendf("%s\n", html_quote(result));
                 }
 -                outbuf.append(tmpbuf);
                 break;
             } else {
                 int code;
@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
                 case 502: { /* Too Many Matches */
                     /* Print the message the server returns */
 -                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
 -                    outbuf.append(tmpbuf);
 +                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
                     break;
                 }
@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
     }               /* while loop */
 -    if (outbuf.size() > 0) {
 -        entry->append(outbuf.rawBuf(), outbuf.size());
 +    if (outbuf.length() > 0) {
 +        entry->append(outbuf.rawContent(), outbuf.length());
         /* now let start sending stuff to client */
         entry->flush();
     }
 -    outbuf.clean();
     return;
 }
--- a/SOURCES/squid.logrotate
+++ b/SOURCES/squid.logrotate
--- a/SOURCES/squid.nm
+++ b/SOURCES/squid.nm
--- a/SOURCES/squid.pam
+++ b/SOURCES/squid.pam
--- a/SOURCES/squid.service
+++ b/SOURCES/squid.service
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.1
+Release:  7%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -48,31 +48,6 @@ Patch300: squid-4.15-CVE-2021-28116.patch
 Patch301: squid-4.15-CVE-2021-46784.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2129771
 Patch302: squid-4.15-CVE-2022-41318.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2245910
 # +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270
 Patch303: squid-4.15-CVE-2023-46846.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2245916
 Patch304: squid-4.15-CVE-2023-46847.patch
 # https://issues.redhat.com/browse/RHEL-14792
 Patch305: squid-4.15-CVE-2023-5824.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2248521
 Patch306: squid-4.15-CVE-2023-46728.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2247567
 Patch307: squid-4.15-CVE-2023-46724.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2252926
 Patch308: squid-4.15-CVE-2023-49285.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2252923
 Patch309: squid-4.15-CVE-2023-49286.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2254663
 Patch310: squid-4.15-CVE-2023-50269.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2264309
 Patch311: squid-4.15-CVE-2024-25617.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2268366
 Patch312: squid-4.15-CVE-2024-25111.patch
 # Regression caused by squid-4.15-CVE-2023-46846.patch
 # Upstream PR: https://github.com/squid-cache/squid/pull/1914
 Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@ -140,17 +115,6 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch300 -p1 -b .CVE-2021-28116
 %patch301 -p1 -b .CVE-2021-46784
 %patch302 -p1 -b .CVE-2022-41318
 %patch303 -p1 -b .CVE-2023-46846
 %patch304 -p1 -b .CVE-2023-46847
 %patch305 -p1 -b .CVE-2023-5824
 %patch306 -p1 -b .CVE-2023-46728
 %patch307 -p1 -b .CVE-2023-46724
 %patch308 -p1 -b .CVE-2023-49285
 %patch309 -p1 -b .CVE-2023-49286
 %patch310 -p1 -b .CVE-2023-50269
 %patch311 -p1 -b .CVE-2024-25617
 %patch312 -p1 -b .CVE-2024-25111
 %patch313 -p1 -b .ignore-wsp-chunk-sz
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@ -367,37 +331,6 @@ fi
 %changelog
 * Mon Oct 14 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.1
 - Resolves: RHEL-56024 - (Regression) Transfer-encoding:chunked data is not sent
  to the client in its complementary
 * Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10
 - Resolves: RHEL-28529 - squid:4/squid: Denial of Service in HTTP Chunked
  Decoding (CVE-2024-25111)
 - Resolves: RHEL-26088 - squid:4/squid: denial of service in HTTP header
  parser (CVE-2024-25617)
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
 - Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request 
  parsing (CVE-2023-50269)
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
 - Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
  processing feature (CVE-2023-49285)
 - Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return
  Value In Helper Process management (CVE-2023-49286)
 - Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate
  validation (CVE-2023-46724)
 - Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher
  protocol code (CVE-2023-46728)
 - Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists
 - Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching
  (CVE-2023-5824)
 - Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest
  Authentication (CVE-2023-46847)
 - Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1
  and ICAP (CVE-2023-46846)
 * Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
 - Resolves: #2076717 - Crash with half_closed_client on
--- a/SOURCES/squid.sysconfig
+++ b/SOURCES/squid.sysconfig
`@ -1 +1,2 @@`
	`SOURCES/squid-4.15.tar.xz`	`SOURCES/squid-4.15.tar.xz`
		`/squid-4.15.tar.xz`
		`@ -1 +0,0 @@`
			`60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz`
		`@ -0,0 +1 @@`
							`SHA512 (squid-4.15.tar.xz) = 8f0ce6e30dd9173927e8133618211ffb865fb5dde4c63c2fb465e2efccda4a6efb33f2c0846870c9b915340aff5f59461a60171882bcc0c890336b846fe60bd1`