41 changed files with 982 additions and 9507 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-SOURCES/squid-4.15.tar.xz
+SOURCES/pgp.asc
 SOURCES/squid-5.5.tar.xz
--- a/.squid.metadata
+++ b/.squid.metadata
@ -1 +1,2 @@
-60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz
+8e3de63f3bef0c9c4edbcfe000c567119f687143 SOURCES/pgp.asc
 42302bd9b8feff851a41420334cb8eaeab2806ab SOURCES/squid-5.5.tar.xz
--- a/SOURCES/cache_swap.sh
+++ b/SOURCES/cache_swap.sh
@ -5,12 +5,17 @@ fi
 SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
-CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+CACHE_SWAP=`awk '/^[[:blank:]]*cache_dir/ { print $3 }' "$SQUID_CONF"`
 	grep cache_dir | awk '{ print $3 }'`
 init_cache_dirs=0
 for adir in $CACHE_SWAP; do
 	if [ ! -d $adir/00 ]; then
 		echo -n "init_cache_dir $adir... "
-		squid -N -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+		init_cache_dirs=1
 	fi
 done
 if [ $init_cache_dirs -ne 0 ]; then
 	echo ""
 	squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
 fi
--- a/SOURCES/squid-3.0.STABLE1-perlpath.patch
+++ b/SOURCES/squid-3.0.STABLE1-perlpath.patch
@ -1,10 +1,10 @@
 diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
-index 90ac6a4..8dbed90 100755
+index 4cb0480..4b89910 100755
 --- a/contrib/url-normalizer.pl
 +++ b/contrib/url-normalizer.pl
@@ -1,4 +1,4 @@
 -#!/usr/local/bin/perl -Tw
 +#!/usr/bin/perl -Tw
 #
- # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
+ # * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
 # *
--- a/SOURCES/squid-3.1.0.9-location.patch
+++ b/SOURCES/squid-3.1.0.9-location.patch
@ -1,8 +1,7 @@
-diff --git a/QUICKSTART b/QUICKSTART
+diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
-index e5299b4..a243437 100644
+--- squid-3.1.0.9/QUICKSTART.location	2009-06-26 12:35:27.000000000 +0200
--- a/QUICKSTART
+++ squid-3.1.0.9/QUICKSTART	2009-07-17 14:03:10.000000000 +0200
-+++ b/QUICKSTART
+@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
 INSTALL in the same directory), you have to configure the squid.conf
 file. This is the list of the values you *need* to change, because no
 sensible defaults could be defined. Do not touch the other variables
@ -15,7 +14,7 @@ index e5299b4..a243437 100644
 ==============================================================================
-@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
+@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
 line TWICE:
 To create any disk cache_dir configured:
--- a/SOURCES/squid-3.5.9-include-guards.patch
+++ b/SOURCES/squid-3.5.9-include-guards.patch
@ -0,0 +1,95 @@
 ------------------------------------------------------------
 revno: 14311
 revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
 ------------------------------------------------------------
 revno: 14311
 revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
 fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
 author: Francesco Chemolli <kinkie@squid-cache.org>
 committer: Amos Jeffries <squid3@treenet.co.nz>
 branch nick: trunk
 timestamp: Thu 2015-09-24 06:05:37 -0700
 message:
  Bug 4323: Netfilter broken cross-includes with Linux 4.2
 ------------------------------------------------------------
 # Bazaar merge directive format 2 (Bazaar 0.90)
 # revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
 # testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
 # timestamp: 2015-09-24 13:06:33 +0000
 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
 # base_revision_id: squid3@treenet.co.nz-20150924032241-\
 #   6cx3g6hwz9xfoybr
 # 
 # Begin patch
 === modified file 'compat/os/linux.h'
 --- compat/os/linux.h	2015-01-13 07:25:36 +0000
 +++ compat/os/linux.h	2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
 #endif
 /*
 + * Netfilter header madness. (see Bug 4323)
 + *
 + * Netfilter have a history of defining their own versions of network protocol
 + * primitives without sufficient protection against the POSIX defines which are
 + * aways present in Linux.
 + *
 + * netinet/in.h must be included before any other sys header in order to properly
 + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 + * to workaround it.
 + */
 +#if HAVE_NETINET_IN_H
 +#include <netinet/in.h>
 +#endif
 +
 +/*
  * sys/capability.h is only needed in Linux apparently.
  *
  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
 fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
 author: Francesco Chemolli <kinkie@squid-cache.org>
 committer: Amos Jeffries <squid3@treenet.co.nz>
 branch nick: trunk
 timestamp: Thu 2015-09-24 06:05:37 -0700
 message:
  Bug 4323: Netfilter broken cross-includes with Linux 4.2
 ------------------------------------------------------------
 # Bazaar merge directive format 2 (Bazaar 0.90)
 # revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
 # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
 # testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
 # timestamp: 2015-09-24 13:06:33 +0000
 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
 # base_revision_id: squid3@treenet.co.nz-20150924032241-\
 #   6cx3g6hwz9xfoybr
 # 
 # Begin patch
 === modified file 'compat/os/linux.h'
 --- compat/os/linux.h	2015-01-13 07:25:36 +0000
 +++ compat/os/linux.h	2015-09-24 13:05:37 +0000
@@ -30,6 +30,21 @@
 #endif
 /*
 + * Netfilter header madness. (see Bug 4323)
 + *
 + * Netfilter have a history of defining their own versions of network protocol
 + * primitives without sufficient protection against the POSIX defines which are
 + * aways present in Linux.
 + *
 + * netinet/in.h must be included before any other sys header in order to properly
 + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 + * to workaround it.
 + */
 +#if HAVE_NETINET_IN_H
 +#include <netinet/in.h>
 +#endif
 +
 +/*
  * sys/capability.h is only needed in Linux apparently.
  *
  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
--- a/SOURCES/squid-4.0.11-config.patch
+++ b/SOURCES/squid-4.0.11-config.patch
@ -1,8 +1,7 @@
-diff --git a/src/cf.data.pre b/src/cf.data.pre
+diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
-index 26ef576..30d5509 100644
+--- squid-4.0.11/src/cf.data.pre.config	2016-06-09 22:32:57.000000000 +0200
--- a/src/cf.data.pre
+++ squid-4.0.11/src/cf.data.pre	2016-07-11 21:08:35.090976840 +0200
-+++ b/src/cf.data.pre
+@@ -4658,7 +4658,7 @@ DOC_END
@@ -5006,7 +5006,7 @@ DOC_END
 NAME: logfile_rotate
 TYPE: int
@ -11,7 +10,7 @@ index 26ef576..30d5509 100644
 LOC: Config.Log.rotateNumber
 DOC_START
 	Specifies the default number of logfile rotations to make when you
-@@ -6857,11 +6857,11 @@ COMMENT_END
+@@ -6444,11 +6444,11 @@ COMMENT_END
 NAME: cache_mgr
 TYPE: string
--- a/SOURCES/squid-4.11-convert-ipv4.patch
+++ b/SOURCES/squid-4.11-convert-ipv4.patch
@ -1,143 +0,0 @@
 From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001
 From: Amos Jeffries <yadij@users.noreply.github.com>
 Date: Thu, 7 Mar 2019 13:50:38 +0000
 Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379)
 ... when reaching client_ip_max_connections
 The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar
 details later on (they do not exist for [::]).
 Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced.
 ---
 src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++---------------------
 1 file changed, 39 insertions(+), 43 deletions(-)
 diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
 index d4b576d..936aa30 100644
 --- a/src/comm/TcpAcceptor.cc
 +++ b/src/comm/TcpAcceptor.cc
@@ -282,7 +282,16 @@ Comm::TcpAcceptor::acceptOne()
     ConnectionPointer newConnDetails = new Connection();
     const Comm::Flag flag = oldAccept(newConnDetails);
 -    if (flag == Comm::COMM_ERROR) {
 +    /* Check for errors */
 +    if (!newConnDetails->isOpen()) {
 +
 +        if (flag == Comm::NOMESSAGE) {
 +            /* register interest again */
 +            debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub);
 +            SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
 +            return;
 +        }
 +
         // A non-recoverable error; notify the caller */
         debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub);
         if (intendedForUserConnections())
@@ -292,16 +301,12 @@ Comm::TcpAcceptor::acceptOne()
         return;
     }
 -    if (flag == Comm::NOMESSAGE) {
 -        /* register interest again */
 -        debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub);
 -    } else {
 -        debugs(5, 5, "Listener: " << conn <<
 -               " accepted new connection " << newConnDetails <<
 -               " handler Subscription: " << theCallSub);
 -        notify(flag, newConnDetails);
 -    }
 +    newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted);
 +    debugs(5, 5, HERE << "Listener: " << conn <<
 +           " accepted new connection " << newConnDetails <<
 +           " handler Subscription: " << theCallSub);
 +    notify(flag, newConnDetails);
     SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
 }
@@ -341,8 +346,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer &
  *
  * \retval Comm::OK          success. details parameter filled.
  * \retval Comm::NOMESSAGE   attempted accept() but nothing useful came in.
 - *                           Or this client has too many connections already.
  * \retval Comm::COMM_ERROR  an outright failure occurred.
 + *                           Or this client has too many connections already.
  */
 Comm::Flag
 Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
@@ -383,6 +388,15 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
     details->remote = *gai;
 +    if ( Config.client_ip_max_connections >= 0) {
 +        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
 +            debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
 +            Ip::Address::FreeAddr(gai);
 +            PROF_stop(comm_accept);
 +            return Comm::COMM_ERROR;
 +        }
 +    }
 +
     // lookup the local-end details of this new connection
     Ip::Address::InitAddr(gai);
     details->local.setEmpty();
@@ -396,6 +410,23 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
     details->local = *gai;
     Ip::Address::FreeAddr(gai);
 +    /* fdstat update */
 +    fdd_table[sock].close_file = NULL;
 +    fdd_table[sock].close_line = 0;
 +
 +    fde *F = &fd_table[sock];
 +    details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
 +    F->remote_port = details->remote.port();
 +    F->local_addr = details->local;
 +    F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
 +
 +    // set socket flags
 +    commSetCloseOnExec(sock);
 +    commSetNonBlocking(sock);
 +
 +    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
 +    F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
 +
     // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses
     if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) {
         debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details);
@@ -414,33 +445,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
     }
 #endif
 -    details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted);
 -
 -    if (Config.client_ip_max_connections >= 0) {
 -        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
 -            debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
 -            PROF_stop(comm_accept);
 -            return Comm::NOMESSAGE;
 -        }
 -    }
 -
 -    /* fdstat update */
 -    fdd_table[sock].close_file = NULL;
 -    fdd_table[sock].close_line = 0;
 -
 -    fde *F = &fd_table[sock];
 -    details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
 -    F->remote_port = details->remote.port();
 -    F->local_addr = details->local;
 -    F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
 -
 -    // set socket flags
 -    commSetCloseOnExec(sock);
 -    commSetNonBlocking(sock);
 -
 -    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
 -    F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
 -
     PROF_stop(comm_accept);
     return Comm::OK;
 }
--- a/SOURCES/squid-4.11-include-guards.patch
+++ b/SOURCES/squid-4.11-include-guards.patch
@ -1,41 +0,0 @@
 diff --git a/compat/os/linux.h b/compat/os/linux.h
 index 0ff05c6..d51389b 100644
 --- a/compat/os/linux.h
 +++ b/compat/os/linux.h
@@ -44,6 +44,36 @@
 #include <netinet/in.h>
 #endif
 +/*
 + * Netfilter header madness. (see Bug 4323)
 + *
 + * Netfilter have a history of defining their own versions of network protocol
 + * primitives without sufficient protection against the POSIX defines which are
 + * aways present in Linux.
 + *
 + * netinet/in.h must be included before any other sys header in order to properly
 + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 + * to workaround it.
 + */
 +#if HAVE_NETINET_IN_H
 +#include <netinet/in.h>
 +#endif
 +
 +/*
 + * Netfilter header madness. (see Bug 4323)
 + *
 + * Netfilter have a history of defining their own versions of network protocol
 + * primitives without sufficient protection against the POSIX defines which are
 + * aways present in Linux.
 + *
 + * netinet/in.h must be included before any other sys header in order to properly
 + * activate include guards in <linux/libc-compat.h> the kernel maintainers added
 + * to workaround it.
 + */
 +#if HAVE_NETINET_IN_H
 +#include <netinet/in.h>
 +#endif
 +
 /*
  * sys/capability.h is only needed in Linux apparently.
  *
--- a/SOURCES/squid-4.11-large-acl.patch
+++ b/SOURCES/squid-4.11-large-acl.patch
@ -1,178 +0,0 @@
 diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
 index 01a4c12..b5c1679 100644
 --- a/src/acl/RegexData.cc
 +++ b/src/acl/RegexData.cc
@@ -22,6 +22,7 @@
 #include "ConfigParser.h"
 #include "Debug.h"
 #include "sbuf/List.h"
 +#include "sbuf/Algorithms.h"
 ACLRegexData::~ACLRegexData()
 {
@@ -129,6 +130,18 @@ compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
     return true;
 }
 +static bool
 +compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
 +{
 +	if (RE.empty())
 +		return curlist.empty(); // XXX: old code did this. It looks wrong.
 +	SBuf regexp;
 +	static const SBuf openparen("("), closeparen(")"), separator(")|(");
 +	JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
 +			closeparen);
 +	return compileRE(curlist, regexp.c_str(), flags);
 +}
 +
 /** Compose and compile one large RE from a set of (small) REs.
  * The ultimate goal is to have only one RE per ACL so that match() is
  * called only once per ACL.
@@ -137,16 +150,11 @@ static int
 compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
 {
     std::list<RegexPattern> newlist;
 -    int numREs = 0;
 +    SBufList accumulatedRE;
 +    int numREs = 0, reSize = 0;
     int flags = REG_EXTENDED | REG_NOSUB;
 -    int largeREindex = 0;
 -    char largeRE[BUFSIZ];
 -    *largeRE = 0;
     for (const SBuf & configurationLineWord : sl) {
 -        int RElen;
 -        RElen = configurationLineWord.length();
 -
         static const SBuf minus_i("-i");
         static const SBuf plus_i("+i");
         if (configurationLineWord == minus_i) {
@@ -155,10 +163,11 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
                 debugs(28, 2, "optimisation of -i ... -i" );
             } else {
                 debugs(28, 2, "-i" );
 -                if (!compileRE(newlist, largeRE, flags))
 +                if (!compileRE(newlist, accumulatedRE, flags))
                     return 0;
                 flags |= REG_ICASE;
 -                largeRE[largeREindex=0] = '\0';
 +                accumulatedRE.clear();
 +                reSize = 0;
             }
         } else if (configurationLineWord == plus_i) {
             if ((flags & REG_ICASE) == 0) {
@@ -166,37 +175,34 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
                 debugs(28, 2, "optimisation of +i ... +i");
             } else {
                 debugs(28, 2, "+i");
 -                if (!compileRE(newlist, largeRE, flags))
 +                if (!compileRE(newlist, accumulatedRE, flags))
                     return 0;
                 flags &= ~REG_ICASE;
 -                largeRE[largeREindex=0] = '\0';
 +                accumulatedRE.clear();
 +                reSize = 0;
             }
 -        } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
 +        } else if (reSize < 1024) {
             debugs(28, 2, "adding RE '" << configurationLineWord << "'");
 -            if (largeREindex > 0) {
 -                largeRE[largeREindex] = '|';
 -                ++largeREindex;
 -            }
 -            largeRE[largeREindex] = '(';
 -            ++largeREindex;
 -            configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
 -            largeREindex += configurationLineWord.length();
 -            largeRE[largeREindex] = ')';
 -            ++largeREindex;
 -            largeRE[largeREindex] = '\0';
 +            accumulatedRE.push_back(configurationLineWord);
             ++numREs;
 +            reSize += configurationLineWord.length();
         } else {
             debugs(28, 2, "buffer full, generating new optimised RE..." );
 -            if (!compileRE(newlist, largeRE, flags))
 +            accumulatedRE.push_back(configurationLineWord);
 +            if (!compileRE(newlist, accumulatedRE, flags))
                 return 0;
 -            largeRE[largeREindex=0] = '\0';
 +            accumulatedRE.clear();
 +            reSize = 0;
             continue;    /* do the loop again to add the RE to largeRE */
         }
     }
 -    if (!compileRE(newlist, largeRE, flags))
 +    if (!compileRE(newlist, accumulatedRE, flags))
         return 0;
 +    accumulatedRE.clear();
 +    reSize = 0;
 +
     /* all was successful, so put the new list at the tail */
     curlist.splice(curlist.end(), newlist);
 diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
 index 21ee889..338e9c0 100644
 --- a/src/sbuf/Algorithms.h
 +++ b/src/sbuf/Algorithms.h
@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
     return rv;
 }
 +/** Join container of SBufs and append to supplied target
 + *
 + * append to the target SBuf all elements in the [begin,end) range from
 + * an iterable container, prefixed by prefix, separated by separator and
 + * followed by suffix. Prefix and suffix are added also in case of empty
 + * iterable
 + *
 + * \return the modified dest
 + */
 +template <class ContainerIterator>
 +SBuf&
 +JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
 +                      const ContainerIterator &end, const SBuf& separator,
 +                      const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
 +{
 +    if (begin == end) {
 +        dest.append(prefix).append(suffix);
 +        return dest;
 +    }
 +
 +    // optimization: pre-calculate needed storage
 +    const SBuf::size_type totalContainerSize =
 +        std::accumulate(begin, end, 0, SBufAddLength(separator)) +
 +        dest.length() + prefix.length() + suffix.length();
 +    SBufReservationRequirements req;
 +    req.minSpace = totalContainerSize;
 +    dest.reserve(req);
 +
 +    auto i = begin;
 +    dest.append(prefix);
 +    dest.append(*i);
 +    ++i;
 +    for (; i != end; ++i)
 +        dest.append(separator).append(*i);
 +    dest.append(suffix);
 +    return dest;
 +}
 +
 +
 +/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
 +template <class ContainerIterator>
 +SBuf
 +JoinContainerToSBuf(const ContainerIterator &begin,
 +                    const ContainerIterator &end, const SBuf& separator,
 +                    const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
 +{
 +    SBuf rv;
 +    return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
 +}
 +
 +
 namespace std {
 /// default hash functor to support std::unordered_map<SBuf,*>
 template <>
--- a/SOURCES/squid-4.15-CVE-2021-28116.patch
+++ b/SOURCES/squid-4.15-CVE-2021-28116.patch
@ -1,424 +0,0 @@
 commit b003a0da7865caa25b5d1e70c79329b32409b02a (HEAD -> refs/heads/v4, refs/remotes/origin/v4)
 Author: Amos Jeffries <yadij@users.noreply.github.com>
 Date:   2021-09-24 21:53:11 +0000
    WCCP: Validate packets better (#899)
    Update WCCP to support exception based error handling for
    parsing and processing we are moving Squid to for protocol
    handling.
    Update the main WCCPv2 parsing checks to throw meaningful
    exceptions when detected.
 diff --git a/src/wccp2.cc b/src/wccp2.cc
 index ee592449c..6ef469e91 100644
 --- a/src/wccp2.cc
 +++ b/src/wccp2.cc
@@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void)
  * Functions for handling the requests.
  */
 +/// Checks that the given area section ends inside the given (whole) area.
 +/// \param error the message to throw when the section does not fit
 +static void
 +CheckSectionLength(const void *sectionStart, const size_t sectionLength, const void *wholeStart, const size_t wholeSize, const char *error)
 +{
 +    assert(sectionStart);
 +    assert(wholeStart);
 +
 +    const auto wholeEnd = static_cast<const char*>(wholeStart) + wholeSize;
 +    assert(sectionStart >= wholeStart && "we never go backwards");
 +    assert(sectionStart <= wholeEnd && "we never go beyond our whole (but zero-sized fields are OK)");
 +    static_assert(sizeof(wccp2_i_see_you_t) <= PTRDIFF_MAX, "paranoid: no UB when subtracting in-whole pointers");
 +    // subtraction safe due to the three assertions above
 +    const auto remainderDiff = wholeEnd - static_cast<const char*>(sectionStart);
 +
 +    // casting safe due to the assertions above (and size_t definition)
 +    assert(remainderDiff >= 0);
 +    const auto remainderSize = static_cast<size_t>(remainderDiff);
 +
 +    if (sectionLength <= remainderSize)
 +        return;
 +
 +    throw TextException(error, Here());
 +}
 +
 +/// Checks that the area contains at least dataLength bytes after the header.
 +/// The size of the field header itself is not included in dataLength.
 +/// \returns the total field size -- the field header and field data combined
 +template<class FieldHeader>
 +static size_t
 +CheckFieldDataLength(const FieldHeader *header, const size_t dataLength, const void *areaStart, const size_t areaSize, const char *error)
 +{
 +    assert(header);
 +    const auto dataStart = reinterpret_cast<const char*>(header) + sizeof(header);
 +    CheckSectionLength(dataStart, dataLength, areaStart, areaSize, error);
 +    return sizeof(header) + dataLength; // no overflow after CheckSectionLength()
 +}
 +
 +/// Positions the given field at a given start within a given packet area.
 +/// The Field type determines the correct field size (used for bounds checking).
 +/// \param field the field pointer the function should set
 +/// \param areaStart the start of a packet (sub)structure containing the field
 +/// \param areaSize the size of the packet (sub)structure starting at areaStart
 +/// \param fieldStart the start of a field within the given area
 +/// \param error the message to throw when the field does not fit the area
 +template<class Field>
 +static void
 +SetField(Field *&field, const void *fieldStart, const void *areaStart, const size_t areaSize, const char *error)
 +{
 +    CheckSectionLength(fieldStart, sizeof(Field), areaStart, areaSize, error);
 +    field = static_cast<Field*>(const_cast<void*>(fieldStart));
 +}
 +
 /*
  * Accept the UDP packet
  */
@@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *)
     /* These structs form the parts of the packet */
 -    struct wccp2_item_header_t *header = NULL;
 -
     struct wccp2_security_none_t *security_info = NULL;
     struct wccp2_service_info_t *service_info = NULL;
@@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *)
     struct wccp2_cache_identity_info_t *cache_identity = NULL;
     struct wccp2_capability_info_header_t *router_capability_header = NULL;
 +    char *router_capability_data_start = nullptr;
     struct wccp2_capability_element_t *router_capability_element;
     struct sockaddr_in from;
     struct in_addr cache_address;
 -    int len, found;
 -    short int data_length, offset;
     uint32_t tmp;
     char *ptr;
     int num_caches;
@@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *)
     Ip::Address from_tmp;
     from_tmp.setIPv4();
 -    len = comm_udp_recvfrom(sock,
 -                            &wccp2_i_see_you,
 -                            WCCP_RESPONSE_SIZE,
 -                            0,
 -                            from_tmp);
 +    const auto lenOrError = comm_udp_recvfrom(sock, &wccp2_i_see_you, WCCP_RESPONSE_SIZE, 0, from_tmp);
 -    if (len < 0)
 +    if (lenOrError < 0)
         return;
 +    const auto len = static_cast<size_t>(lenOrError);
 -    if (ntohs(wccp2_i_see_you.version) != WCCP2_VERSION)
 -        return;
 -
 -    if (ntohl(wccp2_i_see_you.type) != WCCP2_I_SEE_YOU)
 -        return;
 +    try {
 +        // TODO: Remove wccp2_i_see_you.data and use a buffer to read messages.
 +        const auto message_header_size = sizeof(wccp2_i_see_you) - sizeof(wccp2_i_see_you.data);
 +        Must2(len >= message_header_size, "incomplete WCCP message header");
 +        Must2(ntohs(wccp2_i_see_you.version) == WCCP2_VERSION, "WCCP version unsupported");
 +        Must2(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU, "WCCP packet type unsupported");
     /* FIXME INET6 : drop conversion boundary */
     from_tmp.getSockAddr(from);
@@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *)
     debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << ".");
     /* Record the total data length */
 -    data_length = ntohs(wccp2_i_see_you.length);
 +    const auto data_length = ntohs(wccp2_i_see_you.length);
 +    Must2(data_length <= len - message_header_size,
 +          "malformed packet claiming it's bigger than received data");
 -    offset = 0;
 -
 -    if (data_length > len) {
 -        debugs(80, DBG_IMPORTANT, "ERROR: Malformed WCCPv2 packet claiming it's bigger than received data");
 -        return;
 -    }
 +    size_t offset = 0;
     /* Go through the data structure */
 -    while (data_length > offset) {
 +    while (offset + sizeof(struct wccp2_item_header_t) <= data_length) {
         char *data = wccp2_i_see_you.data;
 -        header = (struct wccp2_item_header_t *) &data[offset];
 +        const auto itemHeader = reinterpret_cast<const wccp2_item_header_t*>(&data[offset]);
 +        const auto itemSize = CheckFieldDataLength(itemHeader, ntohs(itemHeader->length),
 +                              data, data_length, "truncated record");
 +        // XXX: Check "The specified length must be a multiple of 4 octets"
 +        // requirement to avoid unaligned memory reads after the first item.
 -        switch (ntohs(header->type)) {
 +        switch (ntohs(itemHeader->type)) {
         case WCCP2_SECURITY_INFO:
 -
 -            if (security_info != NULL) {
 -                debugs(80, DBG_IMPORTANT, "Duplicate security definition");
 -                return;
 -            }
 -
 -            security_info = (struct wccp2_security_none_t *) &wccp2_i_see_you.data[offset];
 +            Must2(!security_info, "duplicate security definition");
 +            SetField(security_info, itemHeader, itemHeader, itemSize,
 +                     "security definition truncated");
             break;
         case WCCP2_SERVICE_INFO:
 -
 -            if (service_info != NULL) {
 -                debugs(80, DBG_IMPORTANT, "Duplicate service_info definition");
 -                return;
 -            }
 -
 -            service_info = (struct wccp2_service_info_t *) &wccp2_i_see_you.data[offset];
 +            Must2(!service_info, "duplicate service_info definition");
 +            SetField(service_info, itemHeader, itemHeader, itemSize,
 +                     "service_info definition truncated");
             break;
         case WCCP2_ROUTER_ID_INFO:
 -
 -            if (router_identity_info != NULL) {
 -                debugs(80, DBG_IMPORTANT, "Duplicate router_identity_info definition");
 -                return;
 -            }
 -
 -            router_identity_info = (struct router_identity_info_t *) &wccp2_i_see_you.data[offset];
 +            Must2(!router_identity_info, "duplicate router_identity_info definition");
 +            SetField(router_identity_info, itemHeader, itemHeader, itemSize,
 +                     "router_identity_info definition truncated");
             break;
         case WCCP2_RTR_VIEW_INFO:
 -
 -            if (router_view_header != NULL) {
 -                debugs(80, DBG_IMPORTANT, "Duplicate router_view definition");
 -                return;
 -            }
 -
 -            router_view_header = (struct router_view_t *) &wccp2_i_see_you.data[offset];
 +            Must2(!router_view_header, "duplicate router_view definition");
 +            SetField(router_view_header, itemHeader, itemHeader, itemSize,
 +                     "router_view definition truncated");
             break;
 -        case WCCP2_CAPABILITY_INFO:
 -
 -            if (router_capability_header != NULL) {
 -                debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition");
 -                return;
 -            }
 +        case WCCP2_CAPABILITY_INFO: {
 +            Must2(!router_capability_header, "duplicate router_capability definition");
 +            SetField(router_capability_header, itemHeader, itemHeader, itemSize,
 +                     "router_capability definition truncated");
 -            router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset];
 +            CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length),
 +                                 itemHeader, itemSize, "capability info truncated");
 +            router_capability_data_start = reinterpret_cast<char*>(router_capability_header) +
 +                                           sizeof(*router_capability_header);
             break;
 +        }
         /* Nothing to do for the types below */
@@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *)
             break;
         default:
 -            debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(header->type) << ").");
 +            debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(itemHeader->type) << ").");
         }
 -        offset += sizeof(struct wccp2_item_header_t);
 -        offset += ntohs(header->length);
 -
 -        if (offset > data_length) {
 -            debugs(80, DBG_IMPORTANT, "Error: WCCPv2 packet tried to tell us there is data beyond the end of the packet");
 -            return;
 -        }
 +        offset += itemSize;
 +        assert(offset <= data_length && "CheckFieldDataLength(itemHeader...) established that");
     }
 -    if ((security_info == NULL) || (service_info == NULL) || (router_identity_info == NULL) || (router_view_header == NULL)) {
 -        debugs(80, DBG_IMPORTANT, "Incomplete WCCPv2 Packet");
 -        return;
 -    }
 +    Must2(security_info, "packet missing security definition");
 +    Must2(service_info, "packet missing service_info definition");
 +    Must2(router_identity_info, "packet missing router_identity_info definition");
 +    Must2(router_view_header, "packet missing router_view definition");
     debugs(80, 5, "Complete packet received");
@@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *)
             break;
     }
 -    if (router_list_ptr->next == NULL) {
 -        debugs(80, DBG_IMPORTANT, "WCCPv2 Packet received from unknown router");
 -        return;
 -    }
 +    Must2(router_list_ptr->next, "packet received from unknown router");
     /* Set the router id */
     router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address;
@@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *)
         }
     } else {
 -        char *end = ((char *) router_capability_header) + sizeof(*router_capability_header) + ntohs(router_capability_header->capability_info_length) - sizeof(struct wccp2_capability_info_header_t);
 -
 -        router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_header) + sizeof(*router_capability_header));
 -
 -        while ((char *) router_capability_element <= end) {
 +        const auto router_capability_data_length = ntohs(router_capability_header->capability_info_length);
 +        assert(router_capability_data_start);
 +        const auto router_capability_data_end = router_capability_data_start +
 +                                                router_capability_data_length;
 +        for (auto router_capability_data_current = router_capability_data_start;
 +                router_capability_data_current < router_capability_data_end;) {
 +
 +            SetField(router_capability_element, router_capability_data_current,
 +                     router_capability_data_start, router_capability_data_length,
 +                     "capability element header truncated");
 +            const auto elementSize = CheckFieldDataLength(
 +                                         router_capability_element, ntohs(router_capability_element->capability_length),
 +                                         router_capability_data_start, router_capability_data_length,
 +                                         "capability element truncated");
             switch (ntohs(router_capability_element->capability_type)) {
@@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *)
                 debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ").");
             }
 -            router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_element) + sizeof(struct wccp2_item_header_t) + ntohs(router_capability_element->capability_length));
 +            router_capability_data_current += elementSize;
         }
     }
@@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *)
     num_caches = 0;
     /* Check to see if we're the master cache and update the cache list */
 -    found = 0;
 +    bool found = false;
     service_list_ptr->lowest_ip = 1;
     cache_list_ptr = &router_list_ptr->cache_list_head;
     /* to find the list of caches, we start at the end of the router view header */
     ptr = (char *) (router_view_header) + sizeof(struct router_view_t);
 +    const auto router_view_size = sizeof(struct router_view_t) +
 +                                  ntohs(router_view_header->header.length);
     /* Then we read the number of routers */
 -    memcpy(&tmp, ptr, sizeof(tmp));
 +    const uint32_t *routerCountRaw = nullptr;
 +    SetField(routerCountRaw, ptr, router_view_header, router_view_size,
 +             "malformed packet (truncated router view info w/o number of routers)");
     /* skip the number plus all the ip's */
 -
 -    ptr += sizeof(tmp) + (ntohl(tmp) * sizeof(struct in_addr));
 +    ptr += sizeof(*routerCountRaw);
 +    const auto ipCount = ntohl(*routerCountRaw);
 +    const auto ipsSize = ipCount * sizeof(struct in_addr); // we check for unsigned overflow below
 +    Must2(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count");
 +    CheckSectionLength(ptr, ipsSize, router_view_header, router_view_size, "invalid IP address count");
 +    ptr += ipsSize;
     /* Then read the number of caches */
 -    memcpy(&tmp, ptr, sizeof(tmp));
 +    const uint32_t *cacheCountRaw = nullptr;
 +    SetField(cacheCountRaw, ptr, router_view_header, router_view_size,
 +             "malformed packet (truncated router view info w/o cache count)");
 +    memcpy(&tmp, cacheCountRaw, sizeof(tmp)); // TODO: Replace tmp with cacheCount
     ptr += sizeof(tmp);
     if (ntohl(tmp) != 0) {
@@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *)
             case WCCP2_ASSIGNMENT_METHOD_HASH:
 -                cache_identity = (struct wccp2_cache_identity_info_t *) ptr;
 +                SetField(cache_identity, ptr, router_view_header, router_view_size,
 +                         "malformed packet (truncated router view info cache w/o assignment hash)");
                 ptr += sizeof(struct wccp2_cache_identity_info_t);
@@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *)
             case WCCP2_ASSIGNMENT_METHOD_MASK:
 -                cache_mask_info = (struct cache_mask_info_t *) ptr;
 +                SetField(cache_mask_info, ptr, router_view_header, router_view_size,
 +                         "malformed packet (truncated router view info cache w/o assignment mask)");
                 /* The mask assignment has an undocumented variable length entry here */
                 if (ntohl(cache_mask_info->num1) == 3) {
 -                    cache_mask_identity = (struct wccp2_cache_mask_identity_info_t *) ptr;
 +                    SetField(cache_mask_identity, ptr, router_view_header, router_view_size,
 +                             "malformed packet (truncated router view info cache w/o assignment mask identity)");
                     ptr += sizeof(struct wccp2_cache_mask_identity_info_t);
@@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *)
             debugs (80, 5,  "checking cache list: (" << std::hex << cache_address.s_addr << ":" <<  router_list_ptr->local_ip.s_addr << ")");
             /* Check to see if it's the master, or us */
 -
 -            if (cache_address.s_addr == router_list_ptr->local_ip.s_addr) {
 -                found = 1;
 -            }
 +            found = found || (cache_address.s_addr == router_list_ptr->local_ip.s_addr);
             if (cache_address.s_addr < router_list_ptr->local_ip.s_addr) {
                 service_list_ptr->lowest_ip = 0;
@@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *)
         cache_list_ptr->next = NULL;
         service_list_ptr->lowest_ip = 1;
 -        found = 1;
 +        found = true;
         num_caches = 1;
     }
@@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *)
     router_list_ptr->num_caches = htonl(num_caches);
 -    if ((found == 1) && (service_list_ptr->lowest_ip == 1)) {
 +    if (found && (service_list_ptr->lowest_ip == 1)) {
         if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) {
             debugs(80, 4, "Change detected - queueing up new assignment");
             router_list_ptr->member_change = ntohl(router_view_header->change_number);
@@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *)
         eventDelete(wccp2AssignBuckets, NULL);
         debugs(80, 5, "I am not the lowest ip cache - not assigning buckets");
     }
 +
 +    } catch (...) {
 +        debugs(80, DBG_IMPORTANT, "ERROR: Ignoring WCCPv2 message: " << CurrentException);
 +    }
 }
 static void
--- a/SOURCES/squid-4.15-CVE-2023-46724.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46724.patch
@ -1,24 +0,0 @@
 diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
 index 20b9bf1..81ebb18 100644
 --- a/src/anyp/Uri.cc
 +++ b/src/anyp/Uri.cc
@@ -173,6 +173,10 @@ urlInitialize(void)
     assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
     assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
 +    assert(0 != matchDomainName("foo.com", ""));
 +    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
 +    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
 +
     /* more cases? */
 }
@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
         return -1;
     dl = strlen(d);
 +    if (dl == 0)
 +        return 1;
     /*
      * Start at the ends of the two strings and work towards the
--- a/SOURCES/squid-4.15-CVE-2023-46728.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46728.patch
--- a/SOURCES/squid-4.15-CVE-2023-46846.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46846.patch
--- a/SOURCES/squid-4.15-CVE-2023-49285.patch
+++ b/SOURCES/squid-4.15-CVE-2023-49285.patch
@ -1,30 +0,0 @@
 commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
 Author: Alex Rousskov <rousskov@measurement-factory.com>
 Date:   Wed Oct 25 19:41:45 2023 +0000
    RFC 1123: Fix date parsing (#1538)
    The bug was discovered and detailed by Joshua Rogers at
    https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
    where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
    Handling".
 diff --git a/lib/rfc1123.c b/lib/rfc1123.c
 index e5bf9a4d7..cb484cc00 100644
 --- a/lib/rfc1123.c
 +++ b/lib/rfc1123.c
@@ -50,7 +50,13 @@ make_month(const char *s)
     char month[3];
     month[0] = xtoupper(*s);
 +    if (!month[0])
 +        return -1; // protects *(s + 1) below
 +
     month[1] = xtolower(*(s + 1));
 +    if (!month[1])
 +        return -1; // protects *(s + 2) below
 +
     month[2] = xtolower(*(s + 2));
     for (i = 0; i < 12; i++)
--- a/SOURCES/squid-4.15-CVE-2023-49286.patch
+++ b/SOURCES/squid-4.15-CVE-2023-49286.patch
@ -1,62 +0,0 @@
 diff --git a/src/ipc.cc b/src/ipc.cc
 index 42e11e6..a68e623 100644
 --- a/src/ipc.cc
 +++ b/src/ipc.cc
@@ -19,6 +19,11 @@
 #include "SquidConfig.h"
 #include "SquidIpc.h"
 #include "tools.h"
 +#include <cstdlib>
 +
 +#if HAVE_UNISTD_H
 +#include <unistd.h>
 +#endif
 static const char *hello_string = "hi there\n";
 #ifndef HELLO_BUF_SZ
@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
     }
     PutEnvironment();
 +
 +    // A dup(2) wrapper that reports and exits the process on errors. The
 +    // exiting logic is only suitable for this child process context.
 +    const auto dupOrExit = [prog,name](const int oldFd) {
 +        const auto newFd = dup(oldFd);
 +        if (newFd < 0) {
 +            const auto savedErrno = errno;
 +            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
 +                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
 +                   Debug::Extra << "helper program name: " << prog <<
 +                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
 +            _exit(EXIT_FAILURE);
 +        }
 +        return newFd;
 +    };
 +
     /*
      * This double-dup stuff avoids problems when one of
      *  crfd, cwfd, or debug_log are in the rage 0-2.
@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
     do {
         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
 -        x = dup(crfd);
 -        assert(x > -1);
 -    } while (x < 3 && x > -1);
 +        x = dupOrExit(crfd);
 +    } while (x < 3);
     close(x);
 -    t1 = dup(crfd);
 +    t1 = dupOrExit(crfd);
 -    t2 = dup(cwfd);
 +    t2 = dupOrExit(cwfd);
 -    t3 = dup(fileno(debug_log));
 +    t3 = dupOrExit(fileno(debug_log));
     assert(t1 > 2 && t2 > 2 && t3 > 2);
--- a/SOURCES/squid-4.15-CVE-2023-50269.patch
+++ b/SOURCES/squid-4.15-CVE-2023-50269.patch
@ -1,50 +0,0 @@
 diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
 index fe2edf6..47aa935 100644
 --- a/src/ClientRequestContext.h
 +++ b/src/ClientRequestContext.h
@@ -81,6 +81,10 @@ public:
 #endif
     ErrorState *error; ///< saved error page for centralized/delayed processing
     bool readNextRequest; ///< whether Squid should read after error handling
 +
 +#if FOLLOW_X_FORWARDED_FOR
 +    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
 +#endif
 };
 #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
 diff --git a/src/client_side_request.cc b/src/client_side_request.cc
 index 1c6ff62..b758f6f 100644
 --- a/src/client_side_request.cc
 +++ b/src/client_side_request.cc
@@ -78,6 +78,11 @@
 static const char *const crlf = "\r\n";
 #if FOLLOW_X_FORWARDED_FOR
 +
 +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
 +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
 +#endif
 +
 static void clientFollowXForwardedForCheck(allow_t answer, void *data);
 #endif /* FOLLOW_X_FORWARDED_FOR */
@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
             }
 -            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 -            return;
 +            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
 +                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 +                return;
 +            }
 +            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
 +            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
 +                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
 +                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
 +                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
 +            // fall through to resume clientAccessCheck() processing
         }
     }
--- a/SOURCES/squid-4.15-CVE-2023-5824.patch
+++ b/SOURCES/squid-4.15-CVE-2023-5824.patch
--- a/SOURCES/squid-4.15-CVE-2024-23638.patch
+++ b/SOURCES/squid-4.15-CVE-2024-23638.patch
@ -1,31 +0,0 @@
 commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
 Author: Alex Rousskov <rousskov@measurement-factory.com>
 Date:   Sun Nov 12 09:33:20 2023 +0000
    Do not update StoreEntry expiration after errorAppendEntry() (#1580)
    errorAppendEntry() is responsible for setting entry expiration times,
    which it does by calling StoreEntry::storeErrorResponse() that calls
    StoreEntry::negativeCache().
    This change was triggered by a vulnerability report by Joshua Rogers at
    https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
    it was filed as "Use-After-Free in Cache Manager Errors". The reported
    "use after free" vulnerability was unknowingly addressed by 2022 commit
    1fa761a that removed excessively long "reentrant" store_client calls
    responsible for the disappearance of the properly locked StoreEntry in
    this (and probably other) contexts.
 diff --git a/src/cache_manager.cc b/src/cache_manager.cc
 index 8055ece..fdcc9cf 100644
 --- a/src/cache_manager.cc
 +++ b/src/cache_manager.cc
@@ -323,7 +323,6 @@ CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request
         const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request);
         err->url = xstrdup(entry->url());
         errorAppendEntry(entry, err);
 -        entry->expires = squid_curtime;
         return;
     }
--- a/SOURCES/squid-4.15-CVE-2024-25111.patch
+++ b/SOURCES/squid-4.15-CVE-2024-25111.patch
@ -1,193 +0,0 @@
 diff --git a/src/http.cc b/src/http.cc
 index b006300..023e411 100644
 --- a/src/http.cc
 +++ b/src/http.cc
@@ -52,6 +52,7 @@
 #include "rfc1738.h"
 #include "SquidConfig.h"
 #include "SquidTime.h"
 +#include "SquidMath.h"
 #include "StatCounters.h"
 #include "Store.h"
 #include "StrList.h"
@@ -1150,18 +1151,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
      * Plus, it breaks our lame *HalfClosed() detection
      */
 -    Must(maybeMakeSpaceAvailable(true));
 -    CommIoCbParams rd(this); // will be expanded with ReadNow results
 -    rd.conn = io.conn;
 -    rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
 +    size_t moreDataPermission = 0;
 +    if ((!canBufferMoreReplyBytes(&moreDataPermission) || !moreDataPermission)) {
 +        abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
 +        return;
 +    }
 +
 +    const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission);
 +    // TODO: Move this logic inside maybeMakeSpaceAvailable():
 +    const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
 -    if (rd.size <= 0) {
 +    if (readSizeWanted <= 0) {
         assert(entry->mem_obj);
         AsyncCall::Pointer nilCall;
         entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
         return;
     }
 +    CommIoCbParams rd(this); // will be expanded with ReadNow results
 +    rd.conn = io.conn;
 +    rd.size = readSizeWanted;
     switch (Comm::ReadNow(rd, inBuf)) {
     case Comm::INPROGRESS:
         if (inBuf.isEmpty())
@@ -1520,8 +1529,11 @@ HttpStateData::maybeReadVirginBody()
     if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
         return;
 -    if (!maybeMakeSpaceAvailable(false))
 +    size_t moreDataPermission = 0;
 +    if ((!canBufferMoreReplyBytes(&moreDataPermission)) || !moreDataPermission) {
 +        abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
         return;
 +    }
     // XXX: get rid of the do_next_read flag
     // check for the proper reasons preventing read(2)
@@ -1539,40 +1551,79 @@ HttpStateData::maybeReadVirginBody()
     Comm::Read(serverConnection, call);
 }
 +/// Desired inBuf capacity based on various capacity preferences/limits:
 +/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
 +/// * a smaller buffer may result in inefficient tiny network reads;
 +/// * a bigger buffer may waste memory;
 +/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
 +size_t
 +HttpStateData::calcReadBufferCapacityLimit() const
 +{
 +    if (!flags.headers_parsed)
 +        return Config.maxReplyHeaderSize;
 +
 +    // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
 +    // Config.readAheadGap like this creates huge read buffers for large
 +    // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
 +    // primary read buffer capacity factor.
 +    //
 +    // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
 +    // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
 +    const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).second ? NaturalSum<size_t>(Config.readAheadGap).first : SBuf::maxSize;
 +
 +    // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
 +    // (when explicit configurationPreferences are set too low).
 +
 +    return std::min<size_t>(configurationPreferences, SBuf::maxSize);
 +}
 +
 +/// The maximum number of virgin reply bytes we may buffer before we violate
 +/// the currently configured response buffering limits.
 +/// \retval std::nullopt means that no more virgin response bytes can be read
 +/// \retval 0 means that more virgin response bytes may be read later
 +/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
 bool
 -HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
 +HttpStateData::canBufferMoreReplyBytes(size_t *maxReadSize) const
 {
 -    // how much we are allowed to buffer
 -    const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
 -
 -    if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
 -        // when buffer is at or over limit already
 -        debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 -        debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
 -        // Process next response from buffer
 -        processReply();
 -        return false;
 +#if USE_ADAPTATION
 +    // If we do not check this now, we may say the final "no" prematurely below
 +    // because inBuf.length() will decrease as adaptation drains buffered bytes.
 +    if (responseBodyBuffer) {
 +        debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
 +        *maxReadSize = 0; // yes, we may be able to buffer more (but later)
 +        return true;
 +    }
 +#endif
 +
 +    const auto maxCapacity = calcReadBufferCapacityLimit();
 +    if (inBuf.length() >= maxCapacity) {
 +        debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
 +        return false; // no, configuration prohibits buffering more
     }
 +    *maxReadSize = (maxCapacity - inBuf.length()); // positive
 +    debugs(11, 7, "yes, may read up to " << *maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
 +    return true; // yes, can read up to this many bytes (subject to other constraints)
 +}
 +
 +/// prepare read buffer for reading
 +/// \return the maximum number of bytes the caller should attempt to read
 +/// \retval 0 means that the caller should delay reading
 +size_t
 +HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
 +{
     // how much we want to read
 -    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
 +    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
 -    if (!read_size) {
 +    if (read_size < 2) {
         debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 -        return false;
 +        return 0;
     }
 -    // just report whether we could grow or not, do not actually do it
 -    if (doGrow)
 -        return (read_size >= 2);
 -
     // we may need to grow the buffer
     inBuf.reserveSpace(read_size);
 -    debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
 -           " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
 -           ") from " << serverConnection);
 -
 -    return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
 +    debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
 +    return read_size;
 }
 /// called after writing the very last request byte (body, last-chunk, etc)
 diff --git a/src/http.h b/src/http.h
 index 8965b77..007d2e6 100644
 --- a/src/http.h
 +++ b/src/http.h
@@ -15,6 +15,8 @@
 #include "http/StateFlags.h"
 #include "sbuf/SBuf.h"
 +#include <optional>
 +
 class FwdState;
 class HttpHeader;
@@ -107,16 +109,9 @@ private:
     void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
 -    /**
 -     * determine if read buffer can have space made available
 -     * for a read.
 -     *
 -     * \param grow  whether to actually expand the buffer
 -     *
 -     * \return whether the buffer can be grown to provide space
 -     *         regardless of whether the grow actually happened.
 -     */
 -    bool maybeMakeSpaceAvailable(bool grow);
 +    size_t calcReadBufferCapacityLimit() const;
 +    bool canBufferMoreReplyBytes(size_t *maxReadSize) const;
 +    size_t maybeMakeSpaceAvailable(size_t maxReadSize);
     // consuming request body
     virtual void handleMoreRequestBodyAvailable();
--- a/SOURCES/squid-4.15-CVE-2024-25617.patch
+++ b/SOURCES/squid-4.15-CVE-2024-25617.patch
@ -1,105 +0,0 @@
 diff --git a/src/SquidString.h b/src/SquidString.h
 index a791885..b9aef38 100644
 --- a/src/SquidString.h
 +++ b/src/SquidString.h
@@ -114,7 +114,16 @@ private:
     size_type len_;  /* current length  */
 -    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
 +    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
 +    /// (a) we do not know where those buffers are (or whether they still exist)
 +    /// (b) too many String users unknowingly exceeded that limit and asserted.
 +    /// We are now using a larger limit to reduce the number of (b) cases,
 +    /// especially cases where "compact" lists of items grow 50% in size when we
 +    /// convert them to canonical form. The new limit is selected to withstand
 +    /// concatenation and ~50% expansion of two HTTP headers limited by default
 +    /// request_header_max_size and reply_header_max_size settings.
 +    static const size_type SizeMax_ = 3*64*1024 - 1;
 +
     /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
     static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
 diff --git a/src/cache_cf.cc b/src/cache_cf.cc
 index a9c1b7e..46f07bb 100644
 --- a/src/cache_cf.cc
 +++ b/src/cache_cf.cc
@@ -935,6 +935,18 @@ configDoConfigure(void)
                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
     }
 +    // Warn about the dangers of exceeding String limits when manipulating HTTP
 +    // headers. Technically, we do not concatenate _requests_, so we could relax
 +    // their check, but we keep the two checks the same for simplicity sake.
 +    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
 +    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
 +    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
 +        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
 +    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
 +        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
 +
     /*
      * Disable client side request pipelining if client_persistent_connections OFF.
      * Waste of resources queueing any pipelined requests when the first will close the connection.
 diff --git a/src/cf.data.pre b/src/cf.data.pre
 index bc2ddcd..d55b870 100644
 --- a/src/cf.data.pre
 +++ b/src/cf.data.pre
@@ -6196,11 +6196,14 @@ TYPE: b_size_t
 DEFAULT: 64 KB
 LOC: Config.maxRequestHeaderSize
 DOC_START
 -	This specifies the maximum size for HTTP headers in a request.
 -	Request headers are usually relatively small (about 512 bytes).
 -	Placing a limit on the request header size will catch certain
 -	bugs (for example with persistent connections) and possibly
 -	buffer-overflow or denial-of-service attacks.
 +	This directives limits the header size of a received HTTP request
 +	(including request-line). Increasing this limit beyond its 64 KB default
 +	exposes certain old Squid code to various denial-of-service attacks. This
 +	limit also applies to received FTP commands.
 +
 +	This limit has no direct affect on Squid memory consumption.
 +
 +	Squid does not check this limit when sending requests.
 DOC_END
 NAME: reply_header_max_size
@@ -6209,11 +6212,14 @@ TYPE: b_size_t
 DEFAULT: 64 KB
 LOC: Config.maxReplyHeaderSize
 DOC_START
 -	This specifies the maximum size for HTTP headers in a reply.
 -	Reply headers are usually relatively small (about 512 bytes).
 -	Placing a limit on the reply header size will catch certain
 -	bugs (for example with persistent connections) and possibly
 -	buffer-overflow or denial-of-service attacks.
 +	This directives limits the header size of a received HTTP response
 +	(including status-line). Increasing this limit beyond its 64 KB default
 +	exposes certain old Squid code to various denial-of-service attacks. This
 +	limit also applies to FTP command responses.
 +
 +	Squid also checks this limit when loading hit responses from disk cache.
 +
 +	Squid does not check this limit when sending responses.
 DOC_END
 NAME: request_body_max_size
 diff --git a/src/http.cc b/src/http.cc
 index 877172d..b006300 100644
 --- a/src/http.cc
 +++ b/src/http.cc
@@ -1820,8 +1820,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
 -        // if we cannot double strFwd size, then it grew past 50% of the limit
 -        if (!strFwd.canGrowBy(strFwd.size())) {
 +        // Detect unreasonably long header values. And paranoidly check String
 +        // limits: a String ought to accommodate two reasonable-length values.
 +        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
             // There is probably a forwarding loop with Via detection disabled.
             // If we do nothing, String will assert on overflow soon.
             // TODO: Terminate all transactions with huge XFF?
--- a/SOURCES/squid-4.15-ftp-filename-extraction.patch
+++ b/SOURCES/squid-4.15-ftp-filename-extraction.patch
@ -1,32 +0,0 @@
 diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
 index da9867f..e992638 100644
 --- a/src/clients/FtpGateway.cc
 +++ b/src/clients/FtpGateway.cc
@@ -1084,16 +1084,17 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
 void
 Ftp::Gateway::checkUrlpath()
 {
 -    static SBuf str_type_eq("type=");
 -    auto t = request->url.path().rfind(';');
 -
 -    if (t != SBuf::npos) {
 -        auto filenameEnd = t-1;
 -        if (request->url.path().substr(++t).cmp(str_type_eq, str_type_eq.length()) == 0) {
 -            t += str_type_eq.length();
 -            typecode = (char)xtoupper(request->url.path()[t]);
 -            request->url.path(request->url.path().substr(0,filenameEnd));
 -        }
 +    // If typecode was specified, extract it and leave just the filename in
 +    // url.path. Tolerate trailing garbage or missing typecode value. Roughly:
 +    // [filename] ;type=[typecode char] [trailing garbage]
 +    static const SBuf middle(";type=");
 +    const auto typeSpecStart = request->url.path().find(middle);
 +    if (typeSpecStart != SBuf::npos) {
 +        const auto fullPath = request->url.path();
 +        const auto typecodePos = typeSpecStart + middle.length();
 +        typecode = (typecodePos < fullPath.length()) ?
 +            static_cast<char>(xtoupper(fullPath[typecodePos])) : '\0';
 +        request->url.path(fullPath.substr(0, typeSpecStart));
     }
     int l = request->url.path().length();
--- a/SOURCES/squid-4.15-halfclosed.patch
+++ b/SOURCES/squid-4.15-halfclosed.patch
@ -1,163 +0,0 @@
 diff --git a/src/client_side.cc b/src/client_side.cc
 index f57f3f7..ab393e4 100644
 --- a/src/client_side.cc
 +++ b/src/client_side.cc
@@ -906,7 +906,7 @@ ConnStateData::kick()
      * We are done with the response, and we are either still receiving request
      * body (early response!) or have already stopped receiving anything.
      *
 -     * If we are still receiving, then clientParseRequest() below will fail.
 +     * If we are still receiving, then parseRequests() below will fail.
      * (XXX: but then we will call readNextRequest() which may succeed and
      * execute a smuggled request as we are not done with the current request).
      *
@@ -926,28 +926,12 @@ ConnStateData::kick()
      * Attempt to parse a request from the request buffer.
      * If we've been fed a pipelined request it may already
      * be in our read buffer.
 -     *
 -     \par
 -     * This needs to fall through - if we're unlucky and parse the _last_ request
 -     * from our read buffer we may never re-register for another client read.
      */
 -    if (clientParseRequests()) {
 -        debugs(33, 3, clientConnection << ": parsed next request from buffer");
 -    }
 +    parseRequests();
 -    /** \par
 -     * Either we need to kick-start another read or, if we have
 -     * a half-closed connection, kill it after the last request.
 -     * This saves waiting for half-closed connections to finished being
 -     * half-closed _AND_ then, sometimes, spending "Timeout" time in
 -     * the keepalive "Waiting for next request" state.
 -     */
 -    if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) {
 -        debugs(33, 3, "half-closed client with no pending requests, closing");
 -        clientConnection->close();
 +    if (!isOpen())
         return;
 -    }
     /** \par
      * At this point we either have a parsed request (which we've
@@ -2058,16 +2042,11 @@ ConnStateData::receivedFirstByte()
     commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);
 }
 -/**
 - * Attempt to parse one or more requests from the input buffer.
 - * Returns true after completing parsing of at least one request [header]. That
 - * includes cases where parsing ended with an error (e.g., a huge request).
 - */
 -bool
 -ConnStateData::clientParseRequests()
 +/// Attempt to parse one or more requests from the input buffer.
 +/// May close the connection.
 +void
 +ConnStateData::parseRequests()
 {
 -    bool parsed_req = false;
 -
     debugs(33, 5, HERE << clientConnection << ": attempting to parse");
     // Loop while we have read bytes that are not needed for producing the body
@@ -2116,8 +2095,6 @@ ConnStateData::clientParseRequests()
             processParsedRequest(context);
 -            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
 -
             if (context->mayUseConnection()) {
                 debugs(33, 3, HERE << "Not parsing new requests, as this request may need the connection");
                 break;
@@ -2130,8 +2107,19 @@ ConnStateData::clientParseRequests()
         }
     }
 -    /* XXX where to 'finish' the parsing pass? */
 -    return parsed_req;
 +    debugs(33, 7, "buffered leftovers: " << inBuf.length());
 +
 +    if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
 +        if (pipeline.empty()) {
 +            // we processed what we could parse, and no more data is coming
 +            debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
 +            clientConnection->close();
 +        } else {
 +            // we parsed what we could, and no more data is coming
 +            debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
 +            flags.readMore = false; // may already be false
 +        }
 +    }
 }
 void
@@ -2148,23 +2136,7 @@ ConnStateData::afterClientRead()
     if (pipeline.empty())
         fd_note(clientConnection->fd, "Reading next request");
 -    if (!clientParseRequests()) {
 -        if (!isOpen())
 -            return;
 -        /*
 -         * If the client here is half closed and we failed
 -         * to parse a request, close the connection.
 -         * The above check with connFinishedWithConn() only
 -         * succeeds _if_ the buffer is empty which it won't
 -         * be if we have an incomplete request.
 -         * XXX: This duplicates ConnStateData::kick
 -         */
 -        if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
 -            debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
 -            clientConnection->close();
 -            return;
 -        }
 -    }
 +    parseRequests();
     if (!isOpen())
         return;
@@ -3945,7 +3917,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
     startPinnedConnectionMonitoring();
     if (pipeline.empty())
 -        kick(); // in case clientParseRequests() was blocked by a busy pic.connection
 +        kick(); // in case parseRequests() was blocked by a busy pic.connection
 }
 /// Forward future client requests using the given server connection.
 diff --git a/src/client_side.h b/src/client_side.h
 index 9fe8463..dfb4d8e 100644
 --- a/src/client_side.h
 +++ b/src/client_side.h
@@ -85,7 +85,6 @@ public:
     virtual void doneWithControlMsg();
     /// Traffic parsing
 -    bool clientParseRequests();
     void readNextRequest();
     /// try to make progress on a transaction or read more I/O
@@ -373,6 +372,7 @@ private:
     virtual bool connFinishedWithConn(int size);
     virtual void checkLogging();
 +    void parseRequests();
     void clientAfterReadingRequests();
     bool concurrentRequestQueueFilled() const;
 diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
 index d7efb0f..655ed83 100644
 --- a/src/tests/stub_client_side.cc
 +++ b/src/tests/stub_client_side.cc
@@ -14,7 +14,7 @@
 #include "tests/STUB.h"
 #include "client_side.h"
 -bool ConnStateData::clientParseRequests() STUB_RETVAL(false)
 +void ConnStateData::parseRequests() STUB
 void ConnStateData::readNextRequest() STUB
 bool ConnStateData::isOpen() const STUB_RETVAL(false)
 void ConnStateData::kick() STUB
--- a/SOURCES/squid-4.15-ignore-wsp-after-chunk-size.patch
+++ b/SOURCES/squid-4.15-ignore-wsp-after-chunk-size.patch
@ -1,367 +0,0 @@
 From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Thu, 10 Oct 2024 19:26:27 +0200
 Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size
 Previously (before #1498 change), squid was accepting TE-chunked replies
 with whitespaces after chunk-size and missing chunk-ext data. After
 It turned out that replies with such whitespace chars are pretty
 common and other webservers which can act as forward proxies (e.g.
 nginx, httpd...) are accepting them.
 This change will allow to proxy chunked responses from origin server,
 which had whitespaces inbetween chunk-size and CRLF.
 ---
 src/http/one/TeChunkedParser.cc | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 9cce10fdc91..04753395e16 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 +        tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size
         parseChunkExtensions(tok); // a possibly empty chunk-ext list
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
 From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Fri, 11 Oct 2024 02:06:31 +0200
 Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws()
 Depending on new wsp_only argument in ParseBws() it will be decided
 which set of whitespaces characters will be parsed. If wsp_only is set
 to true, only SP and HTAB chars will be parsed.
 Also optimized number of ParseBws calls.
 ---
 src/http/one/Parser.cc          |  4 ++--
 src/http/one/Parser.h           |  3 ++-
 src/http/one/TeChunkedParser.cc | 13 +++++++++----
 src/http/one/TeChunkedParser.h  |  2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index b1908316a0b..01d7e3bc0e8 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -273,9 +273,9 @@ Http::One::ErrorLevel()
 // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule
 void
 -Http::One::ParseBws(Parser::Tokenizer &tok)
 +Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 {
 -    const auto count = tok.skipAll(Parser::WhitespaceCharacters());
 +    const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters());
     if (tok.atEnd())
         throw InsufficientInput(); // even if count is positive
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index d9a0ac8c273..08200371cd6 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -163,8 +163,9 @@ class Parser : public RefCountable
 };
 /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace)
 +/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars
 /// \throws InsufficientInput when the end of BWS cannot be confirmed
 -void ParseBws(Parser::Tokenizer &);
 +void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 /// the right debugs() level for logging HTTP violation messages
 int ErrorLevel();
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 04753395e16..41e1e5ddaea 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 -        tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size
 -        parseChunkExtensions(tok); // a possibly empty chunk-ext list
 +        // A possibly empty chunk-ext list. If no chunk-ext has been found,
 +        // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF".
 +        if (!parseChunkExtensions(tok))
 +            ParseBws(tok, true);
 +
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
         parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 /// Parses the chunk-ext list (RFC 9112 section 7.1.1:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 -void
 +bool
 Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 {
 +    bool foundChunkExt = false;
     do {
         auto tok = callerTok;
         ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
         if (!tok.skip(';'))
 -            return; // reached the end of extensions (if any)
 +            return foundChunkExt; // reached the end of extensions (if any)
         parseOneChunkExtension(tok);
         buf_ = tok.remaining(); // got one extension
         callerTok = tok;
 +        foundChunkExt = true;
     } while (true);
 }
 diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h
 index 02eacd1bb89..8c5d4bb4cba 100644
 --- a/src/http/one/TeChunkedParser.h
 +++ b/src/http/one/TeChunkedParser.h
@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser
 private:
     bool parseChunkSize(Tokenizer &tok);
     bool parseChunkMetadataSuffix(Tokenizer &);
 -    void parseChunkExtensions(Tokenizer &);
 +    bool parseChunkExtensions(Tokenizer &);
     void parseOneChunkExtension(Tokenizer &);
     bool parseChunkBody(Tokenizer &tok);
     bool parseChunkEnd(Tokenizer &tok);
 From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
 Date: Fri, 11 Oct 2024 02:44:33 +0200
 Subject: [PATCH 3/6] Fix typo in Parser.h
 ---
 src/http/one/Parser.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index 08200371cd6..3ef4c5f7752 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -163,7 +163,7 @@ class Parser : public RefCountable
 };
 /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace)
 -/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars
 +/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars
 /// \throws InsufficientInput when the end of BWS cannot be confirmed
 void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 10 Oct 2024 22:39:42 -0400
 Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492!
 Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_
 spaces after chunk-size, which answers one of the PR review questions:
 Should we skip just one space? No, we should not.
 The lines moved around in many commits, but I believe this regression
 was introduced in commit 951013d0 because that commit stopped consuming
 partially parsed chunk-ext sequences. That consumption was wrong, but it
 had a positive side effect -- fixing Bug 4492...
 ---
 src/http/one/TeChunkedParser.cc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 41e1e5ddaea..aa4a840fdcf 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 -        // A possibly empty chunk-ext list. If no chunk-ext has been found,
 -        // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF".
 -        if (!parseChunkExtensions(tok))
 -            ParseBws(tok, true);
 +        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 +        ParseBws(tok, true);
 +
 +        parseChunkExtensions(tok);
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
     do {
         auto tok = callerTok;
 -        ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 +        ParseBws(tok);
         if (!tok.skip(';'))
             return foundChunkExt; // reached the end of extensions (if any)
 From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 10 Oct 2024 23:06:42 -0400
 Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling
 ... to draw code reader attention when something unusual is going on.
 ---
 src/http/one/Parser.cc          | 22 ++++++++++++++++++----
 src/http/one/Parser.h           | 10 ++++++++--
 src/http/one/TeChunkedParser.cc | 14 ++++++--------
 src/http/one/TeChunkedParser.h  |  2 +-
 4 files changed, 33 insertions(+), 15 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index 01d7e3bc0e8..d3937e5e96b 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -271,11 +271,12 @@ Http::One::ErrorLevel()
     return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5;
 }
 -// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule
 -void
 -Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
 +/// common part of ParseBws() and ParseStrctBws()
 +namespace Http::One {
 +static void
 +ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars)
 {
 -    const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters());
 +    const auto count = tok.skipAll(bwsChars);
     if (tok.atEnd())
         throw InsufficientInput(); // even if count is positive
@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only)
     // success: no more BWS characters expected
 }
 +} // namespace Http::One
 +
 +void
 +Http::One::ParseBws(Parser::Tokenizer &tok)
 +{
 +    ParseBws_(tok, CharacterSet::WSP);
 +}
 +
 +void
 +Http::One::ParseStrictBws(Parser::Tokenizer &tok)
 +{
 +    ParseBws_(tok, Parser::WhitespaceCharacters());
 +}
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index 3ef4c5f7752..49e399de546 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -163,9 +163,15 @@ class Parser : public RefCountable
 };
 /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace)
 -/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars
 /// \throws InsufficientInput when the end of BWS cannot be confirmed
 -void ParseBws(Parser::Tokenizer &, const bool wsp_only = false);
 +/// \sa WhitespaceCharacters() for the definition of BWS characters
 +/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties
 +void ParseBws(Parser::Tokenizer &);
 +
 +/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation
 +/// must be used if the next element may start with CR or any other character
 +/// from RelaxedDelimiterCharacters().
 +void ParseStrictBws(Parser::Tokenizer &);
 /// the right debugs() level for logging HTTP violation messages
 int ErrorLevel();
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index aa4a840fdcf..859471b8c77 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // Code becomes much simpler when incremental parsing functions throw on
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
 -        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
 -        ParseBws(tok, true);
 -
 -        parseChunkExtensions(tok);
 +        // Bug 4492: IBM_HTTP_Server sends SP after chunk-size.
 +        // No ParseBws() here because it may consume CR required further below.
 +        ParseStrictBws(tok);
 +        parseChunkExtensions(tok); // a possibly empty chunk-ext list
         tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
         parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
 /// Parses the chunk-ext list (RFC 9112 section 7.1.1:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 -bool
 +void
 Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 {
 -    bool foundChunkExt = false;
     do {
         auto tok = callerTok;
         ParseBws(tok);
         if (!tok.skip(';'))
 -            return foundChunkExt; // reached the end of extensions (if any)
 +            return; // reached the end of extensions (if any)
         parseOneChunkExtension(tok);
         buf_ = tok.remaining(); // got one extension
         callerTok = tok;
 -        foundChunkExt = true;
     } while (true);
 }
 diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h
 index 8c5d4bb4cba..02eacd1bb89 100644
 --- a/src/http/one/TeChunkedParser.h
 +++ b/src/http/one/TeChunkedParser.h
@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser
 private:
     bool parseChunkSize(Tokenizer &tok);
     bool parseChunkMetadataSuffix(Tokenizer &);
 -    bool parseChunkExtensions(Tokenizer &);
 +    void parseChunkExtensions(Tokenizer &);
     void parseOneChunkExtension(Tokenizer &);
     bool parseChunkBody(Tokenizer &tok);
     bool parseChunkEnd(Tokenizer &tok);
 From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 10 Oct 2024 23:31:08 -0400
 Subject: [PATCH 6/6] fixup: Deadly typo
 ---
 src/http/one/Parser.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index d3937e5e96b..7403a9163a2 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars)
 void
 Http::One::ParseBws(Parser::Tokenizer &tok)
 {
 -    ParseBws_(tok, CharacterSet::WSP);
 +    ParseBws_(tok, Parser::WhitespaceCharacters());
 }
 void
 Http::One::ParseStrictBws(Parser::Tokenizer &tok)
 {
 -    ParseBws_(tok, Parser::WhitespaceCharacters());
 +    ParseBws_(tok, CharacterSet::WSP);
 }
--- a/SOURCES/squid-4.15.tar.xz.asc
+++ b/SOURCES/squid-4.15.tar.xz.asc
@ -1,25 +0,0 @@
 File: squid-4.15.tar.xz
 Date: Mon 10 May 2021 10:50:22 UTC
 Size: 2454176
 MD5 : a593de9dc888dfeca4f1f7db2cd7d3b9
 SHA1: 60bda34ba39657e2d870c8c1d2acece8a69c3075
 Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
      keyring = http://www.squid-cache.org/pgp.asc
      keyserver = pool.sks-keyservers.net
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmCZD/UACgkQzW2/jvOx
 fT6zZg/+N8JMIYpmVJ7jm4lF0Ub2kEHGTOrc+tnlA3LGnlMQuTm61+BYk58g0SKW
 96NbJ0cycW215Q34L+Y0tWuxEbIU01vIc3AA7rQd0LKy+fQU0OtBuhk5Vf4bKilW
 uHEVIQZs9HmY6bqC+kgtCf49tVZvR8FZYNuilg/68+i/pQdwaDDmVb+j2oF7w+y2
 dgkTFWtM5NTL6bqUVC0E7lLFPjzMefKfxkkpWFdV/VrAhU25jN24kpnjcfotQhdW
 LDFy5okduz3ljso9pBYJfLeMXM1FZPpceC91zj32x3tcUyrD3yIoXob58rEKvfe4
 RDXN4SuClsNe4UQ4oNoGIES9XtaYlOzPR1PlbqPUrdp1cDnhgLJ+1fkAixlMqCml
 wuI1VIKSEY+nvRzQzFHnXJK9otV8QwMF76AHaytO9y+X6JuZmu/CcV1pq61qY9qv
 t1/8z99wWSxpu17zthZgq64J225GF/hkBedaFlYoS5k5YUMDLPlRSCC0yPmb8JBF
 Cns5i/aq2PmOx2ZhQ2RQIF416J3HK8Galw8ytFOjnEcn4ux9yzKNjL38p4+PJJA0
 7GCMAqYYNjok3LSkGbiR7cPgbHnkqRfYbPFLMj4FtruoFlZ9L5MIU3oFvqA3ZR6l
 Az6LaKLsAYPUmukAOPUSIrqpKXZHc7hdBWkT+7RYA4qaoU+9oIo=
 =1Re1
 -----END PGP SIGNATURE-----
--- a/SOURCES/squid-5.0.5-symlink-lang-err.patch
+++ b/SOURCES/squid-5.0.5-symlink-lang-err.patch
@ -0,0 +1,68 @@
 From fc01451000eaa5592cd5afbd6aee14e53f7dd2c3 Mon Sep 17 00:00:00 2001
 From: Amos Jeffries <amosjeffries@squid-cache.org>
 Date: Sun, 18 Oct 2020 20:23:10 +1300
 Subject: [PATCH] Update translations integration
 * Add credits for es-mx translation moderator
 * Use es-mx for default of all Spanish (Central America) texts
 * Update translation related .am files
 ---
 doc/manuals/language.am | 2 +-
 errors/TRANSLATORS      | 1 +
 errors/aliases          | 3 ++-
 errors/language.am      | 3 ++-
 errors/template.am      | 2 +-
 5 files changed, 7 insertions(+), 4 deletions(-)
 diff --git a/doc/manuals/language.am b/doc/manuals/language.am
 index 7670c88380c..f03c4cf71b4 100644
 --- a/doc/manuals/language.am
 +++ b/doc/manuals/language.am
@@ -18,4 +18,4 @@ TRANSLATE_LANGUAGES = \
     oc.lang \
     pt.lang \
     ro.lang \
 -    ru.lang 
 +    ru.lang
 diff --git a/errors/aliases b/errors/aliases
 index 36f17f4b80f..cf0116f297d 100644
 --- a/errors/aliases
 +++ b/errors/aliases
@@ -14,7 +14,8 @@ da	da-dk
 de	de-at de-ch de-de de-li de-lu
 el	el-gr
 en	en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
 -es	es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
 +es	es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
 +es-mx	es-bz es-cr es-gt es-hn es-ni es-pa es-sv
 et	et-ee
 fa	fa-fa fa-ir
 fi	fi-fi
 diff --git a/errors/language.am b/errors/language.am
 index 12b1b2b3b43..029e8c1eb2f 100644
 --- a/errors/language.am
 +++ b/errors/language.am
@@ -17,6 +17,7 @@ TRANSLATE_LANGUAGES = \
     de.lang \
     el.lang \
     en.lang \
 +    es-mx.lang \
     es.lang \
     et.lang \
     fa.lang \
@@ -51,4 +52,4 @@ TRANSLATE_LANGUAGES = \
     uz.lang \
     vi.lang \
     zh-hans.lang \
 -    zh-hant.lang 
 +    zh-hant.lang
 diff --git a/errors/template.am b/errors/template.am
 index 6c12781e6f4..715c65aa22b 100644
 --- a/errors/template.am
 +++ b/errors/template.am
@@ -48,4 +48,4 @@ ERROR_TEMPLATES = \
     templates/ERR_UNSUP_REQ \
     templates/ERR_URN_RESOLVE \
     templates/ERR_WRITE_ERROR \
 -    templates/ERR_ZERO_SIZE_OBJECT 
 +    templates/ERR_ZERO_SIZE_OBJECT
--- a/SOURCES/squid-5.0.6-active-ftp.patch
+++ b/SOURCES/squid-5.0.6-active-ftp.patch
@ -1,8 +1,8 @@
 diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
-index b665bcf..d287e55 100644
+index 747ed35..f2b7126 100644
 --- a/src/clients/FtpClient.cc
 +++ b/src/clients/FtpClient.cc
-@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
+@@ -795,7 +795,8 @@ Ftp::Client::connectDataChannel()
 bool
 Ftp::Client::openListenSocket()
 {
@ -13,10 +13,10 @@ index b665bcf..d287e55 100644
 /// creates a data channel Comm close callback
 diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
-index a76a5a0..218d696 100644
+index eb5ea1b..e92c007 100644
 --- a/src/clients/FtpClient.h
 +++ b/src/clients/FtpClient.h
-@@ -118,7 +118,7 @@ public:
+@@ -137,7 +137,7 @@ public:
     bool sendPort();
     bool sendPassive();
     void connectDataChannel();
@ -26,10 +26,10 @@ index a76a5a0..218d696 100644
     CtrlChannel ctrl; ///< FTP control channel state
 diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
-index 411bce9..31d3e36 100644
+index 05db817..2989cd2 100644
 --- a/src/clients/FtpGateway.cc
 +++ b/src/clients/FtpGateway.cc
-@@ -87,6 +87,13 @@ struct GatewayFlags {
+@@ -86,6 +86,13 @@ struct GatewayFlags {
 class Gateway;
 typedef void (StateMethod)(Ftp::Gateway *);
@ -43,7 +43,7 @@ index 411bce9..31d3e36 100644
 /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
 /// converts it into one or more FTP commands, and then
 /// converts one or more FTP responses into the final HTTP response.
-@@ -137,7 +144,11 @@ public:
+@@ -136,7 +143,11 @@ public:
     /// create a data channel acceptor and start listening.
     void listenForDataChannel(const Comm::ConnectionPointer &conn);
@ -56,7 +56,7 @@ index 411bce9..31d3e36 100644
     int checkAuth(const HttpHeader * req_hdr);
     void checkUrlpath();
     void buildTitleUrl();
-@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
+@@ -1786,6 +1797,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
     }
     ftpState->listenForDataChannel(temp);
@ -64,7 +64,7 @@ index 411bce9..31d3e36 100644
 }
 static void
-@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
+@@ -1821,13 +1833,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
     // pull out the internal IP address bytes to send in PORT command...
     // source them from the listen_conn->local
@ -86,7 +86,7 @@ index 411bce9..31d3e36 100644
     ftpState->writeCommand(cbuf);
     ftpState->state = Ftp::Client::SENT_PORT;
-@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
+@@ -1880,14 +1898,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
         return;
     }
@ -116,7 +116,7 @@ index 411bce9..31d3e36 100644
     ftpState->writeCommand(cbuf);
     ftpState->state = Ftp::Client::SENT_EPRT;
-@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
+@@ -1906,7 +1937,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
         ftpSendPORT(ftpState);
         return;
     }
--- a/SOURCES/squid-5.0.6-openssl3.patch
+++ b/SOURCES/squid-5.0.6-openssl3.patch
@ -0,0 +1,185 @@
 diff --git a/src/ssl/support.cc b/src/ssl/support.cc
 index 3ad135d..73912ce 100644
 --- a/src/ssl/support.cc
 +++ b/src/ssl/support.cc
@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
 }
 // "dup" function for SSL_get_ex_new_index("cert_err_check")
 -#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
 +#if OPENSSL_VERSION_MAJOR >= 3
 +static int
 +ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
 +                    int, long, void *)
 +#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
 static int
 ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
                     int, long, void *)
 diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
 index cf1d4ba..4346ba5 100644
 --- a/src/security/PeerOptions.cc
 +++ b/src/security/PeerOptions.cc
@@ -297,130 +297,130 @@ static struct ssl_option {
 } ssl_options[] = {
 -#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
 +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
     {
         "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
     },
 #endif
 -#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
 +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
     {
         "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
     },
 #endif
 -#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
 +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
     {
         "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
     },
 #endif
 -#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
     {
         "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
     },
 #endif
 -#if SSL_OP_TLS_D5_BUG
 +#ifdef SSL_OP_TLS_D5_BUG
     {
         "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
     },
 #endif
 -#if SSL_OP_TLS_BLOCK_PADDING_BUG
 +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
     {
         "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
     },
 #endif
 -#if SSL_OP_TLS_ROLLBACK_BUG
 +#ifdef SSL_OP_TLS_ROLLBACK_BUG
     {
         "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
     },
 #endif
 -#if SSL_OP_ALL
 +#ifdef SSL_OP_ALL
     {
         "ALL", (long)SSL_OP_ALL
     },
 #endif
 -#if SSL_OP_SINGLE_DH_USE
 +#ifdef SSL_OP_SINGLE_DH_USE
     {
         "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
     },
 #endif
 -#if SSL_OP_EPHEMERAL_RSA
 +#ifdef SSL_OP_EPHEMERAL_RSA
     {
         "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
     },
 #endif
 -#if SSL_OP_PKCS1_CHECK_1
 +#ifdef SSL_OP_PKCS1_CHECK_1
     {
         "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
     },
 #endif
 -#if SSL_OP_PKCS1_CHECK_2
 +#ifdef SSL_OP_PKCS1_CHECK_2
     {
         "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
     },
 #endif
 -#if SSL_OP_NETSCAPE_CA_DN_BUG
 +#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
     {
         "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
     },
 #endif
 -#if SSL_OP_NON_EXPORT_FIRST
 +#ifdef SSL_OP_NON_EXPORT_FIRST
     {
         "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
     },
 #endif
 -#if SSL_OP_CIPHER_SERVER_PREFERENCE
 +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
     {
         "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
     },
 #endif
 -#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
 +#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
     {
         "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
     },
 #endif
 -#if SSL_OP_NO_SSLv3
 +#ifdef SSL_OP_NO_SSLv3
     {
         "NO_SSLv3", SSL_OP_NO_SSLv3
     },
 #endif
 -#if SSL_OP_NO_TLSv1
 +#ifdef SSL_OP_NO_TLSv1
     {
         "NO_TLSv1", SSL_OP_NO_TLSv1
     },
 #else
     { "NO_TLSv1", 0 },
 #endif
 -#if SSL_OP_NO_TLSv1_1
 +#ifdef SSL_OP_NO_TLSv1_1
     {
         "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
     },
 #else
     { "NO_TLSv1_1", 0 },
 #endif
 -#if SSL_OP_NO_TLSv1_2
 +#ifdef SSL_OP_NO_TLSv1_2
     {
         "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
     },
 #else
     { "NO_TLSv1_2", 0 },
 #endif
 -#if SSL_OP_NO_TLSv1_3
 +#ifdef SSL_OP_NO_TLSv1_3
     {
         "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
     },
 #else
     { "NO_TLSv1_3", 0 },
 #endif
 -#if SSL_OP_NO_COMPRESSION
 +#ifdef SSL_OP_NO_COMPRESSION
     {
         "No_Compression", SSL_OP_NO_COMPRESSION
     },
 #endif
 -#if SSL_OP_NO_TICKET
 +#ifdef SSL_OP_NO_TICKET
     {
         "NO_TICKET", SSL_OP_NO_TICKET
     },
 #endif
 -#if SSL_OP_SINGLE_ECDH_USE
 +#ifdef SSL_OP_SINGLE_ECDH_USE
     {
         "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
     },
@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
     }
 -#if SSL_OP_NO_SSLv2
 +#ifdef SSL_OP_NO_SSLv2
     // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
     op = op | SSL_OP_NO_SSLv2;
 #endif
--- a/SOURCES/squid-5.1-test-store-cppsuite.patch
+++ b/SOURCES/squid-5.1-test-store-cppsuite.patch
@ -0,0 +1,24 @@
 diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
 index 0564380..fcd60b9 100644
 --- a/src/tests/testStoreHashIndex.cc
 +++ b/src/tests/testStoreHashIndex.cc
@@ -102,6 +102,8 @@ void commonInit()
     if (inited)
         return;
 +    inited = true;
 +
     Mem::Init();
     Config.Store.avgObjectSize = 1024;
@@ -109,6 +111,10 @@ void commonInit()
     Config.Store.objectsPerBucket = 20;
     Config.Store.maxObjectSize = 2048;
 +
 +    Config.memShared.defaultTo(false);
 +
 +    Config.store_dir_select_algorithm = xstrdup("round-robin");
 }
 /* TODO make this a cbdata class */
--- a/SOURCES/squid-4.15-CVE-2021-46784.patch
+++ b/SOURCES/squid-4.15-CVE-2021-46784.patch
@ -1,17 +1,8 @@
 From 780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b Mon Sep 17 00:00:00 2001
 From: Joshua Rogers <MegaManSec@users.noreply.github.com>
 Date: Mon, 18 Apr 2022 13:42:36 +0000
 Subject: [PATCH] Improve handling of Gopher responses (#1022)
 ---
 src/gopher.cc | 45 ++++++++++++++++++++-------------------------
 1 file changed, 20 insertions(+), 25 deletions(-)
 diff --git a/src/gopher.cc b/src/gopher.cc
-index 169b0e18299..6187da18bcd 100644
+index 576a3f7..2645b6b 100644
 --- a/src/gopher.cc
 +++ b/src/gopher.cc
-@@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -364,7 +364,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
     char *lpos = NULL;
     char *tline = NULL;
     LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
@ -19,7 +10,7 @@ index 169b0e18299..6187da18bcd 100644
     char *name = NULL;
     char *selector = NULL;
     char *host = NULL;
-@@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -374,7 +373,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
     char gtype;
     StoreEntry *entry = NULL;
@ -27,7 +18,7 @@ index 169b0e18299..6187da18bcd 100644
     memset(line, '\0', TEMP_BUF_SIZE);
     entry = gopherState->entry;
-@@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -409,7 +407,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
         return;
     }
@ -36,7 +27,7 @@ index 169b0e18299..6187da18bcd 100644
     if (!gopherState->HTML_header_added) {
         if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
-@@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -577,34 +575,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
                         break;
                     }
@ -85,7 +76,7 @@ index 169b0e18299..6187da18bcd 100644
                 } else {
                     memset(line, '\0', TEMP_BUF_SIZE);
                     continue;
-@@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -637,13 +635,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
                     break;
                 if (gopherState->cso_recno != recno) {
@ -101,7 +92,7 @@ index 169b0e18299..6187da18bcd 100644
                 break;
             } else {
                 int code;
-@@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -671,8 +668,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
                 case 502: { /* Too Many Matches */
                     /* Print the message the server returns */
@ -111,7 +102,7 @@ index 169b0e18299..6187da18bcd 100644
                     break;
                 }
-@@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+@@ -688,13 +684,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
     }               /* while loop */
--- a/SOURCES/squid-4.15-CVE-2022-41318.patch
+++ b/SOURCES/squid-4.15-CVE-2022-41318.patch
--- a/SOURCES/squid-5.5-CVE-2023-46846.patch
+++ b/SOURCES/squid-5.5-CVE-2023-46846.patch
@ -0,0 +1,178 @@
 From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001
 From: Amos Jeffries <yadij@users.noreply.github.com>
 Date: Fri, 13 Oct 2023 08:44:16 +0000
 Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498)
 ---
 src/http/one/Parser.cc          |  8 +-------
 src/http/one/Parser.h           |  4 +---
 src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++-----
 src/parser/Tokenizer.cc         | 12 ++++++++++++
 src/parser/Tokenizer.h          |  7 +++++++
 5 files changed, 39 insertions(+), 15 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index c78ddd7f0..291ae39f0 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters()
 void
 Http::One::Parser::skipLineTerminator(Tokenizer &tok) const
 {
 -    if (tok.skip(Http1::CrLf()))
 -        return;
 -
     if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF))
         return;
 -    if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r'))
 -        throw InsufficientInput();
 -
 -    throw TexcHere("garbage instead of CRLF line terminator");
 +    tok.skipRequired("line-terminating CRLF", Http1::CrLf());
 }
 /// all characters except the LF line terminator
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index f83c01a9a..aab895583 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -124,9 +124,7 @@ protected:
      * detect and skip the CRLF or (if tolerant) LF line terminator
      * consume from the tokenizer.
      *
 -     * \throws exception on bad or InsuffientInput.
 -     * \retval true only if line terminator found.
 -     * \retval false incomplete or missing line terminator, need more data.
 +     * \throws exception on bad or InsufficientInput
      */
     void skipLineTerminator(Tokenizer &) const;
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 1434100b6..8bdb65abb 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok)
 {
     Must(theChunkSize <= 0); // Should(), really
 +    static const SBuf bannedHexPrefixLower("0x");
 +    static const SBuf bannedHexPrefixUpper("0X");
 +    if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper))
 +        throw TextException("chunk starts with 0x", Here());
 +
     int64_t size = -1;
     if (tok.int64(size, 16, false) && !tok.atEnd()) {
         if (size < 0)
@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
         parseChunkExtensions(tok); // a possibly empty chunk-ext list
 -        skipLineTerminator(tok);
 +        tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
         parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
         return true;
@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // other exceptions bubble up to kill message parsing
 }
 -/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667):
 +/// Parses the chunk-ext list (RFC 9112 section 7.1.1:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 void
 -Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
 +Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 {
     do {
 +        auto tok = callerTok;
 +
         ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
         if (!tok.skip(';'))
@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
         parseOneChunkExtension(tok);
         buf_ = tok.remaining(); // got one extension
 +        callerTok = tok;
     } while (true);
 }
@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName
 /// Parses a single chunk-ext list element:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 void
 -Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
 +Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok)
 {
 +    auto tok = callerTok;
 +
     ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name
     const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR);
 +    callerTok = tok; // in case we determine that this is a valueless chunk-ext
     ParseBws(tok);
@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
         customExtensionValueParser->parse(tok, extName);
     else
         ChunkExtensionValueParser::Ignore(tok, extName);
 +
 +    callerTok = tok;
 }
 bool
@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok)
     Must(theLeftBodySize == 0); // Should(), really
     try {
 -        skipLineTerminator(tok);
 +        tok.skipRequired("chunk CRLF", Http1::CrLf());
         buf_ = tok.remaining(); // parse checkpoint
         theChunkSize = 0; // done with the current chunk
         parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ;
 diff --git a/src/parser/Tokenizer.cc b/src/parser/Tokenizer.cc
 index edaffd8d3..15df793b8 100644
 --- a/src/parser/Tokenizer.cc
 +++ b/src/parser/Tokenizer.cc
@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const CharacterSet &tokenChars)
     return success(prefixLen);
 }
 +void
 +Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip)
 +{
 +    if (skip(tokenToSkip) || tokenToSkip.isEmpty())
 +        return;
 +
 +    if (tokenToSkip.startsWith(buf_))
 +        throw InsufficientInput();
 +
 +    throw TextException(ToSBuf("cannot skip ", description), Here());
 +}
 +
 bool
 Parser::Tokenizer::skipOne(const CharacterSet &chars)
 {
 diff --git a/src/parser/Tokenizer.h b/src/parser/Tokenizer.h
 index 7bae1ccbb..3cfa7dd6c 100644
 --- a/src/parser/Tokenizer.h
 +++ b/src/parser/Tokenizer.h
@@ -115,6 +115,13 @@ public:
      */
     SBuf::size_type skipAll(const CharacterSet &discardables);
 +    /** skips a given character sequence (string);
 +     * does nothing if the sequence is empty
 +     *
 +     * \throws exception on mismatching prefix or InsufficientInput
 +     */
 +    void skipRequired(const char *description, const SBuf &tokenToSkip);
 +
     /** Removes a single trailing character from the set.
      *
      * \return whether a character was removed
 -- 
 2.25.1
--- a/SOURCES/squid-4.15-CVE-2023-46847.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46847.patch
@ -1,8 +1,26 @@
 From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001
 From: squidadm <squidadm@users.noreply.github.com>
 Date: Wed, 18 Oct 2023 04:50:56 +1300
 Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
 (#1517)
 The bug was discovered and detailed by Joshua Rogers at
 https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
 where it was filed as "Stack Buffer Overflow in Digest Authentication".
 ---------
 Co-authored-by: Alex Bason <nonsleepr@gmail.com>
 Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com>
 ---
 src/auth/digest/Config.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
-index 6a9736f..0a883fa 100644
+index d42831a55..be9f3c433 100644
 --- a/src/auth/digest/Config.cc
 +++ b/src/auth/digest/Config.cc
-@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+@@ -844,11 +844,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
             break;
         case DIGEST_NC:
@ -21,3 +39,5 @@ index 6a9736f..0a883fa 100644
             break;
         case DIGEST_CNONCE:
 -- 
 2.25.1
--- a/SOURCES/squid-5.5-CVE-2023-46848.patch
+++ b/SOURCES/squid-5.5-CVE-2023-46848.patch
@ -0,0 +1,46 @@
 From c67bf049871a49e9871efe50b230a7f37b7039f6 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Thu, 25 May 2023 02:10:28 +0000
 Subject: [PATCH] Fix userinfo percent-encoding (#1367)
 %X expects an unsigned int, and that is what we were giving it. However,
 to get to the correct unsigned int value from a (signed) char, one has
 to cast to an unsigned char (or equivalent) first.
 Broken since inception in commit 7b75100.
 Also adjusted similar (commented out) ext_edirectory_userip_acl code.
 ---
 src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc | 2 +-
 src/anyp/Uri.cc                                                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc b/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
 index dbc20ae54..9028d1562 100644
 --- a/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
 +++ b/src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
@@ -1612,7 +1612,7 @@ MainSafe(int argc, char **argv)
         /* BINARY DEBUGGING *
                     local_printfx("while() -> bufa[%" PRIuSIZE "]: %s", k, bufa);
                     for (i = 0; i < k; ++i)
 -                      local_printfx("%02X", bufa[i]);
 +                      local_printfx("%02X", static_cast<unsigned int>(static_cast<unsigned char>(bufa[i])));
                     local_printfx("\n");
         * BINARY DEBUGGING */
         /* Check for CRLF */
 diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
 index a6a5d5d9e..3d19188e9 100644
 --- a/src/anyp/Uri.cc
 +++ b/src/anyp/Uri.cc
@@ -70,7 +70,7 @@ AnyP::Uri::Encode(const SBuf &buf, const CharacterSet &ignore)
     while (!tk.atEnd()) {
         // TODO: Add Tokenizer::parseOne(void).
         const auto ch = tk.remaining()[0];
 -        output.appendf("%%%02X", static_cast<unsigned int>(ch)); // TODO: Optimize using a table
 +        output.appendf("%%%02X", static_cast<unsigned int>(static_cast<unsigned char>(ch))); // TODO: Optimize using a table
         (void)tk.skip(ch);
         if (tk.prefix(goodSection, ignore))
 -- 
 2.25.1
--- a/SOURCES/squid-4.15-ip-bind-address-no-port.patch
+++ b/SOURCES/squid-4.15-ip-bind-address-no-port.patch
@ -1,14 +1,14 @@
-commit c08948c8b831a2ba73c676b48aa11ba1b58cc542
+commit c54122584d175cf1d292b239a5b70f2d1aa77c3a
 Author: Tomas Korbar <tkorbar@redhat.com>
-Date:   Thu Dec 8 11:03:08 2022 +0100
+Date:   Mon Dec 5 15:03:07 2022 +0100
    Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
 diff --git a/src/comm.cc b/src/comm.cc
-index 0d5f34d..6811b54 100644
+index b4818f3..b18d175 100644
 --- a/src/comm.cc
 +++ b/src/comm.cc
-@@ -58,6 +58,7 @@
+@@ -59,6 +59,7 @@
  */
 static IOCB commHalfClosedReader;
@ -16,7 +16,7 @@ index 0d5f34d..6811b54 100644
 static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
 static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
-@@ -75,6 +76,7 @@ static EVH commHalfClosedCheck;
+@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck;
 static void commPlanHalfClosedCheck();
 static Comm::Flag commBind(int s, struct addrinfo &);
@ -24,7 +24,7 @@ index 0d5f34d..6811b54 100644
 static void commSetReuseAddr(int);
 static void commSetNoLinger(int);
 #ifdef TCP_NODELAY
-@@ -201,6 +203,22 @@ comm_local_port(int fd)
+@@ -202,6 +204,22 @@ comm_local_port(int fd)
     return F->local_addr.port();
 }
@ -47,7 +47,7 @@ index 0d5f34d..6811b54 100644
 static Comm::Flag
 commBind(int s, struct addrinfo &inaddr)
 {
-@@ -227,6 +245,10 @@ comm_open(int sock_type,
+@@ -228,6 +246,10 @@ comm_open(int sock_type,
           int flags,
           const char *note)
 {
@ -58,7 +58,7 @@ index 0d5f34d..6811b54 100644
     return comm_openex(sock_type, proto, addr, flags, note);
 }
-@@ -328,7 +350,7 @@ comm_set_transparent(int fd)
+@@ -329,7 +351,7 @@ comm_set_transparent(int fd)
  * Create a socket. Default is blocking, stream (TCP) socket.  IO_TYPE
  * is OR of flags specified in defines.h:COMM_*
  */
@ -67,10 +67,10 @@ index 0d5f34d..6811b54 100644
 comm_openex(int sock_type,
             int proto,
             Ip::Address &addr,
-@@ -476,6 +498,9 @@ comm_apply_flags(int new_socket,
+@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket,
-         if ( addr.isNoAddr() )
+             }
-             debugs(5,0,"CRITICAL: Squid is attempting to bind() port " << addr << "!!");
+         }
- 
+ #endif
 +        if ((flags & COMM_DOBIND_PORT_LATER))
 +            commSetBindAddressNoPort(new_socket);
 +
@ -78,7 +78,7 @@ index 0d5f34d..6811b54 100644
             comm_close(new_socket);
             return -1;
 diff --git a/src/comm.h b/src/comm.h
-index c963e1c..9ff201d 100644
+index 5a1a7c2..a9f33db 100644
 --- a/src/comm.h
 +++ b/src/comm.h
@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
@ -98,10 +98,10 @@ index c963e1c..9ff201d 100644
 int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
 diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
-index 25a30e4..2082214 100644
+index 19c1237..79fa2ed 100644
 --- a/src/comm/ConnOpener.cc
 +++ b/src/comm/ConnOpener.cc
-@@ -263,7 +263,7 @@ Comm::ConnOpener::createFd()
+@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd()
     if (callback_ == NULL || callback_->canceled())
         return false;
@ -111,20 +111,20 @@ index 25a30e4..2082214 100644
         sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
         return false;
 diff --git a/src/comm/Connection.h b/src/comm/Connection.h
-index 4f2f23a..1e32c22 100644
+index 40c2249..2641f4e 100644
 --- a/src/comm/Connection.h
 +++ b/src/comm/Connection.h
-@@ -47,6 +47,8 @@ namespace Comm
+@@ -52,6 +52,8 @@ namespace Comm
- #define COMM_DOBIND             0x08  // requires a bind()
+ #define COMM_REUSEPORT          0x40 //< needs SO_REUSEPORT
- #define COMM_TRANSPARENT        0x10  // arrived via TPROXY
+ /// not registered with Comm and not owned by any connection-closing code
- #define COMM_INTERCEPTION       0x20  // arrived via NAT
+ #define COMM_ORPHANED           0x40
 +/// Internal Comm optimization: Keep the source port unassigned until connect(2)
 +#define COMM_DOBIND_PORT_LATER 0x100
 /**
  * Store data about the physical and logical attributes of a connection.
 diff --git a/src/ipc.cc b/src/ipc.cc
-index e1d48fc..e92a27f 100644
+index 45cab52..42e11e6 100644
 --- a/src/ipc.cc
 +++ b/src/ipc.cc
@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
@ -143,10 +143,10 @@ index e1d48fc..e92a27f 100644
                                 local_addr,
                                 0,          /* blocking */
 diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
-index 58f85e4..5381ab2 100644
+index a1d33d6..bf4bea6 100644
 --- a/src/tests/stub_comm.cc
 +++ b/src/tests/stub_comm.cc
-@@ -46,7 +46,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
+@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
 void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
 int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
 void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
--- a/SOURCES/squid-5.5.tar.xz.asc
+++ b/SOURCES/squid-5.5.tar.xz.asc
@ -0,0 +1,25 @@
 File: squid-5.5.tar.xz
 Date: Wed 13 Apr 2022 08:45:42 UTC
 Size: 2565732
 MD5 : 83ccc2d86ca0966e3555a3b78f5afd14
 SHA1: 42302bd9b8feff851a41420334cb8eaeab2806ab
 Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
      keyring = http://www.squid-cache.org/pgp.asc
      keyserver = pool.sks-keyservers.net
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmJWjb4ACgkQzW2/jvOx
 fT7t0A/9GjAdINfSP4gQyUr+Uvakz9O6fA9Jo3F30VafYimrSGm+VdGWntTsrOaP
 VcsCdG3/Dvrhnqtu9+hwfKKQ61lmmUC7KVycx3whEUepQbZu5kd05csD7nwQ+AFe
 7eJr0IwbRI4XdUhNW4AB52i/+hpHs/YSrSokumx5NVhwAUvT81TToUNzUjfKuXyy
 U+w6GQ9kJbVW1UgFYZGZdJwCmD5Z7fNdUllKZhLj4I5GZ+5Zz5+lJP3ZBC6qavde
 34hbpHbt+/lqz337eNoxwlyPNKPDiGIUEY9T4cdzA0BiLggTmlukDFErlYuHgCMX
 BmQ9elJtdRaCD2YD+U1H9J+2wqt9O01gdyFU1V3RnNLZphgWur9X808rujuE46+Q
 sxyV6SjeBh6Xs/I7wA9utX0pbVD+nLvna6Be49M1yAghBwTjiYN9fGC3ufj4St3k
 PCvkTkBUOop3m4aBCRtUVO6w4Y/YmF71qAHIiSLe1i6xoztEDTVI0CA+vfrwwu2G
 rFP5wuKsaYfBjkhQw4Jv6X30vnnOVqlxITGXcOnPXrHoD5KuYXv/Xsobqf8XsFdl
 3qyXUe8lSI5idCg+Ajj9m0IqGWA50iFBs28Ca7GDacl9KApGn4O7kPLQY+7nN5cz
 Nv3k8lYPh4KvRI1b2hcuoe3K63rEzty0e2vqG9zqxkpxOt20E/U=
 =9xr/
 -----END PGP SIGNATURE-----
--- a/SOURCES/squid.logrotate
+++ b/SOURCES/squid.logrotate
@ -2,6 +2,7 @@
    weekly
    rotate 5
    compress
    delaycompress
    notifempty
    missingok
    nocreate
@ -10,7 +11,5 @@
      # Asks squid to reopen its logs. (logfile_rotate 0 is set in squid.conf)
      # errors redirected to make it silent if squid is not running
      /usr/sbin/squid -k rotate 2>/dev/null
      # Wait a little to allow Squid to catch up before the logs is compressed
      sleep 1
    endscript
 }
--- a/SOURCES/squid.nm
+++ b/SOURCES/squid.nm
@ -2,6 +2,6 @@
 case "$2" in
        up|down|vpn-up|vpn-down)
-                /bin/systemctl -q reload squid.service || :
+                /usr/bin/systemctl -q reload squid.service || :
                ;;
 esac
--- a/SOURCES/squid.sysconfig
+++ b/SOURCES/squid.sysconfig
@ -1,9 +1,5 @@
 # default squid options
 SQUID_OPTS=""
 # Time to wait for Squid to shut down when asked. Should not be necessary
 # most of the time.
 SQUID_SHUTDOWN_TIMEOUT=100
 # default squid conf file
 SQUID_CONF="/etc/squid/squid.conf"
--- a/SOURCES/squid.sysusers
+++ b/SOURCES/squid.sysusers
@ -0,0 +1,2 @@
 g squid 23 -
 u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@ -1,86 +1,69 @@
 %define __perl_requires %{SOURCE98}
 Name:     squid
-Version:  4.15
+Version:  5.5
-Release:  10%{?dist}.3
+Release:  5%{?dist}.1
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
 License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
 URL:      http://www.squid-cache.org
-Source0:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz
+
-Source1:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc
+Source0:  http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz
-Source2:  squid.logrotate
+Source1:  http://www.squid-cache.org/Versions/v5/squid-%{version}.tar.xz.asc
-Source3:  squid.sysconfig
+Source2:  http://www.squid-cache.org/pgp.asc
-Source4:  squid.pam
+Source3:  squid.logrotate
-Source5:  squid.nm
+Source4:  squid.sysconfig
-Source6:  squid.service
+Source5:  squid.pam
-Source7:  cache_swap.sh
+Source6:  squid.nm
 Source7:  squid.service
 Source8:  cache_swap.sh
 Source9:  squid.sysusers
 Source98: perl-requires-squid.sh
 # Upstream patches
 # Backported patches
-Patch101: squid-4.15-ip-bind-address-no-port.patch
+Patch101: squid-5.5-ip-bind-address-no-port.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2072988
+# https://bugzilla.redhat.com/show_bug.cgi?id=2151188
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
 # will break upstream ones.
-Patch201: squid-4.11-config.patch
+Patch201: squid-4.0.11-config.patch
-Patch202: squid-4.11-location.patch
+Patch202: squid-3.1.0.9-location.patch
-Patch203: squid-4.11-perlpath.patch
+Patch203: squid-3.0.STABLE1-perlpath.patch
-Patch204: squid-4.11-include-guards.patch
+Patch204: squid-3.5.9-include-guards.patch
-Patch205: squid-4.11-large-acl.patch
+# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
-# https://bugzilla.redhat.com/show_bug.cgi?id=980511
+# workaround for #1934919
-Patch206: squid-4.11-active-ftp.patch
+Patch205: squid-5.0.5-symlink-lang-err.patch
-Patch208: squid-4.11-convert-ipv4.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1953505
-# https://bugzilla.redhat.com/show_bug.cgi?id=2006121
+Patch206: squid-5.0.6-openssl3.patch
-Patch209: squid-4.15-ftp-filename-extraction.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1969322
-# https://bugzilla.redhat.com/show_bug.cgi?id=2076717
+Patch207: squid-5.0.6-active-ftp.patch
-Patch210: squid-4.15-halfclosed.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1988122
 Patch208: squid-5.1-test-store-cppsuite.patch
-# Security fixes
+# Security patches
 # https://bugzilla.redhat.com/show_bug.cgi?id=1941506
 Patch300: squid-4.15-CVE-2021-28116.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2100721
-Patch301: squid-4.15-CVE-2021-46784.patch
+Patch501: squid-5.5-CVE-2021-46784.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2129771
-Patch302: squid-4.15-CVE-2022-41318.patch
+Patch502: squid-5.5-CVE-2022-41318.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2245910
-# +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270
+Patch503: squid-5.5-CVE-2023-46846.patch
 Patch303: squid-4.15-CVE-2023-46846.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2245916
-Patch304: squid-4.15-CVE-2023-46847.patch
+Patch504: squid-5.5-CVE-2023-46847.patch
-# https://issues.redhat.com/browse/RHEL-14792
+# https://bugzilla.redhat.com/show_bug.cgi?id=2245919
-Patch305: squid-4.15-CVE-2023-5824.patch
+Patch505: squid-5.5-CVE-2023-46848.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2248521
+
-Patch306: squid-4.15-CVE-2023-46728.patch
+# cache_swap.sh
-# https://bugzilla.redhat.com/show_bug.cgi?id=2247567
+Requires: bash gawk
-Patch307: squid-4.15-CVE-2023-46724.patch
+# for httpd conf file - cachemgr script alias
-# https://bugzilla.redhat.com/show_bug.cgi?id=2252926
+Requires: httpd-filesystem
 Patch308: squid-4.15-CVE-2023-49285.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2252923
 Patch309: squid-4.15-CVE-2023-49286.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2254663
 Patch310: squid-4.15-CVE-2023-50269.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2264309
 Patch311: squid-4.15-CVE-2024-25617.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2268366
 Patch312: squid-4.15-CVE-2024-25111.patch
 # Regression caused by squid-4.15-CVE-2023-46846.patch
 # Upstream PR: https://github.com/squid-cache/squid/pull/1914
 Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2260051
 Patch314: squid-4.15-CVE-2024-23638.patch
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 # squid_ldap_auth and other LDAP helpers require OpenLDAP
 BuildRequires: make
 BuildRequires: openldap-devel
 # squid_pam_auth requires PAM development libs
 BuildRequires: pam-devel
@ -88,8 +71,10 @@ BuildRequires: pam-devel
 BuildRequires: openssl-devel
 # squid_kerb_aut requires Kerberos development libs
 BuildRequires: krb5-devel
-# time_quota requires DB
+# time_quota requires TrivialDB
-BuildRequires: libdb-devel
+BuildRequires: libtdb-devel
 # ESI support requires Expat & libxml2
 BuildRequires: expat-devel libxml2-devel
 # TPROXY requires libcap, and also increases security somewhat
 BuildRequires: libcap-devel
 # eCAP support
@ -100,10 +85,20 @@ BuildRequires: libtool libtool-ltdl-devel
 BuildRequires: perl-generators
 # For test suite
 BuildRequires: pkgconfig(cppunit)
-BuildRequires: autoconf
+# For verifying downloded src tarball
 BuildRequires: gnupg2
 # for _tmpfilesdir and _unitdir macro
 # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging
 BuildRequires: systemd-rpm-macros
 # systemd notify
 BuildRequires: systemd-devel
 %{?systemd_requires}
 %{?sysusers_requires_compat}
 # Old NetworkManager expects the dispatcher scripts in a different place
 Conflicts: NetworkManager < 1.20
 %description
 Squid is a high-performance proxy caching server for Web clients,
 supporting FTP, gopher, and HTTP data objects. Unlike traditional
@ -117,6 +112,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 (ftpget), and some management and client tools.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q
 # Upstream patches
@ -128,37 +124,23 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch201 -p1 -b .config
 %patch202 -p1 -b .location
 %patch203 -p1 -b .perlpath
-%patch204 -p1 -b .include-guards
+%patch204 -p0 -b .include-guards
-%patch205 -p1 -b .large_acl
+%patch205 -p1 -R -b .symlink-lang-err
-%patch206 -p1 -b .active-ftp
+%patch206 -p1 -b .openssl3
-%patch208 -p1 -b .convert-ipv4
+%patch207 -p1 -b .active-ftp
-%patch209 -p1 -b .ftp-fn-extraction
+%patch208 -p1 -b .test-store-cpp
 %patch210 -p1 -b .halfclosed
-# Security patches
+%patch501 -p1 -b .CVE-2021-46784
-%patch300 -p1 -b .CVE-2021-28116
+%patch502 -p1 -b .CVE-2022-41318
-%patch301 -p1 -b .CVE-2021-46784
+%patch503 -p1 -b .CVE-2023-46846
-%patch302 -p1 -b .CVE-2022-41318
+%patch504 -p1 -b .CVE-2023-46847
-%patch303 -p1 -b .CVE-2023-46846
+%patch505 -p1 -b .CVE-2023-46848
 %patch304 -p1 -b .CVE-2023-46847
 %patch305 -p1 -b .CVE-2023-5824
 %patch306 -p1 -b .CVE-2023-46728
 %patch307 -p1 -b .CVE-2023-46724
 %patch308 -p1 -b .CVE-2023-49285
 %patch309 -p1 -b .CVE-2023-49286
 %patch310 -p1 -b .CVE-2023-50269
 %patch311 -p1 -b .CVE-2024-25617
 %patch312 -p1 -b .CVE-2024-25111
 %patch313 -p1 -b .ignore-wsp-chunk-sz
 %patch314 -p1 -b .CVE-2024-23638
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
 sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in
 %build
 # cppunit-config patch changes configure.ac
 autoconf
 # NIS helper has been removed because of the following bug
 # https://bugzilla.redhat.com/show_bug.cgi?id=1531540
@ -167,7 +149,7 @@ autoconf
   --datadir=%{_datadir}/squid \
   --sysconfdir=%{_sysconfdir}/squid \
   --with-logdir='%{_localstatedir}/log/squid' \
-   --with-pidfile='%{_localstatedir}/run/squid.pid' \
+   --with-pidfile='/run/squid.pid' \
   --disable-dependency-tracking \
   --enable-eui \
   --enable-follow-x-forwarded-for \
@ -195,7 +177,7 @@ autoconf
   --enable-storeio="aufs,diskd,ufs,rock" \
   --enable-diskio \
   --enable-wccpv2 \
-   --disable-esi \
+   --enable-esi \
   --enable-ecap \
   --with-aio \
   --with-default-user="squid" \
@ -204,8 +186,14 @@ autoconf
   --with-pthreads \
   --disable-arch-native \
   --disable-security-cert-validators \
   --disable-strict-error-checking \
   --with-swapdir=%{_localstatedir}/spool/squid
 # workaround to build squid v5
 mkdir -p src/icmp/tests
 mkdir -p tools/squidclient/tests
 mkdir -p tools/tests
 %make_build
 %check
@ -233,22 +221,20 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d
+mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid
+install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid
-install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid
+install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/squid
-install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_unitdir}
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_unitdir}
-install -m 755 %{SOURCE7} $RPM_BUILD_ROOT%{_libexecdir}/squid
+install -m 755 %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/squid
 install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid
+install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid
-mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/squid
+mkdir -p $RPM_BUILD_ROOT/run/squid
 chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl
 iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp
 mv -f ChangeLog.tmp ChangeLog
 # install /usr/lib/tmpfiles.d/squid.conf
 mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
@ -266,11 +252,12 @@ mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/S
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented
 # remove unpackaged files from the buildroot
 rm -f $RPM_BUILD_ROOT%{_bindir}/{RunAccel,RunCache}
 rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
 # sysusers.d
 install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %files
 %defattr(-,root,root,-)
 %license COPYING 
 %doc CONTRIBUTORS README ChangeLog QUICKSTART src/squid.conf.documented
 %doc contrib/url-normalizer.pl contrib/user-agents.pl
@ -282,7 +269,7 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
 %attr(755,root,root) %dir %{_libdir}/squid
 %attr(770,squid,root) %dir %{_localstatedir}/log/squid
 %attr(750,squid,squid) %dir %{_localstatedir}/spool/squid
-%attr(755,squid,squid) %dir %{_localstatedir}/run/squid
+%attr(755,squid,squid) %dir /run/squid
 %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
 %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
@ -300,7 +287,7 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
 %dir %{_datadir}/squid
 %attr(-,root,root) %{_datadir}/squid/errors
-%attr(755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/20-squid
+%{_prefix}/lib/NetworkManager
 %{_datadir}/squid/icons
 %{_sbindir}/squid
 %{_bindir}/squidclient
@ -310,15 +297,10 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
 %{_libdir}/squid/*
 %{_datadir}/snmp/mibs/SQUID-MIB.txt
 %{_tmpfilesdir}/squid.conf
 %{_sysusersdir}/squid.conf
 %pre
-if ! getent group squid >/dev/null 2>&1; then
+%sysusers_create_compat %{SOURCE9}
  /usr/sbin/groupadd -g 23 squid
 fi
 if ! getent passwd squid >/dev/null 2>&1 ; then
  /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 
 fi
 for i in /var/log/squid /var/spool/squid ; do
        if [ -d $i ] ; then
@ -331,6 +313,18 @@ done
 exit 0
 %pretrans -p <lua>
 -- temporarilly commented until https://bugzilla.redhat.com/show_bug.cgi?id=1936422 is resolved
 --
 -- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5
 -- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
 -- Define the path to the symlink being replaced below.
 --
 -- path = "/usr/share/squid/errors/es-mx"
 -- st = posix.stat(path)
 -- if st and st.type == "link" then
 --   os.remove(path)
 -- end
 -- Due to a bug #447156
 paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"}
 for key,path in ipairs(paths)
@ -367,182 +361,203 @@ fi
 %changelog
-* Wed Nov 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.3
+* Thu Oct 26 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-5.1
- Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to
+- Resolves: RHEL-14818 - squid: squid: denial of Servicein FTP
-  a Denial of Service attack against Cache Manager error responses
+- Resolves: RHEL-14805 - squid: squid: Denial of Service in HTTP Digest
  Authentication
 - Resolves: RHEL-14779 - squid: squid: Request/Response smuggling in HTTP/1.1
  and ICAP
-* Thu Nov 07 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.2
+* Tue Dec 06 2022 Tomas Korbar <tkorbar@redhat.com> - 7:5.5-5
- Disable ESI support
+- Resolves: #2151188 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
 - Resolves: RHEL-65075 - CVE-2024-45802 squid:4/squid: Denial of Service
  processing ESI response content
 * Mon Oct 14 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.1
 - Resolves: RHEL-56024 - (Regression) Transfer-encoding:chunked data is not sent
  to the client in its complementary
 * Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10
 - Resolves: RHEL-28529 - squid:4/squid: Denial of Service in HTTP Chunked
  Decoding (CVE-2024-25111)
 - Resolves: RHEL-26088 - squid:4/squid: denial of service in HTTP header
  parser (CVE-2024-25617)
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
 - Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request 
  parsing (CVE-2023-50269)
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
 - Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
  processing feature (CVE-2023-49285)
 - Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return
  Value In Helper Process management (CVE-2023-49286)
 - Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate
  validation (CVE-2023-46724)
 - Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher
  protocol code (CVE-2023-46728)
 - Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists
 - Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching
  (CVE-2023-5824)
 - Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest
  Authentication (CVE-2023-46847)
 - Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1
  and ICAP (CVE-2023-46846)
 * Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
 - Resolves: #2076717 - Crash with half_closed_client on
 * Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
 - Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
  flag to sockets created for outgoing connections in the squid source code.
-* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-5
+* Mon Nov 07 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-4
- Resolves: #2130260 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
+- Resolves: #2095468 - [RFE] squid use systemd-sysusers
 * Mon Nov 07 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-3
 - Resolves: #2130253 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB
  authentication
-* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-4
+* Mon Jul 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-2
- Resolves: #2100783 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
+- Resolves: #2100785 - CVE-2021-46784 squid: DoS when processing gopher server
-  server responses
+  responses
-* Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3
+* Tue May 31 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-1
- Resolves: #1941506 - CVE-2021-28116 squid:4/squid: out-of-bounds read in WCCP
+- new version 5.5
-  protocol data may lead to information disclosure
+- Resolves: #2075727 - The memory usage of the squid process keeps increasing
-* Tue Jan 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-2
+* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.2-1
- Resolves: #2006121 - SQUID shortens FTP Link wrong that contains a semi-colon
+- new version 5.2
-  and as a result is not able to download zip file.CODE 404 TO CLIENT)
+- Resolves: #1934560 - squid: out-of-bounds read in WCCP protocol
 - Resolves: #2011637 - Rebase squid to 5.2
-* Fri Jun 18 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-1
+* Wed Sep 15 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.1-3
- new version 4.15
+- Resolves: #1988122 - Enable LTO build of squid for RHEL 9
 - Resolves: #1964384 - squid:4 rebase to 4.15
-* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-5
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 7:5.1-2
- Resolves: #1944261 - CVE-2020-25097 squid:4/squid: improper input validation
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  may allow a trusted client to perform HTTP Request Smuggling
+  Related: rhbz#1991688
-* Mon Oct 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-4
+* Thu Aug 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.1-1
- Resolves: #1890606 - Fix for CVE 2019-13345 breaks authentication in
+- new version 5.1
-  cachemgr.cgi
+- Resolves: #1990517 - Rebase squid to 5.1
 - Resolves: #1985231 - squid: FTBFS because of OpenSSL 3.0 preprocessor macro
  changes
-* Wed Aug 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-3
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 7:5.0.6-4
- Resolves: #1871705 - CVE-2020-24606 squid: Improper Input Validation could
+- Rebuilt for RHEL 9 BETA for openssl 3.0
-  result in a DoS
+  Related: rhbz#1971065
 - Resolves: #1871702 - CVE-2020-15811 squid: HTTP Request Splitting could result
  in cache poisoning
 - Resolves: #1871700 - CVE-2020-15810 squid: HTTP Request Smuggling could result
  in cache poisoning
-* Thu Jul 02 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-2
+* Tue Jun 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.0.6-3
- Resolves: #1853130 - CVE-2020-15049 squid:4/squid: request smuggling and
+- Resolves: #1969322 - squid doesn't work with active ftp
-  poisoning attack against the HTTP cache
+
- Resolves: #1853136 - CVE-2020-14058 squid:4/squid: DoS in TLS handshake
+* Mon May 17 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.6-2
 - Resolves: #1953505 - squid: Port to OpenSSL 3.0
 * Mon May 17 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.6-1
 - new version 5.0.6
 - Resolves: #1961253 - Rebase squid to 5.0.6
 * Fri Apr 23 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-2
 - new version 5.0.5
 - Resolves: #1952896 - Rebase squid to >= 5.0.5
 - Resolves: #1940412 - Remove libdb dependency from squid
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 7:4.14-2
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:4.14-1
 - new version 4.14
 - Resolves: #1939927 - CVE-2020-25097 squid: improper input validation may allow
  a trusted client to perform HTTP Request Smuggling
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.13-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Sat Oct 17 2020 Jeff Law <law@redhat.com> - 7:4.13-2
 - Fix missing #includes for gcc-11
 * Tue Aug 25 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.13-1
 - new version 4.13
 * Fri Aug 07 2020 Jeff law <law@redhat.com> - 7:4.12-4
 - Disable LTO
 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.12-3
 - Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.12-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jun 15 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.12-1
 - new version 4.12
 * Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
 - new version 4.11
 - libsystemd integration
- Resolves: #1829467 - squid:4 rebase
+- Resolves: #1827564 - CVE-2020-11945 squid: improper access restriction upon
 - Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in
  addStackElement allows for a heap buffer overflow and a crash
 - Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation
  in request allows for proxy manipulation
 - Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction
  in url_regex may lead to security bypass
 - Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host
  parameter to cachemgr.cgi which could result in squid behaving in unsecure way
 - Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation
  issues in HTTP Request processing
 - Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid
  acting as reverse-proxy
 - Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure
  issue in FTP Gateway
 - Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting
  issue in HTTP message processing
 - Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure
  issue in HTTP Digest Authentication
 - Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery
  issue in HTTP Request processing
 - Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation
  in URI processor
 - Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI
  processor
 - Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN
  processing
 - Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization
  header causes DoS
 * Tue Apr 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-9
 - Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header
  Proxy-Authentication leads to memory corruption
 - Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon
  Digest Authentication nonce replay could lead to remote code execution
 - Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in
  ESIExpression::Evaluate allows for stack buffer overflow
-* Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8
+* Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-4
- Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
+- Resolves: #1817208 - More cache_swap.sh optimizations
  in HttpHeader::getAuth
-* Wed Jul 31 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-7
+* Wed Mar 25 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-3
- Resolves: #1729436 - CVE-2019-13345 squid: XSS via user_name or auth parameter
+- Resolves: #1786485 - squid.service: use ${SQUID_CONF} rather than $SQUID_CONF
-  in cachemgr.cgi
+- Resolves: #1798535 - CVE-2019-12528 squid: Information Disclosure issue in
  FTP Gateway
 - Resolves: #1798554 - CVE-2020-8450 squid: Buffer overflow in a Squid acting
  as reverse-proxy
 - Resolves: #1798541 - CVE-2020-8449 squid: Improper input validation issues 
  in HTTP Request processing
-* Fri Jun 21 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-6
+* Tue Jan 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.10-1
- Resolves: #1679526 - Missing detailed configuration file
+- new version 4.10
 - Resolves: #1703117 - RHEL 7 to 8 fails with squid installed because dirs
  changed to symlinks
 - Resolves: #1691741 - Squid cache_peer DNS lookup failed when not all lower
  case
 - Resolves: #1683527 - "Reloading" message on a fresh reboot after enabling
  squid
-* Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-4
+* Tue Dec 17 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.9-3
- Resolves: #1612524 - Man page scan results for squid 
+- Resolves: #1784383 - Add BuildRequires: systemd-rpm-macros
 - Resolves: #1783757 - Build with ./configure --with-pidfile=/run/squid.pid
 - Resolves: #1783768 - Optimize cache_swap.sh cache_dir search
-* Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-3
+* Mon Nov 11 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.9-2
- Resolves: #1642384 - squid doesn't work with active ftp
+- new version 4.9
 - verify src taball signature by default in prep section
-* Tue Dec 11 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-2
+* Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-6
- Resolves: #1657847 - Unable to start Squid in Selinux Enforcing mode
+- Resolves: #1741342 - Do not call autoconf at build time
 * Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-5
 - Resolves: #1716950 - Drop "sleep 1" from logrotate fragment
 * Thu Aug 22 2019 Lubomir Rintel <lkundrak@v3.sk> - 7:4.8-4
 - Move the NetworkManager dispatcher script out of /etc
 * Mon Aug 05 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-3
 - Resolves: #1737030 - depend on httpd-filesystem
 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Wed Jul 10 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.8-1
 - new version 4.8
 - Resolves: #1727745 - squid: CVe-2019-13345 squid: XSS via user_name or auth
  parameter in cachemgr.cgi
 * Tue Jul 02 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.7-6
 - fix filepath to squid.conf.documented in squid's manpage
 - fix path to systemctl in nm script
 * Wed May 22 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.7-5
 - Related: #1709299 - Use upstream squid.service
 * Fri May 17 2019 Luboš Uhliarik <luhliari@redhat.com> - 7:4.7-1
 - new version 4.7
 * Fri May 17 2019 Luboš Uhliarik <luhliari@redhat.com> - 7:4.6-3
 - Resolves: #1709299 - Use upstream squid.service
 * Mon Apr 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.6-2
 - Resolves: #1599074 - squid: 3 coredumps every day
 * Wed Apr 24 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.6-1
 - new version 4.6
 - disabled strict checking due to gcc warnings
 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 7:4.4-2
 - Rebuilt for libcrypt.so.2 (#1666033)
 * Mon Dec 10 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-1
- Resolves: #1656871 - squid rebase to 4.4
+- new version 4.4
 - Resolves: #1645148 - CVE-2018-19131 squid: Cross-Site Scripting when
  generating HTTPS response messages about TLS errors
 - Resolves: #1645156 - CVE-2018-19132 squid: Memory leak in SNMP query
  rejection code
-* Mon Aug 06 2018 Lubos Uhliarik <luhliari@redhat.com> - 7:4.2-1
+* Sun Oct 14 2018 Peter Robinson <pbrobinson@fedoraproject.org> 7:4.2-3
 - Drop obsolete legacy sys-v remanents
 * Mon Aug 20 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.2-2
 - Resolves: #1618790 - SELinux 'dac_override' denial for cache_swap.sh
 * Mon Aug 06 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.2-1
 - new version 4.2
 - enable back strict error checking
 * Wed Aug 01 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.1-1
 - new version 4.1
-* Mon Jun 04 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.23-5
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.0.25-2
- Resolves: #1585617 - Build against libdb only instead of libdb4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 - disabled strict checking for now (squid can not be built with GCC8)
-* Mon Apr 16 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.23-4
+* Thu Jun 28 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.25-1
- Resolves: #1566055 - module squid cannot be installed due to missing
+- new version 4.0.25
-  perl(Crypt::OpenSSL::X509)
+
 * Mon Jun 04 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.24-2
 - removed obsolete BuildRequires (libdb4-devel)
 * Thu Mar 08 2018 Luboš Uhliarik <luhliari@redhat.com> - 7:4.0.24-1
 - new version 4.0.24
 - disabled strict checking (removed -Werror)
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.0.23-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
`@ -1 +1,2 @@`
	`SOURCES/squid-4.15.tar.xz`	`SOURCES/pgp.asc`
		`SOURCES/squid-5.5.tar.xz`
`@ -1 +1,2 @@`
	`60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz`	`8e3de63f3bef0c9c4edbcfe000c567119f687143 SOURCES/pgp.asc`
		`42302bd9b8feff851a41420334cb8eaeab2806ab SOURCES/squid-5.5.tar.xz`
		`@ -0,0 +1,2 @@`
							`g squid 23 -`
							`u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin`