import CS squid-4.15-10.module_el8+997+5764cec8

.gitignore

@@ -1 +1 @@
-SOURCES/squid-4.4.tar.xz
+SOURCES/squid-4.15.tar.xz

.squid.metadata

@@ -1 +1 @@
-0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz
+60bda34ba39657e2d870c8c1d2acece8a69c3075 SOURCES/squid-4.15.tar.xz

SOURCES/squid-3.5.9-include-guards.patch

@@ -1,95 +0,0 @@
-------------------------------------------------------------
-revno: 14311
-revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
-------------------------------------------------------------
-revno: 14311
-revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
-fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
-author: Francesco Chemolli <kinkie@squid-cache.org>
-committer: Amos Jeffries <squid3@treenet.co.nz>
-branch nick: trunk
-timestamp: Thu 2015-09-24 06:05:37 -0700
-message:
-  Bug 4323: Netfilter broken cross-includes with Linux 4.2
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
-# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
-# timestamp: 2015-09-24 13:06:33 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
-# base_revision_id: squid3@treenet.co.nz-20150924032241-\
-#   6cx3g6hwz9xfoybr
-# 
-# Begin patch
-=== modified file 'compat/os/linux.h'
---- compat/os/linux.h	2015-01-13 07:25:36 +0000
-+++ compat/os/linux.h	2015-09-24 13:05:37 +0000
-@@ -30,6 +30,21 @@
- #endif
- 
- /*
-+ * Netfilter header madness. (see Bug 4323)
-+ *
-+ * Netfilter have a history of defining their own versions of network protocol
-+ * primitives without sufficient protection against the POSIX defines which are
-+ * aways present in Linux.
-+ *
-+ * netinet/in.h must be included before any other sys header in order to properly
-+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
-+ * to workaround it.
-+ */
-+#if HAVE_NETINET_IN_H
-+#include <netinet/in.h>
-+#endif
-+
-+/*
-  * sys/capability.h is only needed in Linux apparently.
-  *
-  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
-fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
-author: Francesco Chemolli <kinkie@squid-cache.org>
-committer: Amos Jeffries <squid3@treenet.co.nz>
-branch nick: trunk
-timestamp: Thu 2015-09-24 06:05:37 -0700
-message:
-  Bug 4323: Netfilter broken cross-includes with Linux 4.2
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
-# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
-# timestamp: 2015-09-24 13:06:33 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
-# base_revision_id: squid3@treenet.co.nz-20150924032241-\
-#   6cx3g6hwz9xfoybr
-# 
-# Begin patch
-=== modified file 'compat/os/linux.h'
---- compat/os/linux.h	2015-01-13 07:25:36 +0000
-+++ compat/os/linux.h	2015-09-24 13:05:37 +0000
-@@ -30,6 +30,21 @@
- #endif
- 
- /*
-+ * Netfilter header madness. (see Bug 4323)
-+ *
-+ * Netfilter have a history of defining their own versions of network protocol
-+ * primitives without sufficient protection against the POSIX defines which are
-+ * aways present in Linux.
-+ *
-+ * netinet/in.h must be included before any other sys header in order to properly
-+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
-+ * to workaround it.
-+ */
-+#if HAVE_NETINET_IN_H
-+#include <netinet/in.h>
-+#endif
-+
-+/*
-  * sys/capability.h is only needed in Linux apparently.
-  *
-  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
-

SOURCES/squid-4.11-active-ftp.patch

@@ -1,5 +1,5 @@
 diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
-index 777210c..4c80511 100644
+index b665bcf..d287e55 100644
 --- a/src/clients/FtpClient.cc
 +++ b/src/clients/FtpClient.cc
 @@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
@@ -13,7 +13,7 @@ index 777210c..4c80511 100644
  
  /// creates a data channel Comm close callback
 diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
-index 465fdb7..75dbd3b 100644
+index a76a5a0..218d696 100644
 --- a/src/clients/FtpClient.h
 +++ b/src/clients/FtpClient.h
 @@ -118,7 +118,7 @@ public:
@@ -26,7 +26,7 @@ index 465fdb7..75dbd3b 100644
  
      CtrlChannel ctrl; ///< FTP control channel state
 diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
-index a13cdda..b958b14 100644
+index 411bce9..31d3e36 100644
 --- a/src/clients/FtpGateway.cc
 +++ b/src/clients/FtpGateway.cc
 @@ -87,6 +87,13 @@ struct GatewayFlags {
@@ -56,7 +56,7 @@ index a13cdda..b958b14 100644
      int checkAuth(const HttpHeader * req_hdr);
      void checkUrlpath();
      void buildTitleUrl();
-@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
+@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
      }
  
      ftpState->listenForDataChannel(temp);
@@ -64,7 +64,7 @@ index a13cdda..b958b14 100644
  }
  
  static void
-@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
+@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
      // pull out the internal IP address bytes to send in PORT command...
      // source them from the listen_conn->local
  
@@ -86,7 +86,7 @@ index a13cdda..b958b14 100644
      ftpState->writeCommand(cbuf);
      ftpState->state = Ftp::Client::SENT_PORT;
  
-@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
+@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
          return;
      }
  
@@ -116,7 +116,7 @@ index a13cdda..b958b14 100644
  
      ftpState->writeCommand(cbuf);
      ftpState->state = Ftp::Client::SENT_EPRT;
-@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
+@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
          ftpSendPORT(ftpState);
          return;
      }

SOURCES/squid-4.11-config.patch

@@ -1,7 +1,8 @@
-diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
---- squid-4.0.11/src/cf.data.pre.config	2016-06-09 22:32:57.000000000 +0200
-+++ squid-4.0.11/src/cf.data.pre	2016-07-11 21:08:35.090976840 +0200
-@@ -4658,7 +4658,7 @@ DOC_END
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index 26ef576..30d5509 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -5006,7 +5006,7 @@ DOC_END
  
  NAME: logfile_rotate
  TYPE: int
@@ -10,7 +11,7 @@ diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
  LOC: Config.Log.rotateNumber
  DOC_START
  	Specifies the default number of logfile rotations to make when you
-@@ -6444,11 +6444,11 @@ COMMENT_END
+@@ -6857,11 +6857,11 @@ COMMENT_END
  
  NAME: cache_mgr
  TYPE: string

SOURCES/squid-4.11-convert-ipv4.patch

@@ -0,0 +1,143 @@
+From 771908d313ee9c255adfb5e4fdba4d6797c18409 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <yadij@users.noreply.github.com>
+Date: Thu, 7 Mar 2019 13:50:38 +0000
+Subject: [PATCH] Bug 4928: Cannot convert non-IPv4 to IPv4 (#379)
+
+... when reaching client_ip_max_connections
+
+The client_ip_max_connections limit is checked before the TCP dst-IP is located for the newly received TCP connection. This leaves Squid unable to fetch the NFMARK or similar
+details later on (they do not exist for [::]).
+
+Move client_ip_max_connections test later in the TCP accept process to ensure dst-IP is known when the error is produced.
+---
+ src/comm/TcpAcceptor.cc | 82 ++++++++++++++++++++---------------------
+ 1 file changed, 39 insertions(+), 43 deletions(-)
+
+diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc
+index d4b576d..936aa30 100644
+--- a/src/comm/TcpAcceptor.cc
++++ b/src/comm/TcpAcceptor.cc
+@@ -282,7 +282,16 @@ Comm::TcpAcceptor::acceptOne()
+     ConnectionPointer newConnDetails = new Connection();
+     const Comm::Flag flag = oldAccept(newConnDetails);
+ 
+-    if (flag == Comm::COMM_ERROR) {
++    /* Check for errors */
++    if (!newConnDetails->isOpen()) {
++
++        if (flag == Comm::NOMESSAGE) {
++            /* register interest again */
++            debugs(5, 5, HERE << "try later: " << conn << " handler Subscription: " << theCallSub);
++            SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
++            return;
++        }
++
+         // A non-recoverable error; notify the caller */
+         debugs(5, 5, HERE << "non-recoverable error:" << status() << " handler Subscription: " << theCallSub);
+         if (intendedForUserConnections())
+@@ -292,16 +301,12 @@ Comm::TcpAcceptor::acceptOne()
+         return;
+     }
+ 
+-    if (flag == Comm::NOMESSAGE) {
+-        /* register interest again */
+-        debugs(5, 5, "try later: " << conn << " handler Subscription: " << theCallSub);
+-    } else {
+-        debugs(5, 5, "Listener: " << conn <<
+-               " accepted new connection " << newConnDetails <<
+-               " handler Subscription: " << theCallSub);
+-        notify(flag, newConnDetails);
+-    }
++    newConnDetails->nfmark = Ip::Qos::getNfmarkFromConnection(newConnDetails, Ip::Qos::dirAccepted);
+ 
++    debugs(5, 5, HERE << "Listener: " << conn <<
++           " accepted new connection " << newConnDetails <<
++           " handler Subscription: " << theCallSub);
++    notify(flag, newConnDetails);
+     SetSelect(conn->fd, COMM_SELECT_READ, doAccept, this, 0);
+ }
+ 
+@@ -341,8 +346,8 @@ Comm::TcpAcceptor::notify(const Comm::Flag flag, const Comm::ConnectionPointer &
+  *
+  * \retval Comm::OK          success. details parameter filled.
+  * \retval Comm::NOMESSAGE   attempted accept() but nothing useful came in.
+- *                           Or this client has too many connections already.
+  * \retval Comm::COMM_ERROR  an outright failure occurred.
++ *                           Or this client has too many connections already.
+  */
+ Comm::Flag
+ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
+@@ -383,6 +388,15 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
+ 
+     details->remote = *gai;
+ 
++    if ( Config.client_ip_max_connections >= 0) {
++        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
++            debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
++            Ip::Address::FreeAddr(gai);
++            PROF_stop(comm_accept);
++            return Comm::COMM_ERROR;
++        }
++    }
++
+     // lookup the local-end details of this new connection
+     Ip::Address::InitAddr(gai);
+     details->local.setEmpty();
+@@ -396,6 +410,23 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
+     details->local = *gai;
+     Ip::Address::FreeAddr(gai);
+ 
++    /* fdstat update */
++    fdd_table[sock].close_file = NULL;
++    fdd_table[sock].close_line = 0;
++
++    fde *F = &fd_table[sock];
++    details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
++    F->remote_port = details->remote.port();
++    F->local_addr = details->local;
++    F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
++
++    // set socket flags
++    commSetCloseOnExec(sock);
++    commSetNonBlocking(sock);
++
++    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
++    F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
++
+     // Perform NAT or TPROXY operations to retrieve the real client/dest IP addresses
+     if (conn->flags&(COMM_TRANSPARENT|COMM_INTERCEPTION) && !Ip::Interceptor.Lookup(details, conn)) {
+         debugs(50, DBG_IMPORTANT, "ERROR: NAT/TPROXY lookup failed to locate original IPs on " << details);
+@@ -414,33 +445,6 @@ Comm::TcpAcceptor::oldAccept(Comm::ConnectionPointer &details)
+     }
+ #endif
+ 
+-    details->nfmark = Ip::Qos::getNfmarkFromConnection(details, Ip::Qos::dirAccepted);
+-
+-    if (Config.client_ip_max_connections >= 0) {
+-        if (clientdbEstablished(details->remote, 0) > Config.client_ip_max_connections) {
+-            debugs(50, DBG_IMPORTANT, "WARNING: " << details->remote << " attempting more than " << Config.client_ip_max_connections << " connections.");
+-            PROF_stop(comm_accept);
+-            return Comm::NOMESSAGE;
+-        }
+-    }
+-
+-    /* fdstat update */
+-    fdd_table[sock].close_file = NULL;
+-    fdd_table[sock].close_line = 0;
+-
+-    fde *F = &fd_table[sock];
+-    details->remote.toStr(F->ipaddr,MAX_IPSTRLEN);
+-    F->remote_port = details->remote.port();
+-    F->local_addr = details->local;
+-    F->sock_family = details->local.isIPv6()?AF_INET6:AF_INET;
+-
+-    // set socket flags
+-    commSetCloseOnExec(sock);
+-    commSetNonBlocking(sock);
+-
+-    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
+-    F->flags.transparent = fd_table[conn->fd].flags.transparent; // XXX: can we remove this line yet?
+-
+     PROF_stop(comm_accept);
+     return Comm::OK;
+ }

SOURCES/squid-4.11-include-guards.patch

@@ -0,0 +1,41 @@
+diff --git a/compat/os/linux.h b/compat/os/linux.h
+index 0ff05c6..d51389b 100644
+--- a/compat/os/linux.h
++++ b/compat/os/linux.h
+@@ -44,6 +44,36 @@
+ #include <netinet/in.h>
+ #endif
+ 
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
+ /*
+  * sys/capability.h is only needed in Linux apparently.
+  *

SOURCES/squid-4.11-location.patch

@@ -1,7 +1,8 @@
-diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
---- squid-3.1.0.9/QUICKSTART.location	2009-06-26 12:35:27.000000000 +0200
-+++ squid-3.1.0.9/QUICKSTART	2009-07-17 14:03:10.000000000 +0200
-@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
+diff --git a/QUICKSTART b/QUICKSTART
+index e5299b4..a243437 100644
+--- a/QUICKSTART
++++ b/QUICKSTART
+@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
  INSTALL in the same directory), you have to configure the squid.conf
  file. This is the list of the values you *need* to change, because no
  sensible defaults could be defined. Do not touch the other variables
@@ -14,7 +15,7 @@ diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
  
  ==============================================================================
  
-@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
+@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
  line TWICE:
  
  To create any disk cache_dir configured:

SOURCES/squid-4.11-perlpath.patch

@@ -6,5 +6,5 @@ index 90ac6a4..8dbed90 100755
 -#!/usr/local/bin/perl -Tw
 +#!/usr/bin/perl -Tw
  #
- # * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+ # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
  # *

SOURCES/squid-4.15-CVE-2021-28116.patch

@@ -0,0 +1,424 @@
+commit b003a0da7865caa25b5d1e70c79329b32409b02a (HEAD -> refs/heads/v4, refs/remotes/origin/v4)
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   2021-09-24 21:53:11 +0000
+
+    WCCP: Validate packets better (#899)
+    
+    Update WCCP to support exception based error handling for
+    parsing and processing we are moving Squid to for protocol
+    handling.
+    
+    Update the main WCCPv2 parsing checks to throw meaningful
+    exceptions when detected.
+
+diff --git a/src/wccp2.cc b/src/wccp2.cc
+index ee592449c..6ef469e91 100644
+--- a/src/wccp2.cc
++++ b/src/wccp2.cc
+@@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void)
+  * Functions for handling the requests.
+  */
+ 
++/// Checks that the given area section ends inside the given (whole) area.
++/// \param error the message to throw when the section does not fit
++static void
++CheckSectionLength(const void *sectionStart, const size_t sectionLength, const void *wholeStart, const size_t wholeSize, const char *error)
++{
++    assert(sectionStart);
++    assert(wholeStart);
++
++    const auto wholeEnd = static_cast<const char*>(wholeStart) + wholeSize;
++    assert(sectionStart >= wholeStart && "we never go backwards");
++    assert(sectionStart <= wholeEnd && "we never go beyond our whole (but zero-sized fields are OK)");
++    static_assert(sizeof(wccp2_i_see_you_t) <= PTRDIFF_MAX, "paranoid: no UB when subtracting in-whole pointers");
++    // subtraction safe due to the three assertions above
++    const auto remainderDiff = wholeEnd - static_cast<const char*>(sectionStart);
++
++    // casting safe due to the assertions above (and size_t definition)
++    assert(remainderDiff >= 0);
++    const auto remainderSize = static_cast<size_t>(remainderDiff);
++
++    if (sectionLength <= remainderSize)
++        return;
++
++    throw TextException(error, Here());
++}
++
++/// Checks that the area contains at least dataLength bytes after the header.
++/// The size of the field header itself is not included in dataLength.
++/// \returns the total field size -- the field header and field data combined
++template<class FieldHeader>
++static size_t
++CheckFieldDataLength(const FieldHeader *header, const size_t dataLength, const void *areaStart, const size_t areaSize, const char *error)
++{
++    assert(header);
++    const auto dataStart = reinterpret_cast<const char*>(header) + sizeof(header);
++    CheckSectionLength(dataStart, dataLength, areaStart, areaSize, error);
++    return sizeof(header) + dataLength; // no overflow after CheckSectionLength()
++}
++
++/// Positions the given field at a given start within a given packet area.
++/// The Field type determines the correct field size (used for bounds checking).
++/// \param field the field pointer the function should set
++/// \param areaStart the start of a packet (sub)structure containing the field
++/// \param areaSize the size of the packet (sub)structure starting at areaStart
++/// \param fieldStart the start of a field within the given area
++/// \param error the message to throw when the field does not fit the area
++template<class Field>
++static void
++SetField(Field *&field, const void *fieldStart, const void *areaStart, const size_t areaSize, const char *error)
++{
++    CheckSectionLength(fieldStart, sizeof(Field), areaStart, areaSize, error);
++    field = static_cast<Field*>(const_cast<void*>(fieldStart));
++}
++
+ /*
+  * Accept the UDP packet
+  */
+@@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *)
+ 
+     /* These structs form the parts of the packet */
+ 
+-    struct wccp2_item_header_t *header = NULL;
+-
+     struct wccp2_security_none_t *security_info = NULL;
+ 
+     struct wccp2_service_info_t *service_info = NULL;
+@@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *)
+     struct wccp2_cache_identity_info_t *cache_identity = NULL;
+ 
+     struct wccp2_capability_info_header_t *router_capability_header = NULL;
++    char *router_capability_data_start = nullptr;
+ 
+     struct wccp2_capability_element_t *router_capability_element;
+ 
+     struct sockaddr_in from;
+ 
+     struct in_addr cache_address;
+-    int len, found;
+-    short int data_length, offset;
+     uint32_t tmp;
+     char *ptr;
+     int num_caches;
+@@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *)
+     Ip::Address from_tmp;
+     from_tmp.setIPv4();
+ 
+-    len = comm_udp_recvfrom(sock,
+-                            &wccp2_i_see_you,
+-                            WCCP_RESPONSE_SIZE,
+-                            0,
+-                            from_tmp);
++    const auto lenOrError = comm_udp_recvfrom(sock, &wccp2_i_see_you, WCCP_RESPONSE_SIZE, 0, from_tmp);
+ 
+-    if (len < 0)
++    if (lenOrError < 0)
+         return;
++    const auto len = static_cast<size_t>(lenOrError);
+ 
+-    if (ntohs(wccp2_i_see_you.version) != WCCP2_VERSION)
+-        return;
+-
+-    if (ntohl(wccp2_i_see_you.type) != WCCP2_I_SEE_YOU)
+-        return;
++    try {
++        // TODO: Remove wccp2_i_see_you.data and use a buffer to read messages.
++        const auto message_header_size = sizeof(wccp2_i_see_you) - sizeof(wccp2_i_see_you.data);
++        Must2(len >= message_header_size, "incomplete WCCP message header");
++        Must2(ntohs(wccp2_i_see_you.version) == WCCP2_VERSION, "WCCP version unsupported");
++        Must2(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU, "WCCP packet type unsupported");
+ 
+     /* FIXME INET6 : drop conversion boundary */
+     from_tmp.getSockAddr(from);
+@@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *)
+     debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << ".");
+ 
+     /* Record the total data length */
+-    data_length = ntohs(wccp2_i_see_you.length);
++    const auto data_length = ntohs(wccp2_i_see_you.length);
++    Must2(data_length <= len - message_header_size,
++          "malformed packet claiming it's bigger than received data");
+ 
+-    offset = 0;
+-
+-    if (data_length > len) {
+-        debugs(80, DBG_IMPORTANT, "ERROR: Malformed WCCPv2 packet claiming it's bigger than received data");
+-        return;
+-    }
++    size_t offset = 0;
+ 
+     /* Go through the data structure */
+-    while (data_length > offset) {
++    while (offset + sizeof(struct wccp2_item_header_t) <= data_length) {
+ 
+         char *data = wccp2_i_see_you.data;
+ 
+-        header = (struct wccp2_item_header_t *) &data[offset];
++        const auto itemHeader = reinterpret_cast<const wccp2_item_header_t*>(&data[offset]);
++        const auto itemSize = CheckFieldDataLength(itemHeader, ntohs(itemHeader->length),
++                              data, data_length, "truncated record");
++        // XXX: Check "The specified length must be a multiple of 4 octets"
++        // requirement to avoid unaligned memory reads after the first item.
+ 
+-        switch (ntohs(header->type)) {
++        switch (ntohs(itemHeader->type)) {
+ 
+         case WCCP2_SECURITY_INFO:
+-
+-            if (security_info != NULL) {
+-                debugs(80, DBG_IMPORTANT, "Duplicate security definition");
+-                return;
+-            }
+-
+-            security_info = (struct wccp2_security_none_t *) &wccp2_i_see_you.data[offset];
++            Must2(!security_info, "duplicate security definition");
++            SetField(security_info, itemHeader, itemHeader, itemSize,
++                     "security definition truncated");
+             break;
+ 
+         case WCCP2_SERVICE_INFO:
+-
+-            if (service_info != NULL) {
+-                debugs(80, DBG_IMPORTANT, "Duplicate service_info definition");
+-                return;
+-            }
+-
+-            service_info = (struct wccp2_service_info_t *) &wccp2_i_see_you.data[offset];
++            Must2(!service_info, "duplicate service_info definition");
++            SetField(service_info, itemHeader, itemHeader, itemSize,
++                     "service_info definition truncated");
+             break;
+ 
+         case WCCP2_ROUTER_ID_INFO:
+-
+-            if (router_identity_info != NULL) {
+-                debugs(80, DBG_IMPORTANT, "Duplicate router_identity_info definition");
+-                return;
+-            }
+-
+-            router_identity_info = (struct router_identity_info_t *) &wccp2_i_see_you.data[offset];
++            Must2(!router_identity_info, "duplicate router_identity_info definition");
++            SetField(router_identity_info, itemHeader, itemHeader, itemSize,
++                     "router_identity_info definition truncated");
+             break;
+ 
+         case WCCP2_RTR_VIEW_INFO:
+-
+-            if (router_view_header != NULL) {
+-                debugs(80, DBG_IMPORTANT, "Duplicate router_view definition");
+-                return;
+-            }
+-
+-            router_view_header = (struct router_view_t *) &wccp2_i_see_you.data[offset];
++            Must2(!router_view_header, "duplicate router_view definition");
++            SetField(router_view_header, itemHeader, itemHeader, itemSize,
++                     "router_view definition truncated");
+             break;
+ 
+-        case WCCP2_CAPABILITY_INFO:
+-
+-            if (router_capability_header != NULL) {
+-                debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition");
+-                return;
+-            }
++        case WCCP2_CAPABILITY_INFO: {
++            Must2(!router_capability_header, "duplicate router_capability definition");
++            SetField(router_capability_header, itemHeader, itemHeader, itemSize,
++                     "router_capability definition truncated");
+ 
+-            router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset];
++            CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length),
++                                 itemHeader, itemSize, "capability info truncated");
++            router_capability_data_start = reinterpret_cast<char*>(router_capability_header) +
++                                           sizeof(*router_capability_header);
+             break;
++        }
+ 
+         /* Nothing to do for the types below */
+ 
+@@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *)
+             break;
+ 
+         default:
+-            debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(header->type) << ").");
++            debugs(80, DBG_IMPORTANT, "Unknown record type in WCCPv2 Packet (" << ntohs(itemHeader->type) << ").");
+         }
+ 
+-        offset += sizeof(struct wccp2_item_header_t);
+-        offset += ntohs(header->length);
+-
+-        if (offset > data_length) {
+-            debugs(80, DBG_IMPORTANT, "Error: WCCPv2 packet tried to tell us there is data beyond the end of the packet");
+-            return;
+-        }
++        offset += itemSize;
++        assert(offset <= data_length && "CheckFieldDataLength(itemHeader...) established that");
+     }
+ 
+-    if ((security_info == NULL) || (service_info == NULL) || (router_identity_info == NULL) || (router_view_header == NULL)) {
+-        debugs(80, DBG_IMPORTANT, "Incomplete WCCPv2 Packet");
+-        return;
+-    }
++    Must2(security_info, "packet missing security definition");
++    Must2(service_info, "packet missing service_info definition");
++    Must2(router_identity_info, "packet missing router_identity_info definition");
++    Must2(router_view_header, "packet missing router_view definition");
+ 
+     debugs(80, 5, "Complete packet received");
+ 
+@@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *)
+             break;
+     }
+ 
+-    if (router_list_ptr->next == NULL) {
+-        debugs(80, DBG_IMPORTANT, "WCCPv2 Packet received from unknown router");
+-        return;
+-    }
++    Must2(router_list_ptr->next, "packet received from unknown router");
+ 
+     /* Set the router id */
+     router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address;
+@@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *)
+         }
+     } else {
+ 
+-        char *end = ((char *) router_capability_header) + sizeof(*router_capability_header) + ntohs(router_capability_header->capability_info_length) - sizeof(struct wccp2_capability_info_header_t);
+-
+-        router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_header) + sizeof(*router_capability_header));
+-
+-        while ((char *) router_capability_element <= end) {
++        const auto router_capability_data_length = ntohs(router_capability_header->capability_info_length);
++        assert(router_capability_data_start);
++        const auto router_capability_data_end = router_capability_data_start +
++                                                router_capability_data_length;
++        for (auto router_capability_data_current = router_capability_data_start;
++                router_capability_data_current < router_capability_data_end;) {
++
++            SetField(router_capability_element, router_capability_data_current,
++                     router_capability_data_start, router_capability_data_length,
++                     "capability element header truncated");
++            const auto elementSize = CheckFieldDataLength(
++                                         router_capability_element, ntohs(router_capability_element->capability_length),
++                                         router_capability_data_start, router_capability_data_length,
++                                         "capability element truncated");
+ 
+             switch (ntohs(router_capability_element->capability_type)) {
+ 
+@@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *)
+                 debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ").");
+             }
+ 
+-            router_capability_element = (struct wccp2_capability_element_t *) (((char *) router_capability_element) + sizeof(struct wccp2_item_header_t) + ntohs(router_capability_element->capability_length));
++            router_capability_data_current += elementSize;
+         }
+     }
+ 
+@@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *)
+     num_caches = 0;
+ 
+     /* Check to see if we're the master cache and update the cache list */
+-    found = 0;
++    bool found = false;
+     service_list_ptr->lowest_ip = 1;
+     cache_list_ptr = &router_list_ptr->cache_list_head;
+ 
+     /* to find the list of caches, we start at the end of the router view header */
+ 
+     ptr = (char *) (router_view_header) + sizeof(struct router_view_t);
++    const auto router_view_size = sizeof(struct router_view_t) +
++                                  ntohs(router_view_header->header.length);
+ 
+     /* Then we read the number of routers */
+-    memcpy(&tmp, ptr, sizeof(tmp));
++    const uint32_t *routerCountRaw = nullptr;
++    SetField(routerCountRaw, ptr, router_view_header, router_view_size,
++             "malformed packet (truncated router view info w/o number of routers)");
+ 
+     /* skip the number plus all the ip's */
+-
+-    ptr += sizeof(tmp) + (ntohl(tmp) * sizeof(struct in_addr));
++    ptr += sizeof(*routerCountRaw);
++    const auto ipCount = ntohl(*routerCountRaw);
++    const auto ipsSize = ipCount * sizeof(struct in_addr); // we check for unsigned overflow below
++    Must2(ipsSize / sizeof(struct in_addr) != ipCount, "huge IP address count");
++    CheckSectionLength(ptr, ipsSize, router_view_header, router_view_size, "invalid IP address count");
++    ptr += ipsSize;
+ 
+     /* Then read the number of caches */
+-    memcpy(&tmp, ptr, sizeof(tmp));
++    const uint32_t *cacheCountRaw = nullptr;
++    SetField(cacheCountRaw, ptr, router_view_header, router_view_size,
++             "malformed packet (truncated router view info w/o cache count)");
++    memcpy(&tmp, cacheCountRaw, sizeof(tmp)); // TODO: Replace tmp with cacheCount
+     ptr += sizeof(tmp);
+ 
+     if (ntohl(tmp) != 0) {
+@@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *)
+ 
+             case WCCP2_ASSIGNMENT_METHOD_HASH:
+ 
+-                cache_identity = (struct wccp2_cache_identity_info_t *) ptr;
++                SetField(cache_identity, ptr, router_view_header, router_view_size,
++                         "malformed packet (truncated router view info cache w/o assignment hash)");
+ 
+                 ptr += sizeof(struct wccp2_cache_identity_info_t);
+ 
+@@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *)
+ 
+             case WCCP2_ASSIGNMENT_METHOD_MASK:
+ 
+-                cache_mask_info = (struct cache_mask_info_t *) ptr;
++                SetField(cache_mask_info, ptr, router_view_header, router_view_size,
++                         "malformed packet (truncated router view info cache w/o assignment mask)");
+ 
+                 /* The mask assignment has an undocumented variable length entry here */
+ 
+                 if (ntohl(cache_mask_info->num1) == 3) {
+ 
+-                    cache_mask_identity = (struct wccp2_cache_mask_identity_info_t *) ptr;
++                    SetField(cache_mask_identity, ptr, router_view_header, router_view_size,
++                             "malformed packet (truncated router view info cache w/o assignment mask identity)");
+ 
+                     ptr += sizeof(struct wccp2_cache_mask_identity_info_t);
+ 
+@@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *)
+             debugs (80, 5,  "checking cache list: (" << std::hex << cache_address.s_addr << ":" <<  router_list_ptr->local_ip.s_addr << ")");
+ 
+             /* Check to see if it's the master, or us */
+-
+-            if (cache_address.s_addr == router_list_ptr->local_ip.s_addr) {
+-                found = 1;
+-            }
++            found = found || (cache_address.s_addr == router_list_ptr->local_ip.s_addr);
+ 
+             if (cache_address.s_addr < router_list_ptr->local_ip.s_addr) {
+                 service_list_ptr->lowest_ip = 0;
+@@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *)
+         cache_list_ptr->next = NULL;
+ 
+         service_list_ptr->lowest_ip = 1;
+-        found = 1;
++        found = true;
+         num_caches = 1;
+     }
+ 
+@@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *)
+ 
+     router_list_ptr->num_caches = htonl(num_caches);
+ 
+-    if ((found == 1) && (service_list_ptr->lowest_ip == 1)) {
++    if (found && (service_list_ptr->lowest_ip == 1)) {
+         if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) {
+             debugs(80, 4, "Change detected - queueing up new assignment");
+             router_list_ptr->member_change = ntohl(router_view_header->change_number);
+@@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *)
+         eventDelete(wccp2AssignBuckets, NULL);
+         debugs(80, 5, "I am not the lowest ip cache - not assigning buckets");
+     }
++
++    } catch (...) {
++        debugs(80, DBG_IMPORTANT, "ERROR: Ignoring WCCPv2 message: " << CurrentException);
++    }
+ }
+ 
+ static void

SOURCES/squid-4.15-CVE-2021-46784.patch

@@ -0,0 +1,129 @@
+From 780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <MegaManSec@users.noreply.github.com>
+Date: Mon, 18 Apr 2022 13:42:36 +0000
+Subject: [PATCH] Improve handling of Gopher responses (#1022)
+
+---
+ src/gopher.cc | 45 ++++++++++++++++++++-------------------------
+ 1 file changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/src/gopher.cc b/src/gopher.cc
+index 169b0e18299..6187da18bcd 100644
+--- a/src/gopher.cc
++++ b/src/gopher.cc
+@@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+     char *lpos = NULL;
+     char *tline = NULL;
+     LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
+-    LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
+     char *name = NULL;
+     char *selector = NULL;
+     char *host = NULL;
+@@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+     char gtype;
+     StoreEntry *entry = NULL;
+ 
+-    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+     memset(line, '\0', TEMP_BUF_SIZE);
+ 
+     entry = gopherState->entry;
+@@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+         return;
+     }
+ 
+-    String outbuf;
++    SBuf outbuf;
+ 
+     if (!gopherState->HTML_header_added) {
+         if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
+@@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+                         break;
+                     }
+ 
+-                    memset(tmpbuf, '\0', TEMP_BUF_SIZE);
+-
+                     if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
+                         if (strlen(escaped_selector) != 0)
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
+-                                     icon_url, escaped_selector, rfc1738_escape_part(host),
+-                                     *port ? ":" : "", port, html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
++                                           icon_url, escaped_selector, rfc1738_escape_part(host),
++                                           *port ? ":" : "", port, html_quote(name));
+                         else
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
+-                                     icon_url, rfc1738_escape_part(host), *port ? ":" : "",
+-                                     port, html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
++                                           icon_url, rfc1738_escape_part(host), *port ? ":" : "",
++                                           port, html_quote(name));
+ 
+                     } else if (gtype == GOPHER_INFO) {
+-                        snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
++                        outbuf.appendf("\t%s\n", html_quote(name));
+                     } else {
+                         if (strncmp(selector, "GET /", 5) == 0) {
+                             /* WWW link */
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
+-                                     icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
++                                           icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
++                        } else if (gtype == GOPHER_WWW) {
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++                                           icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
+                         } else {
+                             /* Standard link */
+-                            snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
+-                                     icon_url, host, gtype, escaped_selector, html_quote(name));
++                            outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
++                                           icon_url, host, gtype, escaped_selector, html_quote(name));
+                         }
+                     }
+ 
+                     safe_free(escaped_selector);
+-                    outbuf.append(tmpbuf);
+                 } else {
+                     memset(line, '\0', TEMP_BUF_SIZE);
+                     continue;
+@@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+                     break;
+ 
+                 if (gopherState->cso_recno != recno) {
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
++                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
+                     gopherState->cso_recno = recno;
+                 } else {
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
++                    outbuf.appendf("%s\n", html_quote(result));
+                 }
+ 
+-                outbuf.append(tmpbuf);
+                 break;
+             } else {
+                 int code;
+@@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+                 case 502: { /* Too Many Matches */
+                     /* Print the message the server returns */
+-                    snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+-                    outbuf.append(tmpbuf);
++                    outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
+                     break;
+                 }
+ 
+@@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
+ 
+     }               /* while loop */
+ 
+-    if (outbuf.size() > 0) {
+-        entry->append(outbuf.rawBuf(), outbuf.size());
++    if (outbuf.length() > 0) {
++        entry->append(outbuf.rawContent(), outbuf.length());
+         /* now let start sending stuff to client */
+         entry->flush();
+     }
+ 
+-    outbuf.clean();
+     return;
+ }
+ 

SOURCES/squid-4.15-CVE-2022-41318.patch

@@ -0,0 +1,38 @@
+commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   2022-08-09 23:34:54 +0000
+
+    Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+    
+    The initial bug fix overlooked large 'offset' causing integer
+    wrap to extract a too-short length string.
+    
+    Improve debugs and checks sequence to clarify cases and ensure
+    that all are handled correctly.
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index 5d9637290..f00fd51f8 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+     int32_t o = le32toh(str->offset);
+     // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+ 
+-    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+-        debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++        debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+         return rv;
+     }
++    else if (o <= 0 || o > packet_size) {
++        debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++        return rv;
++    }
++    else if (l > packet_size - o) {
++        debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++        return rv;
++    }
++
+     rv.str = (char *)packet + o;
+     rv.l = 0;
+     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {

SOURCES/squid-4.15-CVE-2023-46724.patch

@@ -0,0 +1,24 @@
+diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
+index 20b9bf1..81ebb18 100644
+--- a/src/anyp/Uri.cc
++++ b/src/anyp/Uri.cc
+@@ -173,6 +173,10 @@ urlInitialize(void)
+     assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
+     assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
+ 
++    assert(0 != matchDomainName("foo.com", ""));
++    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
++    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
++
+     /* more cases? */
+ }
+ 
+@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
+         return -1;
+ 
+     dl = strlen(d);
++    if (dl == 0)
++        return 1;
+ 
+     /*
+      * Start at the ends of the two strings and work towards the

SOURCES/squid-4.15-CVE-2023-46847.patch

@@ -0,0 +1,23 @@
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index 6a9736f..0a883fa 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+             break;
+ 
+         case DIGEST_NC:
+-            if (value.size() != 8) {
++            if (value.size() == 8) {
++                // for historical reasons, the nc value MUST be exactly 8 bytes
++                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
++                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
++                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
++            } else {
+                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
++                digest_request->nc[0] = 0;
+             }
+-            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+-            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+             break;
+ 
+         case DIGEST_CNONCE:

SOURCES/squid-4.15-CVE-2023-49285.patch

@@ -0,0 +1,30 @@
+commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Wed Oct 25 19:41:45 2023 +0000
+
+    RFC 1123: Fix date parsing (#1538)
+    
+    The bug was discovered and detailed by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
+    where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
+    Handling".
+
+diff --git a/lib/rfc1123.c b/lib/rfc1123.c
+index e5bf9a4d7..cb484cc00 100644
+--- a/lib/rfc1123.c
++++ b/lib/rfc1123.c
+@@ -50,7 +50,13 @@ make_month(const char *s)
+     char month[3];
+ 
+     month[0] = xtoupper(*s);
++    if (!month[0])
++        return -1; // protects *(s + 1) below
++
+     month[1] = xtolower(*(s + 1));
++    if (!month[1])
++        return -1; // protects *(s + 2) below
++
+     month[2] = xtolower(*(s + 2));
+ 
+     for (i = 0; i < 12; i++)
+

SOURCES/squid-4.15-CVE-2023-49286.patch

@@ -0,0 +1,62 @@
+diff --git a/src/ipc.cc b/src/ipc.cc
+index 42e11e6..a68e623 100644
+--- a/src/ipc.cc
++++ b/src/ipc.cc
+@@ -19,6 +19,11 @@
+ #include "SquidConfig.h"
+ #include "SquidIpc.h"
+ #include "tools.h"
++#include <cstdlib>
++
++#if HAVE_UNISTD_H
++#include <unistd.h>
++#endif
+ 
+ static const char *hello_string = "hi there\n";
+ #ifndef HELLO_BUF_SZ
+@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+     }
+ 
+     PutEnvironment();
++
++    // A dup(2) wrapper that reports and exits the process on errors. The
++    // exiting logic is only suitable for this child process context.
++    const auto dupOrExit = [prog,name](const int oldFd) {
++        const auto newFd = dup(oldFd);
++        if (newFd < 0) {
++            const auto savedErrno = errno;
++            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
++                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
++                   Debug::Extra << "helper program name: " << prog <<
++                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
++            _exit(EXIT_FAILURE);
++        }
++        return newFd;
++    };
++
+     /*
+      * This double-dup stuff avoids problems when one of
+      *  crfd, cwfd, or debug_log are in the rage 0-2.
+@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+ 
+     do {
+         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
+-        x = dup(crfd);
+-        assert(x > -1);
+-    } while (x < 3 && x > -1);
++        x = dupOrExit(crfd);
++    } while (x < 3);
+ 
+     close(x);
+ 
+-    t1 = dup(crfd);
++    t1 = dupOrExit(crfd);
+ 
+-    t2 = dup(cwfd);
++    t2 = dupOrExit(cwfd);
+ 
+-    t3 = dup(fileno(debug_log));
++    t3 = dupOrExit(fileno(debug_log));
+ 
+     assert(t1 > 2 && t2 > 2 && t3 > 2);
+ 

SOURCES/squid-4.15-CVE-2023-50269.patch

@@ -0,0 +1,50 @@
+diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
+index fe2edf6..47aa935 100644
+--- a/src/ClientRequestContext.h
++++ b/src/ClientRequestContext.h
+@@ -81,6 +81,10 @@ public:
+ #endif
+     ErrorState *error; ///< saved error page for centralized/delayed processing
+     bool readNextRequest; ///< whether Squid should read after error handling
++
++#if FOLLOW_X_FORWARDED_FOR
++    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
++#endif
+ };
+ 
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index 1c6ff62..b758f6f 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -78,6 +78,11 @@
+ static const char *const crlf = "\r\n";
+ 
+ #if FOLLOW_X_FORWARDED_FOR
++
++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
++#endif
++
+ static void clientFollowXForwardedForCheck(allow_t answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+ 
+@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
+                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
+                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+             }
+-            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+-            return;
++            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
++                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++                return;
++            }
++            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
++                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
++                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
++                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++            // fall through to resume clientAccessCheck() processing
+         }
+     }
+ 

SOURCES/squid-4.15-CVE-2024-25111.patch

@@ -0,0 +1,193 @@
+diff --git a/src/http.cc b/src/http.cc
+index b006300..023e411 100644
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -52,6 +52,7 @@
+ #include "rfc1738.h"
+ #include "SquidConfig.h"
+ #include "SquidTime.h"
++#include "SquidMath.h"
+ #include "StatCounters.h"
+ #include "Store.h"
+ #include "StrList.h"
+@@ -1150,18 +1151,26 @@ HttpStateData::readReply(const CommIoCbParams &io)
+      * Plus, it breaks our lame *HalfClosed() detection
+      */
+ 
+-    Must(maybeMakeSpaceAvailable(true));
+-    CommIoCbParams rd(this); // will be expanded with ReadNow results
+-    rd.conn = io.conn;
+-    rd.size = entry->bytesWanted(Range<size_t>(0, inBuf.spaceSize()));
++    size_t moreDataPermission = 0;
++    if ((!canBufferMoreReplyBytes(&moreDataPermission) || !moreDataPermission)) {
++        abortTransaction("ready to read required data, but the read buffer is full and cannot be drained");
++        return;
++    }
++
++    const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission);
++    // TODO: Move this logic inside maybeMakeSpaceAvailable():
++    const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range<size_t>(0, readSizeMax)) : 0;
+ 
+-    if (rd.size <= 0) {
++    if (readSizeWanted <= 0) {
+         assert(entry->mem_obj);
+         AsyncCall::Pointer nilCall;
+         entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall)));
+         return;
+     }
+ 
++    CommIoCbParams rd(this); // will be expanded with ReadNow results
++    rd.conn = io.conn;
++    rd.size = readSizeWanted;
+     switch (Comm::ReadNow(rd, inBuf)) {
+     case Comm::INPROGRESS:
+         if (inBuf.isEmpty())
+@@ -1520,8 +1529,11 @@ HttpStateData::maybeReadVirginBody()
+     if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
+         return;
+ 
+-    if (!maybeMakeSpaceAvailable(false))
++    size_t moreDataPermission = 0;
++    if ((!canBufferMoreReplyBytes(&moreDataPermission)) || !moreDataPermission) {
++        abortTransaction("more response bytes required, but the read buffer is full and cannot be drained");
+         return;
++    }
+ 
+     // XXX: get rid of the do_next_read flag
+     // check for the proper reasons preventing read(2)
+@@ -1539,40 +1551,79 @@ HttpStateData::maybeReadVirginBody()
+     Comm::Read(serverConnection, call);
+ }
+ 
++/// Desired inBuf capacity based on various capacity preferences/limits:
++/// * a smaller buffer may not hold enough for look-ahead header/body parsers;
++/// * a smaller buffer may result in inefficient tiny network reads;
++/// * a bigger buffer may waste memory;
++/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize);
++size_t
++HttpStateData::calcReadBufferCapacityLimit() const
++{
++    if (!flags.headers_parsed)
++        return Config.maxReplyHeaderSize;
++
++    // XXX: Our inBuf is not used to maintain the read-ahead gap, and using
++    // Config.readAheadGap like this creates huge read buffers for large
++    // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the
++    // primary read buffer capacity factor.
++    //
++    // TODO: Cannot reuse throwing NaturalCast() here. Consider removing
++    // .value() dereference in NaturalCast() or add/use NaturalCastOrMax().
++    const auto configurationPreferences = NaturalSum<size_t>(Config.readAheadGap).second ? NaturalSum<size_t>(Config.readAheadGap).first : SBuf::maxSize;
++
++    // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements
++    // (when explicit configurationPreferences are set too low).
++
++    return std::min<size_t>(configurationPreferences, SBuf::maxSize);
++}
++
++/// The maximum number of virgin reply bytes we may buffer before we violate
++/// the currently configured response buffering limits.
++/// \retval std::nullopt means that no more virgin response bytes can be read
++/// \retval 0 means that more virgin response bytes may be read later
++/// \retval >0 is the number of bytes that can be read now (subject to other constraints)
+ bool
+-HttpStateData::maybeMakeSpaceAvailable(bool doGrow)
++HttpStateData::canBufferMoreReplyBytes(size_t *maxReadSize) const
+ {
+-    // how much we are allowed to buffer
+-    const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize);
+-
+-    if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) {
+-        // when buffer is at or over limit already
+-        debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
+-        debugs(11, DBG_DATA, "buffer has {" << inBuf << "}");
+-        // Process next response from buffer
+-        processReply();
+-        return false;
++#if USE_ADAPTATION
++    // If we do not check this now, we may say the final "no" prematurely below
++    // because inBuf.length() will decrease as adaptation drains buffered bytes.
++    if (responseBodyBuffer) {
++        debugs(11, 3, "yes, but waiting for adaptation to drain read buffer");
++        *maxReadSize = 0; // yes, we may be able to buffer more (but later)
++        return true;
++    }
++#endif
++
++    const auto maxCapacity = calcReadBufferCapacityLimit();
++    if (inBuf.length() >= maxCapacity) {
++        debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity);
++        return false; // no, configuration prohibits buffering more
+     }
+ 
++    *maxReadSize = (maxCapacity - inBuf.length()); // positive
++    debugs(11, 7, "yes, may read up to " << *maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize());
++    return true; // yes, can read up to this many bytes (subject to other constraints)
++}
++
++/// prepare read buffer for reading
++/// \return the maximum number of bytes the caller should attempt to read
++/// \retval 0 means that the caller should delay reading
++size_t
++HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize)
++{
+     // how much we want to read
+-    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length()));
++    const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize);
+ 
+-    if (!read_size) {
++    if (read_size < 2) {
+         debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
+-        return false;
++        return 0;
+     }
+ 
+-    // just report whether we could grow or not, do not actually do it
+-    if (doGrow)
+-        return (read_size >= 2);
+-
+     // we may need to grow the buffer
+     inBuf.reserveSpace(read_size);
+-    debugs(11, 8, (!flags.do_next_read ? "will not" : "may") <<
+-           " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() <<
+-           ") from " << serverConnection);
+-
+-    return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available
++    debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection);
++    return read_size;
+ }
+ 
+ /// called after writing the very last request byte (body, last-chunk, etc)
+diff --git a/src/http.h b/src/http.h
+index 8965b77..007d2e6 100644
+--- a/src/http.h
++++ b/src/http.h
+@@ -15,6 +15,8 @@
+ #include "http/StateFlags.h"
+ #include "sbuf/SBuf.h"
+ 
++#include <optional>
++
+ class FwdState;
+ class HttpHeader;
+ 
+@@ -107,16 +109,9 @@ private:
+ 
+     void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination
+ 
+-    /**
+-     * determine if read buffer can have space made available
+-     * for a read.
+-     *
+-     * \param grow  whether to actually expand the buffer
+-     *
+-     * \return whether the buffer can be grown to provide space
+-     *         regardless of whether the grow actually happened.
+-     */
+-    bool maybeMakeSpaceAvailable(bool grow);
++    size_t calcReadBufferCapacityLimit() const;
++    bool canBufferMoreReplyBytes(size_t *maxReadSize) const;
++    size_t maybeMakeSpaceAvailable(size_t maxReadSize);
+ 
+     // consuming request body
+     virtual void handleMoreRequestBodyAvailable();

SOURCES/squid-4.15-CVE-2024-25617.patch

@@ -0,0 +1,105 @@
+diff --git a/src/SquidString.h b/src/SquidString.h
+index a791885..b9aef38 100644
+--- a/src/SquidString.h
++++ b/src/SquidString.h
+@@ -114,7 +114,16 @@ private:
+ 
+     size_type len_;  /* current length  */
+ 
+-    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
++    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
++    /// (a) we do not know where those buffers are (or whether they still exist)
++    /// (b) too many String users unknowingly exceeded that limit and asserted.
++    /// We are now using a larger limit to reduce the number of (b) cases,
++    /// especially cases where "compact" lists of items grow 50% in size when we
++    /// convert them to canonical form. The new limit is selected to withstand
++    /// concatenation and ~50% expansion of two HTTP headers limited by default
++    /// request_header_max_size and reply_header_max_size settings.
++    static const size_type SizeMax_ = 3*64*1024 - 1;
++
+     /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
+     static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
+ 
+diff --git a/src/cache_cf.cc b/src/cache_cf.cc
+index a9c1b7e..46f07bb 100644
+--- a/src/cache_cf.cc
++++ b/src/cache_cf.cc
+@@ -935,6 +935,18 @@ configDoConfigure(void)
+                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
+     }
+ 
++    // Warn about the dangers of exceeding String limits when manipulating HTTP
++    // headers. Technically, we do not concatenate _requests_, so we could relax
++    // their check, but we keep the two checks the same for simplicity sake.
++    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
++    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
++    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
++        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
++               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
++    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
++        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
++               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
++
+     /*
+      * Disable client side request pipelining if client_persistent_connections OFF.
+      * Waste of resources queueing any pipelined requests when the first will close the connection.
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index bc2ddcd..d55b870 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -6196,11 +6196,14 @@ TYPE: b_size_t
+ DEFAULT: 64 KB
+ LOC: Config.maxRequestHeaderSize
+ DOC_START
+-	This specifies the maximum size for HTTP headers in a request.
+-	Request headers are usually relatively small (about 512 bytes).
+-	Placing a limit on the request header size will catch certain
+-	bugs (for example with persistent connections) and possibly
+-	buffer-overflow or denial-of-service attacks.
++	This directives limits the header size of a received HTTP request
++	(including request-line). Increasing this limit beyond its 64 KB default
++	exposes certain old Squid code to various denial-of-service attacks. This
++	limit also applies to received FTP commands.
++
++	This limit has no direct affect on Squid memory consumption.
++
++	Squid does not check this limit when sending requests.
+ DOC_END
+ 
+ NAME: reply_header_max_size
+@@ -6209,11 +6212,14 @@ TYPE: b_size_t
+ DEFAULT: 64 KB
+ LOC: Config.maxReplyHeaderSize
+ DOC_START
+-	This specifies the maximum size for HTTP headers in a reply.
+-	Reply headers are usually relatively small (about 512 bytes).
+-	Placing a limit on the reply header size will catch certain
+-	bugs (for example with persistent connections) and possibly
+-	buffer-overflow or denial-of-service attacks.
++	This directives limits the header size of a received HTTP response
++	(including status-line). Increasing this limit beyond its 64 KB default
++	exposes certain old Squid code to various denial-of-service attacks. This
++	limit also applies to FTP command responses.
++
++	Squid also checks this limit when loading hit responses from disk cache.
++
++	Squid does not check this limit when sending responses.
+ DOC_END
+ 
+ NAME: request_body_max_size
+diff --git a/src/http.cc b/src/http.cc
+index 877172d..b006300 100644
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -1820,8 +1820,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
+ 
+         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
+ 
+-        // if we cannot double strFwd size, then it grew past 50% of the limit
+-        if (!strFwd.canGrowBy(strFwd.size())) {
++        // Detect unreasonably long header values. And paranoidly check String
++        // limits: a String ought to accommodate two reasonable-length values.
++        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
+             // There is probably a forwarding loop with Via detection disabled.
+             // If we do nothing, String will assert on overflow soon.
+             // TODO: Terminate all transactions with huge XFF?

SOURCES/squid-4.15-ftp-filename-extraction.patch

@@ -0,0 +1,32 @@
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index da9867f..e992638 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -1084,16 +1084,17 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
+ void
+ Ftp::Gateway::checkUrlpath()
+ {
+-    static SBuf str_type_eq("type=");
+-    auto t = request->url.path().rfind(';');
+-
+-    if (t != SBuf::npos) {
+-        auto filenameEnd = t-1;
+-        if (request->url.path().substr(++t).cmp(str_type_eq, str_type_eq.length()) == 0) {
+-            t += str_type_eq.length();
+-            typecode = (char)xtoupper(request->url.path()[t]);
+-            request->url.path(request->url.path().substr(0,filenameEnd));
+-        }
++    // If typecode was specified, extract it and leave just the filename in
++    // url.path. Tolerate trailing garbage or missing typecode value. Roughly:
++    // [filename] ;type=[typecode char] [trailing garbage]
++    static const SBuf middle(";type=");
++    const auto typeSpecStart = request->url.path().find(middle);
++    if (typeSpecStart != SBuf::npos) {
++        const auto fullPath = request->url.path();
++        const auto typecodePos = typeSpecStart + middle.length();
++        typecode = (typecodePos < fullPath.length()) ?
++            static_cast<char>(xtoupper(fullPath[typecodePos])) : '\0';
++        request->url.path(fullPath.substr(0, typeSpecStart));
+     }
+ 
+     int l = request->url.path().length();

SOURCES/squid-4.15-halfclosed.patch

@@ -0,0 +1,163 @@
+diff --git a/src/client_side.cc b/src/client_side.cc
+index f57f3f7..ab393e4 100644
+--- a/src/client_side.cc
++++ b/src/client_side.cc
+@@ -906,7 +906,7 @@ ConnStateData::kick()
+      * We are done with the response, and we are either still receiving request
+      * body (early response!) or have already stopped receiving anything.
+      *
+-     * If we are still receiving, then clientParseRequest() below will fail.
++     * If we are still receiving, then parseRequests() below will fail.
+      * (XXX: but then we will call readNextRequest() which may succeed and
+      * execute a smuggled request as we are not done with the current request).
+      *
+@@ -926,28 +926,12 @@ ConnStateData::kick()
+      * Attempt to parse a request from the request buffer.
+      * If we've been fed a pipelined request it may already
+      * be in our read buffer.
+-     *
+-     \par
+-     * This needs to fall through - if we're unlucky and parse the _last_ request
+-     * from our read buffer we may never re-register for another client read.
+      */
+ 
+-    if (clientParseRequests()) {
+-        debugs(33, 3, clientConnection << ": parsed next request from buffer");
+-    }
++    parseRequests();
+ 
+-    /** \par
+-     * Either we need to kick-start another read or, if we have
+-     * a half-closed connection, kill it after the last request.
+-     * This saves waiting for half-closed connections to finished being
+-     * half-closed _AND_ then, sometimes, spending "Timeout" time in
+-     * the keepalive "Waiting for next request" state.
+-     */
+-    if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) {
+-        debugs(33, 3, "half-closed client with no pending requests, closing");
+-        clientConnection->close();
++    if (!isOpen())
+         return;
+-    }
+ 
+     /** \par
+      * At this point we either have a parsed request (which we've
+@@ -2058,16 +2042,11 @@ ConnStateData::receivedFirstByte()
+     commSetConnTimeout(clientConnection, Config.Timeout.request, timeoutCall);
+ }
+ 
+-/**
+- * Attempt to parse one or more requests from the input buffer.
+- * Returns true after completing parsing of at least one request [header]. That
+- * includes cases where parsing ended with an error (e.g., a huge request).
+- */
+-bool
+-ConnStateData::clientParseRequests()
++/// Attempt to parse one or more requests from the input buffer.
++/// May close the connection.
++void
++ConnStateData::parseRequests()
+ {
+-    bool parsed_req = false;
+-
+     debugs(33, 5, HERE << clientConnection << ": attempting to parse");
+ 
+     // Loop while we have read bytes that are not needed for producing the body
+@@ -2116,8 +2095,6 @@ ConnStateData::clientParseRequests()
+ 
+             processParsedRequest(context);
+ 
+-            parsed_req = true; // XXX: do we really need to parse everything right NOW ?
+-
+             if (context->mayUseConnection()) {
+                 debugs(33, 3, HERE << "Not parsing new requests, as this request may need the connection");
+                 break;
+@@ -2130,8 +2107,19 @@ ConnStateData::clientParseRequests()
+         }
+     }
+ 
+-    /* XXX where to 'finish' the parsing pass? */
+-    return parsed_req;
++    debugs(33, 7, "buffered leftovers: " << inBuf.length());
++
++    if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
++        if (pipeline.empty()) {
++            // we processed what we could parse, and no more data is coming
++            debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
++            clientConnection->close();
++        } else {
++            // we parsed what we could, and no more data is coming
++            debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
++            flags.readMore = false; // may already be false
++        }
++    }
+ }
+ 
+ void
+@@ -2148,23 +2136,7 @@ ConnStateData::afterClientRead()
+     if (pipeline.empty())
+         fd_note(clientConnection->fd, "Reading next request");
+ 
+-    if (!clientParseRequests()) {
+-        if (!isOpen())
+-            return;
+-        /*
+-         * If the client here is half closed and we failed
+-         * to parse a request, close the connection.
+-         * The above check with connFinishedWithConn() only
+-         * succeeds _if_ the buffer is empty which it won't
+-         * be if we have an incomplete request.
+-         * XXX: This duplicates ConnStateData::kick
+-         */
+-        if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) {
+-            debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing.");
+-            clientConnection->close();
+-            return;
+-        }
+-    }
++    parseRequests();
+ 
+     if (!isOpen())
+         return;
+@@ -3945,7 +3917,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
+     startPinnedConnectionMonitoring();
+ 
+     if (pipeline.empty())
+-        kick(); // in case clientParseRequests() was blocked by a busy pic.connection
++        kick(); // in case parseRequests() was blocked by a busy pic.connection
+ }
+ 
+ /// Forward future client requests using the given server connection.
+diff --git a/src/client_side.h b/src/client_side.h
+index 9fe8463..dfb4d8e 100644
+--- a/src/client_side.h
++++ b/src/client_side.h
+@@ -85,7 +85,6 @@ public:
+     virtual void doneWithControlMsg();
+ 
+     /// Traffic parsing
+-    bool clientParseRequests();
+     void readNextRequest();
+ 
+     /// try to make progress on a transaction or read more I/O
+@@ -373,6 +372,7 @@ private:
+     virtual bool connFinishedWithConn(int size);
+     virtual void checkLogging();
+ 
++    void parseRequests();
+     void clientAfterReadingRequests();
+     bool concurrentRequestQueueFilled() const;
+ 
+diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
+index d7efb0f..655ed83 100644
+--- a/src/tests/stub_client_side.cc
++++ b/src/tests/stub_client_side.cc
+@@ -14,7 +14,7 @@
+ #include "tests/STUB.h"
+ 
+ #include "client_side.h"
+-bool ConnStateData::clientParseRequests() STUB_RETVAL(false)
++void ConnStateData::parseRequests() STUB
+ void ConnStateData::readNextRequest() STUB
+ bool ConnStateData::isOpen() const STUB_RETVAL(false)
+ void ConnStateData::kick() STUB

SOURCES/squid-4.15-ip-bind-address-no-port.patch

@@ -0,0 +1,156 @@
+commit c08948c8b831a2ba73c676b48aa11ba1b58cc542
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Thu Dec 8 11:03:08 2022 +0100
+
+    Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
+
+diff --git a/src/comm.cc b/src/comm.cc
+index 0d5f34d..6811b54 100644
+--- a/src/comm.cc
++++ b/src/comm.cc
+@@ -58,6 +58,7 @@
+  */
+ 
+ static IOCB commHalfClosedReader;
++static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
+ static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
+ static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
+ 
+@@ -75,6 +76,7 @@ static EVH commHalfClosedCheck;
+ static void commPlanHalfClosedCheck();
+ 
+ static Comm::Flag commBind(int s, struct addrinfo &);
++static void commSetBindAddressNoPort(int);
+ static void commSetReuseAddr(int);
+ static void commSetNoLinger(int);
+ #ifdef TCP_NODELAY
+@@ -201,6 +203,22 @@ comm_local_port(int fd)
+     return F->local_addr.port();
+ }
+ 
++/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
++/// reuse by outgoing TCP connections that must bind(2) to a source IP address
++static void
++commSetBindAddressNoPort(const int fd)
++{
++#if defined(IP_BIND_ADDRESS_NO_PORT)
++    int flag = 1;
++    if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
++        const auto savedErrno = errno;
++        debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
++    }
++#else
++    (void)fd;
++#endif
++}
++
+ static Comm::Flag
+ commBind(int s, struct addrinfo &inaddr)
+ {
+@@ -227,6 +245,10 @@ comm_open(int sock_type,
+           int flags,
+           const char *note)
+ {
++    // assume zero-port callers do not need to know the assigned port right away
++    if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
++        flags |= COMM_DOBIND_PORT_LATER;
++
+     return comm_openex(sock_type, proto, addr, flags, note);
+ }
+ 
+@@ -328,7 +350,7 @@ comm_set_transparent(int fd)
+  * Create a socket. Default is blocking, stream (TCP) socket.  IO_TYPE
+  * is OR of flags specified in defines.h:COMM_*
+  */
+-int
++static int
+ comm_openex(int sock_type,
+             int proto,
+             Ip::Address &addr,
+@@ -476,6 +498,9 @@ comm_apply_flags(int new_socket,
+         if ( addr.isNoAddr() )
+             debugs(5,0,"CRITICAL: Squid is attempting to bind() port " << addr << "!!");
+ 
++        if ((flags & COMM_DOBIND_PORT_LATER))
++            commSetBindAddressNoPort(new_socket);
++
+         if (commBind(new_socket, *AI) != Comm::OK) {
+             comm_close(new_socket);
+             return -1;
+diff --git a/src/comm.h b/src/comm.h
+index c963e1c..9ff201d 100644
+--- a/src/comm.h
++++ b/src/comm.h
+@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
+ 
+ /**
+  * Open a port specially bound for listening or sending through a specific port.
+- * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
+  * Please use for all listening sockets and bind() outbound sockets.
+  *
+  * It will open a socket bound for:
+@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
+ int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note);
+ void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note);
+ 
+-int comm_openex(int, int, Ip::Address &, int, const char *);
+ unsigned short comm_local_port(int fd);
+ 
+ int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
+diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
+index 25a30e4..2082214 100644
+--- a/src/comm/ConnOpener.cc
++++ b/src/comm/ConnOpener.cc
+@@ -263,7 +263,7 @@ Comm::ConnOpener::createFd()
+     if (callback_ == NULL || callback_->canceled())
+         return false;
+ 
+-    temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
++    temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
+     if (temporaryFd_ < 0) {
+         sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
+         return false;
+diff --git a/src/comm/Connection.h b/src/comm/Connection.h
+index 4f2f23a..1e32c22 100644
+--- a/src/comm/Connection.h
++++ b/src/comm/Connection.h
+@@ -47,6 +47,8 @@ namespace Comm
+ #define COMM_DOBIND             0x08  // requires a bind()
+ #define COMM_TRANSPARENT        0x10  // arrived via TPROXY
+ #define COMM_INTERCEPTION       0x20  // arrived via NAT
++/// Internal Comm optimization: Keep the source port unassigned until connect(2)
++#define COMM_DOBIND_PORT_LATER 0x100
+ 
+ /**
+  * Store data about the physical and logical attributes of a connection.
+diff --git a/src/ipc.cc b/src/ipc.cc
+index e1d48fc..e92a27f 100644
+--- a/src/ipc.cc
++++ b/src/ipc.cc
+@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+     } else void(0)
+ 
+     if (type == IPC_TCP_SOCKET) {
+-        crfd = cwfd = comm_open(SOCK_STREAM,
++        crfd = cwfd = comm_open_listener(SOCK_STREAM,
+                                 0,
+                                 local_addr,
+                                 COMM_NOCLOEXEC,
+                                 name);
+-        prfd = pwfd = comm_open(SOCK_STREAM,
++        prfd = pwfd = comm_open_listener(SOCK_STREAM,
+                                 0,          /* protocol */
+                                 local_addr,
+                                 0,          /* blocking */
+diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
+index 58f85e4..5381ab2 100644
+--- a/src/tests/stub_comm.cc
++++ b/src/tests/stub_comm.cc
+@@ -46,7 +46,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
+ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
+ int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
+ void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
+-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
+ unsigned short comm_local_port(int fd) STUB_RETVAL(0)
+ int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1)
+ void commCallCloseHandlers(int fd) STUB

SOURCES/squid-4.15.tar.xz.asc

@@ -0,0 +1,25 @@
+File: squid-4.15.tar.xz
+Date: Mon 10 May 2021 10:50:22 UTC
+Size: 2454176
+MD5 : a593de9dc888dfeca4f1f7db2cd7d3b9
+SHA1: 60bda34ba39657e2d870c8c1d2acece8a69c3075
+Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
+            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
+      keyring = http://www.squid-cache.org/pgp.asc
+      keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmCZD/UACgkQzW2/jvOx
+fT6zZg/+N8JMIYpmVJ7jm4lF0Ub2kEHGTOrc+tnlA3LGnlMQuTm61+BYk58g0SKW
+96NbJ0cycW215Q34L+Y0tWuxEbIU01vIc3AA7rQd0LKy+fQU0OtBuhk5Vf4bKilW
+uHEVIQZs9HmY6bqC+kgtCf49tVZvR8FZYNuilg/68+i/pQdwaDDmVb+j2oF7w+y2
+dgkTFWtM5NTL6bqUVC0E7lLFPjzMefKfxkkpWFdV/VrAhU25jN24kpnjcfotQhdW
+LDFy5okduz3ljso9pBYJfLeMXM1FZPpceC91zj32x3tcUyrD3yIoXob58rEKvfe4
+RDXN4SuClsNe4UQ4oNoGIES9XtaYlOzPR1PlbqPUrdp1cDnhgLJ+1fkAixlMqCml
+wuI1VIKSEY+nvRzQzFHnXJK9otV8QwMF76AHaytO9y+X6JuZmu/CcV1pq61qY9qv
+t1/8z99wWSxpu17zthZgq64J225GF/hkBedaFlYoS5k5YUMDLPlRSCC0yPmb8JBF
+Cns5i/aq2PmOx2ZhQ2RQIF416J3HK8Galw8ytFOjnEcn4ux9yzKNjL38p4+PJJA0
+7GCMAqYYNjok3LSkGbiR7cPgbHnkqRfYbPFLMj4FtruoFlZ9L5MIU3oFvqA3ZR6l
+Az6LaKLsAYPUmukAOPUSIrqpKXZHc7hdBWkT+7RYA4qaoU+9oIo=
+=1Re1
+-----END PGP SIGNATURE-----

SOURCES/squid-4.4.0-CVE-2019-12519.patch

@@ -1,296 +0,0 @@
-commit fdd4123629320aa1ee4c3481bb392437c90d188d
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   2019-05-20 11:23:13 +0000
-
-    ESI: convert parse exceptions into 500 status response  (#411)
-    
-    Produce a valid HTTP 500 status reply and continue operations when
-    ESI parser throws an exception. This will prevent incomplete ESI
-    responses reaching clients on server errors. Such responses might
-    have been cacheable and thus corrupted, albeit corrupted consistently
-    and at source by the reverse-proxy delivering them.
-    
-    ESI: throw on large stack recursions (#408)
-    
-    This reduces the impact on concurrent clients to only those
-    accessing the malformed resource.
-    
-    Depending on what type of recursion is being performed the
-    resource may appear to the client with missing segments, or
-    not at all.
-
-diff --git a/src/esi/Context.h b/src/esi/Context.h
-index f3281a1..1b08cfb 100644
---- a/src/esi/Context.h
-+++ b/src/esi/Context.h
-@@ -12,6 +12,7 @@
- #include "clientStream.h"
- #include "err_type.h"
- #include "esi/Element.h"
-+#include "esi/Esi.h"
- #include "esi/Parser.h"
- #include "http/forward.h"
- #include "http/StatusCode.h"
-@@ -113,7 +114,7 @@ public:
-     {
- 
-     public:
--        ESIElement::Pointer stack[10]; /* a stack of esi elements that are open */
-+        ESIElement::Pointer stack[ESI_STACK_DEPTH_LIMIT]; /* a stack of esi elements that are open */
-         int stackdepth; /* self explanatory */
-         ESIParser::Pointer theParser;
-         ESIElement::Pointer top();
-diff --git a/src/esi/Esi.cc b/src/esi/Esi.cc
-index cc662c4..e41d593 100644
---- a/src/esi/Esi.cc
-+++ b/src/esi/Esi.cc
-@@ -29,6 +29,7 @@
- #include "esi/Expression.h"
- #include "esi/Segment.h"
- #include "esi/VarState.h"
-+#include "FadingCounter.h"
- #include "fatal.h"
- #include "http/Stream.h"
- #include "HttpHdrSc.h"
-@@ -930,13 +931,18 @@ void
- ESIContext::addStackElement (ESIElement::Pointer element)
- {
-     /* Put on the stack to allow skipping of 'invalid' markup */
--    assert (parserState.stackdepth <11);
-+
-+    // throw an error if the stack location would be invalid
-+    if (parserState.stackdepth >= ESI_STACK_DEPTH_LIMIT)
-+        throw Esi::Error("ESI Too many nested elements");
-+    if (parserState.stackdepth < 0)
-+        throw Esi::Error("ESI elements stack error, probable error in ESI template");
-+
-     assert (!failed());
-     debugs(86, 5, "ESIContext::addStackElement: About to add ESI Node " << element.getRaw());
- 
-     if (!parserState.top()->addElement(element)) {
--        debugs(86, DBG_IMPORTANT, "ESIContext::addStackElement: failed to add esi node, probable error in ESI template");
--        flags.error = 1;
-+        throw Esi::Error("ESIContext::addStackElement failed, probable error in ESI template");
-     } else {
-         /* added ok, push onto the stack */
-         parserState.stack[parserState.stackdepth] = element;
-@@ -1188,13 +1194,10 @@ ESIContext::addLiteral (const char *s, int len)
-     assert (len);
-     debugs(86, 5, "literal length is " << len);
-     /* give a literal to the current element */
--    assert (parserState.stackdepth <11);
-     ESIElement::Pointer element (new esiLiteral (this, s, len));
- 
--    if (!parserState.top()->addElement(element)) {
--        debugs(86, DBG_IMPORTANT, "ESIContext::addLiteral: failed to add esi node, probable error in ESI template");
--        flags.error = 1;
--    }
-+    if (!parserState.top()->addElement(element))
-+        throw Esi::Error("ESIContext::addLiteral failed, probable error in ESI template");
- }
- 
- void
-@@ -1256,8 +1259,24 @@ ESIContext::parse()
- 
-         PROF_start(esiParsing);
- 
--        while (buffered.getRaw() && !flags.error)
--            parseOneBuffer();
-+        try {
-+            while (buffered.getRaw() && !flags.error)
-+                parseOneBuffer();
-+
-+        } catch (Esi::ErrorDetail &errMsg) { // FIXME: non-const for c_str()
-+            // level-2: these are protocol/syntax errors from upstream
-+            debugs(86, 2, "WARNING: ESI syntax error: " << errMsg);
-+            setError();
-+            setErrorMessage(errMsg.c_str());
-+
-+        } catch (...) {
-+            // DBG_IMPORTANT because these are local issues the admin needs to fix
-+            static FadingCounter logEntries; // TODO: set horizon less than infinity
-+            if (logEntries.count(1) < 100)
-+                debugs(86, DBG_IMPORTANT, "ERROR: ESI parser: " << CurrentException);
-+            setError();
-+            setErrorMessage("ESI parser error");
-+        }
- 
-         PROF_stop(esiParsing);
- 
-diff --git a/src/esi/Esi.h b/src/esi/Esi.h
-index 180b2c4..6fd5aac 100644
---- a/src/esi/Esi.h
-+++ b/src/esi/Esi.h
-@@ -10,6 +10,11 @@
- #define SQUID_ESI_H
- 
- #include "clientStream.h"
-+#include "sbuf/SBuf.h"
-+
-+#if !defined(ESI_STACK_DEPTH_LIMIT)
-+#define ESI_STACK_DEPTH_LIMIT 20
-+#endif
- 
- /* ESI.c */
- extern CSR esiStreamRead;
-@@ -18,5 +23,14 @@ extern CSD esiStreamDetach;
- extern CSS esiStreamStatus;
- int esiEnableProcessing (HttpReply *);
- 
-+namespace Esi
-+{
-+
-+typedef SBuf ErrorDetail;
-+/// prepare an Esi::ErrorDetail for throw on ESI parser internal errors
-+inline Esi::ErrorDetail Error(const char *msg) { return ErrorDetail(msg); }
-+
-+} // namespace Esi
-+
- #endif /* SQUID_ESI_H */
- 
-diff --git a/src/esi/Expression.cc b/src/esi/Expression.cc
-index 2b5b762..8519b03 100644
---- a/src/esi/Expression.cc
-+++ b/src/esi/Expression.cc
-@@ -10,6 +10,7 @@
- 
- #include "squid.h"
- #include "Debug.h"
-+#include "esi/Esi.h"
- #include "esi/Expression.h"
- #include "profiler/Profiler.h"
- 
-@@ -97,6 +98,17 @@ stackpop(stackmember * s, int *depth)
-     cleanmember(&s[*depth]);
- }
- 
-+static void
-+stackpush(stackmember *stack, stackmember &item, int *depth)
-+{
-+    if (*depth < 0)
-+        throw Esi::Error("ESIExpression stack has negative size");
-+    if (*depth >= ESI_STACK_DEPTH_LIMIT)
-+        throw Esi::Error("ESIExpression stack is full, cannot push");
-+
-+    stack[(*depth)++] = item;
-+}
-+
- static evaluate evalnegate;
- static evaluate evalliteral;
- static evaluate evalor;
-@@ -208,6 +220,11 @@ evalnegate(stackmember * stack, int *depth, int whereAmI, stackmember * candidat
-         /* invalid stack */
-         return 1;
- 
-+    if (whereAmI < 0)
-+        throw Esi::Error("negate expression location too small");
-+    if (*depth >= ESI_STACK_DEPTH_LIMIT)
-+        throw Esi::Error("negate expression too complex");
-+
-     if (stack[whereAmI + 1].valuetype != ESI_EXPR_EXPR)
-         /* invalid operand */
-         return 1;
-@@ -280,7 +297,7 @@ evalor(stackmember * stack, int *depth, int whereAmI, stackmember * candidate)
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -327,7 +344,7 @@ evaland(stackmember * stack, int *depth, int whereAmI, stackmember * candidate)
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -373,7 +390,7 @@ evallesseq(stackmember * stack, int *depth, int whereAmI, stackmember * candidat
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -421,7 +438,7 @@ evallessthan(stackmember * stack, int *depth, int whereAmI, stackmember * candid
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -469,7 +486,7 @@ evalmoreeq(stackmember * stack, int *depth, int whereAmI, stackmember * candidat
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -517,7 +534,7 @@ evalmorethan(stackmember * stack, int *depth, int whereAmI, stackmember * candid
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -566,7 +583,7 @@ evalequals(stackmember * stack, int *depth, int whereAmI,
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -613,7 +630,7 @@ evalnotequals(stackmember * stack, int *depth, int whereAmI, stackmember * candi
- 
-     srv.precedence = 1;
- 
--    stack[(*depth)++] = srv;
-+    stackpush(stack, srv, depth);
- 
-     /* we're out of way, try adding now */
-     if (!addmember(stack, depth, candidate))
-@@ -953,6 +970,9 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate)
-         /* !(!(a==b))) is why thats safe */
-         /* strictly less than until we unwind */
- 
-+        if (*stackdepth >= ESI_STACK_DEPTH_LIMIT)
-+            throw Esi::Error("ESI expression too complex to add member");
-+
-         if (candidate->precedence < stack[*stackdepth - 1].precedence ||
-                 candidate->precedence < stack[*stackdepth - 2].precedence) {
-             /* must be an operator */
-@@ -968,10 +988,10 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate)
-                 return 0;
-             }
-         } else {
--            stack[(*stackdepth)++] = *candidate;
-+            stackpush(stack, *candidate, stackdepth);
-         }
-     } else if (candidate->valuetype != ESI_EXPR_INVALID)
--        stack[(*stackdepth)++] = *candidate;
-+        stackpush(stack, *candidate, stackdepth);
- 
-     return 1;
- }
-@@ -979,7 +999,7 @@ addmember(stackmember * stack, int *stackdepth, stackmember * candidate)
- int
- ESIExpression::Evaluate(char const *s)
- {
--    stackmember stack[20];
-+    stackmember stack[ESI_STACK_DEPTH_LIMIT];
-     int stackdepth = 0;
-     char const *end;
-     PROF_start(esiExpressionEval);

SOURCES/squid-4.4.0-CVE-2019-12525.patch

@@ -1,30 +0,0 @@
-commit 409956536647b3a05ee1e367424a24ae6b8f13fd
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   2019-06-08 21:09:23 +0000
-
-    Fix Digest auth parameter parsing (#415)
-    
-    Only remove quoting if the domain=, uri= or qop= parameter
-    value is surrounded by double-quotes.
-
-diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
-index a8a07cd..b547bf8 100644
---- a/src/auth/digest/Config.cc
-+++ b/src/auth/digest/Config.cc
-@@ -787,14 +787,14 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
-             if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
-                 // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
-                 // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
--                if (*p == '"' && *(p + vlen -1) == '"') {
-+                if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
-                     value.limitInit(p+1, vlen-2);
-                 }
-             } else if (keyName == SBuf("qop",3)) {
-                 // qop is more special.
-                 // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
-                 // On response this is a single un-quoted token.
--                if (*p == '"' && *(p + vlen -1) == '"') {
-+                if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
-                     value.limitInit(p+1, vlen-2);
-                 } else {
-                     value.limitInit(p, vlen);

SOURCES/squid-4.4.0-CVE-2019-12527.patch

@@ -1,139 +0,0 @@
-commit 7f73e9c5d17664b882ed32590e6af310c247f320
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   2019-06-19 05:58:36 +0000
-
-    Update HttpHeader::getAuth to SBuf (#416)
-    
-    Replace the fixed-size buffer for decoding base64 tokens with an
-    SBuf to avoid decoder issues on large inputs.
-    
-    Update callers to SBuf API operations for more efficient memory
-    management.
-
-diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
-index 1e2b650..284a057 100644
---- a/src/HttpHeader.cc
-+++ b/src/HttpHeader.cc
-@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
-     return cr;
- }
- 
--const char *
--HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
-+SBuf
-+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
- {
-     const char *field;
-     int l;
-     assert(auth_scheme);
-     field = getStr(id);
- 
-+    static const SBuf nil;
-     if (!field)         /* no authorization field */
--        return NULL;
-+        return nil;
- 
-     l = strlen(auth_scheme);
- 
-     if (!l || strncasecmp(field, auth_scheme, l))   /* wrong scheme */
--        return NULL;
-+        return nil;
- 
-     field += l;
- 
-     if (!xisspace(*field))  /* wrong scheme */
--        return NULL;
-+        return nil;
- 
-     /* skip white space */
-     for (; field && xisspace(*field); ++field);
- 
-     if (!*field)        /* no authorization cookie */
--        return NULL;
-+        return nil;
- 
--    static char decodedAuthToken[8192];
-+    const auto fieldLen = strlen(field);
-+    SBuf result;
-+    char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
-     struct base64_decode_ctx ctx;
-     base64_decode_init(&ctx);
-     size_t decodedLen = 0;
--    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field) ||
-+    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
-             !base64_decode_final(&ctx)) {
--        return NULL;
-+        return nil;
-     }
--    decodedAuthToken[decodedLen] = '\0';
--    return decodedAuthToken;
-+    result.rawAppendFinish(decodedAuthToken, decodedLen);
-+    return result;
- }
- 
- ETag
-diff --git a/src/HttpHeader.h b/src/HttpHeader.h
-index a26b127..3b262be 100644
---- a/src/HttpHeader.h
-+++ b/src/HttpHeader.h
-@@ -134,7 +134,7 @@ public:
-     HttpHdrRange *getRange() const;
-     HttpHdrSc *getSc() const;
-     HttpHdrContRange *getContRange() const;
--    const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
-+    SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
-     ETag getETag(Http::HdrType id) const;
-     TimeOrTag getTimeOrTag(Http::HdrType id) const;
-     int hasListMember(Http::HdrType id, const char *member, const char separator) const;
-diff --git a/src/cache_manager.cc b/src/cache_manager.cc
-index da22f7a..2fae767 100644
---- a/src/cache_manager.cc
-+++ b/src/cache_manager.cc
-@@ -27,6 +27,7 @@
- #include "mgr/FunAction.h"
- #include "mgr/QueryParams.h"
- #include "protos.h"
-+#include "sbuf/StringConvert.h"
- #include "SquidConfig.h"
- #include "SquidTime.h"
- #include "Store.h"
-@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams &param
-     // TODO: use the authentication system decode to retrieve these details properly.
- 
-     /* base 64 _decoded_ user:passwd pair */
--    const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
-+    const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
- 
--    if (!basic_cookie)
-+    if (basic_cookie.isEmpty())
-         return;
- 
--    const char *passwd_del;
--    if (!(passwd_del = strchr(basic_cookie, ':'))) {
-+    const auto colonPos = basic_cookie.find(':');
-+    if (colonPos == SBuf::npos) {
-         debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
-         return;
-     }
- 
-     /* found user:password pair, reset old values */
--    params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
--    params.password = passwd_del + 1;
-+    params.userName = SBufToString(basic_cookie.substr(0, colonPos));
-+    params.password = SBufToString(basic_cookie.substr(colonPos+1));
- 
-     /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
-     debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
-diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
-index b958b14..7ca5d24 100644
---- a/src/clients/FtpGateway.cc
-+++ b/src/clients/FtpGateway.cc
-@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
- 
- #if HAVE_AUTH_MODULE_BASIC
-     /* Check HTTP Authorization: headers (better than defaults, but less than URL) */
--    const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
-+    const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
-     if (!auth.isEmpty()) {
-         flags.authenticated = 1;
-         loginParser(auth, false);

SOURCES/squid-4.4.0-CVE-2019-13345.patch

@@ -1,64 +0,0 @@
-diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc
-index 0c745c2..8a67eba 100644
---- a/tools/cachemgr.cc
-+++ b/tools/cachemgr.cc
-@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name)
- 
-     printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
- 
--    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
-+    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
- 
-     printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
- 
-@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const char *action)
-              script_name,
-              req->hostname,
-              req->port,
--             safe_str(req->user_name),
-+             rfc1738_escape(safe_str(req->user_name)),
-              action,
-              safe_str(req->pub_auth));
-     return url;
-@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
-     const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
-                                 req->hostname,
-                                 (int) now,
--                                req->user_name ? req->user_name : "",
--                                req->passwd);
-+                                rfc1738_escape(safe_str(req->user_name)),
-+                                rfc1738_escape(req->passwd));
-     debug("cmgr: pre-encoded for pub: %s\n", buf);
- 
-     const int encodedLen = base64_encode_len(bufLen);
-@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req)
-     char *buf;
-     const char *host_name;
-     const char *time_str;
--    const char *user_name;
--    const char *passwd;
- 
-     debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
-     safe_free(req->passwd);
-@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
- 
-     debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
- 
-+    char *user_name;
-     if ((user_name = strtok(NULL, "|")) == NULL) {
-         xfree(buf);
-         return;
-     }
-+    rfc1738_unescape(user_name);
- 
-     debug("cmgr: decoded uname: '%s'\n", user_name);
- 
-+    char *passwd;
-     if ((passwd = strtok(NULL, "|")) == NULL) {
-         xfree(buf);
-         return;
-     }
-+    rfc1738_unescape(passwd);
- 
-     debug("cmgr: decoded passwd: '%s'\n", passwd);
- 

SOURCES/squid-4.4.0-CVE-2020-11945.patch

@@ -1,50 +0,0 @@
-diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
-index 45e46c0..433335a 100644
---- a/src/auth/digest/Config.cc
-+++ b/src/auth/digest/Config.cc
-@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
- static void authenticateDigestNonceSetup(void);
- static void authDigestNonceEncode(digest_nonce_h * nonce);
- static void authDigestNonceLink(digest_nonce_h * nonce);
--#if NOT_USED
--static int authDigestNonceLinks(digest_nonce_h * nonce);
--#endif
- static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
- 
- static void
-@@ -287,21 +284,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
- {
-     assert(nonce != NULL);
-     ++nonce->references;
-+    assert(nonce->references != 0); // no overflows
-     debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
- }
- 
--#if NOT_USED
--static int
--authDigestNonceLinks(digest_nonce_h * nonce)
--{
--    if (!nonce)
--        return -1;
--
--    return nonce->references;
--}
--
--#endif
--
- void
- authDigestNonceUnlink(digest_nonce_h * nonce)
- {
-diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
-index b79ff30..2840865 100644
---- a/src/auth/digest/Config.h
-+++ b/src/auth/digest/Config.h
-@@ -44,7 +44,7 @@ struct _digest_nonce_h : public hash_link {
-     /* number of uses we've seen of this nonce */
-     unsigned long nc;
-     /* reference count */
--    short references;
-+    uint64_t references;
-     /* the auth_user this nonce has been tied to */
-     Auth::Digest::User *user;
-     /* has this nonce been invalidated ? */

SOURCES/squid-4.4.0-lower-cachepeer.patch

@@ -1,12 +0,0 @@
-diff --git a/src/cache_cf.cc b/src/cache_cf.cc
-index 9165ef99c..32a3df322 100644
---- a/src/cache_cf.cc
-+++ b/src/cache_cf.cc
-@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head)
- 
-     CachePeer *p = new CachePeer;
-     p->host = xstrdup(host_str);
-+    Tolower(p->host);
-     p->name = xstrdup(host_str);
-     p->type = parseNeighborType(token);
- 

SOURCES/squid-4.4.0-man-pages.patch

@@ -1,26 +0,0 @@
-diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
-index 3053180..1d295fb 100644
---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8
-+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
-@@ -135,7 +135,7 @@
- .if n .ad l
- .nh
- .SH "NAME"
--url_lfs_rewrite
-+\& url_lfs_rewrite \- a URL-rewriter based on local file existence
- .SH "SYNOPSIS"
- .IX Header "SYNOPSIS"
- .Vb 1
-diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
-index a7168e0..da7055c 100755
---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
-+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
-@@ -8,7 +8,7 @@ use Pod::Usage;
- 
- =head1 NAME
- 
--B<url_lfs_rewrite>
-+B<url_lfs_rewrite> - a URL-rewriter based on local file existence
- 
- =head1 SYNOPSIS
- 

SOURCES/squid-4.4.tar.xz.asc

@@ -1,25 +0,0 @@
-File: squid-4.4.tar.xz
-Date: Sat Oct 27 21:20:24 UTC 2018
-Size: 2436468
-MD5 : 892504ca9700e1f139a53f84098613bd
-SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa
-Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
-            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx
-fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo
-9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1
-J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t
-fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3
-UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD
-Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST
-1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX
-KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y
-VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1
-eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN
-eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME=
-=1eSQ
------END PGP SIGNATURE-----

SOURCES/squid.service

@@ -4,14 +4,15 @@ Documentation=man:squid(8)
 After=network.target network-online.target nss-lookup.target
 
 [Service]
-Type=forking
+Type=notify
 LimitNOFILE=16384
+PIDFile=/run/squid.pid
 EnvironmentFile=/etc/sysconfig/squid
 ExecStartPre=/usr/libexec/squid/cache_swap.sh
-ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
-ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
-ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
-TimeoutSec=0
+ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
+ExecReload=/usr/bin/kill -HUP $MAINPID
+KillMode=mixed
+NotifyAccess=all
 
 [Install]
 WantedBy=multi-user.target

SPECS/squid.spec

@@ -1,8 +1,8 @@
 %define __perl_requires %{SOURCE98}
 
 Name:     squid
-Version:  4.4
-Release:  8%{?dist}.1
+Version:  4.15
+Release:  10%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -22,33 +22,54 @@ Source98: perl-requires-squid.sh
 # Upstream patches
 
 # Backported patches
+Patch101: squid-4.15-ip-bind-address-no-port.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2072988
 
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
 # will break upstream ones.
-Patch201: squid-4.0.11-config.patch
-Patch202: squid-3.1.0.9-location.patch
-Patch203: squid-3.0.STABLE1-perlpath.patch
-Patch204: squid-3.5.9-include-guards.patch
-Patch205: squid-4.0.21-large-acl.patch
+Patch201: squid-4.11-config.patch
+Patch202: squid-4.11-location.patch
+Patch203: squid-4.11-perlpath.patch
+Patch204: squid-4.11-include-guards.patch
+Patch205: squid-4.11-large-acl.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=980511
-Patch206: squid-4.4.0-active-ftp.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1612524
-Patch207: squid-4.4.0-man-pages.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1691741
-Patch208: squid-4.4.0-lower-cachepeer.patch
+Patch206: squid-4.11-active-ftp.patch
+Patch208: squid-4.11-convert-ipv4.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2006121
+Patch209: squid-4.15-ftp-filename-extraction.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2076717
+Patch210: squid-4.15-halfclosed.patch
 
 # Security fixes
-# https://bugzilla.redhat.com/show_bug.cgi?id=1729436
-Patch500: squid-4.4.0-CVE-2019-13345.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1738485
-Patch501: squid-4.4.0-CVE-2019-12527.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1828368
-Patch502: squid-4.4.0-CVE-2019-12519.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1828367
-Patch503: squid-4.4.0-CVE-2020-11945.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1829402
-Patch504: squid-4.4.0-CVE-2019-12525.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
+Patch300: squid-4.15-CVE-2021-28116.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
+Patch301: squid-4.15-CVE-2021-46784.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
+Patch302: squid-4.15-CVE-2022-41318.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2245910
+# +backported: https://github.com/squid-cache/squid/commit/417da4006cf5c97d44e74431b816fc58fec9e270
+Patch303: squid-4.15-CVE-2023-46846.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2245916
+Patch304: squid-4.15-CVE-2023-46847.patch
+# https://issues.redhat.com/browse/RHEL-14792
+Patch305: squid-4.15-CVE-2023-5824.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2248521
+Patch306: squid-4.15-CVE-2023-46728.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2247567
+Patch307: squid-4.15-CVE-2023-46724.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2252926
+Patch308: squid-4.15-CVE-2023-49285.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2252923
+Patch309: squid-4.15-CVE-2023-49286.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2254663
+Patch310: squid-4.15-CVE-2023-50269.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2264309
+Patch311: squid-4.15-CVE-2024-25617.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2268366
+Patch312: squid-4.15-CVE-2024-25111.patch
+
 
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@@ -78,6 +99,8 @@ BuildRequires: perl-generators
 # For test suite
 BuildRequires: pkgconfig(cppunit)
 BuildRequires: autoconf
+# systemd notify
+BuildRequires: systemd-devel
 
 %description
 Squid is a high-performance proxy caching server for Web clients,
@@ -97,22 +120,34 @@ lookup program (dnsserver), a program for retrieving FTP data
 # Upstream patches
 
 # Backported patches
+%patch101 -p1 -b .ip-bind-address-no-port
 
 # Local patches
 %patch201 -p1 -b .config
 %patch202 -p1 -b .location
 %patch203 -p1 -b .perlpath
-%patch204 -p0 -b .include-guards
+%patch204 -p1 -b .include-guards
 %patch205 -p1 -b .large_acl
 %patch206 -p1 -b .active-ftp
-%patch207 -p1 -b .man-pages
-%patch208 -p1 -b .lower-cachepeer
+%patch208 -p1 -b .convert-ipv4
+%patch209 -p1 -b .ftp-fn-extraction
+%patch210 -p1 -b .halfclosed
+
+# Security patches
+%patch300 -p1 -b .CVE-2021-28116
+%patch301 -p1 -b .CVE-2021-46784
+%patch302 -p1 -b .CVE-2022-41318
+%patch303 -p1 -b .CVE-2023-46846
+%patch304 -p1 -b .CVE-2023-46847
+%patch305 -p1 -b .CVE-2023-5824
+%patch306 -p1 -b .CVE-2023-46728
+%patch307 -p1 -b .CVE-2023-46724
+%patch308 -p1 -b .CVE-2023-49285
+%patch309 -p1 -b .CVE-2023-49286
+%patch310 -p1 -b .CVE-2023-50269
+%patch311 -p1 -b .CVE-2024-25617
+%patch312 -p1 -b .CVE-2024-25111
 
-%patch500 -p1 -b .CVE-2019-13345
-%patch501 -p1 -b .CVE-2019-12527
-%patch502 -p1 -b .CVE-2019-12519
-%patch503 -p1 -b .CVE-2020-11945
-%patch504 -p1 -b .CVE-2019-12525
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -329,13 +364,121 @@ fi
 
 
 %changelog
-* Wed Apr 29 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8.1
-- Resolves: #1828368 - CVE-2019-12519 squid: improper check for new member in
-  ESIExpression::Evaluate allows for stack buffer overflow
-- Resolves: #1828367 - CVE-2020-11945 squid: improper access restriction upon
-  Digest Authentication nonce replay could lead to remote code execution
-- Resolves: #1829402 - CVE-2019-12525 squid:4/squid: parsing of header
+* Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10
+- Resolves: RHEL-28529 - squid:4/squid: Denial of Service in HTTP Chunked
+  Decoding (CVE-2024-25111)
+- Resolves: RHEL-26088 - squid:4/squid: denial of service in HTTP header
+  parser (CVE-2024-25617)
+
+* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
+- Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request 
+  parsing (CVE-2023-50269)
+
+* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
+- Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
+  processing feature (CVE-2023-49285)
+- Resolves: RHEL-18342 - squid:4/squid: Incorrect Check of Function Return
+  Value In Helper Process management (CVE-2023-49286)
+- Resolves: RHEL-18230 - squid:4/squid: Denial of Service in SSL Certificate
+  validation (CVE-2023-46724)
+- Resolves: RHEL-15911 - squid:4/squid: NULL pointer dereference in the gopher
+  protocol code (CVE-2023-46728)
+- Resolves: RHEL-18251 - squid crashes in assertion when a parent peer exists
+- Resolves: RHEL-14794 - squid: squid multiple issues in HTTP response caching
+  (CVE-2023-5824)
+- Resolves: RHEL-14803 - squid: squid: Denial of Service in HTTP Digest
+  Authentication (CVE-2023-46847)
+- Resolves: RHEL-14777 - squid: squid: Request/Response smuggling in HTTP/1.1
+  and ICAP (CVE-2023-46846)
+
+* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7
+- Resolves: #2076717 - Crash with half_closed_client on
+
+* Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
+- Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
+  flag to sockets created for outgoing connections in the squid source code.
+
+* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-5
+- Resolves: #2130260 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
+  authentication
+
+* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-4
+- Resolves: #2100783 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
+  server responses
+
+* Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3
+- Resolves: #1941506 - CVE-2021-28116 squid:4/squid: out-of-bounds read in WCCP
+  protocol data may lead to information disclosure
+
+* Tue Jan 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-2
+- Resolves: #2006121 - SQUID shortens FTP Link wrong that contains a semi-colon
+  and as a result is not able to download zip file.CODE 404 TO CLIENT)
+
+* Fri Jun 18 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-1
+- new version 4.15
+- Resolves: #1964384 - squid:4 rebase to 4.15
+
+* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-5
+- Resolves: #1944261 - CVE-2020-25097 squid:4/squid: improper input validation
+  may allow a trusted client to perform HTTP Request Smuggling
+
+* Mon Oct 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-4
+- Resolves: #1890606 - Fix for CVE 2019-13345 breaks authentication in
+  cachemgr.cgi
+
+* Wed Aug 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-3
+- Resolves: #1871705 - CVE-2020-24606 squid: Improper Input Validation could
+  result in a DoS
+- Resolves: #1871702 - CVE-2020-15811 squid: HTTP Request Splitting could result
+  in cache poisoning
+- Resolves: #1871700 - CVE-2020-15810 squid: HTTP Request Smuggling could result
+  in cache poisoning
+
+* Thu Jul 02 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-2
+- Resolves: #1853130 - CVE-2020-15049 squid:4/squid: request smuggling and
+  poisoning attack against the HTTP cache
+- Resolves: #1853136 - CVE-2020-14058 squid:4/squid: DoS in TLS handshake
+
+* Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
+- new version 4.11
+- libsystemd integration
+- Resolves: #1829467 - squid:4 rebase
+- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in
+  addStackElement allows for a heap buffer overflow and a crash
+- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation
+  in request allows for proxy manipulation
+- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction
+  in url_regex may lead to security bypass
+- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host
+  parameter to cachemgr.cgi which could result in squid behaving in unsecure way
+- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation
+  issues in HTTP Request processing
+- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid
+  acting as reverse-proxy
+- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure
+  issue in FTP Gateway
+- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting
+  issue in HTTP message processing
+- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure
+  issue in HTTP Digest Authentication
+- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery
+  issue in HTTP Request processing
+- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation
+  in URI processor
+- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI
+  processor
+- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN
+  processing
+- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization
+  header causes DoS
+
+* Tue Apr 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-9
+- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header
   Proxy-Authentication leads to memory corruption
+- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon
+  Digest Authentication nonce replay could lead to remote code execution
+- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in
+  ESIExpression::Evaluate allows for stack buffer overflow
 
 * Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8
 - Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow