diff --git a/SOURCES/squid-3.3.8-fd-leaks.patch b/SOURCES/squid-3.3.8-fd-leaks.patch
new file mode 100644
index 0000000..dc28954
--- /dev/null
+++ b/SOURCES/squid-3.3.8-fd-leaks.patch
@@ -0,0 +1,92 @@
+diff -Naurp squid-3.3.8.orig/src/ipc/TypedMsgHdr.cc squid-3.3.8/src/ipc/TypedMsgHdr.cc
+--- squid-3.3.8.orig/src/ipc/TypedMsgHdr.cc 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/ipc/TypedMsgHdr.cc 2015-04-20 14:28:32.971000390 +0200
+@@ -167,10 +167,20 @@ Ipc::TypedMsgHdr::putRaw(const void *raw
+ }
+ }
+
++bool
++Ipc::TypedMsgHdr::hasFd() const
++{
++ struct cmsghdr *cmsg = CMSG_FIRSTHDR(this);
++ return cmsg &&
++ cmsg->cmsg_level == SOL_SOCKET &&
++ cmsg->cmsg_type == SCM_RIGHTS;
++}
++
+ void
+ Ipc::TypedMsgHdr::putFd(int fd)
+ {
+ Must(fd >= 0);
++ Must(!hasFd());
+ allocControl();
+
+ const int fdCount = 1;
+@@ -183,12 +193,15 @@ Ipc::TypedMsgHdr::putFd(int fd)
+ int *fdStore = reinterpret_cast<int*>(CMSG_DATA(cmsg));
+ memcpy(fdStore, &fd, fdCount * sizeof(int));
+ msg_controllen = cmsg->cmsg_len;
++
++ Must(hasFd());
+ }
+
+ int
+ Ipc::TypedMsgHdr::getFd() const
+ {
+ Must(msg_control && msg_controllen);
++ Must(hasFd());
+
+ struct cmsghdr *cmsg = CMSG_FIRSTHDR(this);
+ Must(cmsg->cmsg_level == SOL_SOCKET);
+diff -Naurp squid-3.3.8.orig/src/ipc/TypedMsgHdr.h squid-3.3.8/src/ipc/TypedMsgHdr.h
+--- squid-3.3.8.orig/src/ipc/TypedMsgHdr.h 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/ipc/TypedMsgHdr.h 2015-04-20 14:12:57.509303004 +0200
+@@ -59,8 +59,8 @@ public:
+
+ /* access to a "file" descriptor that can be passed between processes */
+ void putFd(int aFd); ///< stores descriptor
+- int getFd() const; ///< returns descriptor
+-
++ int getFd() const; ///< returns stored descriptor
++ bool hasFd() const; ///< whether the message has a descriptor stored
+ /* raw, type-independent access for I/O */
+ void prepForReading(); ///< reset and provide all buffers
+ char *raw() { return reinterpret_cast<char*>(this); }
+diff -Naurp squid-3.3.8.orig/src/snmp/Inquirer.cc squid-3.3.8/src/snmp/Inquirer.cc
+--- squid-3.3.8.orig/src/snmp/Inquirer.cc 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/snmp/Inquirer.cc 2015-04-20 14:15:12.324970907 +0200
+@@ -28,6 +28,10 @@ Snmp::Inquirer::Inquirer(const Request&
+ closer = asyncCall(49, 5, "Snmp::Inquirer::noteCommClosed",
+ CommCbMemFunT<Inquirer, CommCloseCbParams>(this, &Inquirer::noteCommClosed));
+ comm_add_close_handler(conn->fd, closer);
++
++ // forget client FD to avoid sending it to strands that may forget to close
++ if (Request *snmpRequest = dynamic_cast<Request*>(request.getRaw()))
++ snmpRequest->fd = -1;
+ }
+
+ /// closes our copy of the client connection socket
+diff -Naurp squid-3.3.8.orig/src/snmp/Request.cc squid-3.3.8/src/snmp/Request.cc
+--- squid-3.3.8.orig/src/snmp/Request.cc 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/snmp/Request.cc 2015-04-20 14:21:16.676074181 +0200
+@@ -33,7 +33,8 @@ Snmp::Request::Request(const Ipc::TypedM
+ session.unpack(msg);
+ msg.getPod(address);
+
+- fd = msg.getFd();
++ // Requests from strands have FDs. Requests from Coordinator do not.
++ fd = msg.hasFd() ? msg.getFd() : -1;
+ }
+
+ void
+@@ -46,7 +47,9 @@ Snmp::Request::pack(Ipc::TypedMsgHdr& ms
+ session.pack(msg);
+ msg.putPod(address);
+
+- msg.putFd(fd);
++ // Requests sent to Coordinator have FDs. Requests sent to strands do not.
++ if (fd >= 0)
++ msg.putFd(fd);
+ }
+
+ Ipc::Request::Pointer
diff --git a/SOURCES/squid-3.3.8-incorrect-cert.patch b/SOURCES/squid-3.3.8-incorrect-cert.patch
new file mode 100644
index 0000000..76dfc9f
--- /dev/null
+++ b/SOURCES/squid-3.3.8-incorrect-cert.patch
@@ -0,0 +1,17 @@
+--- a/src/ssl/support.cc
++++ b/src/ssl/support.cc
+@@ -208,7 +208,13 @@ static int check_domain( void *check_data, ASN1_STRING *cn_data)
+ if (cn_data->length > (int)sizeof(cn) - 1) {
+ return 1; //if does not fit our buffer just ignore
+ }
+- memcpy(cn, cn_data->data, cn_data->length);
++ char *s = reinterpret_cast<char*>(cn_data->data);
++ char *d = cn;
++ for (int i = 0; i < cn_data->length; ++i, ++d, ++s){
++ if (*s == '\0')
++ return 1; // always a domain mismatch. contains 0x00
++ *d = *s;
++ }
+ cn[cn_data->length] = '\0';
+ debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
+ return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);
diff --git a/SOURCES/squid-3.3.8-incorrect-ssl.patch b/SOURCES/squid-3.3.8-incorrect-ssl.patch
new file mode 100644
index 0000000..0fe4463
--- /dev/null
+++ b/SOURCES/squid-3.3.8-incorrect-ssl.patch
@@ -0,0 +1,39 @@
+diff -Naurp squid-3.3.8.orig/src/client_side.cc squid-3.3.8/src/client_side.cc
+--- squid-3.3.8.orig/src/client_side.cc 2015-03-26 12:46:28.000000000 +0100
++++ squid-3.3.8/src/client_side.cc 2015-03-26 11:11:17.000000000 +0100
+@@ -3859,8 +3859,18 @@ ConnStateData::getSslContextDone(SSL_CTX
+ // Try to add generated ssl context to storage.
+ if (port->generateHostCertificates && isNew) {
+
+- if (signAlgorithm == Ssl::algSignTrusted)
++ if (signAlgorithm == Ssl::algSignTrusted) {
++ // Add signing certificate to the certificates chain
++ X509 *cert = port->signingCert.get();
++ if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
++ // increase the certificate lock
++ CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
++ } else {
++ const int ssl_error = ERR_get_error();
++ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
++ }
+ Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
++ }
+ //else it is self-signed or untrusted do not attrach any certificate
+
+ Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
+diff -Naurp squid-3.3.8.orig/src/ssl/support.cc squid-3.3.8/src/ssl/support.cc
+--- squid-3.3.8.orig/src/ssl/support.cc 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/ssl/support.cc 2015-03-26 12:44:15.104570937 +0100
+@@ -1488,11 +1488,7 @@ static X509 * readSslX509CertificatesCha
+ if (X509_check_issued(certificate, certificate) == X509_V_OK)
+ debugs(83, 5, "Certificate is self-signed, will not be chained");
+ else {
+- if (sk_X509_push(chain, certificate))
+- CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
+- else
+- debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
+- // and add to the chain any certificate loaded from the file
++ // and add to the chain any other certificate exist in the file
+ while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
+ if (!sk_X509_push(chain, ca))
+ debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
diff --git a/SOURCES/squid-3.3.8-le-looping.patch b/SOURCES/squid-3.3.8-le-looping.patch
new file mode 100644
index 0000000..c7eeb96
--- /dev/null
+++ b/SOURCES/squid-3.3.8-le-looping.patch
@@ -0,0 +1,12 @@
+=== modified file 'lib/base64.c'
+--- lib/base64.c 2015-01-13 09:13:49 +0000
++++ lib/base64.c 2015-09-21 11:43:00 +0000
+@@ -149,7 +149,7 @@
+ int char_count = 0;
+ int out_cnt = 0;
+
+- if (!data || !*data || !result || result_size < 1 || data_size < 1)
++ if (!data || !result || result_size < 1 || data_size < 1)
+ return 0;
+
+ if (!base64_initialized)
diff --git a/SOURCES/squid-3.3.8-segfault-reboot.patch b/SOURCES/squid-3.3.8-segfault-reboot.patch
new file mode 100644
index 0000000..8ca47bf
--- /dev/null
+++ b/SOURCES/squid-3.3.8-segfault-reboot.patch
@@ -0,0 +1,11 @@
+--- a/src/comm.cc
++++ b/src/comm.cc
+@@ -2001,7 +2001,7 @@ DeferredReadManager::popHead(CbDataListContainer<DeferredRead> &deferredReads)
+ // amount of time. We must re-validate that it is active and usable.
+
+ // If the connection has been closed already. Cancel this read.
+- if (!Comm::IsConnOpen(read.theRead.conn)) {
++ if (!fd_table || !Comm::IsConnOpen(read.theRead.conn)) {
+ if (read.closer != NULL) {
+ read.closer->cancel("Connection closed before.");
+ read.closer = NULL;
diff --git a/SOURCES/squid-3.3.8-vary-headers.patch b/SOURCES/squid-3.3.8-vary-headers.patch
new file mode 100644
index 0000000..fdada52
--- /dev/null
+++ b/SOURCES/squid-3.3.8-vary-headers.patch
@@ -0,0 +1,63 @@
+diff -Naurp squid-3.3.8.orig/src/client_side_reply.cc squid-3.3.8/src/client_side_reply.cc
+--- squid-3.3.8.orig/src/client_side_reply.cc 2015-04-22 13:38:31.000000000 +0200
++++ squid-3.3.8/src/client_side_reply.cc 2015-04-22 13:42:29.332950760 +0200
+@@ -506,6 +506,7 @@ clientReplyContext::cacheHit(StoreIOBuff
+
+ if (strcmp(e->mem_obj->url, urlCanonical(r)) != 0) {
+ debugs(33, DBG_IMPORTANT, "clientProcessHit: URL mismatch, '" << e->mem_obj->url << "' != '" << urlCanonical(r) << "'");
++ http->logType = LOG_TCP_MISS; // we lack a more precise LOG_*_MISS code
+ processMiss();
+ return;
+ }
+@@ -537,6 +538,7 @@ clientReplyContext::cacheHit(StoreIOBuff
+ case VARY_CANCEL:
+ /* varyEvaluateMatch found a object loop. Process as miss */
+ debugs(88, DBG_IMPORTANT, "clientProcessHit: Vary object loop!");
++ http->logType = LOG_TCP_MISS; // we lack a more precise LOG_*_MISS code
+ processMiss();
+ return;
+ }
+diff -Naurp squid-3.3.8.orig/src/MemStore.cc squid-3.3.8/src/MemStore.cc
+--- squid-3.3.8.orig/src/MemStore.cc 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/MemStore.cc 2015-04-22 13:25:35.879901955 +0200
+@@ -310,6 +310,12 @@ MemStore::considerKeeping(StoreEntry &e)
+ return;
+ }
+
++ if (e.mem_obj->vary_headers) {
++ // XXX: We must store/load SerialisedMetaData to cache Vary in RAM
++ debugs(20, 5, "Vary not yet supported: " << e.mem_obj->vary_headers);
++ return;
++ }
++
+ keep(e); // may still fail
+ }
+
+diff -Naurp squid-3.3.8.orig/src/store.cc squid-3.3.8/src/store.cc
+--- squid-3.3.8.orig/src/store.cc 2013-07-13 15:25:14.000000000 +0200
++++ squid-3.3.8/src/store.cc 2015-04-22 13:43:44.675657018 +0200
+@@ -761,7 +761,7 @@ StoreEntry::setPublicKey()
+ StoreEntry *pe = storeCreateEntry(mem_obj->url, mem_obj->log_url, request->flags, request->method);
+ /* We are allowed to do this typecast */
+ HttpReply *rep = new HttpReply;
+- rep->setHeaders(HTTP_OK, "Internal marker object", "x-squid-internal/vary", -1, -1, squid_curtime + 100000);
++ rep->setHeaders(HTTP_OK, "Internal marker object", "x-squid-internal/vary", 0, -1, squid_curtime + 100000);
+ vary = mem_obj->getReply()->header.getList(HDR_VARY);
+
+ if (vary.size()) {
+@@ -780,12 +780,13 @@ StoreEntry::setPublicKey()
+ }
+
+ #endif
+- pe->replaceHttpReply(rep);
+-
++ pe->replaceHttpReply(rep, false); // no write until key is public
+ pe->timestampsSet();
+
+ pe->makePublic();
+
++ pe->startWriting(); // after makePublic()
++
+ pe->complete();
+
+ pe->unlock();
diff --git a/SOURCES/squid.xml b/SOURCES/squid.xml
new file mode 100644
index 0000000..781e11c
--- /dev/null
+++ b/SOURCES/squid.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>Squid</short>
+ <description>Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.</description>
+ <port protocol="tcp" port="3128"/>
+</service>
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index cad4b2d..0b16931 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@
Name: squid
Version: 3.3.8
-Release: 12%{?dist}
+Release: 26%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -20,6 +20,7 @@ Source5: squid.pam
Source6: squid.nm
Source7: squid.service
Source8: cache_swap.sh
+Source9: squid.xml
Source98: perl-requires-squid.sh
## Source99: filter-requires-squid.sh
@@ -27,7 +28,7 @@ Source98: perl-requires-squid.sh
#Patch001: http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11480.patch
# Backported patches
-#Patch101: squid-3.2-mem_node.patch
+# Patch211: squid-3.3.8-incorrect-ssl.patch
# Local patches
# Applying upstream patches first makes it less likely that local patches
@@ -45,6 +46,12 @@ Patch208: squid-3.3.8-active-ftp-2.patch
# http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
Patch209: squid-3.3-12677.patch
Patch210: squid-3.3.13-dos.patch
+Patch211: squid-3.3.8-incorrect-ssl.patch
+Patch212: squid-3.3.8-fd-leaks.patch
+Patch213: squid-3.3.8-vary-headers.patch
+Patch214: squid-3.3.8-incorrect-cert.patch
+Patch215: squid-3.3.8-segfault-reboot.patch
+Patch216: squid-3.3.8-le-looping.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: bash >= 2.0
@@ -101,7 +108,7 @@ The squid-sysvinit contains SysV initscritps support.
%setup -q
# Upstream patches
-#patch001 -p0
+#%patch001 -p1 -b
# Backported patches
#patch101 -p1 -b .mem_node
@@ -117,6 +124,12 @@ The squid-sysvinit contains SysV initscritps support.
%patch208 -p1 -b .active-ftp-2
%patch209 -p0
%patch210 -p0
+%patch211 -p1 -b .incorrect-ssl
+%patch212 -p1 -b .fd-leaks
+%patch213 -p1 -b .vary-headers
+%patch214 -p1 -b .incorrect-cert
+%patch215 -p1 -b .segfault-reboot
+%patch216 -p0 -b .le-looping
%build
%ifarch sparcv9 sparc64 s390 s390x
@@ -132,7 +145,7 @@ LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now"
--disable-strict-error-checking \
--exec_prefix=/usr \
--libexecdir=%{_libdir}/squid \
- --localstatedir=/var \
+ --localstatedir=%{_var} \
--datadir=%{_datadir}/squid \
--sysconfdir=%{_sysconfdir}/squid \
--with-logdir='$(localstatedir)/log/squid' \
@@ -206,6 +219,8 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d
mkdir -p $RPM_BUILD_ROOT%{_unitdir}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/squid
+mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services
+
install -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/squid
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/squid
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/squid
@@ -214,12 +229,22 @@ install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_unitdir}
install -m 755 %{SOURCE8} $RPM_BUILD_ROOT%{_libexecdir}/squid
install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/squid.conf
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/NetworkManager/dispatcher.d/20-squid
-mkdir -p $RPM_BUILD_ROOT/var/log/squid
-mkdir -p $RPM_BUILD_ROOT/var/spool/squid
+install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_prefix}/lib/firewalld/services
+mkdir -p $RPM_BUILD_ROOT%{_var}/log/squid
+mkdir -p $RPM_BUILD_ROOT%{_var}/spool/squid
+mkdir -p $RPM_BUILD_ROOT%{_var}/run/squid
chmod 644 contrib/url-normalizer.pl contrib/rredir.* contrib/user-agents.pl
iconv -f ISO88591 -t UTF8 ChangeLog -o ChangeLog.tmp
mv -f ChangeLog.tmp ChangeLog
+# install /usr/lib/tmpfiles.d/squid.conf
+mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
+cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf <<EOF
+# See tmpfiles.d(5) for details
+
+d /run/squid 0755 squid squid - -
+EOF
+
# Move the MIB definition to the proper place (and name)
mkdir -p $RPM_BUILD_ROOT/usr/share/snmp/mibs
mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/SQUID-MIB.txt
@@ -244,8 +269,9 @@ rm -rf $RPM_BUILD_ROOT
%attr(755,root,root) %{_libexecdir}/squid/cache_swap.sh
%attr(755,root,root) %dir %{_sysconfdir}/squid
%attr(755,root,root) %dir %{_libdir}/squid
-%attr(750,squid,squid) %dir /var/log/squid
-%attr(750,squid,squid) %dir /var/spool/squid
+%attr(750,squid,squid) %dir %{_var}/log/squid
+%attr(750,squid,squid) %dir %{_var}/spool/squid
+%attr(755,squid,squid) %dir %{_var}/run/squid
%config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
%config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
@@ -254,6 +280,10 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) %{_sysconfdir}/squid/errorpage.css
%config(noreplace) %{_sysconfdir}/sysconfig/squid
%config(noreplace) %{_sysconfdir}/squid/msntauth.conf
+
+# squid firewalld service file
+%config(noreplace) %attr(644,root,root) %{_prefix}/lib/firewalld/services/squid.xml
+
# These are not noreplace because they are just sample config files
%config %{_sysconfdir}/squid/msntauth.conf.default
%config %{_sysconfdir}/squid/squid.conf.default
@@ -274,6 +304,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%{_libdir}/squid/*
%{_datadir}/snmp/mibs/SQUID-MIB.txt
+%{_tmpfilesdir}/squid.conf
%files sysvinit
%attr(755,root,root) %{_sysconfdir}/rc.d/init.d/squid
@@ -321,8 +352,61 @@ fi
/sbin/chkconfig --add squid >/dev/null 2>&1 || :
%changelog
+* Wed Oct 14 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-26
+- Related: #1186768 - removing patch, because of missing tests and
+ incorrent patch
+
+* Tue Oct 13 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-25
+- Related: #1102842 - squid rpm package misses /var/run/squid needed for
+ smp mode. Squid needs write access to /var/run/squid.
+
+* Fri Oct 09 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-24
+- Related: #1102842 - squid rpm package misses /var/run/squid needed for
+ smp mode. Creation of /var/run/squid was also needed to be in SPEC file.
+
+* Tue Oct 06 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-23
+- Related: #1102842 - squid rpm package misses /var/run/squid needed for
+ smp mode. Creation of this directory was moved to tmpfiles.d conf file.
+
+* Fri Oct 02 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-22
+- Related: #1102842 - squid rpm package misses /var/run/squid needed for
+ smp mode. Creation of this directory was moved to service file.
+
+* Tue Sep 22 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-21
+- Resolves: #1263338 - squid with digest auth on big endian systems
+ start looping
+
+* Mon Aug 10 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-20
+- Resolves: #1186768 - security issue: Nonce replay vulnerability
+ in Digest authentication
+
+* Tue Jul 14 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-19
+- Resolves: #1225640 - squid crashes by segfault when it reboots
+
+* Thu Jun 25 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-18
+- Resolves: #1102842 - squid rpm package misses /var/run/squid needed for
+ smp mode
+
+* Wed Jun 24 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-17
+- Resolves: #1233265 - CVE-2015-3455 squid: incorrect X509 server
+ certificate validation
+
+* Fri Jun 19 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-16
+- Resolves: #1080042 - Supply a firewalld service file with squid
+
+* Wed Jun 17 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-15
+- Resolves: #1161600 - Squid does not serve cached responses
+ with Vary headers
+
+* Wed Jun 17 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-14
+- Resolves: #1198778 - Filedescriptor leaks on snmp
+
+* Wed Jun 17 2015 Luboš Uhliarik <luhliari@redhat.com> - 7:3.3.8-13
+- Resolves: #1204375 - squid sends incorrect ssl chain breaking newer gnutls
+ using applications
+
* Fri Aug 29 2014 Michal Luscon <mluscon@redhat.com> - 7:3.3.8-12
-- Resolves: #1134933 - CVE-2014-3609 assertion failure in header processing
+- Resolves: #1134934 - CVE-2014-3609 assertion failure in header processing
* Mon Mar 17 2014 Pavel Šimerda <psimerda@redhat.com> - 7:3.3.8-11
- Resolves: #1074873 - CVE-2014-0128 squid: denial of service when using