diff --git a/.gitignore b/.gitignore
index aa9cebb..da80573 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/squid-4.4.tar.xz
+SOURCES/squid-4.11.tar.xz
diff --git a/.squid.metadata b/.squid.metadata
index 70ddf1b..94d7ed2 100644
--- a/.squid.metadata
+++ b/.squid.metadata
@@ -1 +1 @@
-0ab6b133f65866d825bf72cbbe8cef209768b2fa SOURCES/squid-4.4.tar.xz
+053277bf5497163ffc9261b9807abda5959bb6fc SOURCES/squid-4.11.tar.xz
diff --git a/SOURCES/squid-3.0.STABLE1-perlpath.patch b/SOURCES/squid-3.0.STABLE1-perlpath.patch
deleted file mode 100644
index 052b8d7..0000000
--- a/SOURCES/squid-3.0.STABLE1-perlpath.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
-index 90ac6a4..8dbed90 100755
---- a/contrib/url-normalizer.pl
-+++ b/contrib/url-normalizer.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -Tw
-+#!/usr/bin/perl -Tw
- #
- # * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
- # *
diff --git a/SOURCES/squid-3.1.0.9-location.patch b/SOURCES/squid-3.1.0.9-location.patch
deleted file mode 100644
index 4abd519..0000000
--- a/SOURCES/squid-3.1.0.9-location.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up squid-3.1.0.9/QUICKSTART.location squid-3.1.0.9/QUICKSTART
---- squid-3.1.0.9/QUICKSTART.location	2009-06-26 12:35:27.000000000 +0200
-+++ squid-3.1.0.9/QUICKSTART	2009-07-17 14:03:10.000000000 +0200
-@@ -10,10 +10,9 @@ After you retrieved, compiled and instal
- INSTALL in the same directory), you have to configure the squid.conf
- file. This is the list of the values you *need* to change, because no
- sensible defaults could be defined. Do not touch the other variables
--for now.  We assume you have installed Squid in the default location:
--/usr/local/squid
-+for now.
- 
--Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
-+Uncomment and edit the following lines in /etc/squid/squid.conf:
- 
- ==============================================================================
- 
-@@ -82,12 +81,12 @@ After editing squid.conf to your liking,
- line TWICE:
- 
- To create any disk cache_dir configured:
--    % /usr/local/squid/sbin/squid -z
-+    % /usr/sbin/squid -z
- 
- To start squid:
--    % /usr/local/squid/sbin/squid 
-+    % /usr/sbin/squid 
- 
--Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
-+Check in the cache.log (/var/log/squid/cache.log) that
- everything is all right.
- 
- Once Squid created all its files (it can take several minutes on some
diff --git a/SOURCES/squid-3.5.9-include-guards.patch b/SOURCES/squid-3.5.9-include-guards.patch
deleted file mode 100644
index e2d4ff9..0000000
--- a/SOURCES/squid-3.5.9-include-guards.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-------------------------------------------------------------
-revno: 14311
-revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
-------------------------------------------------------------
-revno: 14311
-revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
-fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
-author: Francesco Chemolli <kinkie@squid-cache.org>
-committer: Amos Jeffries <squid3@treenet.co.nz>
-branch nick: trunk
-timestamp: Thu 2015-09-24 06:05:37 -0700
-message:
-  Bug 4323: Netfilter broken cross-includes with Linux 4.2
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
-# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
-# timestamp: 2015-09-24 13:06:33 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
-# base_revision_id: squid3@treenet.co.nz-20150924032241-\
-#   6cx3g6hwz9xfoybr
-# 
-# Begin patch
-=== modified file 'compat/os/linux.h'
---- compat/os/linux.h	2015-01-13 07:25:36 +0000
-+++ compat/os/linux.h	2015-09-24 13:05:37 +0000
-@@ -30,6 +30,21 @@
- #endif
- 
- /*
-+ * Netfilter header madness. (see Bug 4323)
-+ *
-+ * Netfilter have a history of defining their own versions of network protocol
-+ * primitives without sufficient protection against the POSIX defines which are
-+ * aways present in Linux.
-+ *
-+ * netinet/in.h must be included before any other sys header in order to properly
-+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
-+ * to workaround it.
-+ */
-+#if HAVE_NETINET_IN_H
-+#include <netinet/in.h>
-+#endif
-+
-+/*
-  * sys/capability.h is only needed in Linux apparently.
-  *
-  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
-fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
-author: Francesco Chemolli <kinkie@squid-cache.org>
-committer: Amos Jeffries <squid3@treenet.co.nz>
-branch nick: trunk
-timestamp: Thu 2015-09-24 06:05:37 -0700
-message:
-  Bug 4323: Netfilter broken cross-includes with Linux 4.2
-------------------------------------------------------------
-# Bazaar merge directive format 2 (Bazaar 0.90)
-# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
-# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
-# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
-# timestamp: 2015-09-24 13:06:33 +0000
-# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
-# base_revision_id: squid3@treenet.co.nz-20150924032241-\
-#   6cx3g6hwz9xfoybr
-# 
-# Begin patch
-=== modified file 'compat/os/linux.h'
---- compat/os/linux.h	2015-01-13 07:25:36 +0000
-+++ compat/os/linux.h	2015-09-24 13:05:37 +0000
-@@ -30,6 +30,21 @@
- #endif
- 
- /*
-+ * Netfilter header madness. (see Bug 4323)
-+ *
-+ * Netfilter have a history of defining their own versions of network protocol
-+ * primitives without sufficient protection against the POSIX defines which are
-+ * aways present in Linux.
-+ *
-+ * netinet/in.h must be included before any other sys header in order to properly
-+ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
-+ * to workaround it.
-+ */
-+#if HAVE_NETINET_IN_H
-+#include <netinet/in.h>
-+#endif
-+
-+/*
-  * sys/capability.h is only needed in Linux apparently.
-  *
-  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
-
diff --git a/SOURCES/squid-4.0.11-config.patch b/SOURCES/squid-4.0.11-config.patch
deleted file mode 100644
index a4faae8..0000000
--- a/SOURCES/squid-4.0.11-config.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
---- squid-4.0.11/src/cf.data.pre.config	2016-06-09 22:32:57.000000000 +0200
-+++ squid-4.0.11/src/cf.data.pre	2016-07-11 21:08:35.090976840 +0200
-@@ -4658,7 +4658,7 @@ DOC_END
- 
- NAME: logfile_rotate
- TYPE: int
--DEFAULT: 10
-+DEFAULT: 0
- LOC: Config.Log.rotateNumber
- DOC_START
- 	Specifies the default number of logfile rotations to make when you
-@@ -6444,11 +6444,11 @@ COMMENT_END
- 
- NAME: cache_mgr
- TYPE: string
--DEFAULT: webmaster
-+DEFAULT: root
- LOC: Config.adminEmail
- DOC_START
- 	Email-address of local cache manager who will receive
--	mail if the cache dies.  The default is "webmaster".
-+	mail if the cache dies.  The default is "root".
- DOC_END
- 
- NAME: mail_from
diff --git a/SOURCES/squid-4.0.21-large-acl.patch b/SOURCES/squid-4.0.21-large-acl.patch
deleted file mode 100644
index 8aacf38..0000000
--- a/SOURCES/squid-4.0.21-large-acl.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
-index 01a4c12..b5c1679 100644
---- a/src/acl/RegexData.cc
-+++ b/src/acl/RegexData.cc
-@@ -22,6 +22,7 @@
- #include "ConfigParser.h"
- #include "Debug.h"
- #include "sbuf/List.h"
-+#include "sbuf/Algorithms.h"
- 
- ACLRegexData::~ACLRegexData()
- {
-@@ -129,6 +130,18 @@ compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
-     return true;
- }
- 
-+static bool
-+compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
-+{
-+	if (RE.empty())
-+		return curlist.empty(); // XXX: old code did this. It looks wrong.
-+	SBuf regexp;
-+	static const SBuf openparen("("), closeparen(")"), separator(")|(");
-+	JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
-+			closeparen);
-+	return compileRE(curlist, regexp.c_str(), flags);
-+}
-+
- /** Compose and compile one large RE from a set of (small) REs.
-  * The ultimate goal is to have only one RE per ACL so that match() is
-  * called only once per ACL.
-@@ -137,16 +150,11 @@ static int
- compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
- {
-     std::list<RegexPattern> newlist;
--    int numREs = 0;
-+    SBufList accumulatedRE;
-+    int numREs = 0, reSize = 0;
-     int flags = REG_EXTENDED | REG_NOSUB;
--    int largeREindex = 0;
--    char largeRE[BUFSIZ];
--    *largeRE = 0;
- 
-     for (const SBuf & configurationLineWord : sl) {
--        int RElen;
--        RElen = configurationLineWord.length();
--
-         static const SBuf minus_i("-i");
-         static const SBuf plus_i("+i");
-         if (configurationLineWord == minus_i) {
-@@ -155,10 +163,11 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
-                 debugs(28, 2, "optimisation of -i ... -i" );
-             } else {
-                 debugs(28, 2, "-i" );
--                if (!compileRE(newlist, largeRE, flags))
-+                if (!compileRE(newlist, accumulatedRE, flags))
-                     return 0;
-                 flags |= REG_ICASE;
--                largeRE[largeREindex=0] = '\0';
-+                accumulatedRE.clear();
-+                reSize = 0;
-             }
-         } else if (configurationLineWord == plus_i) {
-             if ((flags & REG_ICASE) == 0) {
-@@ -166,37 +175,34 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
-                 debugs(28, 2, "optimisation of +i ... +i");
-             } else {
-                 debugs(28, 2, "+i");
--                if (!compileRE(newlist, largeRE, flags))
-+                if (!compileRE(newlist, accumulatedRE, flags))
-                     return 0;
-                 flags &= ~REG_ICASE;
--                largeRE[largeREindex=0] = '\0';
-+                accumulatedRE.clear();
-+                reSize = 0;
-             }
--        } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
-+        } else if (reSize < 1024) {
-             debugs(28, 2, "adding RE '" << configurationLineWord << "'");
--            if (largeREindex > 0) {
--                largeRE[largeREindex] = '|';
--                ++largeREindex;
--            }
--            largeRE[largeREindex] = '(';
--            ++largeREindex;
--            configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
--            largeREindex += configurationLineWord.length();
--            largeRE[largeREindex] = ')';
--            ++largeREindex;
--            largeRE[largeREindex] = '\0';
-+            accumulatedRE.push_back(configurationLineWord);
-             ++numREs;
-+            reSize += configurationLineWord.length();
-         } else {
-             debugs(28, 2, "buffer full, generating new optimised RE..." );
--            if (!compileRE(newlist, largeRE, flags))
-+            accumulatedRE.push_back(configurationLineWord);
-+            if (!compileRE(newlist, accumulatedRE, flags))
-                 return 0;
--            largeRE[largeREindex=0] = '\0';
-+            accumulatedRE.clear();
-+            reSize = 0;
-             continue;    /* do the loop again to add the RE to largeRE */
-         }
-     }
- 
--    if (!compileRE(newlist, largeRE, flags))
-+    if (!compileRE(newlist, accumulatedRE, flags))
-         return 0;
- 
-+    accumulatedRE.clear();
-+    reSize = 0;
-+
-     /* all was successful, so put the new list at the tail */
-     curlist.splice(curlist.end(), newlist);
- 
-diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
-index 21ee889..338e9c0 100644
---- a/src/sbuf/Algorithms.h
-+++ b/src/sbuf/Algorithms.h
-@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
-     return rv;
- }
- 
-+/** Join container of SBufs and append to supplied target
-+ *
-+ * append to the target SBuf all elements in the [begin,end) range from
-+ * an iterable container, prefixed by prefix, separated by separator and
-+ * followed by suffix. Prefix and suffix are added also in case of empty
-+ * iterable
-+ *
-+ * \return the modified dest
-+ */
-+template <class ContainerIterator>
-+SBuf&
-+JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
-+                      const ContainerIterator &end, const SBuf& separator,
-+                      const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
-+{
-+    if (begin == end) {
-+        dest.append(prefix).append(suffix);
-+        return dest;
-+    }
-+
-+    // optimization: pre-calculate needed storage
-+    const SBuf::size_type totalContainerSize =
-+        std::accumulate(begin, end, 0, SBufAddLength(separator)) +
-+        dest.length() + prefix.length() + suffix.length();
-+    SBufReservationRequirements req;
-+    req.minSpace = totalContainerSize;
-+    dest.reserve(req);
-+
-+    auto i = begin;
-+    dest.append(prefix);
-+    dest.append(*i);
-+    ++i;
-+    for (; i != end; ++i)
-+        dest.append(separator).append(*i);
-+    dest.append(suffix);
-+    return dest;
-+}
-+
-+
-+/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
-+template <class ContainerIterator>
-+SBuf
-+JoinContainerToSBuf(const ContainerIterator &begin,
-+                    const ContainerIterator &end, const SBuf& separator,
-+                    const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
-+{
-+    SBuf rv;
-+    return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
-+}
-+
-+
- namespace std {
- /// default hash functor to support std::unordered_map<SBuf,*>
- template <>
diff --git a/SOURCES/squid-4.11-active-ftp.patch b/SOURCES/squid-4.11-active-ftp.patch
new file mode 100644
index 0000000..00a9b56
--- /dev/null
+++ b/SOURCES/squid-4.11-active-ftp.patch
@@ -0,0 +1,127 @@
+diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
+index b665bcf..d287e55 100644
+--- a/src/clients/FtpClient.cc
++++ b/src/clients/FtpClient.cc
+@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
+ bool
+ Ftp::Client::openListenSocket()
+ {
+-    return false;
++    debugs(9, 3, HERE);
++	  return false;
+ }
+ 
+ /// creates a data channel Comm close callback
+diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
+index a76a5a0..218d696 100644
+--- a/src/clients/FtpClient.h
++++ b/src/clients/FtpClient.h
+@@ -118,7 +118,7 @@ public:
+     bool sendPort();
+     bool sendPassive();
+     void connectDataChannel();
+-    bool openListenSocket();
++    virtual bool openListenSocket();
+     void switchTimeoutToDataChannel();
+ 
+     CtrlChannel ctrl; ///< FTP control channel state
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index 411bce9..31d3e36 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -87,6 +87,13 @@ struct GatewayFlags {
+ class Gateway;
+ typedef void (StateMethod)(Ftp::Gateway *);
+ 
++} // namespace FTP
++
++static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
++
++namespace Ftp
++{
++
+ /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
+ /// converts it into one or more FTP commands, and then
+ /// converts one or more FTP responses into the final HTTP response.
+@@ -137,7 +144,11 @@ public:
+ 
+     /// create a data channel acceptor and start listening.
+     void listenForDataChannel(const Comm::ConnectionPointer &conn);
+-
++    virtual bool openListenSocket() {
++    		debugs(9, 3, HERE);
++				ftpOpenListenSocket(this, 0);
++        return Comm::IsConnOpen(data.conn);
++		}
+     int checkAuth(const HttpHeader * req_hdr);
+     void checkUrlpath();
+     void buildTitleUrl();
+@@ -1787,6 +1798,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
+     }
+ 
+     ftpState->listenForDataChannel(temp);
++    ftpState->data.listenConn = temp;
+ }
+ 
+ static void
+@@ -1822,13 +1834,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
+     // pull out the internal IP address bytes to send in PORT command...
+     // source them from the listen_conn->local
+ 
++    struct sockaddr_in addr;
++    socklen_t addrlen = sizeof(addr);
++    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++    unsigned char port_high = ntohs(addr.sin_port) >> 8;
++    unsigned char port_low  = ntohs(addr.sin_port) & 0xff;
++
+     struct addrinfo *AI = NULL;
+     ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
+     unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
+-    unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
++    // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
+     snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
+              addrptr[0], addrptr[1], addrptr[2], addrptr[3],
+-             portptr[0], portptr[1]);
++             port_high, port_low);
+     ftpState->writeCommand(cbuf);
+     ftpState->state = Ftp::Client::SENT_PORT;
+ 
+@@ -1881,14 +1899,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
+         return;
+     }
+ 
++
++    unsigned int port;
++    struct sockaddr_storage addr;
++    socklen_t addrlen = sizeof(addr);
++    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
++    if (addr.ss_family == AF_INET) {
++        struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
++        port = ntohs( addr4->sin_port );
++    } else {
++        struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
++        port = ntohs( addr6->sin6_port );
++    }
++
+     char buf[MAX_IPSTRLEN];
+ 
+     /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
+     /* Which can be used by EITHER protocol. */
+-    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
++    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
+              ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
+              ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
+-             ftpState->data.listenConn->local.port() );
++             port);
+ 
+     ftpState->writeCommand(cbuf);
+     ftpState->state = Ftp::Client::SENT_EPRT;
+@@ -1907,7 +1938,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
+         ftpSendPORT(ftpState);
+         return;
+     }
+-
++    ftpState->ctrl.message = NULL;
+     ftpRestOrList(ftpState);
+ }
+ 
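Review bot: In ftpSendPORT and ftpSendEPRT the return value of getsockname() is ignored, so if the call fails the port formatted into the PORT or EPRT command comes from an uninitialised addr. Check for a non-zero return (and that data.listenConn is open before dereferencing ->fd) and abort the data-channel setup instead of writing the command. ftpSendPORT also treats the result as a sockaddr_in without looking at the address family, while ftpSendEPRT uses sockaddr_storage and branches on ss_family; the same pattern should be used in both. Smaller points: delete the commented-out portptr line rather than leaving it in, fix the mixed tab and space indentation in the two openListenSocket() bodies, and correct the closing comment `} // namespace FTP`, since the namespace is Ftp.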
diff --git a/SOURCES/squid-4.11-config.patch b/SOURCES/squid-4.11-config.patch
new file mode 100644
index 0000000..9b0e2d8
--- /dev/null
+++ b/SOURCES/squid-4.11-config.patch
@@ -0,0 +1,27 @@
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index 26ef576..30d5509 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -5006,7 +5006,7 @@ DOC_END
+ 
+ NAME: logfile_rotate
+ TYPE: int
+-DEFAULT: 10
++DEFAULT: 0
+ LOC: Config.Log.rotateNumber
+ DOC_START
+ 	Specifies the default number of logfile rotations to make when you
+@@ -6857,11 +6857,11 @@ COMMENT_END
+ 
+ NAME: cache_mgr
+ TYPE: string
+-DEFAULT: webmaster
++DEFAULT: root
+ LOC: Config.adminEmail
+ DOC_START
+ 	Email-address of local cache manager who will receive
+-	mail if the cache dies.  The default is "webmaster".
++	mail if the cache dies.  The default is "root".
+ DOC_END
+ 
+ NAME: mail_from
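Review bot: The logfile_rotate hunk changes DEFAULT from 10 to 0 but leaves its DOC_START text alone, whereas the cache_mgr hunk does update the matching "The default is ..." sentence. A default of 0 rotations means Squid keeps no rotated copies on its own, so the documentation should state the reason (for example that rotation is left to the system's logrotate, if that is the intent), otherwise an administrator reading squid.conf may assume older access logs are retained by Squid.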
diff --git a/SOURCES/squid-4.11-include-guards.patch b/SOURCES/squid-4.11-include-guards.patch
new file mode 100644
index 0000000..fb96c57
--- /dev/null
+++ b/SOURCES/squid-4.11-include-guards.patch
@@ -0,0 +1,41 @@
+diff --git a/compat/os/linux.h b/compat/os/linux.h
+index 0ff05c6..d51389b 100644
+--- a/compat/os/linux.h
++++ b/compat/os/linux.h
+@@ -44,6 +44,36 @@
+ #include <netinet/in.h>
+ #endif
+ 
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
+ /*
+  * sys/capability.h is only needed in Linux apparently.
+  *
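Review bot: The added lines are the same "Netfilter header madness" comment and `#if HAVE_NETINET_IN_H` / `#include <netinet/in.h>` guard pasted twice, and the two context lines at the top of the hunk (`#include <netinet/in.h>`, `#endif`) indicate the 4.11 header already includes netinet/in.h at this position. The duplication looks like it was carried over from the old 3.5.9 patch file, which itself contained the change twice. Drop this patch if the upstream header already has the guard, or reduce it to a single copy if it is still needed.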
diff --git a/SOURCES/squid-4.11-large-acl.patch b/SOURCES/squid-4.11-large-acl.patch
new file mode 100644
index 0000000..8aacf38
--- /dev/null
+++ b/SOURCES/squid-4.11-large-acl.patch
@@ -0,0 +1,178 @@
+diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
+index 01a4c12..b5c1679 100644
+--- a/src/acl/RegexData.cc
++++ b/src/acl/RegexData.cc
+@@ -22,6 +22,7 @@
+ #include "ConfigParser.h"
+ #include "Debug.h"
+ #include "sbuf/List.h"
++#include "sbuf/Algorithms.h"
+ 
+ ACLRegexData::~ACLRegexData()
+ {
+@@ -129,6 +130,18 @@ compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
+     return true;
+ }
+ 
++static bool
++compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
++{
++	if (RE.empty())
++		return curlist.empty(); // XXX: old code did this. It looks wrong.
++	SBuf regexp;
++	static const SBuf openparen("("), closeparen(")"), separator(")|(");
++	JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
++			closeparen);
++	return compileRE(curlist, regexp.c_str(), flags);
++}
++
+ /** Compose and compile one large RE from a set of (small) REs.
+  * The ultimate goal is to have only one RE per ACL so that match() is
+  * called only once per ACL.
+@@ -137,16 +150,11 @@ static int
+ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
+ {
+     std::list<RegexPattern> newlist;
+-    int numREs = 0;
++    SBufList accumulatedRE;
++    int numREs = 0, reSize = 0;
+     int flags = REG_EXTENDED | REG_NOSUB;
+-    int largeREindex = 0;
+-    char largeRE[BUFSIZ];
+-    *largeRE = 0;
+ 
+     for (const SBuf & configurationLineWord : sl) {
+-        int RElen;
+-        RElen = configurationLineWord.length();
+-
+         static const SBuf minus_i("-i");
+         static const SBuf plus_i("+i");
+         if (configurationLineWord == minus_i) {
+@@ -155,10 +163,11 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
+                 debugs(28, 2, "optimisation of -i ... -i" );
+             } else {
+                 debugs(28, 2, "-i" );
+-                if (!compileRE(newlist, largeRE, flags))
++                if (!compileRE(newlist, accumulatedRE, flags))
+                     return 0;
+                 flags |= REG_ICASE;
+-                largeRE[largeREindex=0] = '\0';
++                accumulatedRE.clear();
++                reSize = 0;
+             }
+         } else if (configurationLineWord == plus_i) {
+             if ((flags & REG_ICASE) == 0) {
+@@ -166,37 +175,34 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
+                 debugs(28, 2, "optimisation of +i ... +i");
+             } else {
+                 debugs(28, 2, "+i");
+-                if (!compileRE(newlist, largeRE, flags))
++                if (!compileRE(newlist, accumulatedRE, flags))
+                     return 0;
+                 flags &= ~REG_ICASE;
+-                largeRE[largeREindex=0] = '\0';
++                accumulatedRE.clear();
++                reSize = 0;
+             }
+-        } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
++        } else if (reSize < 1024) {
+             debugs(28, 2, "adding RE '" << configurationLineWord << "'");
+-            if (largeREindex > 0) {
+-                largeRE[largeREindex] = '|';
+-                ++largeREindex;
+-            }
+-            largeRE[largeREindex] = '(';
+-            ++largeREindex;
+-            configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
+-            largeREindex += configurationLineWord.length();
+-            largeRE[largeREindex] = ')';
+-            ++largeREindex;
+-            largeRE[largeREindex] = '\0';
++            accumulatedRE.push_back(configurationLineWord);
+             ++numREs;
++            reSize += configurationLineWord.length();
+         } else {
+             debugs(28, 2, "buffer full, generating new optimised RE..." );
+-            if (!compileRE(newlist, largeRE, flags))
++            accumulatedRE.push_back(configurationLineWord);
++            if (!compileRE(newlist, accumulatedRE, flags))
+                 return 0;
+-            largeRE[largeREindex=0] = '\0';
++            accumulatedRE.clear();
++            reSize = 0;
+             continue;    /* do the loop again to add the RE to largeRE */
+         }
+     }
+ 
+-    if (!compileRE(newlist, largeRE, flags))
++    if (!compileRE(newlist, accumulatedRE, flags))
+         return 0;
+ 
++    accumulatedRE.clear();
++    reSize = 0;
++
+     /* all was successful, so put the new list at the tail */
+     curlist.splice(curlist.end(), newlist);
+ 
+diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
+index 21ee889..338e9c0 100644
+--- a/src/sbuf/Algorithms.h
++++ b/src/sbuf/Algorithms.h
+@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
+     return rv;
+ }
+ 
++/** Join container of SBufs and append to supplied target
++ *
++ * append to the target SBuf all elements in the [begin,end) range from
++ * an iterable container, prefixed by prefix, separated by separator and
++ * followed by suffix. Prefix and suffix are added also in case of empty
++ * iterable
++ *
++ * \return the modified dest
++ */
++template <class ContainerIterator>
++SBuf&
++JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
++                      const ContainerIterator &end, const SBuf& separator,
++                      const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
++{
++    if (begin == end) {
++        dest.append(prefix).append(suffix);
++        return dest;
++    }
++
++    // optimization: pre-calculate needed storage
++    const SBuf::size_type totalContainerSize =
++        std::accumulate(begin, end, 0, SBufAddLength(separator)) +
++        dest.length() + prefix.length() + suffix.length();
++    SBufReservationRequirements req;
++    req.minSpace = totalContainerSize;
++    dest.reserve(req);
++
++    auto i = begin;
++    dest.append(prefix);
++    dest.append(*i);
++    ++i;
++    for (; i != end; ++i)
++        dest.append(separator).append(*i);
++    dest.append(suffix);
++    return dest;
++}
++
++
++/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
++template <class ContainerIterator>
++SBuf
++JoinContainerToSBuf(const ContainerIterator &begin,
++                    const ContainerIterator &end, const SBuf& separator,
++                    const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
++{
++    SBuf rv;
++    return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
++}
++
++
+ namespace std {
+ /// default hash functor to support std::unordered_map<SBuf,*>
+ template <>
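Review bot: In the new compileRE() overload taking an SBufList, `if (RE.empty()) return curlist.empty();` returns false whenever nothing is pending but earlier patterns have already been compiled. That is the state after the "buffer full" branch, or a -i/+i switch, has flushed and cleared accumulatedRE on the last configuration word, so the final compileRE(newlist, accumulatedRE, flags) makes compileOptimisedREs return 0 for a valid pattern list. The XXX comment already doubts this; returning true for an empty list is the safer behaviour. In the same function, the "buffer full" branch pushes the word into accumulatedRE without `++numREs`, so the count is low by one per flush, and its `continue` comment still refers to largeRE, which no longer exists. The `reSize < 1024` limit is a bare constant that counts only pattern bytes, not the ")|(" separators; name it and document what it bounds. In JoinContainerIntoSBuf, `std::accumulate(begin, end, 0, ...)` sums in int because of the literal 0; pass an SBuf::size_type initial value.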
diff --git a/SOURCES/squid-4.11-location.patch b/SOURCES/squid-4.11-location.patch
new file mode 100644
index 0000000..e33e9a0
--- /dev/null
+++ b/SOURCES/squid-4.11-location.patch
@@ -0,0 +1,33 @@
+diff --git a/QUICKSTART b/QUICKSTART
+index e5299b4..a243437 100644
+--- a/QUICKSTART
++++ b/QUICKSTART
+@@ -10,10 +10,9 @@ After you retrieved, compiled and installed the Squid software (see
+ INSTALL in the same directory), you have to configure the squid.conf
+ file. This is the list of the values you *need* to change, because no
+ sensible defaults could be defined. Do not touch the other variables
+-for now.  We assume you have installed Squid in the default location:
+-/usr/local/squid
++for now.
+ 
+-Uncomment and edit the following lines in /usr/local/squid/etc/squid.conf:
++Uncomment and edit the following lines in /etc/squid/squid.conf:
+ 
+ ==============================================================================
+ 
+@@ -80,12 +79,12 @@ After editing squid.conf to your liking, run Squid from the command
+ line TWICE:
+ 
+ To create any disk cache_dir configured:
+-    % /usr/local/squid/sbin/squid -z
++    % /usr/sbin/squid -z
+ 
+ To start squid:
+-    % /usr/local/squid/sbin/squid 
++    % /usr/sbin/squid 
+ 
+-Check in the cache.log (/usr/local/squid/var/logs/cache.log) that
++Check in the cache.log (/var/log/squid/cache.log) that
+ everything is all right.
+ 
+ Once Squid created all its files (it can take several minutes on some
diff --git a/SOURCES/squid-4.11-perlpath.patch b/SOURCES/squid-4.11-perlpath.patch
new file mode 100644
index 0000000..18c74a6
--- /dev/null
+++ b/SOURCES/squid-4.11-perlpath.patch
@@ -0,0 +1,10 @@
+diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
+index 90ac6a4..8dbed90 100755
+--- a/contrib/url-normalizer.pl
++++ b/contrib/url-normalizer.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -Tw
++#!/usr/bin/perl -Tw
+ #
+ # * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
+ # *
diff --git a/SOURCES/squid-4.11-systemd.patch b/SOURCES/squid-4.11-systemd.patch
new file mode 100644
index 0000000..a461881
--- /dev/null
+++ b/SOURCES/squid-4.11-systemd.patch
@@ -0,0 +1,39 @@
+diff --git a/configure b/configure
+index 17b2ebf..9530f6b 100755
+--- a/configure
++++ b/configure
+@@ -33915,6 +33915,7 @@ done
+   fi
+   if test "x$SYSTEMD_LIBS" != "x" ; then
+     CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++    LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+ 
+ $as_echo "#define USE_SYSTEMD 1" >>confdefs.h
+ 
+diff --git a/src/Debug.h b/src/Debug.h
+index 6eecd01..ddd9e38 100644
+--- a/src/Debug.h
++++ b/src/Debug.h
+@@ -99,6 +99,10 @@ public:
+ 
+     /// configures the active debugging context to write syslog ALERT
+     static void ForceAlert();
++
++    /// prefixes each grouped debugs() line after the first one in the group
++    static std::ostream& Extra(std::ostream &os) { return os << "\n    "; }
++
+ private:
+     static Context *Current; ///< deepest active context; nil outside debugs()
+ };
+diff --git a/configure.ac b/configure.ac
+index d3c5da8..806302c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2162,6 +2162,7 @@ if test "x$with_systemd" != "xno" -a "x$squid_host_os" = "xlinux"; then
+   fi
+   if test "x$SYSTEMD_LIBS" != "x" ; then
+     CXXFLAGS="$SYSTEMD_CFLAGS $CXXFLAGS"
++    LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"
+     AC_DEFINE(USE_SYSTEMD,1,[systemd support is available])
+   else
+     with_systemd=no
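Review bot: `LDFLAGS="$SYSTEMD_LIBS $LDFLAGS"` in both configure and configure.ac puts library flags into LDFLAGS, where -l options land ahead of the object files on the link line and can be discarded when linking with --as-needed. Prepend $SYSTEMD_LIBS to LIBS instead. The Debug.h hunk adding Debug::Extra() is unrelated to systemd and belongs in its own patch with a description of what needs it. Patching the generated configure alongside configure.ac only works while the two stay in sync; regenerating configure during the build would remove the need for the first hunk.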
diff --git a/SOURCES/squid-4.11.tar.xz.asc b/SOURCES/squid-4.11.tar.xz.asc
new file mode 100644
index 0000000..79a79ee
--- /dev/null
+++ b/SOURCES/squid-4.11.tar.xz.asc
@@ -0,0 +1,25 @@
+File: squid-4.11.tar.xz
+Date: Sun Apr 19 12:56:37 UTC 2020
+Size: 2447700
+MD5 : 10f34e852153a9996aa4614670e2bda1
+SHA1: 053277bf5497163ffc9261b9807abda5959bb6fc
+Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
+            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
+      keyring = http://www.squid-cache.org/pgp.asc
+      keyserver = pool.sks-keyservers.net
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAl6cSpEACgkQzW2/jvOx
+fT6YbA/6A+IbIbNBJUW45oj23Io9Tw/CzAcTeLHR+McKwV77qMbR+L+kQ+fUdM5F
+rHAmd8bVVlyHc4WanVfWItEmzBzHA/ifTNvVpefSGGEbDb80RF66k7ACiZUokg1b
+kkPwc/SjDhe2wvketIaBiVVd7pylrlCdVvazcF8gE9MWDOIlJND5mnHXidXvwkbJ
+T2//8JZVEmcmN9pdFGNAUVckFm+AnwWXcRM1SQPYDGSVUtjVlqido8snLTA1mZwl
+rIpjppujMV54OOWlj+Gqa3MZkpNzIaMCAfphzUFlsQY+/sRUYAOv1wmxw2WclxlK
+WlWM+fw8OsYNDMwkOScKZZWceoAkq6UsUHzCAdJIdLqV/R6mZ9nfuZ6BHIr0+2dP
+bDf9MU4KXbwEuXiRD/KPziUxxOZwSPivbm3wy9DqTTZfO9V+Iq6FVHX+ahxJ0XbM
+JWRYA3GW+DRLjorfsWxU5r4UJsrnBfhItPUAfGPjPjEGZ/pn8r9G6MGenNGPLMKy
+wP1rMlOhrZPwerzokzAvKx8G0WWkfN+IPv2JK3rDot6RiJIOuvnZZd4RIuVNTGbh
+liO7M24JlWX3WD2wHBzxQag46+plb3VvrrVChwIQnZ2Qzpf50w0Bife/wtNBGpK0
+k/Xi/nocO796YS8GZBnmhS1lEGEwp/YpJBFWmIjTWMUMEOcswVA=
+=PKl0
+-----END PGP SIGNATURE-----
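Review bot: the added signature file lists only MD5 and SHA1 digests and points at a keyring fetched over plain `http://`, and nothing in the visible spec hunks verifies this `.asc` during the build. Consider shipping the upstream public key as an additional source and checking `squid-4.11.tar.xz` against the detached signature in `%prep`, so that the signature, not the SHA1 line, is what the build trusts. The `keyserver = pool.sks-keyservers.net` line is upstream's text and should stay as is, but it should not be relied on as the key source.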
diff --git a/SOURCES/squid-4.4.0-CVE-2019-12527.patch b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
deleted file mode 100644
index ea950f5..0000000
--- a/SOURCES/squid-4.4.0-CVE-2019-12527.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-commit 7f73e9c5d17664b882ed32590e6af310c247f320
-Author: Amos Jeffries <yadij@users.noreply.github.com>
-Date:   2019-06-19 05:58:36 +0000
-
-    Update HttpHeader::getAuth to SBuf (#416)
-    
-    Replace the fixed-size buffer for decoding base64 tokens with an
-    SBuf to avoid decoder issues on large inputs.
-    
-    Update callers to SBuf API operations for more efficient memory
-    management.
-
-diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
-index 1e2b650..284a057 100644
---- a/src/HttpHeader.cc
-+++ b/src/HttpHeader.cc
-@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
-     return cr;
- }
- 
--const char *
--HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
-+SBuf
-+HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
- {
-     const char *field;
-     int l;
-     assert(auth_scheme);
-     field = getStr(id);
- 
-+    static const SBuf nil;
-     if (!field)         /* no authorization field */
--        return NULL;
-+        return nil;
- 
-     l = strlen(auth_scheme);
- 
-     if (!l || strncasecmp(field, auth_scheme, l))   /* wrong scheme */
--        return NULL;
-+        return nil;
- 
-     field += l;
- 
-     if (!xisspace(*field))  /* wrong scheme */
--        return NULL;
-+        return nil;
- 
-     /* skip white space */
-     for (; field && xisspace(*field); ++field);
- 
-     if (!*field)        /* no authorization cookie */
--        return NULL;
-+        return nil;
- 
--    static char decodedAuthToken[8192];
-+    const auto fieldLen = strlen(field);
-+    SBuf result;
-+    char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
-     struct base64_decode_ctx ctx;
-     base64_decode_init(&ctx);
-     size_t decodedLen = 0;
--    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), field) ||
-+    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
-             !base64_decode_final(&ctx)) {
--        return NULL;
-+        return nil;
-     }
--    decodedAuthToken[decodedLen] = '\0';
--    return decodedAuthToken;
-+    result.rawAppendFinish(decodedAuthToken, decodedLen);
-+    return result;
- }
- 
- ETag
-diff --git a/src/HttpHeader.h b/src/HttpHeader.h
-index a26b127..3b262be 100644
---- a/src/HttpHeader.h
-+++ b/src/HttpHeader.h
-@@ -134,7 +134,7 @@ public:
-     HttpHdrRange *getRange() const;
-     HttpHdrSc *getSc() const;
-     HttpHdrContRange *getContRange() const;
--    const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
-+    SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
-     ETag getETag(Http::HdrType id) const;
-     TimeOrTag getTimeOrTag(Http::HdrType id) const;
-     int hasListMember(Http::HdrType id, const char *member, const char separator) const;
-diff --git a/src/cache_manager.cc b/src/cache_manager.cc
-index da22f7a..2fae767 100644
---- a/src/cache_manager.cc
-+++ b/src/cache_manager.cc
-@@ -27,6 +27,7 @@
- #include "mgr/FunAction.h"
- #include "mgr/QueryParams.h"
- #include "protos.h"
-+#include "sbuf/StringConvert.h"
- #include "SquidConfig.h"
- #include "SquidTime.h"
- #include "Store.h"
-@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams &param
-     // TODO: use the authentication system decode to retrieve these details properly.
- 
-     /* base 64 _decoded_ user:passwd pair */
--    const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
-+    const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
- 
--    if (!basic_cookie)
-+    if (basic_cookie.isEmpty())
-         return;
- 
--    const char *passwd_del;
--    if (!(passwd_del = strchr(basic_cookie, ':'))) {
-+    const auto colonPos = basic_cookie.find(':');
-+    if (colonPos == SBuf::npos) {
-         debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
-         return;
-     }
- 
-     /* found user:password pair, reset old values */
--    params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
--    params.password = passwd_del + 1;
-+    params.userName = SBufToString(basic_cookie.substr(0, colonPos));
-+    params.password = SBufToString(basic_cookie.substr(colonPos+1));
- 
-     /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
-     debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
-diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
-index b958b14..7ca5d24 100644
---- a/src/clients/FtpGateway.cc
-+++ b/src/clients/FtpGateway.cc
-@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
- 
- #if HAVE_AUTH_MODULE_BASIC
-     /* Check HTTP Authorization: headers (better than defaults, but less than URL) */
--    const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
-+    const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
-     if (!auth.isEmpty()) {
-         flags.authenticated = 1;
-         loginParser(auth, false);
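Review bot: nothing in this change records that squid-4.11 already contains the `getAuthToken`/SBuf replacement for `static char decodedAuthToken[8192]` in src/HttpHeader.cc, so dropping the patch rests on an unstated assumption. The commit in the patch header is dated 2019-06-19, which predates the 4.11 tarball date, but a spec comment or changelog line naming commit 7f73e9c5d17664b882ed32590e6af310c247f320 as included upstream would make the removal auditable. When confirming, check that no caller of the old `getAuth` remains in src/cache_manager.cc or src/clients/FtpGateway.cc, since those were converted by the same patch.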
diff --git a/SOURCES/squid-4.4.0-CVE-2019-13345.patch b/SOURCES/squid-4.4.0-CVE-2019-13345.patch
deleted file mode 100644
index 9a5754e..0000000
--- a/SOURCES/squid-4.4.0-CVE-2019-13345.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-diff --git a/tools/cachemgr.cc b/tools/cachemgr.cc
-index 0c745c2..8a67eba 100644
---- a/tools/cachemgr.cc
-+++ b/tools/cachemgr.cc
-@@ -355,7 +355,7 @@ auth_html(const char *host, int port, const char *user_name)
- 
-     printf("<TR><TH ALIGN=\"left\">Manager name:</TH><TD><INPUT NAME=\"user_name\" ");
- 
--    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", user_name);
-+    printf("size=\"30\" VALUE=\"%s\"></TD></TR>\n", rfc1738_escape(user_name));
- 
-     printf("<TR><TH ALIGN=\"left\">Password:</TH><TD><INPUT TYPE=\"password\" NAME=\"passwd\" ");
- 
-@@ -419,7 +419,7 @@ menu_url(cachemgr_request * req, const char *action)
-              script_name,
-              req->hostname,
-              req->port,
--             safe_str(req->user_name),
-+             rfc1738_escape(safe_str(req->user_name)),
-              action,
-              safe_str(req->pub_auth));
-     return url;
-@@ -1074,8 +1074,8 @@ make_pub_auth(cachemgr_request * req)
-     const int bufLen = snprintf(buf, sizeof(buf), "%s|%d|%s|%s",
-                                 req->hostname,
-                                 (int) now,
--                                req->user_name ? req->user_name : "",
--                                req->passwd);
-+                                rfc1738_escape(safe_str(req->user_name)),
-+                                rfc1738_escape(req->passwd));
-     debug("cmgr: pre-encoded for pub: %s\n", buf);
- 
-     const int encodedLen = base64_encode_len(bufLen);
-@@ -1094,8 +1094,6 @@ decode_pub_auth(cachemgr_request * req)
-     char *buf;
-     const char *host_name;
-     const char *time_str;
--    const char *user_name;
--    const char *passwd;
- 
-     debug("cmgr: decoding pub: '%s'\n", safe_str(req->pub_auth));
-     safe_free(req->passwd);
-@@ -1131,17 +1129,21 @@ decode_pub_auth(cachemgr_request * req)
- 
-     debug("cmgr: decoded time: '%s' (now: %d)\n", time_str, (int) now);
- 
-+    char *user_name;
-     if ((user_name = strtok(NULL, "|")) == NULL) {
-         xfree(buf);
-         return;
-     }
-+    rfc1738_unescape(user_name);
- 
-     debug("cmgr: decoded uname: '%s'\n", user_name);
- 
-+    char *passwd;
-     if ((passwd = strtok(NULL, "|")) == NULL) {
-         xfree(buf);
-         return;
-     }
-+    rfc1738_unescape(passwd);
- 
-     debug("cmgr: decoded passwd: '%s'\n", passwd);
- 
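Review bot: the removal gives no confirmation that tools/cachemgr.cc in 4.11 escapes `user_name` at all three sites this patch touched (`auth_html`, `menu_url`, `make_pub_auth`) and unescapes both fields in `decode_pub_auth`; that should be stated in the spec or changelog before the patch is dropped. While checking the 4.11 source, note two things visible here: `rfc1738_escape` is URL escaping applied to a value printed inside an HTML attribute (`VALUE=\"%s\"`), and in `make_pub_auth` `req->passwd` is passed to it without the `safe_str` wrapper that `req->user_name` gets.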
diff --git a/SOURCES/squid-4.4.0-active-ftp.patch b/SOURCES/squid-4.4.0-active-ftp.patch
deleted file mode 100644
index 64988fe..0000000
--- a/SOURCES/squid-4.4.0-active-ftp.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc
-index 777210c..4c80511 100644
---- a/src/clients/FtpClient.cc
-+++ b/src/clients/FtpClient.cc
-@@ -778,7 +778,8 @@ Ftp::Client::connectDataChannel()
- bool
- Ftp::Client::openListenSocket()
- {
--    return false;
-+    debugs(9, 3, HERE);
-+	  return false;
- }
- 
- /// creates a data channel Comm close callback
-diff --git a/src/clients/FtpClient.h b/src/clients/FtpClient.h
-index 465fdb7..75dbd3b 100644
---- a/src/clients/FtpClient.h
-+++ b/src/clients/FtpClient.h
-@@ -118,7 +118,7 @@ public:
-     bool sendPort();
-     bool sendPassive();
-     void connectDataChannel();
--    bool openListenSocket();
-+    virtual bool openListenSocket();
-     void switchTimeoutToDataChannel();
- 
-     CtrlChannel ctrl; ///< FTP control channel state
-diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
-index a13cdda..b958b14 100644
---- a/src/clients/FtpGateway.cc
-+++ b/src/clients/FtpGateway.cc
-@@ -87,6 +87,13 @@ struct GatewayFlags {
- class Gateway;
- typedef void (StateMethod)(Ftp::Gateway *);
- 
-+} // namespace FTP
-+
-+static void ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback);
-+
-+namespace Ftp
-+{
-+
- /// FTP Gateway: An FTP client that takes an HTTP request with an ftp:// URI,
- /// converts it into one or more FTP commands, and then
- /// converts one or more FTP responses into the final HTTP response.
-@@ -137,7 +144,11 @@ public:
- 
-     /// create a data channel acceptor and start listening.
-     void listenForDataChannel(const Comm::ConnectionPointer &conn);
--
-+    virtual bool openListenSocket() {
-+    		debugs(9, 3, HERE);
-+				ftpOpenListenSocket(this, 0);
-+        return Comm::IsConnOpen(data.conn);
-+		}
-     int checkAuth(const HttpHeader * req_hdr);
-     void checkUrlpath();
-     void buildTitleUrl();
-@@ -1792,6 +1803,7 @@ ftpOpenListenSocket(Ftp::Gateway * ftpState, int fallback)
-     }
- 
-     ftpState->listenForDataChannel(temp);
-+    ftpState->data.listenConn = temp;
- }
- 
- static void
-@@ -1827,13 +1839,19 @@ ftpSendPORT(Ftp::Gateway * ftpState)
-     // pull out the internal IP address bytes to send in PORT command...
-     // source them from the listen_conn->local
- 
-+    struct sockaddr_in addr;
-+    socklen_t addrlen = sizeof(addr);
-+    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
-+    unsigned char port_high = ntohs(addr.sin_port) >> 8;
-+    unsigned char port_low  = ntohs(addr.sin_port) & 0xff;
-+
-     struct addrinfo *AI = NULL;
-     ftpState->data.listenConn->local.getAddrInfo(AI, AF_INET);
-     unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr;
--    unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
-+    // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port;
-     snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n",
-              addrptr[0], addrptr[1], addrptr[2], addrptr[3],
--             portptr[0], portptr[1]);
-+             port_high, port_low);
-     ftpState->writeCommand(cbuf);
-     ftpState->state = Ftp::Client::SENT_PORT;
- 
-@@ -1886,14 +1904,27 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
-         return;
-     }
- 
-+
-+    unsigned int port;
-+    struct sockaddr_storage addr;
-+    socklen_t addrlen = sizeof(addr);
-+    getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen);
-+    if (addr.ss_family == AF_INET) {
-+        struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr;
-+        port = ntohs( addr4->sin_port );
-+    } else {
-+        struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr;
-+        port = ntohs( addr6->sin6_port );
-+    }
-+
-     char buf[MAX_IPSTRLEN];
- 
-     /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */
-     /* Which can be used by EITHER protocol. */
--    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n",
-+    snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n",
-              ( ftpState->data.listenConn->local.isIPv6() ? 2 : 1 ),
-              ftpState->data.listenConn->local.toStr(buf,MAX_IPSTRLEN),
--             ftpState->data.listenConn->local.port() );
-+             port);
- 
-     ftpState->writeCommand(cbuf);
-     ftpState->state = Ftp::Client::SENT_EPRT;
-@@ -1912,7 +1943,7 @@ ftpReadEPRT(Ftp::Gateway * ftpState)
-         ftpSendPORT(ftpState);
-         return;
-     }
--
-+    ftpState->ctrl.message = NULL;
-     ftpRestOrList(ftpState);
- }
- 
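Review bot: the `getsockname()` calls added in the `ftpSendPORT` and `ftpSendEPRT` hunks ignore the return value, so on failure `addr` is read uninitialised and an arbitrary port number is written into the PORT or EPRT command. The spec now points Patch206 at squid-4.11-active-ftp.patch, so the rebased copy should check for a non-zero return and abort the active-mode attempt instead of carrying this over. Two smaller points for the rebase: the `openListenSocket` bodies mix tabs and spaces, and the commented-out `// unsigned char *portptr` line should be deleted rather than left as dead code.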
diff --git a/SOURCES/squid-4.4.0-lower-cachepeer.patch b/SOURCES/squid-4.4.0-lower-cachepeer.patch
deleted file mode 100644
index 42bc2aa..0000000
--- a/SOURCES/squid-4.4.0-lower-cachepeer.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/src/cache_cf.cc b/src/cache_cf.cc
-index 9165ef99c..32a3df322 100644
---- a/src/cache_cf.cc
-+++ b/src/cache_cf.cc
-@@ -2081,6 +2081,7 @@ parse_peer(CachePeer ** head)
- 
-     CachePeer *p = new CachePeer;
-     p->host = xstrdup(host_str);
-+    Tolower(p->host);
-     p->name = xstrdup(host_str);
-     p->type = parseNeighborType(token);
- 
diff --git a/SOURCES/squid-4.4.0-man-pages.patch b/SOURCES/squid-4.4.0-man-pages.patch
deleted file mode 100644
index 974795d..0000000
--- a/SOURCES/squid-4.4.0-man-pages.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
-index 3053180..1d295fb 100644
---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8
-+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
-@@ -135,7 +135,7 @@
- .if n .ad l
- .nh
- .SH "NAME"
--url_lfs_rewrite
-+\& url_lfs_rewrite \- a URL-rewriter based on local file existence
- .SH "SYNOPSIS"
- .IX Header "SYNOPSIS"
- .Vb 1
-diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
-index a7168e0..da7055c 100755
---- a/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
-+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.pl.in
-@@ -8,7 +8,7 @@ use Pod::Usage;
- 
- =head1 NAME
- 
--B<url_lfs_rewrite>
-+B<url_lfs_rewrite> - a URL-rewriter based on local file existence
- 
- =head1 SYNOPSIS
- 
diff --git a/SOURCES/squid-4.4.tar.xz.asc b/SOURCES/squid-4.4.tar.xz.asc
deleted file mode 100644
index a0f8623..0000000
--- a/SOURCES/squid-4.4.tar.xz.asc
+++ /dev/null
@@ -1,25 +0,0 @@
-File: squid-4.4.tar.xz
-Date: Sat Oct 27 21:20:24 UTC 2018
-Size: 2436468
-MD5 : 892504ca9700e1f139a53f84098613bd
-SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa
-Key : CD6DBF8EF3B17D3E <squid3@treenet.co.nz>
-            B068 84ED B779 C89B 044E  64E3 CD6D BF8E F3B1 7D3E
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = pool.sks-keyservers.net
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx
-fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo
-9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1
-J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t
-fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3
-UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD
-Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST
-1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX
-KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y
-VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1
-eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN
-eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME=
-=1eSQ
------END PGP SIGNATURE-----
diff --git a/SOURCES/squid.service b/SOURCES/squid.service
index f49d7db..6978032 100644
--- a/SOURCES/squid.service
+++ b/SOURCES/squid.service
@@ -4,14 +4,15 @@ Documentation=man:squid(8)
 After=network.target network-online.target nss-lookup.target
 
 [Service]
-Type=forking
+Type=notify
 LimitNOFILE=16384
+PIDFile=/run/squid.pid
 EnvironmentFile=/etc/sysconfig/squid
 ExecStartPre=/usr/libexec/squid/cache_swap.sh
-ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF
-ExecReload=/usr/sbin/squid $SQUID_OPTS -k reconfigure -f $SQUID_CONF
-ExecStop=/usr/sbin/squid -k shutdown -f $SQUID_CONF
-TimeoutSec=0
+ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
+ExecReload=/usr/bin/kill -HUP $MAINPID
+KillMode=mixed
+NotifyAccess=all
 
 [Install]
 WantedBy=multi-user.target
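Review bot: `NotifyAccess=all` accepts readiness and status notifications from any process in the unit's control group, which includes whatever helpers squid spawns, where `Type=notify` would otherwise default to the main process only. If the notification is sent by a process other than the one systemd tracks as `$MAINPID`, add a comment in the unit saying so; if not, drop the line or use `NotifyAccess=main`. Also worth a comment: with `ExecStop=` and `TimeoutSec=0` both removed, stopping now relies on the default stop signal and default stop timeout, after which `KillMode=mixed` sends SIGKILL to every remaining process in the group, so the default timeout needs to be longer than squid's graceful shutdown period.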
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 81f9470..e1d36a2 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -1,8 +1,8 @@
 %define __perl_requires %{SOURCE98}
 
 Name:     squid
-Version:  4.4
-Release:  8%{?dist}
+Version:  4.11
+Release:  1%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -26,23 +26,17 @@ Source98: perl-requires-squid.sh
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
 # will break upstream ones.
-Patch201: squid-4.0.11-config.patch
-Patch202: squid-3.1.0.9-location.patch
-Patch203: squid-3.0.STABLE1-perlpath.patch
-Patch204: squid-3.5.9-include-guards.patch
-Patch205: squid-4.0.21-large-acl.patch
+Patch201: squid-4.11-config.patch
+Patch202: squid-4.11-location.patch
+Patch203: squid-4.11-perlpath.patch
+Patch204: squid-4.11-include-guards.patch
+Patch205: squid-4.11-large-acl.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=980511
-Patch206: squid-4.4.0-active-ftp.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1612524
-Patch207: squid-4.4.0-man-pages.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1691741
-Patch208: squid-4.4.0-lower-cachepeer.patch
+Patch206: squid-4.11-active-ftp.patch
+# https://github.com/squid-cache/squid/commit/c26cd1cb6a60ff196ef13c00e82576d3bfeb2e30
+Patch207: squid-4.11-systemd.patch
 
 # Security fixes
-# https://bugzilla.redhat.com/show_bug.cgi?id=1729436
-Patch500: squid-4.4.0-CVE-2019-13345.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1738485
-Patch501: squid-4.4.0-CVE-2019-12527.patch
 
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
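Review bot: the `# Security fixes` header is left with nothing beneath it, and the bugzilla references for the dropped Patch207, Patch208, Patch500 and Patch501 disappear without any statement that 4.11 includes those changes. Either remove the empty header or keep it with a comment that no downstream security patches are currently carried, and add a changelog line listing the four patches dropped as included upstream, so a later audit of bug 1691741 (lower-cachepeer) or of the two CVE patches does not have to diff the tarball. The new Patch207 cites an upstream commit URL, which is good; Patch201 to Patch205 were renamed to 4.11 without a note on whether their content changed.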
@@ -72,6 +66,8 @@ BuildRequires: perl-generators
 # For test suite
 BuildRequires: pkgconfig(cppunit)
 BuildRequires: autoconf
+# systemd notify
+BuildRequires: systemd-devel
 
 %description
 Squid is a high-performance proxy caching server for Web clients,
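Review bot: `BuildRequires: systemd-devel` names the package directly, while the dependency two lines above uses the `pkgconfig(cppunit)` form. For consistency, and so the requirement matches what configure actually looks for, `BuildRequires: pkgconfig(libsystemd)` would be the better spelling.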
@@ -96,14 +92,10 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch201 -p1 -b .config
 %patch202 -p1 -b .location
 %patch203 -p1 -b .perlpath
-%patch204 -p0 -b .include-guards
+%patch204 -p1 -b .include-guards
 %patch205 -p1 -b .large_acl
 %patch206 -p1 -b .active-ftp
-%patch207 -p1 -b .man-pages
-%patch208 -p1 -b .lower-cachepeer
-
-%patch500 -p1 -b .CVE-2019-13345
-%patch501 -p1 -b .CVE-2019-12527
+%patch207 -p1 -b .systemd
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@@ -320,6 +312,47 @@ fi
 
 
 %changelog
+* Thu May 07 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.11-1
+- new version 4.11
+- libsystemd integration
+- Resolves: #1829467 - squid:4 rebase
+- Resolves: #1828378 - CVE-2019-12521 squid:4/squid: off-by-one error in
+  addStackElement allows for a heap buffer overflow and a crash
+- Resolves: #1828377 - CVE-2019-12520 squid:4/squid: improper input validation
+  in request allows for proxy manipulation
+- Resolves: #1828375 - CVE-2019-12524 squid:4/squid: improper access restriction
+  in url_regex may lead to security bypass
+- Resolves: #1820664 - CVE-2019-18860 squid: mishandles HTML in the host
+  parameter to cachemgr.cgi which could result in squid behaving in unsecure way
+- Resolves: #1802514 - CVE-2020-8449 squid:4/squid: Improper input validation
+  issues in HTTP Request processing
+- Resolves: #1802513 - CVE-2020-8450 squid:4/squid: Buffer overflow in a Squid
+  acting as reverse-proxy
+- Resolves: #1802512 - CVE-2019-12528 squid:4/squid: Information Disclosure
+  issue in FTP Gateway
+- Resolves: #1771288 - CVE-2019-18678 squid:4/squid: HTTP Request Splitting
+  issue in HTTP message processing
+- Resolves: #1771283 - CVE-2019-18679 squid:4/squid: Information Disclosure
+  issue in HTTP Digest Authentication
+- Resolves: #1771280 - CVE-2019-18677 squid:4/squid: Cross-Site Request Forgery
+  issue in HTTP Request processing
+- Resolves: #1771275 - CVE-2019-12523 squid:4/squid: Improper input validation
+  in URI processor
+- Resolves: #1771272 - CVE-2019-18676 squid:4/squid: Buffer overflow in URI
+  processor
+- Resolves: #1771264 - CVE-2019-12526 squid:4/squid: Heap overflow issue in URN
+  processing
+- Resolves: #1738581 - CVE-2019-12529 squid: OOB read in Proxy-Authorization
+  header causes DoS
+
+* Tue Apr 28 2020 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-9
+- Resolves: #1738583 - CVE-2019-12525 squid:4/squid: parsing of header
+  Proxy-Authentication leads to memory corruption
+- Resolves: #1828369 - CVE-2020-11945 squid: improper access restriction upon
+  Digest Authentication nonce replay could lead to remote code execution
+- Resolves: #1828370 - CVE-2019-12519 squid: improper check for new member in
+  ESIExpression::Evaluate allows for stack buffer overflow
+
 * Fri Aug 23 2019 Lubos Uhliarik <luhliari@redhat.com> - 7:4.4-8
 - Resolves: # 1738485 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow
   in HttpHeader::getAuth
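Review bot: the added 4.4-9 entry (Apr 28 2020) claims fixes for CVE-2019-12525, CVE-2020-11945 and CVE-2019-12519, but the spec diff goes straight from Release 8 to 4.11-1 and removes only Patch500 and Patch501, so no patches for those three CVEs are visible anywhere in this change. Confirm that the 4.11 tarball covers them and list them under the 4.11-1 entry as well, or note in the 4.4-9 entry that it was built from a different branch. Minor: the 4.11-1 entry does not mention that the CVE-2019-13345 and CVE-2019-12527 patches were dropped, and "libsystemd integration" would be clearer if it named the `Type=notify` switch in squid.service.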