diff --git a/SOURCES/squid-4.15-ip-bind-address-no-port.patch b/SOURCES/squid-4.15-ip-bind-address-no-port.patch
new file mode 100644
index 0000000..85844ae
--- /dev/null
+++ b/SOURCES/squid-4.15-ip-bind-address-no-port.patch
@@ -0,0 +1,156 @@
+commit c08948c8b831a2ba73c676b48aa11ba1b58cc542
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date: Thu Dec 8 11:03:08 2022 +0100
+
+ Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
+
+diff --git a/src/comm.cc b/src/comm.cc
+index 0d5f34d..6811b54 100644
+--- a/src/comm.cc
++++ b/src/comm.cc
+@@ -58,6 +58,7 @@
+ */
+
+ static IOCB commHalfClosedReader;
++static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
+ static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
+ static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
+
+@@ -75,6 +76,7 @@ static EVH commHalfClosedCheck;
+ static void commPlanHalfClosedCheck();
+
+ static Comm::Flag commBind(int s, struct addrinfo &);
++static void commSetBindAddressNoPort(int);
+ static void commSetReuseAddr(int);
+ static void commSetNoLinger(int);
+ #ifdef TCP_NODELAY
+@@ -201,6 +203,22 @@ comm_local_port(int fd)
+ return F->local_addr.port();
+ }
+
++/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
++/// reuse by outgoing TCP connections that must bind(2) to a source IP address
++static void
++commSetBindAddressNoPort(const int fd)
++{
++#if defined(IP_BIND_ADDRESS_NO_PORT)
++ int flag = 1;
++ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
++ const auto savedErrno = errno;
++ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
++ }
++#else
++ (void)fd;
++#endif
++}
++
+ static Comm::Flag
+ commBind(int s, struct addrinfo &inaddr)
+ {
+@@ -227,6 +245,10 @@ comm_open(int sock_type,
+ int flags,
+ const char *note)
+ {
++ // assume zero-port callers do not need to know the assigned port right away
++ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
++ flags |= COMM_DOBIND_PORT_LATER;
++
+ return comm_openex(sock_type, proto, addr, flags, note);
+ }
+
+@@ -328,7 +350,7 @@ comm_set_transparent(int fd)
+ * Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE
+ * is OR of flags specified in defines.h:COMM_*
+ */
+-int
++static int
+ comm_openex(int sock_type,
+ int proto,
+ Ip::Address &addr,
+@@ -476,6 +498,9 @@ comm_apply_flags(int new_socket,
+ if ( addr.isNoAddr() )
+ debugs(5,0,"CRITICAL: Squid is attempting to bind() port " << addr << "!!");
+
++ if ((flags & COMM_DOBIND_PORT_LATER))
++ commSetBindAddressNoPort(new_socket);
++
+ if (commBind(new_socket, *AI) != Comm::OK) {
+ comm_close(new_socket);
+ return -1;
+diff --git a/src/comm.h b/src/comm.h
+index c963e1c..9ff201d 100644
+--- a/src/comm.h
++++ b/src/comm.h
+@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
+
+ /**
+ * Open a port specially bound for listening or sending through a specific port.
+- * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
+ * Please use for all listening sockets and bind() outbound sockets.
+ *
+ * It will open a socket bound for:
+@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
+ int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note);
+ void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note);
+
+-int comm_openex(int, int, Ip::Address &, int, const char *);
+ unsigned short comm_local_port(int fd);
+
+ int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
+diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
+index 25a30e4..2082214 100644
+--- a/src/comm/ConnOpener.cc
++++ b/src/comm/ConnOpener.cc
+@@ -263,7 +263,7 @@ Comm::ConnOpener::createFd()
+ if (callback_ == NULL || callback_->canceled())
+ return false;
+
+- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
++ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
+ if (temporaryFd_ < 0) {
+ sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
+ return false;
+diff --git a/src/comm/Connection.h b/src/comm/Connection.h
+index 4f2f23a..1e32c22 100644
+--- a/src/comm/Connection.h
++++ b/src/comm/Connection.h
+@@ -47,6 +47,8 @@ namespace Comm
+ #define COMM_DOBIND 0x08 // requires a bind()
+ #define COMM_TRANSPARENT 0x10 // arrived via TPROXY
+ #define COMM_INTERCEPTION 0x20 // arrived via NAT
++/// Internal Comm optimization: Keep the source port unassigned until connect(2)
++#define COMM_DOBIND_PORT_LATER 0x100
+
+ /**
+ * Store data about the physical and logical attributes of a connection.
+diff --git a/src/ipc.cc b/src/ipc.cc
+index e1d48fc..e92a27f 100644
+--- a/src/ipc.cc
++++ b/src/ipc.cc
+@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+ } else void(0)
+
+ if (type == IPC_TCP_SOCKET) {
+- crfd = cwfd = comm_open(SOCK_STREAM,
++ crfd = cwfd = comm_open_listener(SOCK_STREAM,
+ 0,
+ local_addr,
+ COMM_NOCLOEXEC,
+ name);
+- prfd = pwfd = comm_open(SOCK_STREAM,
++ prfd = pwfd = comm_open_listener(SOCK_STREAM,
+ 0, /* protocol */
+ local_addr,
+ 0, /* blocking */
+diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
+index 58f85e4..5381ab2 100644
+--- a/src/tests/stub_comm.cc
++++ b/src/tests/stub_comm.cc
+@@ -46,7 +46,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
+ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
+ int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
+ void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
+-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
+ unsigned short comm_local_port(int fd) STUB_RETVAL(0)
+ int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1)
+ void commCallCloseHandlers(int fd) STUB
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index ae833ec..617f96a 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -2,7 +2,7 @@
Name: squid
Version: 4.15
-Release: 3%{?dist}.2
+Release: 6%{?dist}
Summary: The Squid proxy caching server
Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code
@@ -22,6 +22,8 @@ Source98: perl-requires-squid.sh
# Upstream patches
# Backported patches
+Patch101: squid-4.15-ip-bind-address-no-port.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2072988
# Local patches
# Applying upstream patches first makes it less likely that local patches
@@ -94,6 +96,7 @@ lookup program (dnsserver), a program for retrieving FTP data
# Upstream patches
# Backported patches
+%patch101 -p1 -b .ip-bind-address-no-port
# Local patches
%patch201 -p1 -b .config
@@ -325,12 +328,16 @@ fi
%changelog
-* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3.2
-- Resolves: #2130258 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
+* Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
+- Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
+ flag to sockets created for outgoing connections in the squid source code.
+
+* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-5
+- Resolves: #2130260 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
authentication
-* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3.1
-- Resolves: #2100782 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
+* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-4
+- Resolves: #2100783 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
server responses
* Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3