--- /dev/null
+------------------------------------------------------------
+revno: 14149
+revision-id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
+parent: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4508
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Fri 2017-03-31 01:31:22 +1200
+message:
+ Bug 4508: Host forgery stalls intercepted being-spliced connections.
+
+ Most SslBump splicing happens after getting SNI. SNI goes into the
+ second fake CONNECT request, where it may fail the host forgery check.
+ A failed check triggers an HTTP error response from Squid. When
+ attempting to send that response to the TLS client, Squid checks whether
+ all previously pipelined HTTP requests on the connection have finished.
+
+ Prior to this fix, Squid left the first fake CONNECT request in the
+ connection pipeline despite adding the second fake CONNECT. That first
+ CONNECT stalled the error response described above, with Squid waiting,
+ in vain, for that already handled [fake] transaction to finish.
+
+ Also call quitAfterError() to force Squid to close the connection (after
+ writing the discussed error response) instead of just logging a
+ [misleading] "kick abandoning [connection]" message in cache.log.
+
+ TODO: Always pop the first CONNECT when generating a second one.
+ Unifying CONNECT treatment is difficult because code like tunnel.cc
+ wants that CONNECT to be in the pipeline. Polishing that would probably
+ require disassociating ConnStateData from tunnel.cc (at least).
+
+ TODO: Apply the existing "delayed error" logic (that optionally bumps
+ TLS connections to deliver [some] errors to [some] SSL/TLS clients) to
+ host forgery errors. Otherwise, the plain HTTP error message cannot be
+ understood by the intercepted TLS client.
+
+ This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: db616fff2ac0df73cf41d380f07a96b773cf2be5
+# timestamp: 2017-03-30 13:51:17 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226110942-\
+# 90rcwhx3fwa2l7is
+#
+# Begin patch
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc 2017-01-27 13:38:24 +0000
++++ src/client_side.cc 2017-03-30 13:31:22 +0000
+@@ -4376,7 +4376,12 @@
+ fd_table[connState->clientConnection->fd].read_method = &default_read_method;
+ fd_table[connState->clientConnection->fd].write_method = &default_write_method;
+
++ ClientSocketContext::Pointer context = connState->getCurrentContext();
++ Must(context != NULL);
+ if (connState->transparent()) {
++ // If we are going to fake the second CONNECT, clear the first one.
++ context->connIsFinished();
++
+ // fake a CONNECT request to force connState to tunnel
+ // XXX: copy from MemBuf reallocates, not a regression since old code did too
+ SBuf temp;
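Review bot: The new `Must(context != NULL)` and `context->connIsFinished()` lines carry no in-code rationale; the reason the first fake CONNECT must be retired before faking the second one lives only in the commit message, and "clear the first one" does not convey that. I would extend the comment on the `connIsFinished()` line to `// Retire the first fake CONNECT before faking the second one; otherwise replies to the second (e.g. host forgery errors) wait forever on the already-handled first (bug 4508).`. Within the visible lines `context` is only used inside the `transparent()` branch, so unless the else branch (outside this hunk) also needs it, the `Must` could move inside the `if` to avoid aborting the non-transparent path on a missing context; I cannot confirm that from here. The enclosing function begins and ends outside the hunk.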
+
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc 2017-02-25 05:50:14 +0000
++++ src/client_side_request.cc 2017-03-30 13:31:22 +0000
+@@ -561,6 +561,7 @@
+ debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request));
+
+ // IP address validation for Host: failed. reject the connection.
++ http->getConn()->quitAfterError(http->request);
+ clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
+ clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
+ assert (repContext);
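Review bot: The added `http->getConn()->quitAfterError(http->request);` has no comment explaining why the connection must now be closed after the forgery error, so a later reader may see it as an unrelated behaviour change and drop it. I would annotate it with `// Close the connection once the error reply is written; keeping it open only produced a misleading "kick abandoning" log entry and stalled intercepted being-spliced connections (bug 4508).`. The call dereferences `getConn()` unguarded, which the earlier debugs line in this function appears to do as well, so this hunk presumably introduces no new null-dereference; worth confirming against the lines above the hunk. The enclosing function begins and ends outside the hunk.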
+
--- /dev/null
+------------------------------------------------------------
+revno: 14153
+revision-id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx
+parent: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4688
+author: Lubos Uhliarik <luhliari@redhat.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sat 2017-04-01 12:47:47 +1300
+message:
+ Bug 4688: various typo error(s) in man page(s)
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a05d98a4e328e39f2a490cfeff72ad8735cc6b6e
+# timestamp: 2017-03-31 23:48:51 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170331233921-\
+# efxhs8vy025fvrnl
+#
+# Begin patch
+=== modified file 'compat/compat.h'
+--- compat/compat.h 2017-01-01 00:16:45 +0000
++++ compat/compat.h 2017-03-31 23:47:47 +0000
+@@ -11,7 +11,7 @@
+
+ /*
+ * From discussions it was chosen to push compat code as far down as possible.
+- * That means we can have a seperate compat for most
++ * That means we can have a separate compat for most
+ * compatability and portability hacks and resolutions.
+ *
+ * This file is meant to collate all those hacks files together and
+
+=== modified file 'helpers/basic_auth/DB/basic_db_auth.pl.in'
+--- helpers/basic_auth/DB/basic_db_auth.pl.in 2017-01-01 00:16:45 +0000
++++ helpers/basic_auth/DB/basic_db_auth.pl.in 2017-03-31 23:47:47 +0000
+@@ -14,7 +14,7 @@
+
+ basic_db_auth [options]
+
+-=head1 DESCRIPTOIN
++=head1 DESCRIPTION
+
+ This program verifies username & password to a database
+
+@@ -97,7 +97,7 @@
+ Copyright (C) 2007 Henrik Nordstrom <henrik@henriknordstrom.net>
+ Copyright (C) 2010 Luis Daniel Lucio Quiroz <dlucio@okay.com.mx> (Joomla support)
+ This program is free software. You may redistribute copies of it under the
+-terms of the GNU General Public License version 2, or (at youropinion) any
++terms of the GNU General Public License version 2, or (at your opinion) any
+ later version.
+
+ =head1 QUESTIONS
+
+=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8'
+--- helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-01-01 00:16:45 +0000
++++ helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-03-31 23:47:47 +0000
+@@ -98,7 +98,7 @@
+ .B Note:
+ This can only be done if all your users are located directly under
+ the same position in the LDAP tree and the login name is used for naming
+-each user object. If your LDAP tree does not match these criterias or if
++each user object. If your LDAP tree does not match these criteria or if
+ you want to filter who are valid users then you need to use a search filter
+ to search for your users DN (
+ .B \-f
+@@ -186,15 +186,15 @@
+ .B never
+ dereference aliases (default),
+ .B always
+-dereference aliases, only while
+-.B search ing
++dereference aliases, only during a
++.B search
+ or only to
+ .B find
+ the base object.
+ .
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .B "\-H ldap_uri
+-Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
++Specify the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
+ Servers can also be specified last on the command line.
+ .
+ .if !'po4a'hide' .TP
+
+=== modified file 'helpers/digest_auth/LDAP/digest_pw_auth.cc'
+--- helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/LDAP/digest_pw_auth.cc 2017-03-31 23:47:47 +0000
+@@ -30,7 +30,7 @@
+ * the file format. However storing such a triple does little to
+ * improve security: If compromised the username:realm:HA1 combination
+ * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+ * by digest - just preventing on the wire compromise.
+ *
+ * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
+
+=== modified file 'helpers/digest_auth/eDirectory/digest_pw_auth.cc'
+--- helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/eDirectory/digest_pw_auth.cc 2017-03-31 23:47:47 +0000
+@@ -30,7 +30,7 @@
+ * the file format. However storing such a triple does little to
+ * improve security: If compromised the username:realm:HA1 combination
+ * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+ * by digest - just preventing on the wire compromise.
+ *
+ * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
+
+=== modified file 'helpers/digest_auth/file/digest_file_auth.8'
+--- helpers/digest_auth/file/digest_file_auth.8 2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/file/digest_file_auth.8 2017-03-31 23:47:47 +0000
+@@ -15,7 +15,7 @@
+ is an installed binary authentication program for Squid. It handles digest
+ authentication protocol and authenticates against a text file backend.
+ .
+-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
++This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
+ It may be used with any value 0 or above for the auth_param children concurrency= parameter.
+ .
+ .SH OPTIONS
+@@ -54,7 +54,7 @@
+ improve security: If compromised the
+ .B username:realm:HA1
+ combination is "plaintext equivalent" - for the purposes of digest authentication
+-they allow the user access. Password syncronisation is not tackled
++they allow the user access. Password synchronization is not tackled
+ by digest - just preventing on the wire compromise.
+ .
+ .SH AUTHOR
+
+=== modified file 'helpers/digest_auth/file/digest_file_auth.cc'
+--- helpers/digest_auth/file/digest_file_auth.cc 2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/file/digest_file_auth.cc 2017-03-31 23:47:47 +0000
+@@ -33,7 +33,7 @@
+ * the file format. However storing such a triple does little to
+ * improve security: If compromised the username:realm:HA1 combination
+ * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+ * by digest - just preventing on the wire compromise.
+ *
+ * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
+
+=== modified file 'helpers/digest_auth/file/text_backend.cc'
+--- helpers/digest_auth/file/text_backend.cc 2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/file/text_backend.cc 2017-03-31 23:47:47 +0000
+@@ -29,7 +29,7 @@
+ * the file format. However storing such a triple does little to
+ * improve security: If compromised the username:realm:HA1 combination
+ * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+ * by digest - just preventing on the wire compromise.
+ *
+ * Copyright (c) 2003 Robert Collins <robertc@squid-cache.org>
+
+=== modified file 'helpers/external_acl/LDAP_group/ext_ldap_group_acl.8'
+--- helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-01-01 00:16:45 +0000
++++ helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 2017-03-31 23:47:47 +0000
+@@ -52,8 +52,8 @@
+ .BI never
+ dereference aliases (default),
+ .BI always
+-dereference aliases, only while
+-.BR search ing
++dereference aliases, only during a
++.BR search
+ or only to
+ .B find
+ the base object
+@@ -143,7 +143,7 @@
+ .
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .BI \-H " ldapuri"
+-Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
++Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
+ .
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .BI \-K
+
+=== modified file 'helpers/external_acl/kerberos_ldap_group/README'
+--- helpers/external_acl/kerberos_ldap_group/README 2010-08-13 10:17:20 +0000
++++ helpers/external_acl/kerberos_ldap_group/README 2017-03-31 23:47:47 +0000
+@@ -65,7 +65,7 @@
+ export KRB5_KTNAME
+
+ If you use a different Kerberos domain than the machine itself is in you can point squid to
+-the seperate Kerberos config file by setting the following environmnet variable in the startup
++the separate Kerberos config file by setting the following environment variable in the startup
+ script.
+
+ KRB5_CONFIG=/etc/krb5-squid.conf
+
+=== modified file 'helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8'
+--- helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2015-03-21 06:32:34 +0000
++++ helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-03-31 23:47:47 +0000
+@@ -163,7 +163,7 @@
+ .if !'po4a'hide' .ft
+ .
+ If you use a different Kerberos domain than the machine itself is in you can point squid to
+-the seperate Kerberos config file by setting the following environmnet variable in the startup
++the separate Kerberos config file by setting the following environment variable in the startup
+ script.
+ .if !'po4a'hide' .P
+ .if !'po4a'hide' .ft CR
+
+=== modified file 'helpers/external_acl/session/ext_session_acl.8'
+--- helpers/external_acl/session/ext_session_acl.8 2017-01-01 00:16:45 +0000
++++ helpers/external_acl/session/ext_session_acl.8 2017-03-31 23:47:47 +0000
+@@ -21,7 +21,7 @@
+ ) or a fixed period of time (
+ .B \-T
+ ). The former is suitable for displaying terms and conditions to a user; the
+-latter is suitable for the display of advertisments or other notices (both as a
++latter is suitable for the display of advertisements or other notices (both as a
+ splash page \- see config examples in the wiki online). The session helper can also be used
+ to force users to re\-authenticate if the
+ .B %LOGIN
+@@ -55,7 +55,7 @@
+ environment is created within the directory. The advantage of the latter
+ is better database support between multiple instances of the session
+ helper. Using multiple instances of the session helper with a single
+-database file will cause synchronisation problems between processes.
++database file will cause synchronization problems between processes.
+ If this option is not specified the session details will be kept in
+ memory only and all sessions will reset each time Squid restarts its
+ helpers (Squid restart or rotation of logs).
+
+=== modified file 'helpers/log_daemon/DB/log_db_daemon.pl.in'
+--- helpers/log_daemon/DB/log_db_daemon.pl.in 2017-01-01 00:16:45 +0000
++++ helpers/log_daemon/DB/log_db_daemon.pl.in 2017-03-31 23:47:47 +0000
+@@ -18,7 +18,7 @@
+
+ log_db_daemon DSN [options]
+
+-=head1 DESCRIPTOIN
++=head1 DESCRIPTION
+
+ This program writes Squid access.log entries to a database.
+ Presently only accepts the B<squid> native format
+@@ -373,7 +373,7 @@
+ WHERE squid_request_status LIKE '%MISS%')
+ /
+ (SELECT COUNT(*) FROM access_log)*100
+- AS pecentage;
++ AS percentage;
+
+ =item Response time ranges
+
+@@ -433,7 +433,7 @@
+
+ This script currently implements only the C<L> (i.e. "append a line to the log") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem.
+
+-One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to caluclate those values.
++One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to calculate those values.
+
+ Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands.
+
+
+=== modified file 'helpers/negotiate_auth/kerberos/README'
+--- helpers/negotiate_auth/kerberos/README 2008-10-03 02:25:50 +0000
++++ helpers/negotiate_auth/kerberos/README 2017-03-31 23:47:47 +0000
+@@ -53,7 +53,7 @@
+ export KRB5_KTNAME
+
+ If you use a different Kerberos domain than the machine itself is in you can point squid to
+-the seperate Kerberos config file by setting the following environmnet variable in the startup
++the separate Kerberos config file by setting the following environment variable in the startup
+ script.
+
+ KRB5_CONFIG=/etc/krb-squid5.conf
+
+=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8'
+--- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2014-12-20 17:10:25 +0000
++++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 2017-03-31 23:47:47 +0000
+@@ -69,7 +69,7 @@
+ export KRB5_KTNAME
+
+ If you use a different Kerberos domain than the machine itself is in you can point squid to
+-the seperate Kerberos config file by setting the following environmnet variable in the startup
++the separate Kerberos config file by setting the following environment variable in the startup
+ script.
+
+ KRB5_CONFIG=/etc/krb5\-squid.conf
+
+=== modified file 'helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in'
+--- helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-01-01 00:16:45 +0000
++++ helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in 2017-03-31 23:47:47 +0000
+@@ -29,7 +29,7 @@
+ Rewrite rules are matched in the same order as they appear in the rules file.
+ So for best performance, sort it in order of frequency of occurrence.
+
+-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
++This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
+ It may be used with any value 0 or above for the store_id_children concurrency= parameter.
+
+ =head1 OPTIONS
+
+=== modified file 'src/StoreFileSystem.h'
+--- src/StoreFileSystem.h 2017-01-01 00:16:45 +0000
++++ src/StoreFileSystem.h 2017-03-31 23:47:47 +0000
+@@ -47,7 +47,7 @@
+ \par
+ * configure will take a list of storage types through the
+ * --enable-store-io parameter. This parameter takes a list of
+- * space seperated storage types. For example,
++ * space separated storage types. For example,
+ * --enable-store-io="ufs aufs" .
+ *
+ \par
+
+=== modified file 'src/ipcache.cc'
+--- src/ipcache.cc 2017-01-01 00:16:45 +0000
++++ src/ipcache.cc 2017-03-31 23:47:47 +0000
+@@ -50,7 +50,7 @@
+ \defgroup IPCacheInternal IP Cache Internals
+ \ingroup IPCacheAPI
+ \todo when IP cache is provided as a class. These sub-groups will be obsolete
+- * for now they are used to seperate the public and private functions.
++ * for now they are used to separate the public and private functions.
+ * with the private ones all being in IPCachInternal and public in IPCacheAPI
+ *
+ \section InternalOperation Internal Operation
+
+=== modified file 'src/ssl/ssl_crtd.8'
+--- src/ssl/ssl_crtd.8 2017-01-01 00:16:45 +0000
++++ src/ssl/ssl_crtd.8 2017-03-31 23:47:47 +0000
+@@ -33,7 +33,7 @@
+ Because the generation and signing of SSL certificates takes time
+ Squid must use external process to handle the work.
+ .
+-This process generates new SSL certificates and uses a disk cache of certificatess
++This process generates new SSL certificates and uses a disk cache of certificates
+ to improve response times on repeated requests.
+ Communication occurs via TCP sockets bound to the loopback interface.
+ .
+@@ -122,7 +122,7 @@
+ .
+ .PP
+ For simple configuration the helper defaults can be used.
+-Only HTTP listening port options are required to enable generation and set the signign CA certificate.
++Only HTTP listening port options are required to enable generation and set the signing CA certificate.
+ For Example:
+ .if !'po4a'hide' .RS
+ .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem
+