Log message:
squid-2.5.STABLE4-http_workarounds.patch was updated.  (It seems that
some patch were added.)

Log message:
Update squid to squid-2.5.4nb7.  Add three official patches.

Various HTTP workarounds and minor corrections

synopsis	This patch works around certain broken HTTP servers
		(reportedly IIS-5) who incorrectly signals the use of
		persistent connections. It also corrects some minor
		HTTP issues to make the Squid proxy more semantically
		transparent.
severity	Minor
date		2004-01-14 18:14
bugzilla	#890
versions	Squid-2.5 and earlier
platforms	All

squid_ldap_group failure if specifying many or long group names

synopsis	If the request to squid_ldap_group (login name + all
		group names) exceed 256 characters then group lookups
		fails or behaves erratically.
severity	Minor
date		2004-01-08 19:08
versions	Squid-2.5
platforms	All
workaround	Define multiple ACLs instead of listing many groups in
		the same ACL

LDAP helpers TLS mode (-Z option) does not work

synopsis	The TLS mode of the LDAP helpers did not work and
		always reported "TLS Connection failed"
severity	Minor
date		2004-01-05 12:05
bugzilla	#887
versions	Squid-2.5
platforms	All
workaround	Use the ldaps:// URI method instead, if your LDAP
		server supports it.

Log message:
Update squid package to 2.5.4nb6.

- Remove --disable-internal-dns.  It could be still enabled by adding to
  SQUID_CONFIGURE_ARGS in /etc/mk.conf.  It found that external dnsserver
  has some problem, performance disadvantage on Solaris 8.

- Apply eight official patches.

o Incomplete objects may appear stuck in the cache

	synopsis	Under certain conditions incomplete objects
			may appear stuck in the cache, not even reload
			giving a new fresh copy.
	severity	Major
	date		2003-12-23 01:23
	bugzilla	#876
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	Compiling squid with --disable-http-violations
			completely avoids the issue.  Setting
			"half_closed_clients off" and making
			quick_abort as aggressively aborting as
			possible by "quick_abort_min 0 KB" and
			"quick_abort_max 0 KB" mostly hides the
			problem.

o assertion failed: pinger.c:187: "icmp_pktsize <= MAX_PKT_SZ"

	synopsis	In Squids built with --enable-icmp the pinger
			helper may exit with the above assertion
			failure if Squid receives a request with a
			very long host name.
	severity	Minor
	date		2003-12-23 01:23
	bugzilla	#865
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	Don't build squid with --enable-icmp.  This is
			generally recommended anyway unless you are
			absolutely sure you want to ICMP PING random
			sites all over the Internet to measure RTT
			information even if this may trigger IDS
			systems etc.

o 000 status code being logged for redirects (should be 302)

	synopsis	Redirects initiated by redirector helpers was
			logged as TCP_MISS/000 instead of the expected
			TCP_MISS/302.  This patch corrects this and should
			also correct log_mime_hdrs output for the same.
	severity	Minor
	date		2003-12-21 16:21
	bugzilla	#869
	versions	Squid-2.5 and earlier
	platforms	All

o Update of Russian error pages

	synopsis	In a current version threre is a problem.  The
			absence of "yo" letter. ("e" with 2 dots ).
			People prefer to write "E" instead "yo", that is
			not quite correct, like "How r u" intstead "How
			are you?"
	severity	Cosmetic
	date		2003-12-21 15:21
	bugzilla	#864
	versions	Squid-2.5 and earlier
	platforms	All

o Added 'urllogin' ACL type

	synopsis	This is not a fix for a Squid bug.  It is a new
			feature to workaround an MSIE6 bug that uses
			control characters to obfuscate the true origin
			server hostname.  You can use the 'urllogin' acl
			TYPE to deny HTTP requests that contain certain
			characters in the URL login field.
	severity	Medium
	date		2003-12-19 16:19
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	Patch MSIE6, if/when the patch becomes available.

o DNS resolver has too short MAXHOSTNAME

	synopsis	Squid would not process hostnames longer than 128
			characters.  This affects few hosts on the
			internet, but with the growing use of iDNA it's
			becoming an issue.
	severity	Minor
	date		2003-12-18 01:18
	bugzilla	#842
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	None.

o Squid refuses to start if "pid_filename none" is specified

	synopsis	Contrary to the documentation "pid_filename none"
			is not accepted and Squid refuses to start.
	severity	Minor
	date		2003-12-17 21:17
	bugzilla	#868
	versions	Squid-2.5 and earlier
	platforms	All

o cache_peer max-conn=.. option does not work

	synopsis	Due to the a accounting mismatch in the number of
			open connections to peers the cache_peer
			max-conn=.. option does not work.  This issue is
			also seen as very high numbers in the OPEN CONN
			peer statistics via cachemgr.
	severity	Minor
	date		2003-12-20 20:20
	bugzilla	#867
	versions	Squid-2.5 and earlier
	platforms	All

Log message:
Update squid package to squid-2.5.4nb5, including six official patches.

o Repeated POST requests causes number of persistent connections to grow

	synopsis	If responses to POST or other non-indempotent
			requests allows the connection to be kept
			persistently open then this can lead to a
			increased connection usage by Squid.  This
			patch changes the behaviour to keep the number
			of connections stable by closing a persistent
			connection before opening the new connection.

	severity	Minor
	date		2003-12-13 16:13
	bugzilla	#862
	versions	Squid-2.5
	platforms	All
	workaround	Disable server-side persistent connections by
			setting "server_persistent_connections off" in
			squid.conf.

o Segmentation fault on aborted FTP PUT requests

	synopsis	If a FTP PUT request is aborted while Squid is
			writing data to the server then Squid may
			abort with a segmentation fault.
	severity	Major
	date		2003-12-14 12:14
	bugzilla	#853
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	If this plauges you a lot then you can deny
			the use of FTP PUT until the server can be
			patched.  But please note that this will limit
			the functionality of the proxy by not allowing
			FTP uploads via the proxy.

			acl FTP protocol FTP
			acl PUT method PUT
			http_access deny FTP PUT

o Limit use of persistent connections when filedescriptor usage is high

	synopsis	Under high usage a lot of filedescriptors may
			be idle persistent connections, causing a
			shortage of filedescriptors for handling new
			requests.
	severity	Minor
	date		2003-12-14 12:14
	bugzilla	#571
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	Disable the use of persistent connections in
			squid.conf.  But pleae note that disabling
			persistent connections will cause a networking
			performance penalty unless you are actually
			short on filedescriptors.  Alternatively
			rebuild Squid with support for more
			filedescriptors.

o Icon URLs are uneededly complex

	synopsis	The URL syntax used by Squid for FTP/Gopher
			icons are uneededly complex and often causes
			problems.  This patch adds a "short_icon_urls"
			directive which can be used to enable a less
			complex URL syntax for icons.
	severity	Cosmetic
	date		2003-12-14 13:14
	bugzilla	#856
	versions	Squid-2.5 and earlier
	platforms	All

o redirector_access does not handle slow acls such as dst or external correctly

	synopsis	redirector_access was a "fast" acl lookup and
			did not handle "slow" acls requiring external
			lookups such as	dst or external correcly.
	severity	Minor
	date		2003-12-14 13:14
	bugzilla	#860
	versions	Squid-2.5 and earlier
	platforms	All

o Persistent connection usage too high after sudden burst of traffic

	synopsis	Persistent server connections are reused in a
			round-robin fashion which may cause the number
			of connections to stay artificially high after
			a sudden burst of requests.

			This patch changes persistent connection
			management to use a LIFO order reusing the
			most recently used connection first, thereby
			allowing unneeded connections to close down by
			idle timeout.
	severity	Minor
	date		2003-12-15 23:15
	bugzilla	#865
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	This usually is not a significant problem, but
			if you are plauged by this you can try
			disabling server-side persistent connections
			in squid.conf.

Log message:
- squid-2.5.STABLE4-connect_cleanup.patch was updated; one off-bye-one mistake
  was corrected.
- bump package revision.

Log message:
Update squid package to squid-2.5.4nb3.
Apply two offcial patches.

* FQDN lookups sometimes returns garbage

	synopsis	FQDN lookups sometimes give garbage after the result.
			This can be seen as junk in access.log when using
			log_fqdn or false access control results when using
			dstdomain acl type and the user requests a URL by IP
			address.
	severity	Minor
	date		2003-12-04 10:04
	bugzilla	#846, #834, #433
	versions	Squid-2.5 and earlier
	platforms	All
	workaround	Don't use log_fqdn or alternatively compile Squid with
			--disable-internal-dns

* Cleanup of connect & dns timeouts etc

	synopsis	Several minor errors related to how Squid finds a
			connection where to forward requests. This patch

			o Adds a new configuration parameter "forward_timeout"
			  to control how long Squid tries to find a method to
			  find a path where to forward the request before
			  giving up.  Defaults to 2 minutes.
			o The default connect_timeout tuned down from 2 minutes
			  to 1 minute to allow for two attempts to find a
			  suitable path within the forward_timeout
			o fqdncache/ipcache restructured to allow for DNS code
			  to allow the queried name to be logged in cache.log
			  on errors.
			o negative_dns_ttl now overloaded to also specify the
			  minimum ttl used when caching DNS responses, and
			  tuned down from 5 minutes to 1 minute.
			o default dns_timeout tuned down from 5 minutes to
			  2 minutes
			o some minor compilation warnings on
			  --disable-internal-dns corrected
			o properly report DNS timeouts as timeouts and not just
			  "No DNS records"
	severity	Minor
	date		2003-12-06 17:06
	bugzilla	#848, #849, #851, #852
	versions	Squid-2.5 and earlier
	platforms	All

Log message:
Take in 16 official patches and bump revision.

* connection setup may look like syn flood attack if server is
  refusing connection
* --enable-arp-acl may give warning about net/route.h
* Incorrect html on empty Gopher responses
* positive_dns_ttl ignored when using internal DNS client
* squid_ldap_group update to version 2.12
* 100% CPU loop if external_acl combined with authentication
* maximum_object_size too large causes squid not to cache
* Install of Mozilla/Netscape plugins fails because .xpi mime type unknown
* Segfault if failing to load error page
* Error page translation updates for German and Lithuanian
* auth_param documentation update
* pam_auth fails on Solaris when using pam_authtok_get
* FQDNcache discards negative responses when using internal DNS
* login with space confuses redirector helpers
* digest auth never detects password changes
* cache.log message on "squid -k reconfigure" confusing

Log message:
Of course, distinfo should be updated.

Log message:
Oops, I forgot to update DIST_SUBDIR.

Log message:
Update squid package to 2.5.4.  Most of changes are already in
squid 2.5.3nb4 package.

Changes to squid-2.5.STABLE4 (15 Sep 2003):
	- Lithuanian error messages added to the distribution
	- Bug #660: segfauld if more than one custom deny_info line
	- cache_dir disd documentation cleanup
	- check open of /dev/null to avoid 100% CPU loop in badly
	  configured chroot environments
	- documentation update on uri_whitespace to refer to the correct RFC
	- Bug #655: icmpRecv: recv: (11) Resource temporarily unavailable
	- Bug #683: external_acl does not wait for ident lookups to complete
	- aufs: Fix a minor use-after-free problem which could cause the
	  count of opening filedescriptors to grow larger than it should
	- Syntax changes to make GCC-3.3 accept Squid without complaints
	- Warning if CARP server defined in incorrect load factor order
	- neighbor_type_domain documentation update
	- http_header_access now works when using cache peers
	- high_memory_warning now uses sbrk as fallback mechanism on
	  platforms where neither mallinfo or mstats are available.
	- hosts_file now handles comments at the end of lines correcly
	- storeCheckCachable() Stats corrected for release_request and
	  wrong_content_length.
	- cachePeerPingsSent MIB type corrected
	- unused minimum_retry_timeout directive removed
	- Bug #702: ERR_TO_BIG spanish translation
	- Bug #705: Memory leak on deny_info TCP_RESET
	- Code cleanup to fix compile error in httpHeaderDelById
	- Bug #699: Host header now forwarded exactly where it was in the
	  original request to work around certain broken firewalls or
	  load balancers which fail if this header is too far into the
	  request headers.
	- Bug #704: Memory leak on reply_body_max_size
	- Bug #686: requests denied due to http_reply_access are now
	  logged with TCP_DENIED (instead of TCP_MISS, etc).
	- Bug #708: ie_refresh now sends no-cache to have the reload
	  request propagate properly in cache meshes
	- Bug #700: Crashes related to ftpTimeout: timeout in SENT_PASV state
	- Bug #709: cbdata.c:186: "c->valid" assertion due to peer
	  digest not found
	- Bug #710: round-robin cache_dir selection incorrectly
	  compares max-size.
	- Statistics corrections in HTTP header statitics
	- QUICKSTART cleanups
	- Bug #715: statCounter.syscalls.disk counters treated
	  inconsistently.  Now increment the counters in AUFS
	  functions and for unlinkd.
	- Improvements to the (experimental) COSS storage scheme.
	- Bug #721: User name field in access.log sometimes blank
	- Bug #94: assertion failed: http.c: "-1 == cfd ||
	  FD_SOCKET == fd_table[cfd].type"
	- Bug #716: assertion failed: client_side.c:1478: "size > 0"
	- Bug #732: aufs calculates number of threads and limits wrongly
	- Bug #663: Username not logged into access.log in case of /407
	- Bug #267: Form POSTing troubles with NTLM authentication
	  and occationally in differen other error conditions.
	- Bug #736: ICP dynamic timeout algorithm ignores multicast.
	- Bug #733: No explicit error message when ncsa_auth can't access
	  passwd file
	- Bug #267, #757: POST with NTLM stops after persistent connection
	  timeout
	- Bug #742: Wrong status code on access denials if delay_access
	  is used. Most notably 407 instead of 403 could be returned.
	- Bug #763: segfault if using ntlm in http_reply_access
	- Bug #638: assertion error if using proxy_auth in delay_access
	- Bug #756: segmentation fault if using ntlm proxy_auth in delay_access
	- The issue of reply_body_max_size limiting the size of error
	  messages no longer applies.
	- external_acl_type concurrency= option renamed to children= to
	  prepare for Squid-3 upgrades. Old syntax still accepted for the
	  duration of the Squid-2.5 release.
	- number of filedescriptors rounded down to an even multiple of 64
	  to work around issues in certain libc implementations.
	- winbind helpers less noisy in cache.log on restarts/shutdown.
	- Squid now automatically restarts helpers if too many of them
	  have crashed.