Next | Query returned 110 messages, browsing 31 to 40 | Previous

CVS Commit History:


   2016-05-09 01:29:19 by Takahiro Kambe | Files touched by this commit (3)
Log message:
Update squid3 to 3.5.19, 3.5.18 contains security fix.

Changes to squid-3.5.19 (09 May 2016):

	- Regression Bug 4515: interception proxy hangs

Changes to squid-3.5.18 (06 May 2016):

	- Bug 4510: stale comment about 32KB limit on shared memory cache entries
	- Bug 4509: EUI compile error on NetBSD
	- Bug 4501: HTTP/1.1: normalize Host header
	- Bug 4498: URL-unescape the login-info after extraction from URI
	- Bug 4455: SegFault from ESIInclude::Start
	- Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
	- Fix TLS/SSL server handshake alert handling
   2016-04-26 12:36:48 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
Fix build on NetBSD >=7.99.27 due to route(4) change (deprecation of
RTF_LLINFO). Courtesy of leot.
   2016-04-22 17:14:22 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
Changes 3.5.17:
* nullptr is a C++11 feature
* Fix several ESI element construction issues
* SourceFormat Enforcement
* cachemgr.cgi: use dynamic MemBuf for internal content generation
* Add chained certificates and signing certificate to peek-then-bumped connections.
* Handshake Error: ccs received early: fix typo
* Avoid startup/shutdown crashes [by avoiding static non-POD globals].
* Bugs fixed.
   2016-04-02 11:07:40 by Takahiro Kambe | Files touched by this commit (2)
Log message:
Update squid3 package to 3.5.16, fixing several security problems.
Please refer to the release notes for other changes:
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html

* SQUID-2016:4 - Denial of Service issue in HTTP Response processing

    http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
    aka. CVE-2016-3948

This is another of the bugs left unfixed by the SQUID-2016:2 patches.
The visible symptom is assertions about:
 "String.cc:*: 'len_ + len <65536'"

There is an attack in the wild for this one, but not as widely as for
the previous issues.

* SQUID-2016:3 - Buffer overrun issue in pinger ICMPv6 processing.

    http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
    aka. CVE-2016-3947

This bug shows up as pinger crashing with Icmp6::Recv errors. This may
affect Squid HTTP routing decisions. In some configurations, sub-optimal
routing decisions may result in serious service degradation or even
transaction failures.

All previous Squid-3 releases are affected by both these issues. See the
advisory for further details. Upgrade or patching should be considered a
high priority.

* pinger: drop capabilities on Linux

On Linux, it is now possible to install pinger helper with only
CAP_NET_RAW permissions raised instead of full setuid-root:

  (setcap cap_net_raw+ep /path/to/pinger &&
   chmod u-s /path/to/pinger) || :

Other operating systems without libcap capabilities features are not
affected by this change.

* Bug #4447: FwdState.cc:447 "serverConnection() == conn" assertion

This rather crippling bug appears after the CVE-2016-2569 patch. It
turned out to be a race condition closing connections and has now been
fully fixed.
   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813)
Log message:
Bump PKGREVISION for security/openssl ABI bump.
   2016-02-26 11:57:47 by Jonathan Perkin | Files touched by this commit (21)
Log message:
Use OPSYSVARS.
   2016-02-24 07:38:57 by Takahiro Kambe | Files touched by this commit (2)
Log message:
Update squid3 package to 3.5.15, security release.

* SQUID-2016:2 - Multiple Denial of Service issues in HTTP Response
  processing

    http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

Changes to squid-3.5.15 (23 Feb 2016):

	- Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
	- Fix multiple assertion on String overflows
	- Fix unit test errors on MacOS
	- Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
	- Log noise reduction for eCAP
   2016-02-16 07:50:06 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
Update squid3 to 3.5.14 (Squid 3.5.14), security release.

Changes to squid-3.5.14 (16 Feb 2016):

	- Bug 4437: Fix Segfault on Certain SSL Handshake Errors
	- Bug 4431: C code is not compiled with CFLAGS
	- Bug 4418: FlexibleArray compile error with GCC 6
	- Bug 4378: assertion failed: DestinationIp.cc:60:
		'checklist->conn() && checklist->conn()->clientConnection != NULL'
	- Fix invalid FTP connection handling on blocked content
	- Fix handling of shared memory left over by Squid crashes or bugs
	- Fix mgr:config report 'qos_flows mark' output
	- Fix compile error in CPU affinity
	- Fix %un logging external ACL username
	- Avoid more certificate validation memory leaks
	- ... and some documentation updates
   2016-01-11 10:24:32 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
Changes 3.5.13:
* Ssl::CertValidationHelper::sslSubmit: Assure that the callback->getDialer()
* Fix build error with ICC
* Fix GnuTLS detection via pkg-config
* Reflect the [ugly] reality in external_acl_type cache=n documentation.
* Avoid memory leaks when a certificate validator is used with SslBump
* Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
* Fix clang build error after rev.13961
* Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath
* Fix startup crash with a misconfigured (too-small) shared memory cache
* Fix connection retry and fallback after failed server TLS connections
* Complete certificate chains using external intermediate certificates
* Bug 4387: Kerberos build errors on Solaris
   2015-12-02 11:44:49 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
Changes 3.5.12:
* Add missing stub definition for CPU_ISSET
* Fix build errors in cpuafinity.cc
* Bug 4228: links with krb5 libs despite --without options
* Fix delay_parameters documentation
* Stop using dangling pointers for eCAP-set custom HTTP reason phrases.
* Fix status code-based HTTP reason phrase for eCAP-generated messages.
* Revert r13921: Migrate StoreEntry to using MEMPROXY_CLASS
* Fix cache_peer forceddomain= in CONNECT
* TLS: Handshake Problem during Renegotiation
* Docs: Updated stale Ssl text to make the comment match the code again.
* Fix SSL_get_certificate() problem detection
* Polished cache_peer_access and related documentation.
* Bug 4374: refresh_pattern config parser (%)
* Bug 4373: assertion failed: client_side_request.cc:1709: 'calloutContext->redirect_state == REDIRECT_NONE'
* Make FATAL messages have a consistent prefix
