Log message:
Changes 3.5.11:
* Add Locker friend class to SBuf for protection against memory issues
* Connection stats, including %<lp, missing for persistent connections
* Fix incorrect authentication headers on cache digest requests
* Bug 4281: copy-paste typos in src/tools.cc
* Bug 4188: Bumping intercepted SSL connections does not work on Solaris
* Avoid errors when parsing manager ACL in old squid.conf
* Bug 4279: No response from proxy for FTP-download of non-existing file
* Bug 3574: crashes on reconfigure and startup
* Bug 4347: compile errors with LibreSSL 2.3

Log message:
Add SHA512 digests for distfiles for www category

Problems found locating distfiles:
	Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz
	Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz
	Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz
	Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz
	Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz
	Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz
	Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz
	Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.

Log message:
Check current file descriptor limit and raise if required rather than
blindly setting to 4096 (which may in fact be lower than current limit).
Bump PKGREVISION

Log message:
Changes 3.5.10:
* Align behavior of MEMPROXY_CLASS's operator delete with ::delete on nullptr
* Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size
* Fix cache_peer login=PASS(THRU) after CVE-2015-5400
* Bug 4304: PeerConnector.cc:743 "!callback" assertion.
* Relicense SSPI helper to GPLv2+
* Bug 4208: more than one port in wccp2_service_info line causes error
* Relicense smb_lm auth helper to GPLv2+
* Relicense ntlm_fake_auth.pl to GPLv2+
* SMP: register worker listening ports one by one
* Bug 4328: %un format code does not work for external ACLs in \ 
credentials-fetching rules
* Bug 4323: Netfilter broken cross-includes with Linux 4.2
* Cleanup: Migrate StoreEntry to using MEMPROXY_CLASS
* Remove custom pool chunk size for StoreEntry
* Implement default constructor for hash_link
* Bug 4326: base64 binary encoder rejects data beginning with nil byte

Log message:
Quick fix for build problem with IP Filter 4.1.34 (NetBSD 6.1
and may be older).  Tested on NetBSD 6_STABLE and 7,0_RC3.

Log message:
Update squid3 to 3.5.9, it is security fix release.

* SQUID-2015:3 Multiple Remote Denial of service issues in SSL/TLS
  processing

These problems allow any trusted client or external server to
perform a denial of service attack on the Squid service and all
other services on the same machine.

However, the bugs are exploitable only if you have configured a
Squid-3.5 listening port with ssl-bump.

The visible signs of these bugs are a Squid crash or high CPU usage.
Skype is known to trigger the crash and/or a small amount of extra CPU
use unintentionally. Malicious traffic is possible which could have
severe effects.

* Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords

The SMB LanMan authentication helper in Squid-3.2 and later has been
rejecting valid user credentials.

Reminder: Use of this helper is deprecated. We strongly recommend
against using it. LanMan authentication gives the illusion of
transmitting NTLM protocol while actually transmitting username and
password with crypto algorithms that can be decoded in real-time (this
helper relies on that ability). The combination makes it overall less
secure than even HTTP Basic authentication.

* TLS: Support SNI on generated CONNECT after peek

When Squid generates CONNECT requests it will now attempt to use the
client SNI value if any is known.

Note that SNI is found during an ssl_bump peek action, so will only be
available on some generated CONNECT. Intercepted traffic will always
begin with a raw-IP CONNECT message which must pass access controls and
adaptations before ssl_bump peek is even considered.

* Quieten UFS cache maintenance skipped warnings

This resolves the log noise encountered since the 3.5.8 release when
large caches are running a full (aka. 'DIRTY') cache_dir rebuild scan.

Log message:
Changes 3.5.8:
Fix FreeBSD Clang-3.5 build error
Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
Bug 3553: cache_swap_high ignored and maxCapacity used instead
Fix memory leak in Surrogate-Capability header detection
When a RESPMOD service aborts, mark the body it produced as truncated.
Cleanup: fix assertion in Store unit tests
Bug 3696: crash when client delay pools are activated
Bug 4278: Docs: typo in the refresh_pattern freshness algorithm
Bug 4306: build portability fix in Kerberos helpers
Docs: auto-build release notes for snapshots
FtpServer.cc:1024: "reply != NULL" assertion
Work around clang-3.6 complaining of unknown attributes in libxml2
Ignore impossible SSL bumping actions, as intended and documented.
Bug 4242: compile errors with eCAP using clang-3.6
Docs: fix typo in miss_access
Bug 4285 partial: %us is not supported in access.log
Bug 4302: IPFilter v5 transparent interception
Docs: update intercept/tproxy related text
Bug 4301: compile errors with IPFilter interception
Polish: add debug section,level to cache.log
Reject non-chunked HTTP messages with conflicting Content-Length values
Boilerplate: update ignored files
Boilerplate: add Foundation details to rfcnb and smblib documentation files
Cleanup: de-duplicate fake-CONNECT code
Use automake subdir-objects feature

Log message:
Bump for IPFilter fix

Log message:
Fix transparent proxying with IPFilter v5.
Also fix ipf configure test, and remove superfluous debug patch.

Log message:
Changes 3.5.7:
* Bug 4293: wrong SNI sent to server after URL-rewrite
* Add ENABLE_POD2MAN_DOC automake conditional for pod2man builds
* basic_smb_auth: rejecting valid credentials
* basic_smb_auth: doesn't handle passwords with backslashes
* basic_smb_auth: nmblookup fails when smb.conf contaisn WINS servers
* Docs: fix man(8) page syntax for lexgrof tool
* Make pod2man an optional dependency
* Handle exceptions during squid.conf parse
* When SBuf chop()s away everything, always clear the buffer.
* Cleanup: avoid mentioning compiler directives in configure output
* Bug 4251: incorrect instance name for memory segments in /dev/shm
* Bug 3345: Support %un (any available user name) format code for external ACLs.
* AUFS: Raise I/O queue congestion limits
* Improve handling of client connections on shutdown
* Avoid SSL certificate db corruption with empty index.txt as a symptom.
* Errors served using invalid certificates when dealing with SSL server errors.
* IPv6: improve BCP 177 compliance
* Polish debugs on NAT failure
* Fix crash in TcpAccepter with profiler enabled
* Splice to origin cache_peer.
* Bug 4227: invalid key in AuthUserHashPointer causing assertation failure