From 72ca3a8613fee7be00042f76c263eec544d847225049a80d842aacb596c08c35 Mon Sep 17 00:00:00 2001
From: Christian Wittmer <chris@computersalat.de>
Date: Tue, 21 Jan 2014 23:20:48 +0000
Subject: [PATCH] Accepting request 214646 from server:proxy:Test

update to 3.4.2

OBS-URL: https://build.opensuse.org/request/show/214646
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=49
---
 RELEASENOTES.html                          | 534 +++++++++++++--------
 rpmlintrc                                  |   1 +
 squid-3.3.11.tar.bz2                       |   3 -
 squid-3.3.11.tar.bz2.asc                   |  20 -
 squid-3.4.2.tar.bz2                        |   3 +
 squid-3.4.2.tar.bz2.asc                    |  20 +
 squid-compiled_without_RPM_OPT_FLAGS.patch |   4 +-
 squid-config.patch                         |   8 +-
 squid-fix-pod2man-check.patch              |  24 -
 squid.changes                              |  85 ++++
 squid.spec                                 |  38 +-
 11 files changed, 473 insertions(+), 267 deletions(-)
 delete mode 100644 squid-3.3.11.tar.bz2
 delete mode 100644 squid-3.3.11.tar.bz2.asc
 create mode 100644 squid-3.4.2.tar.bz2
 create mode 100644 squid-3.4.2.tar.bz2.asc
 delete mode 100644 squid-fix-pod2man-check.patch

diff --git a/RELEASENOTES.html b/RELEASENOTES.html
index 61e03c9..c5b35ab 100644
--- a/RELEASENOTES.html
+++ b/RELEASENOTES.html
@@ -2,14 +2,14 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 3.3.11 release notes</TITLE>
+ <TITLE>Squid 3.4.2 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.3.11 release notes</H1>
+<H1>Squid 3.4.2 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
-<EM>This document contains the release notes for version 3.3 of Squid.
+<EM>This document contains the release notes for version 3.4 of Squid.
 Squid is a WWW Cache application developed by the National Laboratory
 for Applied Network Research and members of the Web Caching community.</EM>
 <HR>
@@ -18,20 +18,21 @@ for Applied Network Research and members of the Web Caching community.</EM>
 
 <UL>
 <LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
-<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.3</A>
+<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.4</A>
 </UL>
 <P>
-<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.2</A></H2>
+<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.3</A></H2>
 
 <UL>
-<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">SQL Database logging helper</A>
-<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Time-Quota session helper</A>
-<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL-Bump Server First</A>
-<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Server Certificate Mimic</A>
-<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Custom HTTP request headers</A>
+<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Helper protocol extensions</A>
+<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">SSL Server Certificate Validator</A>
+<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Store-ID</A>
+<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
+<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Transaction Annotations</A>
+<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Multicast DNS</A>
 </UL>
 <P>
-<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.2</A></H2>
+<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.3</A></H2>
 
 <UL>
 <LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
@@ -39,7 +40,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
 <LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
 </UL>
 <P>
-<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.2</A></H2>
+<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.3</A></H2>
 
 <UL>
 <LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
@@ -56,14 +57,11 @@ for Applied Network Research and members of the Web Caching community.</EM>
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-3.3.11.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.4.2 for testing.</P>
 <P>This new release is available for download from 
-<A HREF="http://www.squid-cache.org/Versions/v3/3.3/">http://www.squid-cache.org/Versions/v3/3.3/</A> or the 
+<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
 <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
-
-<P>A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around.
-While this release is not fully bug-free we believe it is ready for use in production on many systems.</P>
-
+<P>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.</P>
 <P>We welcome feedback and bug reports. If you find a bug, please see 
 <A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
 for how to submit a report with a stack trace.</P>
@@ -72,162 +70,210 @@ for how to submit a report with a stack trace.</P>
 </H2>
 
 <P>Although this release is deemed good enough for use in many setups, please note the existence of 
-<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.3">open bugs against Squid-3.3</A>.</P>
+<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.4">open bugs against Squid-3.4</A>.</P>
 
-
-<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.3</A>
+<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.4</A>
 </H2>
 
-<P>The 3.3 change history can be 
-<A HREF="http://www.squid-cache.org/Versions/v3/3.3/changesets/">viewed here</A>.</P>
+<P>The 3.4 change history can be 
+<A HREF="http://www.squid-cache.org/Versions/v3/3.4/changesets/">viewed here</A>.</P>
 
-<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.2</A></H2>
 
-<P>Squid 3.3 represents a new feature release above 3.2.</P>
+<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.3</A></H2>
+
+<P>Squid 3.4 represents a new feature release above 3.3.</P>
 
 <P>The most important of these new features are:
 <UL>
-<LI>SQL Database logging helper</LI>
-<LI>Time-Quota session helper</LI>
-<LI>SSL-Bump Server First</LI>
-<LI>Server Certificate Mimic</LI>
-<LI>Custom HTTP request headers</LI>
+<LI>Helper protocol extensions</LI>
+<LI>SSL Server Certificate Validator</LI>
+<LI>Store-ID</LI>
+<LI>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</LI>
+<LI>Transaction Annotations</LI>
+<LI>Multicast DNS</LI>
 </UL>
 </P>
 <P>Most user-facing changes are reflected in squid.conf (see below).</P>
 
-<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">SQL Database logging helper</A>
-</H2>
 
-<P><EM>log_db_daemon</EM> - Database logging daemon for Squid</P>
-
-<P>This program writes Squid access.log entries to an SQL database.
-Written in Perl it can utilize any database supported by the Perl
-database abstraction layer.</P>
-
-<P>NOTE: Presently it only accepts the Squid native log format.</P>
-
-
-<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Time-Quota session helper</A>
-</H2>
-
-<P><EM>ext_time_quota_acl</EM> - Time quota external ACL helper.</P>
-
-<P>Allows an administrator to define time budgets (quota) for the
-users of Squid to limit the time using Squid.</P>
-
-<P>This is useful for corporate lunch time allocations, wifi portal
-pay-per-minute installations or for parental control of children.</P>
-
-<P>The administrator can define a time budget (e.g. 1 hour per day)
-which is enforced through this helper using session estimations
-of their browsing time. A 'pause' threshold is given in seconds
-and defines the period between two requests to be treated as part
-of the same session. Pauses shorter than this value will be
-counted against the quota, longer ones ignored.</P>
-
-
-<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL-Bump Server First</A>
+<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Helper protocol extensions</A>
 </H2>
 
 <P>Details at 
-<A HREF="http://wiki.squid-cache.org/Features/BumpSslServerFirst">http://wiki.squid-cache.org/Features/BumpSslServerFirst</A>.</P>
+<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
 
-<P>When an intercepted connection is received, Squid first connects
-to the server using SSL and receives the server certificate.
-Squid then uses the host name inside the true server certificate
-to generate a fake one and impersonates the server while still
-using the already established secure connection to the server.</P>
+<P>The Squid helper protocol used to communicate with authenticators,
+URL-rewriters, Redirectors, and External ACL helpers has been updated
+and extended.</P>
 
-<P>Bumping server first is essentially required for handling
-intercepted HTTPS connections but the same scheme should be used
-for most HTTP CONNECT requests because it offers a few advantages
-compared to the old bump-client-first approach:</P>
+<P><EM>BH</EM> status code is now accepted from all helpers to report
+internal error events separate from <EM>ERR</EM> rejection code.
+Permitting Squid to perform recovery operations specific to
+helper failure instead of a blanket client rejection.</P>
+
+<P>Arbitrary key-value pairs can be returned from any helper.
+Allowing future helpers to be forward- and backward- compatible
+with this and future versions of Squid.</P>
+
+
+<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">SSL Server Certificate Validator</A>
+</H2>
+
+<P>Details at 
+<A HREF="http://wiki.squid-cache.org/Features/SslServerCertValidator">http://wiki.squid-cache.org/Features/SslServerCertValidator</A>.</P>
+
+<P>The helper consulted after the internal OpenSSL validation, regardless of the
+validation results. The helper will receive:</P>
 <P>
 <UL>
-<LI>When Squid knows valid server certificate details, it can
-generate its fake server certificate with those details.
-With the bump-client-first scheme, all those details are lost.
-In general, browsers do not care about those details but there
-may be HTTP clients (or even human users) that require or could
-benefit from knowing them.
-</LI>
-<LI>When a server sends a bad certificate, Squid may be able to
-replicate that brokenness in its own fake certificate, giving
-the HTTP client control whether to ignore the problem or
-terminate the transaction. With bump-client-furst, it is
-difficult to support similar dynamic, user-directed opt out; 
-Squid itself has to decide what to do when the server
-certificate cannot be validated.
-</LI>
-<LI>When a server asks for a client certificate, Squid may be
-able to ask the client and then forward the client certificate
-to the server. Such client certificate handling may not be
-possible with the bump-client-first scheme because it would
-have to be done after the SSL handshake.
-</LI>
-<LI>Some clients (e.g., Rekonq browser v0.7.x) do not send host
-names in CONNECT requests. Such clients require bump-server-first
-even in forward proxying mode. Unfortunately, there are other
-problems with fully supporting such clients (i.e., Squid does
-not know whether the IP address in the CONNECT request is what
-the user have typed into the address bar) so not all features
-will work well for them until more specialized detection code
-is added.</LI>
+<LI>the origin server certificate (chain),</LI>
+<LI>the intended domain name, and</LI>
+<LI>a list of OpenSSL validation errors (if any).</LI>
 </UL>
 </P>
 
-<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Server Certificate Mimic</A>
+<P>If the helper decides to honor an OpenSSL error or report another validation 
+error(s), the helper will return:</P>
+<P>
+<UL>
+<LI>A list of certificates.</LI>
+<LI>A list of items consists the the validation error name (see <EM>%err_name</EM>
+error page macro and <EM>%err_details</EM> code for <EM>logformat</EM>), error reason
+(<EM>%ssl_lib_error macro</EM>), and the offending certificate.</LI>
+</UL>
+</P>
+
+<P>The returned information mimics what the internal OpenSSL-based validation code
+collects now. Returned errors, if any, are fed to <EM>sslproxy_cert_error</EM>,
+triggering the existing SSL error processing code.</P>
+
+<P>The helper invocation controlled by the <EM>sslcrtvalidator_program</EM> and
+<EM>sslcrtvalidator_children</EM> configurations options which are similar to the
+<EM>ssl_crtd</EM> related options. </P>
+
+
+<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Store-ID</A>
 </H2>
 
 <P>Details at 
-<A HREF="http://wiki.squid-cache.org/Features/MimicSslServerCert">http://wiki.squid-cache.org/Features/MimicSslServerCert</A>.</P>
+<A HREF="http://wiki.squid-cache.org/Features/StoreID">http://wiki.squid-cache.org/Features/StoreID</A>.</P>
 
-<P>One of the SslBump features serious drawbacks is the loss of
-information embedded in SSL server certificate.
-This certificate mimic feature passes original SSL server
-certificate information to the user. Allowing the user to
-make an informed decision on whether to trust the server
-certificate.</P>
+<P>This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.</P>
+
+<P><EM>Notice</EM> that this is not a direct portage of the Squid-2.7 feature so behaviour
+differences do exist. Although the new feature works in similar enough ways that the old
+helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.</P>
+
+<P>Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
+It is not the only key possible and the Store-ID feature exposes an API for external
+helpers to provide Squid with an alternative key name for any URL.</P>
+
+<P>When any client request is received which requires a cache lookup the URL is passed to
+a helper specified with the <EM>store_id_program</EM> directive to check for an alternative
+Store ID. This allows the helper to identify URLs which refer to duplicate resources and
+de-duplicate the cache content. <EM>store_id_access</EM> is provided to allow ACL-based
+tuning of which traffic gets sent to the helper and reduce overheads.</P>
+
+<P>One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
+this feature is that <EM>refresh_pattern</EM> applies its regex argument against the Store
+ID key and not the transaction URL. So using the Store-ID feature to alter the value
+affects which <EM>refresh_pattern</EM> directive will be matched.</P>
+
+<P>Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
+option which is added in this version. Currently there is a <EM>file</EM> helper
+provided.</P>
 
 
-<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Custom HTTP request headers</A>
+<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
 </H2>
 
-<P>The <EM>request_header_add</EM> option is added to insert
-HTTP header fields to outgoing HTTP requests (i.e.,
-request headers sent by Squid to the next HTTP hop such as a
-cache peer or an origin server). The option has no effect on
-cache hit traffic or requests serviced by Squid and ICAP.</P>
+<P>Details at 
+<A HREF="http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf</A>.</P>
 
-<P>WARNING: If a standard HTTP header name is used, Squid does not check whether
-the new header conflicts with any existing headers or violates
-HTTP rules. If the request to be modified already contains a
-field with the same name, the old field is preserved but the
-header field values are not merged.</P>
+<P>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
+using several very simple methods. One of which is the <EM>divert-to</EM> rule type
+which acts as a simple routing diversion instead of performing NAT packet alterations.</P>
 
-<P>Field-value set can be either a token or a quoted string. If quoted
-string format is used, then the surrounding quotes are removed
-while escape sequences and %macros are processed.</P>
+<P>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.</P>
 
-<P>In theory, all of the <EM>logformat</EM> codes can be used as %macros.
-However, unlike logging (which happens at the very end of
-transaction lifetime), the transaction may not yet have enough
-information to expand a macro when the new header value is needed.
-And some information may already be available to Squid but not yet
-committed where the macro expansion code can access it (please report
-such instances!). The macro will be expanded into a single dash
-('-') in such cases. Not all macros have been tested.</P>
+<P>This version of Squid adds support for these features through the ./configure
+options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
+systems with the required support. No special extras are required to enable
+<EM>http_port ... tproxy</EM> configuration to work.</P>
 
-<P>One or more Squid ACLs may be specified to restrict header
-injection to matching requests. As always in squid.conf, all
-ACLs in an option ACL list must be satisfied for the insertion
-to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P>
+<P>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
+<EM>./configure --enable-pf-transparent</EM> has been altered and is expected to
+break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
+which do not yet support the getsockname() API.
+These systems require <EM>--with-nat-devpf</EM> to enable /dev/pf support when using PF firewall.</P>
 
 
-<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.2</A></H2>
+<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Transaction Annotations</A>
+</H2>
 
-<P>There have been changes to Squid's configuration file since Squid-3.2.</P>
+<P>Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
+or external ACL <EM>tag=</EM> result code. Each of which had only limited possibilities
+for use and little or no correlation.</P>
+
+<P>It is now possible to add annotations to a client transaction from several sources:
+<UL>
+<LI>    Directly from squid.conf using the <EM>note</EM> directive with
+ACL-based selection of which annotation is linked to any
+particular transaction.
+</LI>
+<LI>    By configured helper processes returning a key=value pair.
+The key name becomes the annotation name.</LI>
+</UL>
+</P>
+
+<P>Annotations on the transaction can be passed to ICAP services or eCAP modules using the
+<EM>adaptation_meta</EM> directive to send them as headers.
+They can also be logged using the <EM>%note</EM> log format code in custom logs. With
+the new helper response syntax changes this means all helper response key=value details
+such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.</P>
+
+<P>Annotations which are already assigned to a transaction can be checked using an ACL test
+of the new <EM>note</EM> ACL type. This can match a particular note by name and value,
+of for any notes with a given name.</P>
+
+<P>NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
+and the external ACL interface does not yet send annotations to the helper.</P>
+
+
+<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Multicast DNS</A>
+</H2>
+
+<P>The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
+accordance with RFC 6762.</P>
+
+<P>The <EM>dns_multicast_local</EM> directive must be set to <EM>on</EM> to enable this
+feature.</P>
+
+<P>The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
+of available DNS resolvers and used automatically for domain names ending in <EM>.local</EM>
+and reverse-DNS lookups before attempting a secondary resolution on the configured
+resolvers. Domains without <EM>.local</EM> are resolved using only the configured resolvers.</P>
+
+<P>Statistics for multicast DNS resolution can be found on the <EM>idns</EM> cache manager
+report.</P>
+
+<P><EM>NOTE</EM> that the external DNS helper interface is now deprecated and has been
+removed from future Squid versions. Any installations still using it for local hostname
+resolution need to upgrade to mDNS resolution with this Squid version.</P>
+
+
+<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.3</A></H2>
+
+<P>There have been changes to Squid's configuration file since Squid-3.3.</P>
+
+<P>Squid supports reading configuration option parameters from external
+files using the syntax <EM>parameters("/path/filename")</EM>. For example:
+<PRE>
+    acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
+</PRE>
+</P>
+
+<P>There have also been changes to individual directives in the config file.</P>
 <P>This section gives a thorough account of those changes in three categories:</P>
 <P>
 <UL>
@@ -246,20 +292,50 @@ to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P>
 
 <P>
 <DL>
-<DT><B>cache_miss_revalidate</B><DD>
-<P>Whether Squid is to pass-through If-Modified-Since and If-None-Match headers on cache MISS.
-Revalidation requests can prevent cache gathering objects to HIT on.</P>
-<P>Based on the Squid-2.7 <EM>ignore_ims_on_miss</EM> feature.</P>
-<P><EM>IMPORTANT:</EM> the meaning for on/off values has changed along with the name since 2.7.</P>
+<DT><B>configuration_includes_quoted_values</B><DD>
+<P>Whether Squid supports directive parameters with spaces, quotes, and other
+special characters. Surround such parameters with "double quotes" and
+also set this directive on/off around the relevant squid.conf line(s)
+making use of such quoting.</P>
 
-<DT><B>request_header_add</B><DD>
-<P>New directive to add custom headers on HTTP traffic sent to upstream servers.</P>
+<DT><B>dns_multicast_local</B><DD>
+<P>Use multicast DNS for <EM>.local</EM> domains and reverse-DNS resolution.</P>
 
-<DT><B>sslproxy_cert_sign</B><DD>
-<P>New option to determine how the client certificate sent to upstream servers is signed.</P>
+<DT><B>note</B><DD>
+<P>Use ACLs to annotate a transaction with customized annotations
+which can be logged in access.log</P>
 
-<DT><B>sslproxy_cert_adapt</B><DD>
-<P>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.</P>
+<DT><B>spoof_client_ip</B><DD>
+<P>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.</P>
+
+<DT><B>sslcrtvalidator_children</B><DD>
+<P>Specifies the settings for how many SSL server certificate
+validator helpers are run and when they are started.</P>
+
+<DT><B>sslcrtvalidator_program</B><DD>
+<P>Specifies the location of a SSL server certificate validator helper.</P>
+
+<DT><B>store_id_access</B><DD>
+<P>Whether the URL for a given request is passed to the Store-ID helper process.
+Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.</P>
+<P>Ported equivalent to <EM>storeurl_access</EM> from 2.7</P>
+
+<DT><B>store_id_bypass</B><DD>
+<P>Whether the StoreID helper may be bypassed when overloaded.</P>
+
+<DT><B>store_id_children</B><DD>
+<P>Controls the number of StoreID helper processes.</P>
+<P>Options <EM>startup=N</EM>, <EM>idle=N</EM>, <EM>concurrency=N</EM>
+<UL>
+<LI>startup=N allow finer tuning of how many helpers are started initially.</LI>
+<LI>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.</LI>
+<LI>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.</LI>
+</UL>
+</P>
+
+<DT><B>store_id_rewrite_program</B><DD>
+<P>A helper program to provide cache storage internal key ID value for a request.</P>
+<P>Ported equivalent to <EM>storeurl_rewrite_program</EM> from 2.7</P>
 
 </DL>
 </P>
@@ -269,36 +345,81 @@ Revalidation requests can prevent cache gathering objects to HIT on.</P>
 
 <P>
 <DL>
+<DT><B>access_log</B><DD>
+<P>Configuration syntax extended to support name=value options.
+<EM>New Syntax:</EM> access_log module:place [option ...] [acl ...]</P>
+<P>New option <EM>logformat=</EM> to specify the logging format name.</P>
+<P>New option <EM>buffer-size=</EM> to specify how large the log buffer
+for this log is to be when <EM>buffered_logs</EM> is enabled.</P>
+<P>New option <EM>on-error=</EM> to specify what handling is to be done
+if the logging module encounters a non-recoverable error writing logs.
+With the value <EM>die</EM> (the default) Squid halts operation.
+With the value <EM>drop</EM> Squid drops log lines and continue running.</P>
+
 <DT><B>acl</B><DD>
-<P><EM>myport</EM> and <EM>myip</EM>ACL types replaced with <EM>localport</EM> and <EM>localip</EM> respectively.
-To reflect that it matches the TCP connection details and not the squid.conf port.
-This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port.
-Always use <EM>myportname</EM> type to match the squid.conf port details.</P>
-<P>New default built-in ACLs for testing SSL certificate properties.</P>
-<P><EM>ssl::certHasExpired</EM>,
-<EM>ssl::certNotYetValid</EM>,
-<EM>ssl::certDomainMismatch</EM>,
-<EM>ssl::certUntrusted</EM>,
-<EM>ssl::certSelfSigned</EM>.</P>
+<P>New test type <EM>server_cert_fingerprint</EM> to match against 
+server SSL certificate fingerprint.</P>
+<P>New test type <EM>note</EM> to match against transaction annotations
+by name and value, or just by name.</P>
+<P>New test type <EM>any-of</EM> to match if any one of a set of named ACLs.</P>
+<P>New test type <EM>all-of</EM> to match against all of a set of named ACLs.</P>
+
+<DT><B>auth_param</B><DD>
+<P>New result code <EM>BH</EM> to signal helper internal errors
+available in all authentication schemes.</P>
+<P>New key <EM>message=</EM> for error message details in all authentication schemes.</P>
+<P>New result code <EM>OK</EM> and key <EM>ha1=</EM> in Digest authentication.</P>
+<P>New result codes <EM>OK</EM>, <EM>ERR</EM> replace result codes <EM>AF</EM>,
+and <EM>NA</EM> in NTLM and Negotiate authentication.</P>
+<P>New key <EM>token=</EM> for NTLM and Negotiate authentication <EM>OK</EM> responses.</P>
+<P>Details at 
+<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
 
 <DT><B>external_acl_type</B><DD>
-<P><EM>%ACL</EM> format tag ported from 2.6.
-Sends the name of ACL being tested to the external helper.</P>
-<P><EM>%DATA</EM> format tag ported from 2.6.
-Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.</P>
+<P>Deprecated <EM>protocol=3.0</EM> option. No longer necessary.</P>
+<P>New result code <EM>BH</EM> to signal helper internal errors</P>
+<P>Details at 
+<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
+
+<DT><B>http_port</B><DD>
+<P>Support IPv6 for <EM>intercept</EM> mode. Requires ip6tables support on Linux,
+PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
+about misconfiguration if IPv6 support is missing, we now rely on the firewall
+tools reporting misconfiguration when the NAT rules are created.</P>
+<P>Support <EM>tproxy</EM> mode traffic on BSD systems with BINDANY support
+(OpenBSD 5+, FreeBSD 9+ so far).</P>
+<P>Changed build options behind <EM>intercept</EM> traffic mode handling on BSD.
+see <EM>--enable-pf-transparent</EM> for more details.</P>
 
 <DT><B>logformat</B><DD>
-<P>New token <EM>%ssl::bump_mode</EM> to log the SSL-bump mode type performed on a request.
-Logs values of: <EM>-</EM>, <EM>none</EM>, <EM>client-first</EM>, or <EM>server-first</EM>.</P>
-<P>New token of <EM>%ssl::&gt;cert_subject</EM> to log the Subject field of a SSL certificate received from the client.</P>
-<P>New token of <EM>%ssl::&gt;cert_issuer</EM> to log the Issuer field of a SSL certificate received from the client.</P>
+<P>New format code <EM>%note</EM> to log a transaction annotation linked to the
+transaction by ICAP, eCAP, a helper, or the <EM>note</EM> squid.conf directive.</P>
+<P>New format code <EM>%&gt;qos</EM> to log client connection TOS/DSCP value set by Squid.</P>
+<P>New format code <EM>%&lt;qos</EM> to log server connection TOS/DSCP value set by Squid.</P>
+<P>New format code <EM>%&gt;nfmark</EM> to log client connection netfilter mark set by Squid.</P>
+<P>New format code <EM>%&lt;nfmark</EM> to log server connection netfilter mark set by Squid.</P>
 
-<DT><B>ssl_bump</B><DD>
-<P>New action types <EM>none</EM>, <EM>client-first</EM>, <EM>server-first</EM>. The default is <EM>none</EM>.</P>
-<P>Use of <EM>allow</EM>/<EM>deny</EM> is now deprecated and they should be removed as soon as possible.
-To retain the exact same behaviour between 3.3 and older releases replace <EM>deny</EM> with <EM>none</EM>,
-and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-first</EM> is the recommended.</P>
-<P><EM>NOTE</EM>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.</P>
+<DT><B>pipeline_prefetch</B><DD>
+<P>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.</P>
+
+<DT><B>refresh_pattern</B><DD>
+<P><EM>NOTE:</EM> the regular expression pattern operates on the cache Store-ID value.
+Which by default is identical to the requested URL, but may differ for some
+objects if the Store-ID feature is in use.</P>
+
+<DT><B>unlinkd_program</B><DD>
+<P>New helper response format utilizing result codes <EM>OK</EM> and <EM>BH</EM>,
+to signal helper lookup results. Also, key-value response values to return
+multiple values to Squid.</P>
+<P>Details at 
+<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
+
+<DT><B>url_rewrite_program</B><DD>
+<P>New helper response format utilizing result codes <EM>OK</EM>, <EM>ERR</EM>,
+and <EM>BH</EM> to signal helper lookup results. Also, key-value response
+values to return multiple values to Squid.</P>
+<P>Details at 
+<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
 
 </DL>
 </P>
@@ -308,16 +429,25 @@ and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-
 
 <P>
 <DL>
-<DT><B>ignore_ims_on_miss</B><DD>
-<P>This option has been replaced by the <EM>cache_miss_revalidate</EM> feature.</P>
+<DT><B>storeurl_access</B><DD>
+<P>Replaced by <EM>store_id_access</EM>.</P>
+
+<DT><B>storeurl_rewrite_children</B><DD>
+<P>Replaced by <EM>store_id_children</EM>.</P>
+
+<DT><B>storeurl_rewrite_concurrency</B><DD>
+<P>Replaced by <EM>store_id_children</EM> with <EM>concurrency=N</EM> option.</P>
+
+<DT><B>storeurl_rewrite_program</B><DD>
+<P>Replaced by <EM>store_id_program</EM>.</P>
 
 </DL>
 </P>
 
 
-<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.2</A></H2>
+<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.3</A></H2>
 
-<P>There have been some changes to Squid's build configuration since Squid-3.2.</P>
+<P>There have been some changes to Squid's build configuration since Squid-3.3.</P>
 <P>This section gives an account of those changes in three categories:</P>
 <P>
 <UL>
@@ -336,7 +466,27 @@ and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-
 
 <P>
 <DL>
-<P><EM>There are no new ./configure options in Squid-3.3.</EM></P>
+<DT><B>--enable-storeid-rewrite-helpers</B><DD>
+<P>New option to control which Store-ID helpers are built. As with other
+helper options use --disable-* to prevent any helpers building and
+omit to get all helper auto-detected.</P>
+<P>Currenly only a helper using <EM>file</EM> for backend is provided.</P>
+
+<DT><B>--disable-arch-native</B><DD>
+<P>New option to disable use of -march=native compiler flag.</P>
+<P>The new flag auto-enables CPU-specific optimizations in GCC and is
+required by Clang++ v3.2 for correct 64-bit environment detection.
+It does not always work well however, so this build option is provided
+to remove it when necessary.</P>
+
+<DT><B>--with-nat-devpf</B><DD>
+<P>New option to alter the behaviour of <EM>http_port ... intercept</EM> option
+in squid.conf.</P>
+<P>When this option is used Squid performs the /dev/pf lookups required to
+support PF <EM>rdr-to</EM> rules. Otherwise Squid will perform perform the
+getsockname() API calls to support PF <EM>divert-to</EM> rules.</P>
+<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
+the getsockname() API in recent PF versions require this option.</P>
 
 </DL>
 </P>
@@ -346,14 +496,14 @@ and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-
 
 <P>
 <DL>
-<DT><B>--enable-kqueue</B><DD>
-<P>kqueue network I/O module is now built by default when it is available.
-This option is no longer required to enable kqueue support,
-but if used will abort build when kqueue dependencies are missing or broken.</P>
-
-<DT><B>--disable-kqueue</B><DD>
-<P>kqueue network I/O module is now built by default when it is available.
-This configure option is now needed to disable it. Previously it did nothing.</P>
+<DT><B>--enable-pf-transparent</B><DD>
+<P>NAT table support updated to use the getsockname() API provided by the
+latest PF versions <EM>divert-to</EM>. This allows <EM>http_port</EM>
+in squid.conf to support both <EM>intercept</EM> and <EM>tproxy</EM> traffic
+and to silence NAT lookup failure messages on recent BSD.</P>
+<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
+the getsockname() API in recent PF versions require <EM>--with-nat-devpf</EM>
+to re-enable /dev/pf support when using PF firewall.</P>
 
 </DL>
 </P>
@@ -362,8 +512,7 @@ This configure option is now needed to disable it. Previously it did nothing.</P
 
 <P>
 <DL>
-<DT><B>--enable-ntlm-fail-open</B><DD>
-<P>This has not been supported by Squid for several versions.</P>
+<P><EM>There are no removed ./configure options in Squid-3.4.</EM></P>
 
 </DL>
 </P>
@@ -371,7 +520,7 @@ This configure option is now needed to disable it. Previously it did nothing.</P
 
 <H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
 
-<P>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3</P>
+<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4</P>
 
 <P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
 
@@ -429,16 +578,7 @@ This configure option is now needed to disable it. Previously it did nothing.</P
 <DT><B>refresh_stale_hit</B><DD>
 <P>Not yet ported from 2.7</P>
 
-<DT><B>storeurl_access</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_children</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_concurrency</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_program</B><DD>
+<DT><B>update_headers</B><DD>
 <P>Not yet ported from 2.7</P>
 
 </DL>
diff --git a/rpmlintrc b/rpmlintrc
index df739f9..3e9ebd3 100644
--- a/rpmlintrc
+++ b/rpmlintrc
@@ -1,2 +1,3 @@
 addFilter("macro-in-comment")
 addFilter("no-manual-page-for-binary")
+addFilter("zero-length")
diff --git a/squid-3.3.11.tar.bz2 b/squid-3.3.11.tar.bz2
deleted file mode 100644
index 18a825a..0000000
--- a/squid-3.3.11.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6b314cd706693522f01d5ab1930f3aa7a9b03a913bc0e699def16cca8d15ea54
-size 2989941
diff --git a/squid-3.3.11.tar.bz2.asc b/squid-3.3.11.tar.bz2.asc
deleted file mode 100644
index 87c1551..0000000
--- a/squid-3.3.11.tar.bz2.asc
+++ /dev/null
@@ -1,20 +0,0 @@
-File: squid-3.3.11.tar.bz2
-Date: Sat Nov 30 14:12:34 UTC 2013
-Size: 2989941
-MD5 : abf2b0fe128f73f5dc157e7e917949e0
-SHA1: f99627f9f5c76cc2ddf6e14e4a3e955963801b6f
-Key : 0xFF5CF463 <squid3@treenet.co.nz>
-      fingerprint = EA31 CC5E 9488 E516 8D2D  CC5E B268 E706 FF5C F463
-      keyring = http://www.squid-cache.org/pgp.asc
-      keyserver = subkeys.pgp.net
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.15 (GNU/Linux)
-
-iQEcBAABAgAGBQJSmfXuAAoJELJo5wb/XPRjaqcIAKvTzz9frodyUOeuop5W2yZx
-s3knaI5ZyM7dsXYdDUixto5Q1+a8wIUAvZzCp2sLij3QQTKZJAxgmQ8Tztl/sgKI
-NbHJSJxAtibNOGKBfCqCDurcNfmn2kLZJPxJXx3gulEP5O7rTdKVoZq/1vyj/rvv
-rnzZBP2HZ5fnXNRfs7UPrOzMLmg423zXzsDnRjj69xy6w0dXpObDP5tb32jNmOLg
-zRvk3lw4mtpWJ5kGZ4BbwPpO9i2MT94M9YupjL/doNbbiAt2nutGfGuLgPcmsCwA
-fpb74hKIM20ON8A7XypeyX6eNeYn4nkRBSuzEX/sPWQUyq0BMxheCEZRboGCnvo=
-=rlWB
------END PGP SIGNATURE-----
diff --git a/squid-3.4.2.tar.bz2 b/squid-3.4.2.tar.bz2
new file mode 100644
index 0000000..9f9c25c
--- /dev/null
+++ b/squid-3.4.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bc1f2c3e2b2d8975bfc3745419a6c5bfcbb4716b6cd04011303610b77b19b454
+size 2812777
diff --git a/squid-3.4.2.tar.bz2.asc b/squid-3.4.2.tar.bz2.asc
new file mode 100644
index 0000000..31dd62d
--- /dev/null
+++ b/squid-3.4.2.tar.bz2.asc
@@ -0,0 +1,20 @@
+File: squid-3.4.2.tar.bz2
+Date: Mon Dec 30 11:52:11 UTC 2013
+Size: 2812777
+MD5 : 7ec46965bc58bc927e81869805a25241
+SHA1: 0b96ee7502b21c69b5f9bd8d2c113b35dd58ecf0
+Key : 0xFF5CF463 <squid3@treenet.co.nz>
+      fingerprint = EA31 CC5E 9488 E516 8D2D  CC5E B268 E706 FF5C F463
+      keyring = http://www.squid-cache.org/pgp.asc
+      keyserver = subkeys.pgp.net
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.15 (GNU/Linux)
+
+iQEcBAABAgAGBQJSwWThAAoJELJo5wb/XPRjdhgIAIjPMGSUDhylA56CEH5NAXg7
+yevT8tC6D3dFhQLtXt8a0sT4ULzMwvXGvH/lYBrEyn8mO8tcU145AJldCAKA3tGS
+j1EmB48w5Vu7R4rkfEpwraYS1y4X/hM1nqv0On78yvAOueau6E2Ti5bbkPKCU0xB
+oP1YPv+WoLGQtvpgjO9EhX/uVTF+cnCWUwediq9EulAtnkkXAZnJlXgNoJW7cBFv
+YhLKpds4Ge/LO0jsPp7j6BsOOhbpvIOmMiELCepZ8hk9Cxm7VeCMrFzI069tUiWs
+TQGvblf32oVhlFWRNkVZI4ZPINXmGPPHT2t4f33Lrep0EawQDnFQfoJxOi2VUUM=
+=Ugn1
+-----END PGP SIGNATURE-----
diff --git a/squid-compiled_without_RPM_OPT_FLAGS.patch b/squid-compiled_without_RPM_OPT_FLAGS.patch
index abfde4a..7918bd5 100644
--- a/squid-compiled_without_RPM_OPT_FLAGS.patch
+++ b/squid-compiled_without_RPM_OPT_FLAGS.patch
@@ -2,7 +2,7 @@ Index: src/Makefile.am
 ===================================================================
 --- src/Makefile.am.orig
 +++ src/Makefile.am
-@@ -975,7 +975,7 @@ cache_cf.o: cf_parser.cci
+@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
  
  # cf_gen builds the configuration files.
  cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
@@ -15,7 +15,7 @@ Index: src/Makefile.in
 ===================================================================
 --- src/Makefile.in.orig
 +++ src/Makefile.in
-@@ -7306,7 +7306,7 @@ cache_cf.o: cf_parser.cci
+@@ -7294,7 +7294,7 @@ cache_cf.o: cf_parser.cci
  
  # cf_gen builds the configuration files.
  cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
diff --git a/squid-config.patch b/squid-config.patch
index d17343b..ea08e85 100644
--- a/squid-config.patch
+++ b/squid-config.patch
@@ -2,7 +2,7 @@ Index: src/cf.data.pre
 ===================================================================
 --- src/cf.data.pre.orig
 +++ src/cf.data.pre
-@@ -1196,6 +1196,8 @@ http_access deny manager
+@@ -1350,6 +1350,8 @@ http_access deny manager
  # Adapt localnet in the ACL section to list your (internal) IP networks
  # from where browsing should be allowed
  http_access allow localnet
@@ -11,7 +11,7 @@ Index: src/cf.data.pre
  http_access allow localhost
  
  # And finally deny all other access to this proxy
-@@ -3144,6 +3146,10 @@ DOC_START
+@@ -3361,6 +3363,10 @@ DOC_START
  	Instead, if you want Squid to use the entire disk drive,
  	subtract 20% and use that value.
  
@@ -22,7 +22,7 @@ Index: src/cf.data.pre
  	'L1' is the number of first-level subdirectories which
  	will be created under the 'Directory'.  The default is 16.
  
-@@ -3277,7 +3283,7 @@ DOC_START
+@@ -3494,7 +3500,7 @@ DOC_START
  NOCOMMENT_START
  
  # Uncomment and adjust the following to add a disk cache directory.
@@ -31,7 +31,7 @@ Index: src/cf.data.pre
  NOCOMMENT_END
  DOC_END
  
-@@ -3890,7 +3896,7 @@ DOC_END
+@@ -4147,7 +4153,7 @@ DOC_END
  
  NAME: logfile_rotate
  TYPE: int
diff --git a/squid-fix-pod2man-check.patch b/squid-fix-pod2man-check.patch
deleted file mode 100644
index c50f97c..0000000
--- a/squid-fix-pod2man-check.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: helpers/basic_auth/DB/config.test
-===================================================================
---- helpers/basic_auth/DB/config.test.orig
-+++ helpers/basic_auth/DB/config.test
-@@ -2,6 +2,6 @@
- 
- ## Test: do we have perl to build the helper scripts?
- ## Test: do we have pod2man to build the manual?
--perl --version >/dev/null && echo | pod2man >/dev/null
-+perl --version >/dev/null && pod2man --help >/dev/null
- 
- exit $?
-Index: helpers/log_daemon/DB/config.test
-===================================================================
---- helpers/log_daemon/DB/config.test.orig
-+++ helpers/log_daemon/DB/config.test
-@@ -2,6 +2,6 @@
- 
- ## Test: do we have perl to build the helper scripts?
- ## Test: do we have pod2man to build the manual?
--perl --version >/dev/null && echo | pod2man >/dev/null
-+perl --version >/dev/null && pod2man --help >/dev/null
- 
- exit $?
diff --git a/squid.changes b/squid.changes
index 6ca2560..0d10971 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,88 @@
+-------------------------------------------------------------------
+Tue Jan  7 19:45:22 UTC 2014 - chris@computersalat.de
+
+- Changes to squid-3.4.2 (30 Dec 2013):
+  * Regression Bug 3980: FATAL ERROR due to max_user_ip -s option
+  * Regression Fix: \-unescaping in quoted strings from helpers
+  * Regression Fix: URL helper API bypassing on URL containing '=' character
+  * Bug 3985: 60s limit introduced by balance_on_multiple_ip breaks bad IP recovery
+  * Bug 3806: Caching responses with Vary header
+  * Bug 3498: FTP PUT assertion
+  * WCCPv2: Fix assertion 'Cannot convert non-IPv4 to IPv4' on FreeBSD
+  * Enable concurrency by default for SSL certificate validator
+  * ... and fix several build errors
+
+-------------------------------------------------------------------
+Wed Dec 25 23:10:24 UTC 2013 - chris@computersalat.de
+
+- Changes to squid-3.4.1 (09 Dec 2013):
+  * Bug 3935: Invalid pointer dereference when peeking at origin server certificate
+  * Bug 3589: intercepted and ICAP modified request using a cache_peer
+  * ... and several portability fixes
+  * ... and some documentation updates
+- Changes to squid-3.4.0.3 (01 Dec 2013):
+  * Bug 3941: Release notes error
+  * Receive annotations from authentication and external ACL helpers
+  * basic_nis_auth: Improved portability
+  * ... and several documentation updates
+  * ... and all bug fixes from 3.3.9, 3.3.10, 3.3.11
+- Changes to squid-3.4.0.2 (03 Oct 2013):
+  * Regression Bug 3891: squid.conf parser errors in 3.4.0.1
+  * Regression Fix: re-disable MinGW C++11 support
+  * Bug 3914: partial: make squidclient tool build cleanly with -Wconversion
+  * Fix memory leak in refresh_pattern parsing
+  * negotiate_kerberos_auth: upgrade to present group= keys
+  * Handle NTLM helper returning OK without user= value
+  * Add dns_multicast_local to control mDNS operation
+  * Add --disable-arch-native build option
+  * Display Build-Info in cache manager info report
+  * ... and all changes from squid 3.3.9
+  * ... and some code and debug output polishing
+- Changes to squid-3.4.0.1 (29 Jul 2013):
+  * Port from 2.7: StoreURL (renamed Store-ID) support
+  * Bug 3795: fix several mistakes in the MIB file
+  * Bug 3793: configure: improved helper detection
+  * Bug 3722: Invalid markup in Armenian hy ERR_ONLY_IF_CACHED_MISS
+  * Bug 3676: Support GCC 4.7 with -Wshadow option
+  * Bug 3643: NTLM helpers stuck in reserved state by Safari
+  * Bug 3389: Auto-reconnect for tcp access_log
+  * Bug 2066: squid does not do chdir() after chroot()
+  * Fix uninitialized fields in IcapLogEntry
+  * Fix a number of minor issues detected by Coverity Scan
+  * Fix some potential memory leaks detected by Coverity Scan
+  * Fix 64-bit support for Intel compiler suite (ICC) and other similar compilers
+  * Fix ACL matching algorithm to avoid repeating tests
+  * basic_pam_auth: Add -r option to strip NTLM/Negotiate domain from username
+  * squidpurge: fix META TLV parsing issues
+  * squid.conf: enforce all the directive and option names are lower-case
+  * Support EUI on HTTPS and FTP data connections
+  * Support OK/ERR/BH response codes from any helper
+  * Support No-lookup flag (-n) on DNS ACLs
+  * Support -march=native compiler optimization by default
+  * Support forwarding intercepted but not bumped connections to cache_peers
+  * Support IPv6 NAT interception on Linux and some BSD
+  * Deprecate log_icap and log_access configuration directives
+  * HTTP/1.1: improved method invalidation and cacheability detection
+  * HTTP/1.1: support length configuration for pipeline_prefetch queue
+  * Improved TPROXY support for OpenBSD and FreeBSD
+  * Add storeid_file_rewrite helper to perform Store-ID rewrites from a rules file
+  * Add all-of and any-of ACL types for grouping sets of ACL tests
+  * Add note directive for transaction annotations
+  * Add %note log format for transaction annotation logging
+  * Add note ACL type for matching annotated transactions with by annotation name or value
+  * Add kv-pair support to URL-rewrite/redirector interface
+  * Add SSL server certificate validator interface, helper and result cache
+  * Add SSL server certificate fingerprint ACL type
+  * Add spoof_client_ip access control
+  * Add pt-bz (Belize Portuguese) dialect to translations
+  * ... and many Windows portability changes (still incomplete)
+  * ... and many documentation changes
+  * ... and much code cleanup and polishing
+- modified patches:
+  * squid-compiled_without_RPM_OPT_FLAGS.patch
+  * squid-config.patch
+- remove obsolete fix-pod2man-check patch
+
 -------------------------------------------------------------------
 Wed Dec 25 21:29:38 UTC 2013 - chris@computersalat.de
 
diff --git a/squid.spec b/squid.spec
index a3d8c13..8fffd39 100644
--- a/squid.spec
+++ b/squid.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package squid
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,17 +16,19 @@
 #
 
 
-%define		squidlibdir %{_libdir}/squid
-%define		squidconfdir /etc/squid
+%define         squidlibdir %{_libdir}/squid
+%define         squidconfdir /etc/squid
+#define         snap -20131225-r13064
 
 Name:           squid
 Summary:        Squid Version 3.3 WWW Proxy Server
 License:        GPL-2.0+
 Group:          Productivity/Networking/Web/Proxy
-Version:        3.3.11
+Version:        3.4.2
 Release:        0
-Url:            http://www.squid-cache.org/Versions/v3/3.3
-Source0:        http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}.tar.bz2
+Url:            http://www.squid-cache.org/Versions/v3/3.4
+#Source0:        http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
+Source0:        http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
 Source1:        %{name}-%{version}.tar.bz2.asc
 Source2:        RELEASENOTES.html
 Source3:        squid.init
@@ -58,8 +60,6 @@ Patch101:       %{name}-nobuilddates.patch
 ## File is compiled without RPM_OPT_FLAGS
 # squid3 no-rpm-opt-flags <cmdline>:./cf_gen.cc
 Patch102:       %{name}-compiled_without_RPM_OPT_FLAGS.patch
-# Upstream notified of this problem by mageia guys
-Patch103:       %{name}-fix-pod2man-check.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         %fillup_prereq
 PreReq:         %insserv_prereq
@@ -108,21 +108,23 @@ Obsoletes:      %{name}3 < %{version}
 %description
 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
 
-Squid 3.3 represents a new feature release above 3.2.
+Squid 3.4 represents a new feature release above 3.3.
 
 The most important of these new features are:
 
-  * SQL Database logging helper
-  * Time-Quota session helper
-  * SSL-Bump Server First
-  * Server Certificate Mimic
-  * Custom HTTP request headers
+  * Helper protocol extensions
+  * SSL Server Certificate Validator
+  * Store-ID
+  * TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
+  * Transaction Annotations
+  * Multicast DNS 
 
 Most user-facing changes are reflected in squid.conf (see below).
 
-  First STABLE release Date: 20 Oct 2012
+  First STABLE release Date: 08 Dec 2013
 
 %prep
+#setup -q -n %{name}-%{version}%{snap}
 %gpg_verify %{S:1}
 %setup -q -n %{name}-%{version}
 cp %{S:10} .
@@ -134,7 +136,6 @@ perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"`
 chmod a-x CREDITS
 %patch101
 %patch102
-%patch103
 
 %build
 export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
@@ -351,7 +352,8 @@ fi
 %{_sbindir}/basic_smb_auth
 %{_sbindir}/basic_smb_auth.sh
 %{_sbindir}/cert_tool
-%{_sbindir}/digest_edirectory_auth
+%{_sbindir}/cert_valid.pl
+#{_sbindir}/digest_edirectory_auth
 %{_sbindir}/digest_file_auth
 %{_sbindir}/digest_ldap_auth
 %{_sbindir}/diskd
@@ -359,6 +361,7 @@ fi
 %{_sbindir}/ext_file_userip_acl
 %{_sbindir}/ext_kerberos_ldap_group_acl
 %{_sbindir}/ext_ldap_group_acl
+%{_sbindir}/ext_session_acl
 %{_sbindir}/ext_unix_group_acl
 %{_sbindir}/ext_wbinfo_group_acl
 %{_sbindir}/helper-mux.pl
@@ -372,6 +375,7 @@ fi
 %{_sbindir}/pinger
 %{_sbindir}/rc%{name}
 %{_sbindir}/%{name}
+%{_sbindir}/storeid_file_rewrite
 %{_sbindir}/unlinkd
 %{_sbindir}/url_fake_rewrite
 %{_sbindir}/url_fake_rewrite.sh