squid 3.5.24: latest patches (14149-14153)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lfs/squid

@@ -77,6 +77,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14146.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14147.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14148.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14149.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14150.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14151.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14152.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14153.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
 
 	cd $(DIR_APP) && autoreconf -vfi

src/patches/squid/squid-3.5-14149.patch

@@ -0,0 +1,78 @@
+------------------------------------------------------------
+revno: 14149
+revision-id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
+parent: squid3@treenet.co.nz-20170226110942-90rcwhx3fwa2l7is
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4508
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Fri 2017-03-31 01:31:22 +1200
+message:
+  Bug 4508: Host forgery stalls intercepted being-spliced connections.
+  
+  Most SslBump splicing happens after getting SNI. SNI goes into the
+  second fake CONNECT request, where it may fail the host forgery check.
+  A failed check triggers an HTTP error response from Squid. When
+  attempting to send that response to the TLS client, Squid checks whether
+  all previously pipelined HTTP requests on the connection have finished.
+  
+  Prior to this fix, Squid left the first fake CONNECT request in the
+  connection pipeline despite adding the second fake CONNECT. That first
+  CONNECT stalled the error response described above, with Squid waiting,
+  in vain, for that already handled [fake] transaction to finish.
+  
+  Also call quitAfterError() to force Squid to close the connection (after
+  writing the discussed error response) instead of just logging a
+  [misleading] "kick abandoning [connection]" message in cache.log.
+  
+  TODO: Always pop the first CONNECT when generating a second one.
+  Unifying CONNECT treatment is difficult because code like tunnel.cc
+  wants that CONNECT to be in the pipeline. Polishing that would probably
+  require disassociating ConnStateData from tunnel.cc (at least).
+  
+  TODO: Apply the existing "delayed error" logic (that optionally bumps
+  TLS connections to deliver [some] errors to [some] SSL/TLS clients) to
+  host forgery errors. Otherwise, the plain HTTP error message cannot be
+  understood by the intercepted TLS client.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: db616fff2ac0df73cf41d380f07a96b773cf2be5
+# timestamp: 2017-03-30 13:51:17 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170226110942-\
+#   90rcwhx3fwa2l7is
+# 
+# Begin patch
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc	2017-01-27 13:38:24 +0000
++++ src/client_side.cc	2017-03-30 13:31:22 +0000
+@@ -4376,7 +4376,12 @@
+         fd_table[connState->clientConnection->fd].read_method = &default_read_method;
+         fd_table[connState->clientConnection->fd].write_method = &default_write_method;
+ 
++        ClientSocketContext::Pointer context = connState->getCurrentContext();
++        Must(context != NULL);
+         if (connState->transparent()) {
++            // If we are going to fake the second CONNECT, clear the first one.
++            context->connIsFinished();
++
+             // fake a CONNECT request to force connState to tunnel
+             // XXX: copy from MemBuf reallocates, not a regression since old code did too
+             SBuf temp;
+
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc	2017-02-25 05:50:14 +0000
++++ src/client_side_request.cc	2017-03-30 13:31:22 +0000
+@@ -561,6 +561,7 @@
+     debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request));
+ 
+     // IP address validation for Host: failed. reject the connection.
++    http->getConn()->quitAfterError(http->request);
+     clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
+     clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
+     assert (repContext);
+

src/patches/squid/squid-3.5-14150.patch

@@ -0,0 +1,32 @@
+------------------------------------------------------------
+revno: 14150
+revision-id: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y
+parent: squid3@treenet.co.nz-20170330133122-zcpblbvnuq7mjvq3
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Fri 2017-03-31 12:51:52 +1200
+message:
+  Fix variable shadowing after rev.14149
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ae1e30fff31cf8b411c62eba344fdc944692aecf
+# timestamp: 2017-03-31 01:51:06 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170330133122-\
+#   zcpblbvnuq7mjvq3
+# 
+# Begin patch
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc	2017-03-30 13:31:22 +0000
++++ src/client_side.cc	2017-03-31 00:51:52 +0000
+@@ -4390,7 +4390,6 @@
+         } else {
+             // in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
+             connState->in.buf.append(rbuf.content(), rbuf.contentSize());
+-            ClientSocketContext::Pointer context = connState->getCurrentContext();
+             ClientHttpRequest *http = context->http;
+             tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
+         }
+

src/patches/squid/squid-3.5-14151.patch

@@ -0,0 +1,36 @@
+------------------------------------------------------------
+revno: 14151
+revision-id: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id
+parent: squid3@treenet.co.nz-20170331005152-8exm3hsly1v1jk8y
+author: Garri Djavadyan <garryd@comnet.uz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sat 2017-04-01 12:38:31 +1300
+message:
+  Docs: update refresh_pattern description regarding 'max' option
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: be64101730dcb2deb664d6594d20a7295a666b98
+# timestamp: 2017-03-31 23:40:50 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170331005152-\
+#   8exm3hsly1v1jk8y
+# 
+# Begin patch
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre	2017-01-01 00:16:45 +0000
++++ src/cf.data.pre	2017-03-31 23:38:31 +0000
+@@ -5401,7 +5401,9 @@
+ 	will be considered fresh.
+ 
+ 	'Max' is an upper limit on how long objects without an explicit
+-	expiry time will be considered fresh.
++	expiry time will be considered fresh. The value is also used
++	to form Cache-Control: max-age header for a request sent from
++	Squid to origin/parent.
+ 
+ 	options: override-expire
+ 		 override-lastmod
+

src/patches/squid/squid-3.5-14152.patch

@@ -0,0 +1,35 @@
+------------------------------------------------------------
+revno: 14152
+revision-id: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
+parent: squid3@treenet.co.nz-20170331233831-m3hfrigo82uhz4id
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sat 2017-04-01 12:39:21 +1300
+message:
+  libtrie: Fix 'make check' when run before 'make all'
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8399bbfe7b517fa6306bdc61d212a9a4fcc9e88b
+# timestamp: 2017-03-31 23:40:52 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170331233831-\
+#   m3hfrigo82uhz4id
+# 
+# Begin patch
+=== modified file 'lib/libTrie/Makefile.am'
+--- lib/libTrie/Makefile.am	2017-01-01 00:16:45 +0000
++++ lib/libTrie/Makefile.am	2017-03-31 23:39:21 +0000
+@@ -8,8 +8,8 @@
+ include $(top_srcdir)/src/Common.am
+ include $(top_srcdir)/src/TestHeaders.am
+ 
+-DIST_SUBDIRS = test
+-SUBDIRS = test
++DIST_SUBDIRS = . test
++SUBDIRS = . test
+ 
+ noinst_LIBRARIES = libTrie.a
+ 
+

src/patches/squid/squid-3.5-14153.patch

@@ -0,0 +1,353 @@
+------------------------------------------------------------
+revno: 14153
+revision-id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx
+parent: squid3@treenet.co.nz-20170331233921-efxhs8vy025fvrnl
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4688
+author: Lubos Uhliarik <luhliari@redhat.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sat 2017-04-01 12:47:47 +1300
+message:
+  Bug 4688: various typo error(s) in man page(s)
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170331234747-59glu40hhx0kf8fx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a05d98a4e328e39f2a490cfeff72ad8735cc6b6e
+# timestamp: 2017-03-31 23:48:51 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170331233921-\
+#   efxhs8vy025fvrnl
+# 
+# Begin patch
+=== modified file 'compat/compat.h'
+--- compat/compat.h	2017-01-01 00:16:45 +0000
++++ compat/compat.h	2017-03-31 23:47:47 +0000
+@@ -11,7 +11,7 @@
+ 
+ /*
+  * From discussions it was chosen to push compat code as far down as possible.
+- * That means we can have a seperate compat for most
++ * That means we can have a separate compat for most
+  *  compatability and portability hacks and resolutions.
+  *
+  * This file is meant to collate all those hacks files together and
+
+=== modified file 'helpers/basic_auth/DB/basic_db_auth.pl.in'
+--- helpers/basic_auth/DB/basic_db_auth.pl.in	2017-01-01 00:16:45 +0000
++++ helpers/basic_auth/DB/basic_db_auth.pl.in	2017-03-31 23:47:47 +0000
+@@ -14,7 +14,7 @@
+ 
+  basic_db_auth [options]
+ 
+-=head1 DESCRIPTOIN
++=head1 DESCRIPTION
+ 
+ This program verifies username & password to a database
+ 
+@@ -97,7 +97,7 @@
+ Copyright (C) 2007 Henrik Nordstrom <henrik@henriknordstrom.net>
+ Copyright (C) 2010 Luis Daniel Lucio Quiroz <dlucio@okay.com.mx> (Joomla support)
+ This program is free software. You may redistribute copies of it under the
+-terms of the GNU General Public License version 2, or (at youropinion) any
++terms of the GNU General Public License version 2, or (at your opinion) any
+ later version.
+ 
+ =head1 QUESTIONS
+
+=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8'
+--- helpers/basic_auth/LDAP/basic_ldap_auth.8	2017-01-01 00:16:45 +0000
++++ helpers/basic_auth/LDAP/basic_ldap_auth.8	2017-03-31 23:47:47 +0000
+@@ -98,7 +98,7 @@
+ .B Note:
+ This can only be done if all your users are located directly under
+ the same position in the LDAP tree and the login name is used for naming
+-each user object. If your LDAP tree does not match these criterias or if
++each user object. If your LDAP tree does not match these criteria or if
+ you want to filter who are valid users then you need to use a search filter
+ to search for your users DN (
+ .B \-f
+@@ -186,15 +186,15 @@
+ .B never
+ dereference aliases (default),
+ .B always
+-dereference aliases, only while
+-.B search ing
++dereference aliases, only during a
++.B search
+ or only to
+ .B find
+ the base object.
+ .
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .B "\-H ldap_uri
+-Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
++Specify the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries).
+ Servers can also be specified last on the command line.
+ .
+ .if !'po4a'hide' .TP
+
+=== modified file 'helpers/digest_auth/LDAP/digest_pw_auth.cc'
+--- helpers/digest_auth/LDAP/digest_pw_auth.cc	2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/LDAP/digest_pw_auth.cc	2017-03-31 23:47:47 +0000
+@@ -30,7 +30,7 @@
+  * the file format.  However storing such a triple does little to
+  * improve security: If compromised the username:realm:HA1 combination
+  * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+  * by digest - just preventing on the wire compromise.
+  *
+  * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
+
+=== modified file 'helpers/digest_auth/eDirectory/digest_pw_auth.cc'
+--- helpers/digest_auth/eDirectory/digest_pw_auth.cc	2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/eDirectory/digest_pw_auth.cc	2017-03-31 23:47:47 +0000
+@@ -30,7 +30,7 @@
+  * the file format.  However storing such a triple does little to
+  * improve security: If compromised the username:realm:HA1 combination
+  * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+  * by digest - just preventing on the wire compromise.
+  *
+  * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
+
+=== modified file 'helpers/digest_auth/file/digest_file_auth.8'
+--- helpers/digest_auth/file/digest_file_auth.8	2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/file/digest_file_auth.8	2017-03-31 23:47:47 +0000
+@@ -15,7 +15,7 @@
+ is an installed binary authentication program for Squid. It handles digest 
+ authentication protocol and authenticates against a text file backend.
+ .
+-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
++This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
+ It may be used with any value 0 or above for the auth_param children concurrency= parameter.
+ .
+ .SH OPTIONS
+@@ -54,7 +54,7 @@
+ improve security: If compromised the
+ .B username:realm:HA1 
+ combination is "plaintext equivalent" - for the purposes of digest authentication
+-they allow the user access. Password syncronisation is not tackled
++they allow the user access. Password synchronization is not tackled
+ by digest - just preventing on the wire compromise.
+ .
+ .SH AUTHOR
+
+=== modified file 'helpers/digest_auth/file/digest_file_auth.cc'
+--- helpers/digest_auth/file/digest_file_auth.cc	2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/file/digest_file_auth.cc	2017-03-31 23:47:47 +0000
+@@ -33,7 +33,7 @@
+  * the file format.  However storing such a triple does little to
+  * improve security: If compromised the username:realm:HA1 combination
+  * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+  * by digest - just preventing on the wire compromise.
+  *
+  * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
+
+=== modified file 'helpers/digest_auth/file/text_backend.cc'
+--- helpers/digest_auth/file/text_backend.cc	2017-01-01 00:16:45 +0000
++++ helpers/digest_auth/file/text_backend.cc	2017-03-31 23:47:47 +0000
+@@ -29,7 +29,7 @@
+  * the file format.  However storing such a triple does little to
+  * improve security: If compromised the username:realm:HA1 combination
+  * is "plaintext equivalent" - for the purposes of digest authentication
+- * they allow the user access. Password syncronisation is not tackled
++ * they allow the user access. Password synchronization is not tackled
+  * by digest - just preventing on the wire compromise.
+  *
+  * Copyright (c) 2003  Robert Collins  <robertc@squid-cache.org>
+
+=== modified file 'helpers/external_acl/LDAP_group/ext_ldap_group_acl.8'
+--- helpers/external_acl/LDAP_group/ext_ldap_group_acl.8	2017-01-01 00:16:45 +0000
++++ helpers/external_acl/LDAP_group/ext_ldap_group_acl.8	2017-03-31 23:47:47 +0000
+@@ -52,8 +52,8 @@
+ .BI never
+ dereference aliases (default),
+ .BI always
+-dereference aliases, only while
+-.BR search ing
++dereference aliases, only during a
++.BR search
+ or only to
+ .B find
+ the base object
+@@ -143,7 +143,7 @@
+ .
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .BI \-H " ldapuri"
+-Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
++Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
+ .
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .BI \-K
+
+=== modified file 'helpers/external_acl/kerberos_ldap_group/README'
+--- helpers/external_acl/kerberos_ldap_group/README	2010-08-13 10:17:20 +0000
++++ helpers/external_acl/kerberos_ldap_group/README	2017-03-31 23:47:47 +0000
+@@ -65,7 +65,7 @@
+ export KRB5_KTNAME
+ 
+ If you use a different Kerberos domain than the machine itself is in you can point squid to 
+-the seperate Kerberos config file by setting the following environmnet variable in the startup 
++the separate Kerberos config file by setting the following environment variable in the startup 
+ script.
+ 
+ KRB5_CONFIG=/etc/krb5-squid.conf
+
+=== modified file 'helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8'
+--- helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8	2015-03-21 06:32:34 +0000
++++ helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8	2017-03-31 23:47:47 +0000
+@@ -163,7 +163,7 @@
+ .if !'po4a'hide' .ft
+ .
+ If you use a different Kerberos domain than the machine itself is in you can point squid to
+-the seperate Kerberos config file by setting the following environmnet variable in the startup
++the separate Kerberos config file by setting the following environment variable in the startup
+ script.
+ .if !'po4a'hide' .P
+ .if !'po4a'hide' .ft CR
+
+=== modified file 'helpers/external_acl/session/ext_session_acl.8'
+--- helpers/external_acl/session/ext_session_acl.8	2017-01-01 00:16:45 +0000
++++ helpers/external_acl/session/ext_session_acl.8	2017-03-31 23:47:47 +0000
+@@ -21,7 +21,7 @@
+ ) or a fixed period of time (
+ .B \-T
+ ). The former is suitable for displaying terms and conditions to a user; the
+-latter is suitable for the display of advertisments or other notices (both as a
++latter is suitable for the display of advertisements or other notices (both as a
+ splash page \- see config examples in the wiki online). The session helper can also be used
+ to force users to re\-authenticate if the 
+ .B %LOGIN 
+@@ -55,7 +55,7 @@
+ environment is created within the directory. The advantage of the latter
+ is better database support between multiple instances of the session
+ helper. Using multiple instances of the session helper with a single
+-database file will cause synchronisation problems between processes.
++database file will cause synchronization problems between processes.
+ If this option is not specified the session details will be kept in
+ memory only and all sessions will reset each time Squid restarts its
+ helpers (Squid restart or rotation of logs).
+
+=== modified file 'helpers/log_daemon/DB/log_db_daemon.pl.in'
+--- helpers/log_daemon/DB/log_db_daemon.pl.in	2017-01-01 00:16:45 +0000
++++ helpers/log_daemon/DB/log_db_daemon.pl.in	2017-03-31 23:47:47 +0000
+@@ -18,7 +18,7 @@
+ 
+ log_db_daemon DSN [options]
+ 
+-=head1 DESCRIPTOIN
++=head1 DESCRIPTION
+ 
+ This program writes Squid access.log entries to a database.
+ Presently only accepts the B<squid> native format
+@@ -373,7 +373,7 @@
+     WHERE squid_request_status LIKE '%MISS%')
+     /
+     (SELECT COUNT(*) FROM access_log)*100
+-    AS pecentage;
++    AS percentage;
+ 
+ =item Response time ranges
+ 
+@@ -433,7 +433,7 @@
+ 
+ This script currently implements only the C<L> (i.e. "append a line to the log") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem.
+ 
+-One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to caluclate those values.
++One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to calculate those values.
+ 
+ Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands.
+ 
+
+=== modified file 'helpers/negotiate_auth/kerberos/README'
+--- helpers/negotiate_auth/kerberos/README	2008-10-03 02:25:50 +0000
++++ helpers/negotiate_auth/kerberos/README	2017-03-31 23:47:47 +0000
+@@ -53,7 +53,7 @@
+ export KRB5_KTNAME
+ 
+ If you use a different Kerberos domain than the machine itself is in you can point squid to 
+-the seperate Kerberos config file by setting the following environmnet variable in the startup 
++the separate Kerberos config file by setting the following environment variable in the startup 
+ script.
+ 
+ KRB5_CONFIG=/etc/krb-squid5.conf
+
+=== modified file 'helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8'
+--- helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8	2014-12-20 17:10:25 +0000
++++ helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8	2017-03-31 23:47:47 +0000
+@@ -69,7 +69,7 @@
+ export KRB5_KTNAME
+ 
+ If you use a different Kerberos domain than the machine itself is in you can point squid to
+-the seperate Kerberos config file by setting the following environmnet variable in the startup
++the separate Kerberos config file by setting the following environment variable in the startup
+ script.
+ 
+ KRB5_CONFIG=/etc/krb5\-squid.conf
+
+=== modified file 'helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in'
+--- helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in	2017-01-01 00:16:45 +0000
++++ helpers/storeid_rewrite/file/storeid_file_rewrite.pl.in	2017-03-31 23:47:47 +0000
+@@ -29,7 +29,7 @@
+ Rewrite rules are matched in the same order as they appear in the rules file.
+ So for best performance, sort it in order of frequency of occurrence.
+ 
+-This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately.
++This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately.
+ It may be used with any value 0 or above for the store_id_children concurrency= parameter.
+ 
+ =head1 OPTIONS
+
+=== modified file 'src/StoreFileSystem.h'
+--- src/StoreFileSystem.h	2017-01-01 00:16:45 +0000
++++ src/StoreFileSystem.h	2017-03-31 23:47:47 +0000
+@@ -47,7 +47,7 @@
+  \par
+  * configure will take a list of storage types through the
+  * --enable-store-io parameter. This parameter takes a list of
+- * space seperated storage types. For example,
++ * space separated storage types. For example,
+  * --enable-store-io="ufs aufs" .
+  *
+  \par
+
+=== modified file 'src/ipcache.cc'
+--- src/ipcache.cc	2017-01-01 00:16:45 +0000
++++ src/ipcache.cc	2017-03-31 23:47:47 +0000
+@@ -50,7 +50,7 @@
+  \defgroup IPCacheInternal IP Cache Internals
+  \ingroup IPCacheAPI
+  \todo  when IP cache is provided as a class. These sub-groups will be obsolete
+- *  for now they are used to seperate the public and private functions.
++ *  for now they are used to separate the public and private functions.
+  *  with the private ones all being in IPCachInternal and public in IPCacheAPI
+  *
+  \section InternalOperation Internal Operation
+
+=== modified file 'src/ssl/ssl_crtd.8'
+--- src/ssl/ssl_crtd.8	2017-01-01 00:16:45 +0000
++++ src/ssl/ssl_crtd.8	2017-03-31 23:47:47 +0000
+@@ -33,7 +33,7 @@
+ Because the generation and signing of SSL certificates takes time
+ Squid must use external process to handle the work.
+ .
+-This process generates new SSL certificates and uses a disk cache of certificatess
++This process generates new SSL certificates and uses a disk cache of certificates
+ to improve response times on repeated requests.
+ Communication occurs via TCP sockets bound to the loopback interface.
+ .
+@@ -122,7 +122,7 @@
+ .
+ .PP
+ For simple configuration the helper defaults can be used.
+-Only HTTP listening port options are required to enable generation and set the signign CA certificate.
++Only HTTP listening port options are required to enable generation and set the signing CA certificate.
+ For Example:
+ .if !'po4a'hide' .RS
+ .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem
+