- fix perlpath patch

Resolves: #1939927 - CVE-2020-25097 squid: improper input validation may allow
  a trusted client to perform HTTP Request Smuggling

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,2 +1,2 @@
 /*.asc
-/*.xz
+/*.xz

cache_swap.sh

@@ -17,8 +17,5 @@ done
 
 if [ $init_cache_dirs -ne 0 ]; then
 	echo ""
-	if ! squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1; then
-		echo "init_cache_dir failed, see /var/log/squid/squid.out for more information"
-		exit 1
-	fi
+	squid --foreground -z -f "$SQUID_CONF" >> /var/log/squid/squid.out 2>&1
 fi

gating.yaml

@@ -1,16 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_contexts: [bodhi_update_push_testing]
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
-
-#gating rawhide
---- !Policy
-product_versions:
-  - fedora-*
-decision_contexts: [bodhi_update_push_stable]
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

plans/all.fmf

@@ -1,6 +0,0 @@
-summary: Test plan with all beakerlib tests
-discover:
-    how: fmf
-    url: https://src.fedoraproject.org/tests/squid.git
-execute:
-    how: tmt

sources

@@ -1,3 +1,3 @@
-SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b
-SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273
-SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
+SHA512 (squid-4.14.tar.xz) = 3509caea9e10ea54547eeb769a21f0ca4d37e39a063953821fc51d588b22facfa183d0a48be9ab15831ee646e031079b515c75162515b8a4e7c708df2d41958b
+SHA512 (squid-4.14.tar.xz.asc) = a556e5f20e25e598375e3a6d8a300a1e35b29c89b8125f31d3fb16f1f59f538548f7f2e7424f06fc957e330cca8f16e0efe534a4772699454cd1778a82d4647d
+SHA512 (pgp.asc) = 09f7012030d68831dfc083d67ca63ee54ed851482ca8d0e9505b444ee3e7ddeed62369b53f2917c9b2e0e57cc0533fce46e8cafd2ebcd1c6cb186b516efd0ad2

squid-3.0.STABLE1-perlpath.patch

@@ -1,10 +1,10 @@
 diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl
-index e965e9e..ed5ffcb 100755
+index 4cb0480..4b89910 100755
 --- a/contrib/url-normalizer.pl
 +++ b/contrib/url-normalizer.pl
 @@ -1,4 +1,4 @@
 -#!/usr/local/bin/perl -Tw
 +#!/usr/bin/perl -Tw
  #
- # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
+ # * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
  # *

squid-3.5.9-include-guards.patch

@@ -0,0 +1,95 @@
+------------------------------------------------------------
+revno: 14311
+revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
+------------------------------------------------------------
+revno: 14311
+revision-id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+parent: squid3@treenet.co.nz-20150924032241-6cx3g6hwz9xfoybr
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
+author: Francesco Chemolli <kinkie@squid-cache.org>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: trunk
+timestamp: Thu 2015-09-24 06:05:37 -0700
+message:
+  Bug 4323: Netfilter broken cross-includes with Linux 4.2
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
+# timestamp: 2015-09-24 13:06:33 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
+# base_revision_id: squid3@treenet.co.nz-20150924032241-\
+#   6cx3g6hwz9xfoybr
+# 
+# Begin patch
+=== modified file 'compat/os/linux.h'
+--- compat/os/linux.h	2015-01-13 07:25:36 +0000
++++ compat/os/linux.h	2015-09-24 13:05:37 +0000
+@@ -30,6 +30,21 @@
+ #endif
+ 
+ /*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
+  * sys/capability.h is only needed in Linux apparently.
+  *
+  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4323
+author: Francesco Chemolli <kinkie@squid-cache.org>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: trunk
+timestamp: Thu 2015-09-24 06:05:37 -0700
+message:
+  Bug 4323: Netfilter broken cross-includes with Linux 4.2
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150924130537-lqwzd1z99a3l9gt4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
+# testament_sha1: c67cfca81040f3845d7c4caf2f40518511f14d0b
+# timestamp: 2015-09-24 13:06:33 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk
+# base_revision_id: squid3@treenet.co.nz-20150924032241-\
+#   6cx3g6hwz9xfoybr
+# 
+# Begin patch
+=== modified file 'compat/os/linux.h'
+--- compat/os/linux.h	2015-01-13 07:25:36 +0000
++++ compat/os/linux.h	2015-09-24 13:05:37 +0000
+@@ -30,6 +30,21 @@
+ #endif
+ 
+ /*
++ * Netfilter header madness. (see Bug 4323)
++ *
++ * Netfilter have a history of defining their own versions of network protocol
++ * primitives without sufficient protection against the POSIX defines which are
++ * aways present in Linux.
++ *
++ * netinet/in.h must be included before any other sys header in order to properly
++ * activate include guards in <linux/libc-compat.h> the kernel maintainers added
++ * to workaround it.
++ */
++#if HAVE_NETINET_IN_H
++#include <netinet/in.h>
++#endif
++
++/*
+  * sys/capability.h is only needed in Linux apparently.
+  *
+  * HACK: LIBCAP_BROKEN Ugly glue to get around linux header madness colliding with glibc
+

squid-4.0.11-config.patch

@@ -1,8 +1,7 @@
-diff --git a/src/cf.data.pre b/src/cf.data.pre
-index 44aa34d..12225bc 100644
---- a/src/cf.data.pre
-+++ b/src/cf.data.pre
-@@ -5453,7 +5453,7 @@ DOC_END
+diff -up squid-4.0.11/src/cf.data.pre.config squid-4.0.11/src/cf.data.pre
+--- squid-4.0.11/src/cf.data.pre.config	2016-06-09 22:32:57.000000000 +0200
++++ squid-4.0.11/src/cf.data.pre	2016-07-11 21:08:35.090976840 +0200
+@@ -4658,7 +4658,7 @@ DOC_END
  
  NAME: logfile_rotate
  TYPE: int
@@ -11,7 +10,7 @@ index 44aa34d..12225bc 100644
  LOC: Config.Log.rotateNumber
  DOC_START
  	Specifies the default number of logfile rotations to make when you
-@@ -7447,11 +7447,11 @@ COMMENT_END
+@@ -6444,11 +6444,11 @@ COMMENT_END
  
  NAME: cache_mgr
  TYPE: string

squid-4.0.21-large-acl.patch

@@ -0,0 +1,178 @@
+diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
+index 01a4c12..b5c1679 100644
+--- a/src/acl/RegexData.cc
++++ b/src/acl/RegexData.cc
+@@ -22,6 +22,7 @@
+ #include "ConfigParser.h"
+ #include "Debug.h"
+ #include "sbuf/List.h"
++#include "sbuf/Algorithms.h"
+ 
+ ACLRegexData::~ACLRegexData()
+ {
+@@ -129,6 +130,18 @@ compileRE(std::list<RegexPattern> &curlist, const char * RE, int flags)
+     return true;
+ }
+ 
++static bool
++compileRE(std::list<RegexPattern> &curlist, const SBufList &RE, int flags)
++{
++	if (RE.empty())
++		return curlist.empty(); // XXX: old code did this. It looks wrong.
++	SBuf regexp;
++	static const SBuf openparen("("), closeparen(")"), separator(")|(");
++	JoinContainerIntoSBuf(regexp, RE.begin(), RE.end(), separator, openparen,
++			closeparen);
++	return compileRE(curlist, regexp.c_str(), flags);
++}
++
+ /** Compose and compile one large RE from a set of (small) REs.
+  * The ultimate goal is to have only one RE per ACL so that match() is
+  * called only once per ACL.
+@@ -137,16 +150,11 @@ static int
+ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
+ {
+     std::list<RegexPattern> newlist;
+-    int numREs = 0;
++    SBufList accumulatedRE;
++    int numREs = 0, reSize = 0;
+     int flags = REG_EXTENDED | REG_NOSUB;
+-    int largeREindex = 0;
+-    char largeRE[BUFSIZ];
+-    *largeRE = 0;
+ 
+     for (const SBuf & configurationLineWord : sl) {
+-        int RElen;
+-        RElen = configurationLineWord.length();
+-
+         static const SBuf minus_i("-i");
+         static const SBuf plus_i("+i");
+         if (configurationLineWord == minus_i) {
+@@ -155,10 +163,11 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
+                 debugs(28, 2, "optimisation of -i ... -i" );
+             } else {
+                 debugs(28, 2, "-i" );
+-                if (!compileRE(newlist, largeRE, flags))
++                if (!compileRE(newlist, accumulatedRE, flags))
+                     return 0;
+                 flags |= REG_ICASE;
+-                largeRE[largeREindex=0] = '\0';
++                accumulatedRE.clear();
++                reSize = 0;
+             }
+         } else if (configurationLineWord == plus_i) {
+             if ((flags & REG_ICASE) == 0) {
+@@ -166,37 +175,34 @@ compileOptimisedREs(std::list<RegexPattern> &curlist, const SBufList &sl)
+                 debugs(28, 2, "optimisation of +i ... +i");
+             } else {
+                 debugs(28, 2, "+i");
+-                if (!compileRE(newlist, largeRE, flags))
++                if (!compileRE(newlist, accumulatedRE, flags))
+                     return 0;
+                 flags &= ~REG_ICASE;
+-                largeRE[largeREindex=0] = '\0';
++                accumulatedRE.clear();
++                reSize = 0;
+             }
+-        } else if (RElen + largeREindex + 3 < BUFSIZ-1) {
++        } else if (reSize < 1024) {
+             debugs(28, 2, "adding RE '" << configurationLineWord << "'");
+-            if (largeREindex > 0) {
+-                largeRE[largeREindex] = '|';
+-                ++largeREindex;
+-            }
+-            largeRE[largeREindex] = '(';
+-            ++largeREindex;
+-            configurationLineWord.copy(largeRE+largeREindex, BUFSIZ-largeREindex);
+-            largeREindex += configurationLineWord.length();
+-            largeRE[largeREindex] = ')';
+-            ++largeREindex;
+-            largeRE[largeREindex] = '\0';
++            accumulatedRE.push_back(configurationLineWord);
+             ++numREs;
++            reSize += configurationLineWord.length();
+         } else {
+             debugs(28, 2, "buffer full, generating new optimised RE..." );
+-            if (!compileRE(newlist, largeRE, flags))
++            accumulatedRE.push_back(configurationLineWord);
++            if (!compileRE(newlist, accumulatedRE, flags))
+                 return 0;
+-            largeRE[largeREindex=0] = '\0';
++            accumulatedRE.clear();
++            reSize = 0;
+             continue;    /* do the loop again to add the RE to largeRE */
+         }
+     }
+ 
+-    if (!compileRE(newlist, largeRE, flags))
++    if (!compileRE(newlist, accumulatedRE, flags))
+         return 0;
+ 
++    accumulatedRE.clear();
++    reSize = 0;
++
+     /* all was successful, so put the new list at the tail */
+     curlist.splice(curlist.end(), newlist);
+ 
+diff --git a/src/sbuf/Algorithms.h b/src/sbuf/Algorithms.h
+index 21ee889..338e9c0 100644
+--- a/src/sbuf/Algorithms.h
++++ b/src/sbuf/Algorithms.h
+@@ -81,6 +81,57 @@ SBufContainerJoin(const Container &items, const SBuf& separator)
+     return rv;
+ }
+ 
++/** Join container of SBufs and append to supplied target
++ *
++ * append to the target SBuf all elements in the [begin,end) range from
++ * an iterable container, prefixed by prefix, separated by separator and
++ * followed by suffix. Prefix and suffix are added also in case of empty
++ * iterable
++ *
++ * \return the modified dest
++ */
++template <class ContainerIterator>
++SBuf&
++JoinContainerIntoSBuf(SBuf &dest, const ContainerIterator &begin,
++                      const ContainerIterator &end, const SBuf& separator,
++                      const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
++{
++    if (begin == end) {
++        dest.append(prefix).append(suffix);
++        return dest;
++    }
++
++    // optimization: pre-calculate needed storage
++    const SBuf::size_type totalContainerSize =
++        std::accumulate(begin, end, 0, SBufAddLength(separator)) +
++        dest.length() + prefix.length() + suffix.length();
++    SBufReservationRequirements req;
++    req.minSpace = totalContainerSize;
++    dest.reserve(req);
++
++    auto i = begin;
++    dest.append(prefix);
++    dest.append(*i);
++    ++i;
++    for (; i != end; ++i)
++        dest.append(separator).append(*i);
++    dest.append(suffix);
++    return dest;
++}
++
++
++/// convenience wrapper of JoinContainerIntoSBuf with no caller-supplied SBuf
++template <class ContainerIterator>
++SBuf
++JoinContainerToSBuf(const ContainerIterator &begin,
++                    const ContainerIterator &end, const SBuf& separator,
++                    const SBuf& prefix = SBuf(), const SBuf& suffix = SBuf())
++{
++    SBuf rv;
++    return JoinContainerIntoSBuf(rv, begin, end, separator, prefix, suffix);
++}
++
++
+ namespace std {
+ /// default hash functor to support std::unordered_map<SBuf,*>
+ template <>

squid-6.1-symlink-lang-err.patch

@@ -1,26 +0,0 @@
-diff --git a/errors/aliases b/errors/aliases
-index c256106..38c123a 100644
---- a/errors/aliases
-+++ b/errors/aliases
-@@ -14,8 +14,7 @@ da	da-dk
- de	de-at de-ch de-de de-li de-lu
- el	el-gr
- en	en-au en-bz en-ca en-cn en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw
--es	es-ar es-bo es-cl es-cu es-co es-do es-ec es-es es-pe es-pr es-py es-us es-uy es-ve es-xl spq
--es-mx	es-bz es-cr es-gt es-hn es-ni es-pa es-sv
-+es	es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve es-xl
- et	et-ee
- fa	fa-fa fa-ir
- fi	fi-fi
-diff --git a/errors/language.am b/errors/language.am
-index a437d17..f2fe463 100644
---- a/errors/language.am
-+++ b/errors/language.am
-@@ -19,7 +19,6 @@ LANGUAGE_FILES = \
- 	de.lang \
- 	el.lang \
- 	en.lang \
--	es-mx.lang \
- 	es.lang \
- 	et.lang \
- 	fa.lang \

squid-gcc11.patch

@@ -0,0 +1,24 @@
+diff --git a/src/acl/ConnMark.cc b/src/acl/ConnMark.cc
+index 1fdae0c..213cf39 100644
+--- a/src/acl/ConnMark.cc
++++ b/src/acl/ConnMark.cc
+@@ -15,6 +15,7 @@
+ #include "Debug.h"
+ #include "http/Stream.h"
+ #include "sbuf/Stream.h"
++#include <limits>
+ 
+ bool
+ Acl::ConnMark::empty() const
+diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
+index 5cd81ab..3f73892 100644
+--- a/src/security/ServerOptions.cc
++++ b/src/security/ServerOptions.cc
+@@ -6,6 +6,7 @@
+  * Please see the COPYING and CONTRIBUTORS files for details.
+  */
+ 
++#include <limits>
+ #include "squid.h"
+ #include "anyp/PortCfg.h"
+ #include "base/Packable.h"

squid.service

@@ -8,14 +8,11 @@ Type=notify
 LimitNOFILE=16384
 PIDFile=/run/squid.pid
 EnvironmentFile=/etc/sysconfig/squid
-ExecStartPre=!/usr/libexec/squid/cache_swap.sh
-ExecStart=!/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
-ExecReload=!/usr/bin/kill -HUP $MAINPID
+ExecStartPre=/usr/libexec/squid/cache_swap.sh
+ExecStart=/usr/sbin/squid --foreground $SQUID_OPTS -f ${SQUID_CONF}
+ExecReload=/usr/bin/kill -HUP $MAINPID
 KillMode=mixed
 NotifyAccess=all
-User=squid
-Group=squid
-RuntimeDirectory=squid
 
 [Install]
 WantedBy=multi-user.target

squid.spec

@@ -1,17 +1,16 @@
 %define __perl_requires %{SOURCE98}
-%define version_underscore %(echo %{version} | tr '.' '_')
 
 Name:     squid
-Version:  7.3
+Version:  4.14
 Release:  1%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
-License:  GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware)
+License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
 URL:      http://www.squid-cache.org
 
-Source0:  https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz
-Source1:  https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc
+Source0:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz
+Source1:  http://www.squid-cache.org/Versions/v4/squid-%{version}.tar.xz.asc
 Source2:  http://www.squid-cache.org/pgp.asc
 Source3:  squid.logrotate
 Source4:  squid.sysconfig
@@ -19,30 +18,31 @@ Source5:  squid.pam
 Source6:  squid.nm
 Source7:  squid.service
 Source8:  cache_swap.sh
-Source9:  squid.sysusers
 
 Source98: perl-requires-squid.sh
 
 # Upstream patches
 
 # Backported patches
-# Patch101: squid-7.1-.....patch
 
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
 # will break upstream ones.
-Patch201: squid-6.1-config.patch
-Patch202: squid-6.1-location.patch
-Patch203: squid-6.1-perlpath.patch
-# revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
-# workaround for #1934919
-Patch204: squid-6.1-symlink-lang-err.patch
+Patch201: squid-4.0.11-config.patch
+Patch202: squid-3.1.0.9-location.patch
+Patch203: squid-3.0.STABLE1-perlpath.patch
+Patch204: squid-3.5.9-include-guards.patch
+Patch205: squid-4.0.21-large-acl.patch
+Patch206: squid-gcc11.patch
 
 # cache_swap.sh
 Requires: bash gawk
 # for httpd conf file - cachemgr script alias
 Requires: httpd-filesystem
-
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
 # squid_ldap_auth and other LDAP helpers require OpenLDAP
 BuildRequires: make
 BuildRequires: openldap-devel
@@ -52,8 +52,10 @@ BuildRequires: pam-devel
 BuildRequires: openssl-devel
 # squid_kerb_aut requires Kerberos development libs
 BuildRequires: krb5-devel
-# time_quota requires TrivialDB
-BuildRequires: libtdb-devel
+# time_quota requires DB
+BuildRequires: libdb-devel
+# ESI support requires Expat & libxml2
+BuildRequires: expat-devel libxml2-devel
 # TPROXY requires libcap, and also increases security somewhat
 BuildRequires: libcap-devel
 # eCAP support
@@ -61,27 +63,24 @@ BuildRequires: libecap-devel
 #ip_user helper requires
 BuildRequires: gcc-c++
 BuildRequires: libtool libtool-ltdl-devel
-BuildRequires: libxcrypt-devel
 BuildRequires: perl-generators
 # For test suite
 BuildRequires: pkgconfig(cppunit)
 # For verifying downloded src tarball
 BuildRequires: gnupg2
-# for _unitdir macro
+# for _tmpfilesdir and _unitdir macro
 # see https://docs.fedoraproject.org/en-US/packaging-guidelines/Systemd/#_packaging
 BuildRequires: systemd-rpm-macros
 # systemd notify
 BuildRequires: systemd-devel
 
-%{?systemd_requires}
-%{?sysusers_requires_compat}
 
 # Old NetworkManager expects the dispatcher scripts in a different place
 Conflicts: NetworkManager < 1.20
 
 %description
 Squid is a high-performance proxy caching server for Web clients,
-supporting FTP and HTTP data objects. Unlike traditional
+supporting FTP, gopher, and HTTP data objects. Unlike traditional
 caching software, Squid handles all requests in a single,
 non-blocking, I/O-driven process. Squid keeps meta data and especially
 hot objects cached in RAM, caches DNS lookups, supports non-blocking
@@ -93,14 +92,28 @@ lookup program (dnsserver), a program for retrieving FTP data
 
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%setup -q
 
-%autosetup -p1
+# Upstream patches
+
+# Backported patches
+
+# Local patches
+%patch201 -p1 -b .config
+%patch202 -p1 -b .location
+%patch203 -p1 -b .perlpath
+%patch204 -p0 -b .include-guards
+%patch205 -p1 -b .large_acl
+%patch206 -p1 -b .gcc11
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
 sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in
 
 %build
+# This package fails its testsuite when LTO is enabled.  This needs further
+# investigation
+%define _lto_cflags %{nil}
 
 # NIS helper has been removed because of the following bug
 # https://bugzilla.redhat.com/show_bug.cgi?id=1531540
@@ -114,8 +127,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
    --enable-eui \
    --enable-follow-x-forwarded-for \
    --enable-auth \
-   --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
-   --enable-auth-ntlm="fake" \
+   --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \
+   --enable-auth-ntlm="SMB_LM,fake" \
    --enable-auth-digest="file,LDAP" \
    --enable-auth-negotiate="kerberos" \
    --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \
@@ -137,7 +150,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
    --enable-storeio="aufs,diskd,ufs,rock" \
    --enable-diskio \
    --enable-wccpv2 \
-   --disable-esi \
+   --enable-esi \
    --enable-ecap \
    --with-aio \
    --with-default-user="squid" \
@@ -147,13 +160,7 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
    --disable-arch-native \
    --disable-security-cert-validators \
    --disable-strict-error-checking \
-   --with-swapdir=%{_localstatedir}/spool/squid \
-   --enable-translation
-
-# workaround to build squid v5
-#mkdir -p src/icmp/tests
-#mkdir -p tools/squidclient/tests
-#mkdir -p tools/tests
+   --with-swapdir=%{_localstatedir}/spool/squid
 
 %make_build
 
@@ -194,8 +201,17 @@ install -m 644 $RPM_BUILD_ROOT/squid.httpd.tmp $RPM_BUILD_ROOT%{_sysconfdir}/htt
 install -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-squid
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/squid
 mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/spool/squid
+mkdir -p $RPM_BUILD_ROOT/run/squid
 chmod 644 contrib/url-normalizer.pl contrib/user-agents.pl
 
+# install /usr/lib/tmpfiles.d/squid.conf
+mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
+cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/squid.conf <<EOF
+# See tmpfiles.d(5) for details
+
+d /run/squid 0755 squid squid - -
+EOF
+
 # Move the MIB definition to the proper place (and name)
 mkdir -p $RPM_BUILD_ROOT/usr/share/snmp/mibs
 mv $RPM_BUILD_ROOT/usr/share/squid/mib.txt $RPM_BUILD_ROOT/usr/share/snmp/mibs/SQUID-MIB.txt
@@ -206,9 +222,6 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented
 # remove unpackaged files from the buildroot
 rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
 
-# sysusers.d
-install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
-
 %files
 %license COPYING 
 %doc CONTRIBUTORS README ChangeLog QUICKSTART src/squid.conf.documented
@@ -221,9 +234,11 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %attr(755,root,root) %dir %{_libdir}/squid
 %attr(770,squid,root) %dir %{_localstatedir}/log/squid
 %attr(750,squid,squid) %dir %{_localstatedir}/spool/squid
+%attr(755,squid,squid) %dir /run/squid
 
 %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
 %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
+%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf
 %config(noreplace) %{_sysconfdir}/squid/mime.conf
 %config(noreplace) %{_sysconfdir}/squid/errorpage.css
 %config(noreplace) %{_sysconfdir}/sysconfig/squid
@@ -231,6 +246,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %config %{_sysconfdir}/squid/squid.conf.default
 %config %{_sysconfdir}/squid/mime.conf.default
 %config %{_sysconfdir}/squid/errorpage.css.default
+%config %{_sysconfdir}/squid/cachemgr.conf.default
 %config(noreplace) %{_sysconfdir}/pam.d/squid
 %config(noreplace) %{_sysconfdir}/logrotate.d/squid
 
@@ -239,13 +255,22 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %{_prefix}/lib/NetworkManager
 %{_datadir}/squid/icons
 %{_sbindir}/squid
+%{_bindir}/squidclient
+%{_bindir}/purge
 %{_mandir}/man8/*
+%{_mandir}/man1/*
 %{_libdir}/squid/*
 %{_datadir}/snmp/mibs/SQUID-MIB.txt
-%{_sysusersdir}/squid.conf
+%{_tmpfilesdir}/squid.conf
 
 %pre
-%sysusers_create_compat %{SOURCE9}
+if ! getent group squid >/dev/null 2>&1; then
+  /usr/sbin/groupadd -g 23 squid
+fi
+
+if ! getent passwd squid >/dev/null 2>&1 ; then
+  /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 
+fi
 
 for i in /var/log/squid /var/spool/squid ; do
         if [ -d $i ] ; then
@@ -257,37 +282,6 @@ done
 
 exit 0
 
-%pretrans -p <lua>
--- temporarilly commented until https://bugzilla.redhat.com/show_bug.cgi?id=1936422 is resolved
---
--- previously /usr/share/squid/errors/es-mx was symlink, now it is directory since squid v5
--- see https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
--- Define the path to the symlink being replaced below.
---
--- path = "/usr/share/squid/errors/es-mx"
--- st = posix.stat(path)
--- if st and st.type == "link" then
---   os.remove(path)
--- end
-
--- Due to a bug #447156
-paths = {"/usr/share/squid/errors/zh-cn", "/usr/share/squid/errors/zh-tw"}
-for key,path in ipairs(paths)
-do
-  st = posix.stat(path)
-  if st and st.type == "directory" then
-    status = os.rename(path, path .. ".rpmmoved")
-    if not status then
-      suffix = 0
-      while not status do
-        suffix = suffix + 1
-        status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
-      end
-      os.rename(path, path .. ".rpmmoved")
-    end
-  end
-end
-
 %post
 %systemd_post squid.service
 
@@ -306,170 +300,10 @@ fi
 
 
 %changelog
-* Wed Oct 29 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.3-1
-- new version 7.3
-
-* Fri Oct 17 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.2-1
-- new version 7.2
-
-* Thu Sep 11 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.1-3
-- Support provider keys that require NULL digest
-
-* Thu Aug 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:7.1-1
-- new version 7.1
-- removed squidclient
-- removed purge
-- removed cachemgr.cgi
-- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
-
-* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.14-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Mon Jul 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.14-1
-- new version 6.14
-
-* Wed Mar 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-2
-- Do not blame cache_peer for 4xx CONNECT responses
-
-* Tue Feb 04 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-1
-- new version 6.13
-
-* Sat Feb 01 2025 Björn Esser <besser82@fedoraproject.org> - 7:6.12-5
-- Add explicit BR: libxcrypt-devel
-
-* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.12-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Fri Nov 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-3
-- better error handling in cache_swap.sh
-- added RuntimeDirectory to systemd service file
-
-* Fri Nov 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-2
-- Disable ESI support since ESI support has been also removed from squid 7
-- Resolves: CVE-2024-45802 squid: Denial of Service processing ESI
-  response content
-
-* Wed Oct 23 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.12-1
-- new version 6.12
-- Fix TCP_MISS_ABORTED/100 erros when uploading
-
-* Fri Oct 11 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.11-2
-- ignore SP and HTAB chars after chunk-size
-
-* Wed Sep 25 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.11-1
-- new version 6.11
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.10-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-1
-- new version 6.10
-- Resolves: #2294354 - CVE-2024-37894 squid: Out-of-bounds write error may
-  lead to Denial of Service
-
-* Tue Apr 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.9-1
-- Resolves: #2262715 - squid-6.9 is available
-
-* Sat Mar 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.8-1
-- new version 6.8
-
-* Mon Feb 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:6.7-1
-- new version 6.7
-- switch to autosetup
-- fix FTBFS when using gcc14
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Dec 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 7:6.6-1
-- new version 6.6
-
-* Tue Nov 07 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.5-1
-- new version 6.5
-
-* Tue Oct 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.4-1
-- new version 6.4
-
-* Thu Sep 14 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.3-2
-- SPDX migration
-
-* Tue Sep 05 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.3-1
-- new version 6.3
-
-* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.2-1
-- new version 6.2
-
-* Fri Aug 04 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.1-3
-- Fix "!commHasHalfClosedMonitor(fd)" assertion
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7:6.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jul 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:6.1-1
-- new version 6.1
-
-* Tue May 09 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.9-1
-- new version 5.9
-
-* Tue Feb 28 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:5.8-1
-- new version 5.8
-
-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.7-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Mon Dec 05 2022 Tomas Korbar <tkorbar@redhat.com> - 7:5.7-3
-- Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
-
-* Wed Oct 12 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.7-2
-- Provide a sysusers.d file to get user() and group() provides (#2134071)
-
-* Tue Sep 06 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.7-1
-- new version 5.7
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.6-1
-- new version 5.6
-
-* Wed Apr 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-1
-- new version 5.5
-- Resolves: #2053799 - squid-5.5 is available
-
-* Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.4-1
-- new version 5.4
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Oct 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.2-1
-- new version 5.2 (#2010109)
-- Resolves: #1934559 - squid: out-of-bounds read in WCCP protocol
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 7:5.1-2
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Aug 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 7:5.1-1
-- new version 5.1
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7:5.0.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Mon May 17 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.6-1
-- new version 5.0.6
-
-* Fri Apr 23 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-4
-- Related: #1934919 - squid update attempts fail with file conflicts
-
-* Fri Mar 05 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-3
-- Resolves: #1934919 - squid update attempts fail with file conflicts
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7:5.0.5-2
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Wed Feb 10 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:5.0.5-1
-- new version 5.0.5
+* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 7:4.14-1
+- new version 4.14
+- Resolves: #1939927 - CVE-2020-25097 squid: improper input validation may allow
+  a trusted client to perform HTTP Request Smuggling
 
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7:4.13-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

squid.sysusers

@@ -1,2 +0,0 @@
-g squid 23 -
-u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin