diff -u -r -N squid-3.2.0.11/ChangeLog squid-3.2.0.12/ChangeLog
--- squid-3.2.0.11/ChangeLog	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/ChangeLog	2011-09-16 23:37:30.000000000 +1200
@@ -1,3 +1,21 @@
+Changes to squid-3.2.0.12 (17 Sep 2011):
+
+	- Regression Bug 3335: ICAP service is down
+	- Regression Bug 3322: adapt:: and icap:: format codes do not parse
+	- Regression Bug 3303: Support for non-English usernames in log files
+	- Regression Bug 3259: assertion failed: Connection.cc:29: 'fd<0' after REVIVED PARENT
+	- Regression: %I shows hostname on SSL error page
+	- Regression: FTP outgoing port always 'in use' on PASV connections
+	- Bug 3337: (partial) status 200 is not accepted for deny_info
+	- Bug 3319: Inconsistencies in error messages
+	- Bug 3281: pconn in-use while closing assertion
+	- Bug 3243: Fix cases: raw-IPv6, case variant FQDN, internal request
+	- Fixed max-stale check. Entities not exceeding max-stale were marked as stale
+	- Adjust format code %la for intercepted connections
+	- Log ICAP_ERR_GONE ICAP transaction outcome when ICAP initiator disappears early
+	- Send RST packet when closing an ICAP connection after a transaction error
+	- Support maximum field width for string access.log fields
+
 Changes to squid-3.2.0.11 (28 Aug 2011):
 
 	- Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control
diff -u -r -N squid-3.2.0.11/configure squid-3.2.0.12/configure
--- squid-3.2.0.11/configure	2011-08-29 03:12:23.000000000 +1200
+++ squid-3.2.0.12/configure	2011-09-16 23:38:35.000000000 +1200
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.0.11.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.0.12.
 #
 # Report bugs to <http://www.squid-cache.org/bugs/>.
 #
@@ -575,8 +575,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.2.0.11'
-PACKAGE_STRING='Squid Web Proxy 3.2.0.11'
+PACKAGE_VERSION='3.2.0.12'
+PACKAGE_STRING='Squid Web Proxy 3.2.0.12'
 PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
 PACKAGE_URL=''
 
@@ -1570,7 +1570,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.2.0.11 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.2.0.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1640,7 +1640,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 3.2.0.11:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 3.2.0.12:";;
    esac
   cat <<\_ACEOF
 
@@ -2018,7 +2018,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 3.2.0.11
+Squid Web Proxy configure 3.2.0.12
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3114,7 +3114,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 3.2.0.11, which was
+It was created by Squid Web Proxy $as_me 3.2.0.12, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -3933,7 +3933,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='3.2.0.11'
+ VERSION='3.2.0.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -30543,7 +30543,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 3.2.0.11, which was
+This file was extended by Squid Web Proxy $as_me 3.2.0.12, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -30609,7 +30609,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 3.2.0.11
+Squid Web Proxy config.status 3.2.0.12
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-3.2.0.11/configure.ac squid-3.2.0.12/configure.ac
--- squid-3.2.0.11/configure.ac	2011-08-29 03:12:23.000000000 +1200
+++ squid-3.2.0.12/configure.ac	2011-09-16 23:38:35.000000000 +1200
@@ -3,7 +3,7 @@
 dnl
 dnl
 dnl
-AC_INIT([Squid Web Proxy],[3.2.0.11],[http://www.squid-cache.org/bugs/],[squid])
+AC_INIT([Squid Web Proxy],[3.2.0.12],[http://www.squid-cache.org/bugs/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.2.0.11/errors/af/ERR_AGENT_CONFIGURE squid-3.2.0.12/errors/af/ERR_AGENT_CONFIGURE
--- squid-3.2.0.11/errors/af/ERR_AGENT_CONFIGURE	2011-08-29 03:16:15.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_AGENT_CONFIGURE	2011-09-16 23:39:40.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Webblaaier se opstelling</title> <style type="text/css"><!--  %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>FOUT</h1> <h2>Web Browser Configuration</h2> </div> <hr>  <div id="content"> <blockquote id="error"> <p>Your Web Browser configuration needs to be corrected to use this network.</p> </blockquote>  <p>How to find these settings in your browser:</p>  <div id="firefox"> For Firefox browsers go to: <ul> <li>Tools -&gt; Options -&gt; Advanced -&gt; Network -&gt; Connection Settings</li> <li>In the HTTP proxy box type the proxy name %h and port %b.</li> </ul> </div>  <div id="microsoft"> For Internet Explorer browsers go to: <ul> <li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li> <li>In the HTTP proxy box type the proxy name %h and port %b.</li> </ul> </div>  <div id="opera"> For Opera browsers go to: <ul> <li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li> <li>In the HTTP proxy box type the proxy name %h and port %b.</li> </ul> </div>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Webblaaier se opstelling</title> <style type="text/css"><!--  %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>FOUT</h1> <h2>Web Browser Configuration</h2> </div> <hr>  <div id="content"> <blockquote id="error"> <p>Die opstelling van u webblaaier moet reggestel word om hierdie netwerk te gebruik.</p> </blockquote>  <p>Hoe om hierdie instellings in die blaaier te vind:</p>  <div id="firefox"> Vir Firefox-blaaiers, gaan na: <ul> <li>Nutsgoed -&gt; Opsies -&gt; Gevorderd -&gt; Netwerk -&gt; Verbinding</li> <li>In the HTTP proxy box type the proxy name %h and port %b.</li> </ul> </div>  <div id="microsoft"> Vir Internet Explorer-blaaiers, gaan na: <ul> <li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li> <li>In the HTTP proxy box type the proxy name %h and port %b.</li> </ul> </div>  <div id="opera"> Vir Opera-blaaiers, gaan na: <ul> <li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li> <li>In the HTTP proxy box type the proxy name %h and port %b.</li> </ul> </div>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_AGENT_WPAD squid-3.2.0.12/errors/af/ERR_AGENT_WPAD
--- squid-3.2.0.11/errors/af/ERR_AGENT_WPAD	2011-08-29 03:16:16.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_AGENT_WPAD	2011-09-16 23:39:41.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Webblaaier se opstelling</title> <style type="text/css"><!--  %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>FOUT</h1> <h2>Web Browser Configuration</h2> </div> <hr>  <div id="content"> <blockquote id="error"> <p>Your Web Browser configuration needs to be corrected to use this network.</p> </blockquote>  <p>How to find these settings in your browser:</p>  <div id="firefox"> For Firefox browsers go to: <ul> <li>Tools -&gt; Options -&gt; Advanced -&gt; Network -&gt; Connection Settings</li> <li>Select Auto-detect proxy settings for this network</li> </ul> </div>  <div id="microsoft"> For Internet Explorer browsers go to: <ul> <li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li> <li>Select Automatically detect settings</li> </ul> </div>  <div id="opera"> For Opera browsers go to: <ul> <li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li> <li>Select Use Automatic proxy configuration</li> </ul> </div>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Webblaaier se opstelling</title> <style type="text/css"><!--  %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>FOUT</h1> <h2>Web Browser Configuration</h2> </div> <hr>  <div id="content"> <blockquote id="error"> <p>Die opstelling van u webblaaier moet reggestel word om hierdie netwerk te gebruik.</p> </blockquote>  <p>Hoe om hierdie instellings in die blaaier te vind:</p>  <div id="firefox"> Vir Firefox-blaaiers, gaan na: <ul> <li>Nutsgoed -&gt; Opsies -&gt; Gevorderd -&gt; Netwerk -&gt; Verbinding</li> <li>Kies "Outospeur instaanopstelling vir hierdie netwerk"</li> </ul> </div>  <div id="microsoft"> Vir Internet Explorer-blaaiers, gaan na: <ul> <li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li> <li>Select Automatically detect settings</li> </ul> </div>  <div id="opera"> Vir Opera-blaaiers, gaan na: <ul> <li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li> <li>Select Use Automatic proxy configuration</li> </ul> </div>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_DIR_LISTING squid-3.2.0.12/errors/af/ERR_DIR_LISTING
--- squid-3.2.0.11/errors/af/ERR_DIR_LISTING	2011-08-29 03:16:20.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_DIR_LISTING	2011-09-16 23:39:43.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Gids: %U</title> <style type="text/css"><!--  %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h2>Gids: <a href="%U">%U</a>/</h2> </div> <hr>  <div id="content"> <h4>Gidsinhoud:</h4>  <blockquote id="data"> <pre id="dirmsg">%z</pre> </blockquote>  <table id="dirlisting" summary="Directory Listing"> <tr> <th><a href="../"><img border="0" src="/squid-internal-static/icons/silk/arrow_up.png" alt=""></a></th> <th nowrap="nowrap"><a href="../">Ouergids</a> (<a href="/">Wortelgids</a>)</th> </tr>  %g  </table> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Gids: %U</title> <style type="text/css"><!--  %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h2>Gids: <a href="%U">%U</a>/</h2> </div> <hr>  <div id="content"> <h4>Gidsinhoud:</h4>  <blockquote id="data"> <pre id="dirmsg">%z</pre> </blockquote>  <table id="dirlisting" summary="Gidslys"> <tr> <th><a href="../"><img border="0" src="/squid-internal-static/icons/silk/arrow_up.png" alt=""></a></th> <th nowrap="nowrap"><a href="../">Ouergids</a> (<a href="/">Wortelgids</a>)</th> </tr>  %g  </table> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_DNS_FAIL squid-3.2.0.12/errors/af/ERR_DNS_FAIL
--- squid-3.2.0.11/errors/af/ERR_DNS_FAIL	2011-08-29 03:16:21.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_DNS_FAIL	2011-09-16 23:39:44.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Kan nie IP-adres vanaf gasheernaam <q>%H</q> bepaal nie</b></p> </blockquote>  <p>Die DNS-bediener het geantwoord:</p> <blockquote id="data"> <pre>%z</pre> </blockquote>  <p>This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Kan nie IP-adres vanaf gasheernaam <q>%H</q> bepaal nie</b></p> </blockquote>  <p>Die DNS-bediener het geantwoord:</p> <blockquote id="data"> <pre>%z</pre> </blockquote>  <p>Dit beteken dat die kasbediener nie in staat was om die gasheernaam in die URL op te los nie. Kyk of die adres korrek is.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_FTP_PUT_CREATED squid-3.2.0.12/errors/af/ERR_FTP_PUT_CREATED
--- squid-3.2.0.11/errors/af/ERR_FTP_PUT_CREATED	2011-08-29 03:16:24.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_FTP_PUT_CREATED	2011-09-16 23:39:47.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FTP PUT Successful.</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1 id="ftpsuccess">Bewerking suksesvol</h1> <h2>Lêer is geskep</h2> </div> <hr>  <br>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FTP PUT suksesvol.</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1 id="ftpsuccess">Bewerking suksesvol</h1> <h2>Lêer is geskep</h2> </div> <hr>  <br>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_FTP_PUT_ERROR squid-3.2.0.12/errors/af/ERR_FTP_PUT_ERROR
--- squid-3.2.0.11/errors/af/ERR_FTP_PUT_ERROR	2011-08-29 03:16:26.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_FTP_PUT_ERROR	2011-09-16 23:39:48.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: FTP upload failed</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>FTP PUT upload failed</h2> </div> <hr>  <div id="content"> <p>'n FTP-protokolfout het voorgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <p>Squid het die volgende FTP-opdrag gestuur:</p> <blockquote id="data"> <pre>%f</pre> </blockquote>  <p>Die bediener het geantwoord met:</p> <blockquote id="sysmsg"> <pre>%F</pre> </blockquote>  <p>Dit beteken dat die FTP-bediener dalk nie toestemming of ruimte het om die lêer te stoor nie. Kontroleer die pad, toestemmings, skyfspasie en probeer weer.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: FTP upload failed</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>FTP PUT-oplaai het misluk</h2> </div> <hr>  <div id="content"> <p>'n FTP-protokolfout het voorgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <p>Squid het die volgende FTP-opdrag gestuur:</p> <blockquote id="data"> <pre>%f</pre> </blockquote>  <p>Die bediener het geantwoord met:</p> <blockquote id="sysmsg"> <pre>%F</pre> </blockquote>  <p>Dit beteken dat die FTP-bediener dalk nie toestemming of ruimte het om die lêer te stoor nie. Kontroleer die pad, toestemmings, skyfspasie en probeer weer.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_FTP_PUT_MODIFIED squid-3.2.0.12/errors/af/ERR_FTP_PUT_MODIFIED
--- squid-3.2.0.11/errors/af/ERR_FTP_PUT_MODIFIED	2011-08-29 03:16:26.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_FTP_PUT_MODIFIED	2011-09-16 23:39:48.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FTP PUT Successful.</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1 id="ftpsuccess">Bewerking suksesvol</h1> <h2>Lêer is opgedateer</h2> </div> <hr>  <br>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FTP PUT suksesvol.</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1 id="ftpsuccess">Bewerking suksesvol</h1> <h2>Lêer is opgedateer</h2> </div> <hr>  <br>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_ONLY_IF_CACHED_MISS squid-3.2.0.12/errors/af/ERR_ONLY_IF_CACHED_MISS
--- squid-3.2.0.11/errors/af/ERR_ONLY_IF_CACHED_MISS	2011-08-29 03:16:32.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_ONLY_IF_CACHED_MISS	2011-09-16 23:39:53.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Valid document was not found in the cache and <q>only-if-cached</q> directive was specified.</b></p> </blockquote>  <p>You have issued a request with a <q>only-if-cached</q> cache control directive. The document was not found in the cache, <em>or</em> it required revalidation prohibited by the <q>only-if-cached</q> directive.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Geldige dokument is nie in die kas gevind nie, en <q>only-if-cached</q> is gespesifiseer.</b></p> </blockquote>  <p>You have issued a request with a <q>only-if-cached</q> cache control directive. The document was not found in the cache, <em>or</em> it required revalidation prohibited by the <q>only-if-cached</q> directive.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_SOCKET_FAILURE squid-3.2.0.12/errors/af/ERR_SOCKET_FAILURE
--- squid-3.2.0.11/errors/af/ERR_SOCKET_FAILURE	2011-08-29 03:16:35.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_SOCKET_FAILURE	2011-09-16 23:39:55.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Sokfout</b></p> </blockquote>  <p id="sysmsg">Die stelsel het die volgende teruggestuur: <i>%E</i></p>  <p>Squid is unable to create a TCP socket, presumably due to excessive load. Please retry your request.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Sokfout</b></p> </blockquote>  <p id="sysmsg">Die stelsel het die volgende teruggestuur: <i>%E</i></p>  <p>Squid kan nie 'n TCP-sok skep nie, vermoedelik weens hoë lading. Probeer die navraag gerus weer.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/errors/af/ERR_UNSUP_REQ squid-3.2.0.12/errors/af/ERR_UNSUP_REQ
--- squid-3.2.0.11/errors/af/ERR_UNSUP_REQ	2011-08-29 03:16:37.000000000 +1200
+++ squid-3.2.0.12/errors/af/ERR_UNSUP_REQ	2011-09-16 23:39:57.000000000 +1200
@@ -1 +1 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Unsupported Request Method and Protocol</b></p> </blockquote>  <p>Squid ondersteun nie alle navraagmetodes vir alle toegangsprotokolle nie. Mens kan by voorbeeld nie 'n Gopher-navraag POST nie.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>FOUT: Die aangevraagde URL kon nie verkry word nie</title> <style type="text/css"><!--   %l  body :lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; } :lang(he) { direction: rtl; }  --></style> </head><body id=%c> <div id="titles"> <h1>ERROR</h1> <h2>The requested URL could not be retrieved</h2> </div> <hr>  <div id="content"> <p>Die volgende fout is teëgekom tydens verkryging van die URL: <a href="%U">%U</a></p>  <blockquote id="error"> <p><b>Niegesteunde versoekmetode en -protokol</b></p> </blockquote>  <p>Squid ondersteun nie alle navraagmetodes vir alle toegangsprotokolle nie. Mens kan by voorbeeld nie 'n Gopher-navraag POST nie.</p>  <p>Die kasbediener se administrateur is <a href="mailto:%w%W">%w</a>.</p> <br> </div>  <hr> <div id="footer"> <p>Gegenereer op %T deur %h (%s)</p> <!-- %c --> </div> </body></html> 
\ No newline at end of file
diff -u -r -N squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.8 squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.8	2011-08-29 03:38:13.000000000 +1200
+++ squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.8	2011-09-16 23:54:03.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2011-08-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2011-09-16" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.pl.in squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.pl.in
--- squid-3.2.0.11/helpers/basic_auth/DB/basic_db_auth.pl.in	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/helpers/basic_auth/DB/basic_db_auth.pl.in	2011-09-16 23:37:30.000000000 +1200
@@ -127,6 +127,12 @@
     $_dbh = DBI->connect($dsn, $db_user, $db_passwd);
     if (!defined $_dbh) {
     	warn ("Could not connect to $dsn\n");
+	my @driver_names = DBI->available_drivers();
+	my $msg = "DSN drivers apparently installed, available:\n";
+	foreach my $dn (@driver_names) {
+		$msg .= "\t$dn";
+	}
+	warn($msg."\n");
 	return undef;
     }
     my $sql_query;
diff -u -r -N squid-3.2.0.11/helpers/basic_auth/NCSA/basic_ncsa_auth.cc squid-3.2.0.12/helpers/basic_auth/NCSA/basic_ncsa_auth.cc
--- squid-3.2.0.11/helpers/basic_auth/NCSA/basic_ncsa_auth.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/helpers/basic_auth/NCSA/basic_ncsa_auth.cc	2011-09-16 23:37:30.000000000 +1200
@@ -143,6 +143,9 @@
         } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_OK("");
+        } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+            // Bug 3107: crypt() DES functionality silently truncates long passwords.
+            SEND_ERR("Password too long. Only 8 characters accepted.");
 #endif
         } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
             SEND_OK("");
diff -u -r -N squid-3.2.0.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.2.0.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.2.0.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2011-08-29 03:38:47.000000000 +1200
+++ squid-3.2.0.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2011-09-16 23:54:05.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2011-08-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2011-09-16" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.2.0.11/include/Array.h squid-3.2.0.12/include/Array.h
--- squid-3.2.0.11/include/Array.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/include/Array.h	2011-09-16 23:37:30.000000000 +1200
@@ -97,6 +97,8 @@
     Vector &operator += (E item) {push_back(item); return *this;};
 
     void insert (E);
+    const E &front() const;
+    E &front();
     E &back();
     E pop_back();
     E shift();         // aka pop_front
@@ -251,6 +253,22 @@
 }
 
 template<class E>
+const E &
+Vector<E>::front() const
+{
+    assert (size());
+    return items[0];
+}
+
+template<class E>
+E &
+Vector<E>::front()
+{
+    assert (size());
+    return items[0];
+}
+
+template<class E>
 void
 Vector<E>::prune(E item)
 {
diff -u -r -N squid-3.2.0.11/include/version.h squid-3.2.0.12/include/version.h
--- squid-3.2.0.11/include/version.h	2011-08-29 03:12:23.000000000 +1200
+++ squid-3.2.0.12/include/version.h	2011-09-16 23:38:35.000000000 +1200
@@ -9,7 +9,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1314544159
+#define SQUID_RELEASE_TIME 1316173049
 #endif
 
 #ifndef APP_SHORTNAME
diff -u -r -N squid-3.2.0.11/RELEASENOTES.html squid-3.2.0.12/RELEASENOTES.html
--- squid-3.2.0.11/RELEASENOTES.html	2011-08-29 03:42:01.000000000 +1200
+++ squid-3.2.0.12/RELEASENOTES.html	2011-09-16 23:54:10.000000000 +1200
@@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
- <TITLE>Squid 3.2.0.11 release notes</TITLE>
+ <TITLE>Squid 3.2.0.12 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.2.0.11 release notes</H1>
+<H1>Squid 3.2.0.12 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -73,7 +73,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-3.2.0.11 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.2.0.12 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v3/3.2/">http://www.squid-cache.org/Versions/v3/3.2/</A> or the 
 <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-3.2.0.11/src/AccessLogEntry.h squid-3.2.0.12/src/AccessLogEntry.h
--- squid-3.2.0.11/src/AccessLogEntry.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/AccessLogEntry.h	2011-09-16 23:37:30.000000000 +1200
@@ -39,6 +39,7 @@
 #if ICAP_CLIENT
 #include "adaptation/icap/Elements.h"
 #endif
+#include "ProtoPort.h"
 
 /* forward decls */
 class HttpReply;
@@ -148,6 +149,7 @@
 
         const char *ssluser;
 #endif
+        http_port_list *port;
 
     } cache;
 
diff -u -r -N squid-3.2.0.11/src/adaptation/icap/Elements.cc squid-3.2.0.12/src/adaptation/icap/Elements.cc
--- squid-3.2.0.11/src/adaptation/icap/Elements.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/adaptation/icap/Elements.cc	2011-09-16 23:37:30.000000000 +1200
@@ -8,6 +8,7 @@
 {
 
 const XactOutcome xoUnknown = "ICAP_ERR_UNKNOWN";
+const XactOutcome xoGone = "ICAP_ERR_GONE";
 const XactOutcome xoRace = "ICAP_ERR_RACE";
 const XactOutcome xoError = "ICAP_ERR_OTHER";
 const XactOutcome xoOpt = "ICAP_OPT";
diff -u -r -N squid-3.2.0.11/src/adaptation/icap/Elements.h squid-3.2.0.12/src/adaptation/icap/Elements.h
--- squid-3.2.0.11/src/adaptation/icap/Elements.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/adaptation/icap/Elements.h	2011-09-16 23:37:30.000000000 +1200
@@ -64,6 +64,7 @@
 
 typedef const char *XactOutcome; ///< transaction result for logging
 extern const XactOutcome xoUnknown; ///< initial value: outcome was not set
+extern const XactOutcome xoGone; ///< initiator gone, will not continue
 extern const XactOutcome xoRace; ///< ICAP server closed pconn when we started
 extern const XactOutcome xoError; ///< all kinds of transaction errors
 extern const XactOutcome xoOpt; ///< OPTION transaction
diff -u -r -N squid-3.2.0.11/src/adaptation/icap/ServiceRep.cc squid-3.2.0.12/src/adaptation/icap/ServiceRep.cc
--- squid-3.2.0.11/src/adaptation/icap/ServiceRep.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/adaptation/icap/ServiceRep.cc	2011-09-16 23:37:30.000000000 +1200
@@ -115,7 +115,7 @@
 }
 
 // pools connection if it is reusable or closes it
-void Adaptation::Icap::ServiceRep::putConnection(const Comm::ConnectionPointer &conn, bool isReusable, const char *comment)
+void Adaptation::Icap::ServiceRep::putConnection(const Comm::ConnectionPointer &conn, bool isReusable, bool sendReset, const char *comment)
 {
     Must(Comm::IsConnOpen(conn));
     // do not pool an idle connection if we owe connections
@@ -124,9 +124,14 @@
         commUnsetConnTimeout(conn);
         theIdleConns->push(conn);
     } else {
-        debugs(93, 3, HERE << "closing pconn" << comment);
-        // comm_close will clear timeout
-        conn->close();
+        debugs(93, 3, HERE << (sendReset ? "RST" : "FIN") << "-closing " <<
+               comment);
+        // comm_close called from Connection::close will clear timeout
+        // TODO: add "bool sendReset = false" to Connection::close()?
+        if (sendReset)
+            comm_reset_close(conn);
+        else
+            conn->close();
     }
 
     Must(theBusyConns > 0);
diff -u -r -N squid-3.2.0.11/src/adaptation/icap/ServiceRep.h squid-3.2.0.12/src/adaptation/icap/ServiceRep.h
--- squid-3.2.0.11/src/adaptation/icap/ServiceRep.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/adaptation/icap/ServiceRep.h	2011-09-16 23:37:30.000000000 +1200
@@ -111,7 +111,7 @@
     bool allows204() const;
     bool allows206() const;
     Comm::ConnectionPointer getConnection(bool isRetriable, bool &isReused);
-    void putConnection(const Comm::ConnectionPointer &conn, bool isReusable, const char *comment);
+    void putConnection(const Comm::ConnectionPointer &conn, bool isReusable, bool sendReset, const char *comment);
     void noteConnectionUse(const Comm::ConnectionPointer &conn);
     void noteConnectionFailed(const char *comment);
 
diff -u -r -N squid-3.2.0.11/src/adaptation/icap/Xaction.cc squid-3.2.0.12/src/adaptation/icap/Xaction.cc
--- squid-3.2.0.11/src/adaptation/icap/Xaction.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/adaptation/icap/Xaction.cc	2011-09-16 23:37:30.000000000 +1200
@@ -204,8 +204,11 @@
         if (reuseConnection)
             disableRetries();
 
+        const bool reset = !reuseConnection &&
+                           (al.icap.outcome == xoGone || al.icap.outcome == xoError);
+
         Adaptation::Icap::ServiceRep &s = service();
-        s.putConnection(connection, reuseConnection, status());
+        s.putConnection(connection, reuseConnection, reset, status());
 
         writer = NULL;
         reader = NULL;
@@ -476,8 +479,10 @@
 {
 
     if (theInitiator.set()) {
+        debugs(93,4, HERE << "Initiator gone before ICAP transaction ended");
         clearInitiator();
         detailError(ERR_DETAIL_ICAP_INIT_GONE);
+        setOutcome(xoGone);
         mustStop("initiator aborted");
     }
 
diff -u -r -N squid-3.2.0.11/src/auth/basic/UserRequest.cc squid-3.2.0.12/src/auth/basic/UserRequest.cc
--- squid-3.2.0.11/src/auth/basic/UserRequest.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/auth/basic/UserRequest.cc	2011-09-16 23:37:30.000000000 +1200
@@ -140,7 +140,7 @@
     BasicAuthQueueNode *tmpnode;
     char *t = NULL;
     void *cbdata;
-    debugs(29, 9, HERE << "{" << (reply ? reply : "<NULL>") << "}");
+    debugs(29, 5, HERE << "{" << (reply ? reply : "<NULL>") << "}");
 
     if (reply) {
         if ((t = strchr(reply, ' ')))
diff -u -r -N squid-3.2.0.11/src/base/Makefile.am squid-3.2.0.12/src/base/Makefile.am
--- squid-3.2.0.11/src/base/Makefile.am	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/base/Makefile.am	2011-09-16 23:37:30.000000000 +1200
@@ -15,6 +15,8 @@
 	TidyPointer.h \
 	CbcPointer.h \
 	InstanceId.h \
+	RunnersRegistry.cc \
+	RunnersRegistry.h \
 	Subscription.h \
 	TextException.cc \
 	TextException.h
diff -u -r -N squid-3.2.0.11/src/base/Makefile.in squid-3.2.0.12/src/base/Makefile.in
--- squid-3.2.0.11/src/base/Makefile.in	2011-08-29 03:11:51.000000000 +1200
+++ squid-3.2.0.12/src/base/Makefile.in	2011-09-16 23:38:18.000000000 +1200
@@ -57,7 +57,7 @@
 LTLIBRARIES = $(noinst_LTLIBRARIES)
 libbase_la_LIBADD =
 am_libbase_la_OBJECTS = AsyncCall.lo AsyncJob.lo AsyncCallQueue.lo \
-	TextException.lo
+	RunnersRegistry.lo TextException.lo
 libbase_la_OBJECTS = $(am_libbase_la_OBJECTS)
 DEFAULT_INCLUDES = 
 depcomp = $(SHELL) $(top_srcdir)/cfgaux/depcomp
@@ -320,6 +320,8 @@
 	TidyPointer.h \
 	CbcPointer.h \
 	InstanceId.h \
+	RunnersRegistry.cc \
+	RunnersRegistry.h \
 	Subscription.h \
 	TextException.cc \
 	TextException.h
@@ -388,6 +390,7 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/AsyncCall.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/AsyncCallQueue.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/AsyncJob.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/RunnersRegistry.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/TextException.Plo@am__quote@
 
 .cc.o:
diff -u -r -N squid-3.2.0.11/src/base/RunnersRegistry.cc squid-3.2.0.12/src/base/RunnersRegistry.cc
--- squid-3.2.0.11/src/base/RunnersRegistry.cc	1970-01-01 12:00:00.000000000 +1200
+++ squid-3.2.0.12/src/base/RunnersRegistry.cc	2011-09-16 23:37:30.000000000 +1200
@@ -0,0 +1,58 @@
+#include "config.h"
+#include "base/RunnersRegistry.h"
+#include <list>
+#include <map>
+
+typedef std::list<RegisteredRunner*> Runners;
+typedef std::map<RunnerRegistry, Runners*> Registries;
+
+/// all known registries
+static Registries *TheRegistries = NULL;
+
+/// returns the requested runners list, initializing structures as needed
+static Runners &
+GetRunners(const RunnerRegistry &registryId)
+{
+    if (!TheRegistries)
+        TheRegistries = new Registries;
+
+    if (TheRegistries->find(registryId) == TheRegistries->end())
+        (*TheRegistries)[registryId] = new Runners;
+
+    return *(*TheRegistries)[registryId];
+}
+
+int
+RegisterRunner(const RunnerRegistry &registryId, RegisteredRunner *rr)
+{
+    Runners &runners = GetRunners(registryId);
+    runners.push_back(rr);
+    return runners.size();
+}
+
+int
+ActivateRegistered(const RunnerRegistry &registryId)
+{
+    Runners &runners = GetRunners(registryId);
+    typedef Runners::iterator RRI;
+    for (RRI i = runners.begin(); i != runners.end(); ++i)
+        (*i)->run(registryId);
+    return runners.size();
+}
+
+void
+DeactivateRegistered(const RunnerRegistry &registryId)
+{
+    Runners &runners = GetRunners(registryId);
+    typedef Runners::iterator RRI;
+    while (!runners.empty()) {
+        delete runners.back();
+        runners.pop_back();
+    }
+}
+
+bool
+UseThisStatic(const void *)
+{
+    return true;
+}
diff -u -r -N squid-3.2.0.11/src/base/RunnersRegistry.h squid-3.2.0.12/src/base/RunnersRegistry.h
--- squid-3.2.0.11/src/base/RunnersRegistry.h	1970-01-01 12:00:00.000000000 +1200
+++ squid-3.2.0.12/src/base/RunnersRegistry.h	2011-09-16 23:37:30.000000000 +1200
@@ -0,0 +1,61 @@
+#ifndef SQUID_BASE_RUNNERSREGISTRY_H
+#define SQUID_BASE_RUNNERSREGISTRY_H
+
+/**
+ * This API allows virtually any module to register with a well-known registry,
+ * be activated by some central processor at some registry-specific time, and
+ * be deactiveated by some central processor at some registry-specific time.
+ *
+ * For example, main.cc may activate registered I/O modules after parsing
+ * squid.conf and deactivate them before exiting.
+ *
+ * A module in this context is code providing a functionality or service to the
+ * rest of Squid, such as src/DiskIO/Blocking, src/fs/ufs, or Cache Manager. A
+ * module must declare a RegisteredRunner child class to implement activation and
+ * deactivation logic using the run() method and destructor, respectively.
+ *
+ * This API allows the registry to determine the right [de]activation time for
+ * each group of similar modules, without knowing any module specifics.
+ *
+ */
+
+/// well-known registries
+typedef enum {
+    /// managed by main.cc; activated after parsing squid.conf and
+    /// deactivated before freeing configuration-related memory or exit()-ing
+    rrAfterConfig,
+
+    rrEnd ///< not a real registry, just a label to mark the end of enum
+} RunnerRegistry;
+
+/// a runnable registrant API
+class RegisteredRunner
+{
+public:
+    // called when this runner's registry is deactivated
+    virtual ~RegisteredRunner() {}
+
+    // called when this runner's registry is activated
+    virtual void run(const RunnerRegistry &r) = 0;
+};
+
+
+/// registers a given runner with the given registry and returns registry count
+int RegisterRunner(const RunnerRegistry &registry, RegisteredRunner *rr);
+
+/// calls run() methods of all runners in the given registry
+int ActivateRegistered(const RunnerRegistry &registry);
+/// deletes all runners in the given registry
+void DeactivateRegistered(const RunnerRegistry &registry);
+
+
+/// convenience function to "use" an otherwise unreferenced static variable
+bool UseThisStatic(const void *);
+
+/// convenience macro: register one RegisteredRunner kid as early as possible
+#define RunnerRegistrationEntry(Registry, Who) \
+    static const bool Who ## _RegisteredWith_ ## Registry = \
+        RegisterRunner(Registry, new Who) > 0 && \
+        UseThisStatic(& Who ## _RegisteredWith_ ## Registry);
+
+#endif /* SQUID_BASE_RUNNERSREGISTRY_H */
diff -u -r -N squid-3.2.0.11/src/cf.data.pre squid-3.2.0.12/src/cf.data.pre
--- squid-3.2.0.11/src/cf.data.pre	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/cf.data.pre	2011-09-16 23:37:30.000000000 +1200
@@ -1164,18 +1164,23 @@
 LOC: Config.accessList.miss
 DEFAULT: none
 DOC_START
-	Use to force your neighbors to use you as a sibling instead of
-	a parent.  For example:
+	Determins whether network access is permitted when satisfying a request.
+
+	For example;
+	    to force your neighbors to use you as a sibling instead of
+	    a parent.
 
 		acl localclients src 172.16.0.0/16
 		miss_access allow localclients
 		miss_access deny  !localclients
 
-	This means only your local clients are allowed to fetch
-	MISSES and all other clients can only fetch HITS.
+	This means only your local clients are allowed to fetch relayed/MISS
+	replies from the network and all other clients can only fetch cached
+	objects (HITs).
 
-	By default, allow all clients who passed the http_access rules
-	to fetch MISSES from us.
+
+	The default for this setting allows all clients who passed the
+	http_access rules to relay via this proxy.
 
 	This clause only supports fast acl types.
 	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -2869,8 +2874,12 @@
 		'	output as-is
 
 		-	left aligned
-		width	field width. If starting with 0 the
-			output is zero padded
+
+		width	minimum and/or maximum field width:
+			    [width_min][.width_max]
+			When minimum starts with 0, the field is zero-padded.
+			String values exceeding maximum width are truncated.
+
 		{arg}	argument such as header name etc
 
 	Format codes:
@@ -2890,6 +2899,9 @@
 		>la	Local IP address the client connected to
 		>lp	Local port number the client connected to
 
+		la	Local listening IP address the client connection was connected to.
+		lp	Local listening port number the client connection was connected to.
+
 		<a	Server IP address of the last server or peer connection
 		<A	Server FQDN or peer name
 		<p	Server port number of the last server or peer connection
@@ -3007,9 +3019,9 @@
 
 	The default formats available (which do not need re-defining) are:
 
-logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<a %mt
-logformat common     %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
-logformat combined   %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
+logformat common     %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
+logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
 logformat referrer   %ts.%03tu %>a %{Referer}>h %ru
 logformat useragent  %>a [%tl] "%{User-Agent}>h"
 
@@ -3690,12 +3702,20 @@
 DEFAULT: on
 LOC: Config.onoff.redir_rewrites_host
 DOC_START
-	By default Squid rewrites any Host: header in redirected
-	requests.  If you are running an accelerator this may
-	not be a wanted effect of a redirector.
-
+	To preserve same-origin security policies in browsers and
+	prevent Host: header forgery by redirectors Squid rewrites
+	any Host: header in redirected requests.
+	
+	If you are running an accelerator this may not be a wanted
+	effect of a redirector. This directive enables you disable
+	Host: alteration in reverse-proxy traffic.
+	
 	WARNING: Entries are cached on the result of the URL rewriting
 	process, so be careful if you have domain-virtual hosts.
+	
+	WARNING: Squid and other software verifies the URL and Host
+	are matching, so be careful not to relay through other proxies
+	or inspecting firewalls with this disabled.
 DOC_END
 
 NAME: url_rewrite_access redirector_access
@@ -6563,11 +6583,12 @@
 		returning a chain of services to be used next. The services
 		are specified using the X-Next-Services ICAP response header
 		value, formatted as a comma-separated list of service names.
-		Each named service should be configured in squid.conf and
-		should have the same method and vectoring point as the current
-		ICAP transaction.  Services violating these rules are ignored.
-		An empty X-Next-Services value results in an empty plan which
-		ends the current adaptation. 
+		Each named service should be configured in squid.conf. Other
+		services are ignored. An empty X-Next-Services value results
+		in an empty plan which ends the current adaptation.
+
+		Dynamic adaptation plan may cross or cover multiple supported
+		vectoring points in their natural processing order.
 
 		Routing is not allowed by default: the ICAP X-Next-Services
 		response header is ignored.
@@ -7094,6 +7115,7 @@
 TYPE: onoff
 LOC: Config.onoff.ignore_unknown_nameservers
 DEFAULT: on
+IFDEF: !USE_DNSSERVERS
 DOC_START
 	By default Squid checks that DNS responses are received
 	from the same IP addresses they are sent to.  If they
@@ -7106,6 +7128,7 @@
 TYPE: onoff
 DEFAULT: on
 LOC: Config.onoff.dns_require_A
+IFDEF: !USE_DNSSERVERS
 DOC_START
 	Standard practice with DNS is to lookup either A or AAAA records
 	and use the results if it succeeds. Only looking up the other if
@@ -7356,10 +7379,16 @@
 LOC: Config.retry.onerror
 DEFAULT: off
 DOC_START
-	If set to on Squid will automatically retry requests when
-	receiving an error response. This is mainly useful if you
-	are in a complex cache hierarchy to work around access
-	control errors.
+	If set to ON Squid will automatically retry requests when
+	receiving an error response with status 403 (Forbidden),
+	500 (Internal Error), 501 or 503 (Service not available).
+	Status 502 and 504 (Gateway errors) are always retried.
+	
+	This is mainly useful if you are in a complex cache hierarchy to
+	work around access control errors.
+	
+	NOTE: This retry will attempt to find another working destination.
+	Which is different from the server which just failed.
 DOC_END
 
 NAME: as_whois_server
diff -u -r -N squid-3.2.0.11/src/client_side.cc squid-3.2.0.12/src/client_side.cc
--- squid-3.2.0.11/src/client_side.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/client_side.cc	2011-09-16 23:37:30.000000000 +1200
@@ -640,7 +640,10 @@
 
     al.cache.caddr.SetNoAddr();
 
-    if (getConn() != NULL) al.cache.caddr = getConn()->log_addr;
+    if (getConn() != NULL) {
+        al.cache.caddr = getConn()->log_addr;
+        al.cache.port =  cbdataReference(getConn()->port);
+    }
 
     al.cache.requestSize = req_sz;
     al.cache.requestHeadersSize = req_sz;
@@ -2011,6 +2014,9 @@
     if (internalCheck(url)) {
         /* prepend our name & port */
         http->uri = xstrdup(internalLocalUri(NULL, url));
+        // We just re-wrote the URL. Must replace the Host: header.
+        //  But have not parsed there yet!! flag for local-only handling.
+        http->flags.internal = 1;
         return;
     }
 
@@ -3420,7 +3426,7 @@
     if (!(ssl = httpsCreate(details, sslContext)))
         return;
 
-    debugs(33, 5, HERE << details << " accepted, starting SSL negotiation.");
+    debugs(33, 4, HERE << details << " accepted, starting SSL negotiation.");
     fd_note(details->fd, "client https connect");
 
     if (s->http.tcp_keepalive.enabled) {
diff -u -r -N squid-3.2.0.11/src/client_side_request.cc squid-3.2.0.12/src/client_side_request.cc
--- squid-3.2.0.11/src/client_side_request.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/client_side_request.cc	2011-09-16 23:37:30.000000000 +1200
@@ -552,8 +552,10 @@
 void
 ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
-    debugs(85, 1, "SECURITY ALERT: Host: header forgery detected from " << http->getConn()->clientConnection <<
-           " (" << A << " does not match " << B << ")");
+    debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " <<
+           http->getConn()->clientConnection << " (" << A << " does not match " << B << ")");
+    debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << http->request->header.getStr(HDR_USER_AGENT));
+    debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request));
 
     // IP address validation for Host: failed. reject the connection.
     clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
@@ -579,7 +581,6 @@
 {
     // Require a Host: header.
     const char *host = http->request->header.getStr(HDR_HOST);
-    char *hostB = NULL;
 
     if (!host) {
         // TODO: dump out the HTTP/1.1 error about missing host header.
@@ -589,32 +590,34 @@
         return;
     }
 
+    if (http->request->flags.internal) {
+        // TODO: kill this when URL handling allows partial URLs out of accel mode
+        //       and we no longer screw with the URL just to add our internal host there
+        debugs(85, 6, HERE << "validate skipped due to internal composite URL.");
+        http->doCallouts();
+        return;
+    }
+
     // Locate if there is a port attached, strip ready for IP lookup
     char *portStr = NULL;
-    uint16_t port = 0;
+    char *hostB = xstrdup(host);
+    host = hostB;
     if (host[0] == '[') {
         // IPv6 literal.
-        // check for a port?
-        hostB = xstrdup(host+1);
         portStr = strchr(hostB, ']');
-        if (!portStr) {
-            safe_free(hostB); // well, that wasn't an IPv6 literal.
-        } else {
-            *portStr = '\0';
-            if (*(++portStr) == ':')
-                port = xatoi(++portStr);
-            else
-                portStr=NULL; // no port to check.
+        if (portStr && *(++portStr) != ':') {
+            portStr = NULL;
         }
-        if (hostB)
-            host = hostB; // point host at the local version for lookup
-    } else if (strrchr(host, ':') != NULL) {
+    } else {
         // Domain or IPv4 literal with port
-        hostB = xstrdup(host);
         portStr = strrchr(hostB, ':');
-        *portStr = '\0';
-        port = xatoi(++portStr);
-        host = hostB; // point host at the local version for lookup
+    }
+
+    uint16_t port = 0;
+    if (portStr) {
+        *portStr = '\0'; // strip the ':'
+        if (*(++portStr) != '\0')
+            port = xatoi(portStr);
     }
 
     debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
@@ -630,7 +633,11 @@
             // verify the destination DNS is one of the Host: headers IPs
             ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
         }
-    } else if (strcmp(host, http->request->GetHost()) != 0) {
+    } else if (strlen(host) != strlen(http->request->GetHost())) {
+        // Verify forward-proxy requested URL domain matches the Host: header
+        debugs(85, 3, HERE << "FAIL on validate URL domain length " << http->request->GetHost() << " matches Host: " << host);
+        hostHeaderVerifyFailed(host, http->request->GetHost());
+    } else if (matchDomainName(host, http->request->GetHost()) != 0) {
         // Verify forward-proxy requested URL domain matches the Host: header
         debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host);
         hostHeaderVerifyFailed(host, http->request->GetHost());
@@ -863,7 +870,7 @@
 void
 ClientRequestContext::clientRedirectStart()
 {
-    debugs(33, 5, "clientRedirectStart: '" << http->uri << "'");
+    debugs(33, 5, HERE << "'" << http->uri << "'");
 
     if (Config.accessList.redirector) {
         acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http);
diff -u -r -N squid-3.2.0.11/src/comm/Connection.cc squid-3.2.0.12/src/comm/Connection.cc
--- squid-3.2.0.11/src/comm/Connection.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/Connection.cc	2011-09-16 23:37:30.000000000 +1200
@@ -26,11 +26,9 @@
 static int64_t lost_conn = 0;
 Comm::Connection::~Connection()
 {
-    assert(fd < 0); // These should never occur now.
-
     if (fd >= 0) {
-        debugs(5, 0, "NOTE: Orphan Comm::Connection: " << *this);
-        debugs(5, 0, "NOTE: Orphaned Comm::Connections: " << ++lost_conn);
+        debugs(5, 0, "BUG: Orphan Comm::Connection: " << *this);
+        debugs(5, 0, "NOTE: " << ++lost_conn << " Orphans since last started.");
         close();
     }
 
diff -u -r -N squid-3.2.0.11/src/comm/ModDevPoll.cc squid-3.2.0.12/src/comm/ModDevPoll.cc
--- squid-3.2.0.11/src/comm/ModDevPoll.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/ModDevPoll.cc	2011-09-16 23:37:30.000000000 +1200
@@ -247,13 +247,9 @@
 Comm::SetSelect(int fd, unsigned int type, PF * handler, void *client_data, time_t timeout)
 {
     assert(fd >= 0);
-    debugs(
-        5,
-        DEBUG_DEVPOLL ? 0 : 8,
-        HERE << "FD " << fd << ",type=" << type
-        << ",handler=" << handler << ",client_data=" << client_data
-        << ",timeout=" << timeout << ")"
-    );
+    debugs(5, 5, HERE << "FD " << fd << ", type=" << type <<
+           ", handler=" << handler << ", client_data=" << client_data <<
+           ", timeout=" << timeout);
 
     /* POLLIN/POLLOUT are defined in <sys/poll.h> */
     fde *F = &fd_table[fd];
diff -u -r -N squid-3.2.0.11/src/comm/ModEpoll.cc squid-3.2.0.12/src/comm/ModEpoll.cc
--- squid-3.2.0.11/src/comm/ModEpoll.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/ModEpoll.cc	2011-09-16 23:37:30.000000000 +1200
@@ -132,7 +132,7 @@
 
     struct epoll_event ev;
     assert(fd >= 0);
-    debugs(5, DEBUG_EPOLL ? 0 : 8, HERE << "FD " << fd << ", type=" << type <<
+    debugs(5, 5, HERE << "FD " << fd << ", type=" << type <<
            ", handler=" << handler << ", client_data=" << client_data <<
            ", timeout=" << timeout);
 
diff -u -r -N squid-3.2.0.11/src/comm/ModKqueue.cc squid-3.2.0.12/src/comm/ModKqueue.cc
--- squid-3.2.0.11/src/comm/ModKqueue.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/ModKqueue.cc	2011-09-16 23:37:30.000000000 +1200
@@ -194,6 +194,9 @@
     fde *F = &fd_table[fd];
     assert(fd >= 0);
     assert(F->flags.open);
+    debugs(5, 5, HERE << "FD " << fd << ", type=" << type <<
+           ", handler=" << handler << ", client_data=" << client_data <<
+           ", timeout=" << timeout);
 
     if (type & COMM_SELECT_READ) {
         kq_update_events(fd, EVFILT_READ, handler);
diff -u -r -N squid-3.2.0.11/src/comm/ModPoll.cc squid-3.2.0.12/src/comm/ModPoll.cc
--- squid-3.2.0.11/src/comm/ModPoll.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/ModPoll.cc	2011-09-16 23:37:30.000000000 +1200
@@ -144,7 +144,9 @@
     fde *F = &fd_table[fd];
     assert(fd >= 0);
     assert(F->flags.open);
-    debugs(5, 5, "commSetSelect: FD " << fd << " type " << type);
+    debugs(5, 5, HERE << "FD " << fd << ", type=" << type <<
+           ", handler=" << handler << ", client_data=" << client_data <<
+           ", timeout=" << timeout);
 
     if (type & COMM_SELECT_READ) {
         F->read_handler = handler;
@@ -513,7 +515,7 @@
             }
 
             if (revents & (POLLWRNORM | POLLOUT | POLLHUP | POLLERR)) {
-                debugs(5, 5, "comm_poll: FD " << fd << " ready for writing");
+                debugs(5, 6, "comm_poll: FD " << fd << " ready for writing");
 
                 if ((hdl = F->write_handler)) {
                     PROF_start(comm_write_handler);
diff -u -r -N squid-3.2.0.11/src/comm/ModSelect.cc squid-3.2.0.12/src/comm/ModSelect.cc
--- squid-3.2.0.11/src/comm/ModSelect.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/ModSelect.cc	2011-09-16 23:37:30.000000000 +1200
@@ -139,7 +139,9 @@
     fde *F = &fd_table[fd];
     assert(fd >= 0);
     assert(F->flags.open);
-    debugs(5, 5, HERE << "FD " << fd << " type " << type);
+    debugs(5, 5, HERE << "FD " << fd << ", type=" << type <<
+           ", handler=" << handler << ", client_data=" << client_data <<
+           ", timeout=" << timeout);
 
     if (type & COMM_SELECT_READ) {
         F->read_handler = handler;
@@ -585,7 +587,7 @@
                 }
 
                 F = &fd_table[fd];
-                debugs(5, 5, "comm_select: FD " << fd << " ready for writing");
+                debugs(5, 6, "comm_select: FD " << fd << " ready for writing");
 
                 if ((hdl = F->write_handler)) {
                     F->write_handler = NULL;
diff -u -r -N squid-3.2.0.11/src/comm/ModSelectWin32.cc squid-3.2.0.12/src/comm/ModSelectWin32.cc
--- squid-3.2.0.11/src/comm/ModSelectWin32.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm/ModSelectWin32.cc	2011-09-16 23:37:30.000000000 +1200
@@ -138,7 +138,9 @@
     fde *F = &fd_table[fd];
     assert(fd >= 0);
     assert(F->flags.open);
-    debugs(5, 5, "commSetSelect: FD " << fd << " type " << type);
+    debugs(5, 5, HERE << "FD " << fd << ", type=" << type <<
+           ", handler=" << handler << ", client_data=" << client_data <<
+           ", timeout=" << timeout);
 
     if (type & COMM_SELECT_READ) {
         F->read_handler = handler;
@@ -608,7 +610,7 @@
             }
 
             F = &fd_table[fd];
-            debugs(5, 5, "comm_select: FD " << fd << " ready for writing");
+            debugs(5, 6, "comm_select: FD " << fd << " ready for writing");
 
             if ((hdl = F->write_handler)) {
                 F->write_handler = NULL;
diff -u -r -N squid-3.2.0.11/src/comm.cc squid-3.2.0.12/src/comm.cc
--- squid-3.2.0.11/src/comm.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm.cc	2011-09-16 23:37:30.000000000 +1200
@@ -106,7 +106,7 @@
 bool
 isOpen(const int fd)
 {
-    return fd >= 0 && fd_table[fd].flags.open != 0;
+    return fd >= 0 && fd_table && fd_table[fd].flags.open != 0;
 }
 
 /**
@@ -1021,7 +1021,7 @@
  * closed, TCP generates a RESET
  */
 void
-comm_reset_close(Comm::ConnectionPointer &conn)
+comm_reset_close(const Comm::ConnectionPointer &conn)
 {
     struct linger L;
     L.l_onoff = 1;
diff -u -r -N squid-3.2.0.11/src/comm.h squid-3.2.0.12/src/comm.h
--- squid-3.2.0.11/src/comm.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/comm.h	2011-09-16 23:37:30.000000000 +1200
@@ -19,7 +19,7 @@
 extern void _comm_close(int fd, char const *file, int line);
 #define comm_close(x) (_comm_close((x), __FILE__, __LINE__))
 SQUIDCEXTERN void old_comm_reset_close(int fd);
-SQUIDCEXTERN void comm_reset_close(Comm::ConnectionPointer &conn);
+SQUIDCEXTERN void comm_reset_close(const Comm::ConnectionPointer &conn);
 #if LINGERING_CLOSE
 SQUIDCEXTERN void comm_lingering_close(int fd);
 #endif
diff -u -r -N squid-3.2.0.11/src/errorpage.cc squid-3.2.0.12/src/errorpage.cc
--- squid-3.2.0.11/src/errorpage.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/errorpage.cc	2011-09-16 23:37:30.000000000 +1200
@@ -485,15 +485,15 @@
         self_destruct();
     } else if ( /* >= 200 && */ info->page_redirect < 300 && strchr(&(page_name[4]), ':')) {
         // 2xx require a local template file
-        debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'");
+        debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a template on '" << page_name << "'");
         self_destruct();
-    } else if (/* >= 300 && */ info->page_redirect <= 399 && !strchr(&(page_name[4]), ':')) {
+    } else if (info->page_redirect >= 300 && info->page_redirect <= 399 && !strchr(&(page_name[4]), ':')) {
         // 3xx require an absolute URL
-        debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'");
+        debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a URL on '" << page_name << "'");
         self_destruct();
     } else if (info->page_redirect >= 400 /* && <= 599 */ && strchr(&(page_name[4]), ':')) {
         // 4xx/5xx require a local template file
-        debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " is not valid on '" << page_name << "'");
+        debugs(0, DBG_CRITICAL, "FATAL: status " << info->page_redirect << " requires a template on '" << page_name << "'");
         self_destruct();
     }
     // else okay.
@@ -892,8 +892,8 @@
         break;
 
     case 'I':
-        if (request && request->hier.host[0] != '\0') // if non-empty string
-            mb.Printf("%s", request->hier.host);
+        if (request && request->hier.tcpServer != NULL)
+            p = request->hier.tcpServer->remote.NtoA(ntoabuf,MAX_IPSTRLEN);
         else if (!building_deny_info_url)
             p = "[unknown]";
         break;
diff -u -r -N squid-3.2.0.11/src/filemap.cc squid-3.2.0.12/src/filemap.cc
--- squid-3.2.0.11/src/filemap.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/filemap.cc	2011-09-16 23:37:30.000000000 +1200
@@ -76,6 +76,7 @@
     assert(fm->max_n_files <= (1 << 24));	/* swap_filen is 25 bits, signed */
     fm->nwords = fm->max_n_files >> LONG_BIT_SHIFT;
     debugs(8, 3, "file_map_grow: creating space for " << fm->max_n_files << " files");
+    debugs(8, 5, "--> " << fm->nwords << " words of " << sizeof(*fm->file_map) << " bytes each");
     fm->file_map = (unsigned long *)xcalloc(fm->nwords, sizeof(*fm->file_map));
     debugs(8, 3, "copying " << old_sz << " old bytes");
     memcpy(fm->file_map, old_map, old_sz);
diff -u -r -N squid-3.2.0.11/src/format/Format.cc squid-3.2.0.12/src/format/Format.cc
--- squid-3.2.0.11/src/format/Format.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/format/Format.cc	2011-09-16 23:37:30.000000000 +1200
@@ -12,6 +12,8 @@
 #include "SquidTime.h"
 #include "Store.h"
 
+/// Convert a string to NULL pointer if it is ""
+#define strOrNull(s) ((s)==NULL||(s)[0]=='\0'?NULL:(s))
 
 Format::Format::Format(const char *n) :
         format(NULL),
@@ -365,14 +367,32 @@
             }
             break;
 
-        case LFT_CLIENT_LOCAL_IP_OLD_31:
+        case LFT_LOCAL_LISTENING_IP: {
+            // avoid logging a dash if we have reliable info
+            const bool interceptedAtKnownPort = (al->request->flags.spoof_client_ip ||
+                                                 al->request->flags.intercepted) && al->cache.port;
+            if (interceptedAtKnownPort) {
+                const bool portAddressConfigured = !al->cache.port->s.IsAnyAddr();
+                if (portAddressConfigured)
+                    out = al->cache.port->s.NtoA(tmp, sizeof(tmp));
+            } else if (al->tcpClient != NULL)
+                out = al->tcpClient->local.NtoA(tmp, sizeof(tmp));
+        }
+        break;
+
         case LFT_CLIENT_LOCAL_IP:
             if (al->tcpClient != NULL) {
                 out = al->tcpClient->local.NtoA(tmp,sizeof(tmp));
             }
             break;
 
-        case LFT_CLIENT_LOCAL_PORT_OLD_31:
+        case LFT_LOCAL_LISTENING_PORT:
+            if (al->cache.port) {
+                outint = al->cache.port->s.GetPort();
+                doint = 1;
+            }
+            break;
+
         case LFT_CLIENT_LOCAL_PORT:
             if (al->tcpClient != NULL) {
                 outint = al->tcpClient->local.GetPort();
@@ -726,44 +746,27 @@
             break;
 
         case LFT_USER_NAME:
-            out = QuoteUrlEncodeUsername(al->cache.authuser);
-
+            out = strOrNull(al->cache.authuser);
             if (!out)
-                out = QuoteUrlEncodeUsername(al->cache.extuser);
-
+                out = strOrNull(al->cache.extuser);
 #if USE_SSL
-
             if (!out)
-                out = QuoteUrlEncodeUsername(al->cache.ssluser);
-
+                out = strOrNull(al->cache.ssluser);
 #endif
-
             if (!out)
-                out = QuoteUrlEncodeUsername(al->cache.rfc931);
-
-            dofree = 1;
-
+                out = strOrNull(al->cache.rfc931);
             break;
 
         case LFT_USER_LOGIN:
-            out = QuoteUrlEncodeUsername(al->cache.authuser);
-
-            dofree = 1;
-
+            out = strOrNull(al->cache.authuser);
             break;
 
         case LFT_USER_IDENT:
-            out = QuoteUrlEncodeUsername(al->cache.rfc931);
-
-            dofree = 1;
-
+            out = strOrNull(al->cache.rfc931);
             break;
 
         case LFT_USER_EXTERNAL:
-            out = QuoteUrlEncodeUsername(al->cache.extuser);
-
-            dofree = 1;
-
+            out = strOrNull(al->cache.extuser);
             break;
 
             /* case LFT_USER_REALM: */
@@ -1049,11 +1052,18 @@
                 }
             }
 
-            if (fmt->width) {
+            // enforce width limits if configured
+            const bool haveMaxWidth = fmt->precision && !doint && !dooff;
+            if (haveMaxWidth || fmt->width) {
+                const int minWidth = fmt->width ?
+                                     static_cast<int>(fmt->width) : 0;
+                const int maxWidth = haveMaxWidth ?
+                                     static_cast<int>(fmt->precision) : strlen(out);
+
                 if (fmt->left)
-                    mb.Printf("%-*s", (int) fmt->width, out);
+                    mb.Printf("%-*.*s", minWidth, maxWidth, out);
                 else
-                    mb.Printf("%*s", (int) fmt->width, out);
+                    mb.Printf("%*.*s", minWidth, maxWidth, out);
             } else
                 mb.append(out, strlen(out));
         } else {
diff -u -r -N squid-3.2.0.11/src/format/Tokens.cc squid-3.2.0.12/src/format/Tokens.cc
--- squid-3.2.0.11/src/format/Tokens.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/format/Tokens.cc	2011-09-16 23:37:30.000000000 +1200
@@ -62,9 +62,9 @@
 static struct TokenTableEntry TokenTable2C[] = {
 
     {">la", LFT_CLIENT_LOCAL_IP},
-    {"la", LFT_CLIENT_LOCAL_IP_OLD_31},
+    {"la", LFT_LOCAL_LISTENING_IP},
     {">lp", LFT_CLIENT_LOCAL_PORT},
-    {"lp", LFT_CLIENT_LOCAL_PORT_OLD_31},
+    {"lp", LFT_LOCAL_LISTENING_PORT},
     /*{ "lA", LFT_LOCAL_NAME }, */
 
     {"<la", LFT_SERVER_LOCAL_IP},
@@ -121,9 +121,9 @@
     /*{"<rq", LFT_SERVER_REQ_QUERY},*/
     {"<rv", LFT_SERVER_REQ_VERSION},
 
-    { ">st", LFT_REQUEST_SIZE_TOTAL },
+    {">st", LFT_REQUEST_SIZE_TOTAL },
     /*{ ">sl", LFT_REQUEST_SIZE_LINE }, * / / * the request line "GET ... " */
-    { ">sh", LFT_REQUEST_SIZE_HEADERS },
+    {">sh", LFT_REQUEST_SIZE_HEADERS },
     /*{ ">sb", LFT_REQUEST_SIZE_BODY }, */
     /*{ ">sB", LFT_REQUEST_SIZE_BODY_NO_TE }, */
 
@@ -131,7 +131,7 @@
     {"<sH", LFT_REPLY_HIGHOFFSET},
     {"<sS", LFT_REPLY_OBJECTSIZE},
     /*{ "<sl", LFT_REPLY_SIZE_LINE }, * /   / * the reply line (protocol, code, text) */
-    { "<sh", LFT_REPLY_SIZE_HEADERS },
+    {"<sh", LFT_REPLY_SIZE_HEADERS },
     /*{ "<sb", LFT_REPLY_SIZE_BODY }, */
     /*{ "<sB", LFT_REPLY_SIZE_BODY_NO_TE }, */
 
@@ -146,9 +146,9 @@
 #if USE_ADAPTATION
 /// Adaptation (adapt::) tokens
 static struct TokenTableEntry TokenTableAdapt[] = {
-    {"adapt::all_trs", LTF_ADAPTATION_ALL_XACT_TIMES},
-    {"adapt::sum_trs", LTF_ADAPTATION_SUM_XACT_TIMES},
-    {"adapt::<last_h", LFT_ADAPTATION_LAST_HEADER},
+    {"all_trs", LTF_ADAPTATION_ALL_XACT_TIMES},
+    {"sum_trs", LTF_ADAPTATION_SUM_XACT_TIMES},
+    {"<last_h", LFT_ADAPTATION_LAST_HEADER},
     {NULL, LFT_NONE}		/* this must be last */
 };
 #endif
@@ -156,24 +156,24 @@
 #if ICAP_CLIENT
 /// ICAP (icap::) tokens
 static struct TokenTableEntry TokenTableIcap[] = {
-    {"icap::tt", LFT_ICAP_TOTAL_TIME},
-    {"icap::<last_h", LFT_ADAPTATION_LAST_HEADER}, // deprecated
+    {"tt", LFT_ICAP_TOTAL_TIME},
+    {"<last_h", LFT_ADAPTATION_LAST_HEADER}, // deprecated
 
-    {"icap::<A",  LFT_ICAP_ADDR},
-    {"icap::<service_name",  LFT_ICAP_SERV_NAME},
-    {"icap::ru",  LFT_ICAP_REQUEST_URI},
-    {"icap::rm",  LFT_ICAP_REQUEST_METHOD},
-    {"icap::>st",  LFT_ICAP_BYTES_SENT},
-    {"icap::<st",  LFT_ICAP_BYTES_READ},
-    {"icap::<bs", LFT_ICAP_BODY_BYTES_READ},
-
-    {"icap::>h",  LFT_ICAP_REQ_HEADER},
-    {"icap::<h",  LFT_ICAP_REP_HEADER},
-
-    {"icap::tr",  LFT_ICAP_TR_RESPONSE_TIME},
-    {"icap::tio",  LFT_ICAP_IO_TIME},
-    {"icap::to",  LFT_ICAP_OUTCOME},
-    {"icap::Hs",  LFT_ICAP_STATUS_CODE},
+    {"<A",  LFT_ICAP_ADDR},
+    {"<service_name",  LFT_ICAP_SERV_NAME},
+    {"ru",  LFT_ICAP_REQUEST_URI},
+    {"rm",  LFT_ICAP_REQUEST_METHOD},
+    {">st",  LFT_ICAP_BYTES_SENT},
+    {"<st",  LFT_ICAP_BYTES_READ},
+    {"<bs", LFT_ICAP_BODY_BYTES_READ},
+
+    {">h",  LFT_ICAP_REQ_HEADER},
+    {"<h",  LFT_ICAP_REP_HEADER},
+
+    {"tr",  LFT_ICAP_TR_RESPONSE_TIME},
+    {"tio",  LFT_ICAP_IO_TIME},
+    {"to",  LFT_ICAP_OUTCOME},
+    {"Hs",  LFT_ICAP_STATUS_CODE},
 
     {NULL, LFT_NONE}		/* this must be last */
 };
@@ -182,8 +182,8 @@
 /// Miscellaneous >2 byte tokens
 static struct TokenTableEntry TokenTableMisc[] = {
     {">eui", LFT_CLIENT_EUI},
-    { "err_code", LFT_SQUID_ERROR },
-    { "err_detail", LFT_SQUID_ERROR_DETAIL },
+    {"err_code", LFT_SQUID_ERROR },
+    {"err_detail", LFT_SQUID_ERROR_DETAIL },
     {NULL, LFT_NONE}		/* this must be last */
 };
 
@@ -496,16 +496,6 @@
         type = LFT_HTTP_SENT_STATUS_CODE;
         break;
 
-    case LFT_CLIENT_LOCAL_IP_OLD_31:
-        debugs(46, 0, "WARNING: The \"la\" formatting code is deprecated. Use the \">la\" instead.");
-        type = LFT_CLIENT_LOCAL_IP;
-        break;
-
-    case LFT_CLIENT_LOCAL_PORT_OLD_31:
-        debugs(46, 0, "WARNING: The \"lp\" formatting code is deprecated. Use the \">lp\" instead.");
-        type = LFT_CLIENT_LOCAL_PORT;
-        break;
-
     case LFT_SERVER_LOCAL_IP_OLD_27:
         debugs(46, 0, "WARNING: The \"oa\" formatting code is deprecated. Use the \"<la\" instead.");
         type = LFT_SERVER_LOCAL_IP;
diff -u -r -N squid-3.2.0.11/src/format/Tokens.h squid-3.2.0.12/src/format/Tokens.h
--- squid-3.2.0.11/src/format/Tokens.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/format/Tokens.h	2011-09-16 23:37:30.000000000 +1200
@@ -35,9 +35,9 @@
     LFT_SERVER_PORT,
 
     LFT_CLIENT_LOCAL_IP,
-    LFT_CLIENT_LOCAL_IP_OLD_31,
+    LFT_LOCAL_LISTENING_IP,
     LFT_CLIENT_LOCAL_PORT,
-    LFT_CLIENT_LOCAL_PORT_OLD_31,
+    LFT_LOCAL_LISTENING_PORT,
     /*LFT_LOCAL_NAME, */
 
     LFT_SERVER_LOCAL_IP,
@@ -215,8 +215,8 @@
         } header;
         char *timespec;
     } data;
-    unsigned char width;
-    unsigned char precision;
+    unsigned int width;
+    unsigned int precision;
     enum Quoting quote;
     unsigned int left:1;
     unsigned int space:1;
diff -u -r -N squid-3.2.0.11/src/forward.cc squid-3.2.0.12/src/forward.cc
--- squid-3.2.0.11/src/forward.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/forward.cc	2011-09-16 23:37:30.000000000 +1200
@@ -1199,9 +1199,13 @@
 void
 getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn)
 {
-    /* skip if an outgoing address is already set. */
+    // skip if an outgoing address is already set.
     if (!conn->local.IsAnyAddr()) return;
 
+    // ensure that at minimum the wildcard local matches remote protocol
+    if (conn->remote.IsIPv4())
+        conn->local.SetIPv4();
+
     // maybe use TPROXY client address
     if (request && request->flags.spoof_client_ip) {
         if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) {
diff -u -r -N squid-3.2.0.11/src/ftp.cc squid-3.2.0.12/src/ftp.cc
--- squid-3.2.0.11/src/ftp.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/ftp.cc	2011-09-16 23:37:30.000000000 +1200
@@ -2723,6 +2723,7 @@
 
     Comm::ConnectionPointer conn = new Comm::Connection;
     conn->local = ftpState->ctrl.conn->local;
+    conn->local.SetPort(0);
     conn->remote = ipaddr;
     conn->remote.SetPort(port);
 
@@ -3232,7 +3233,7 @@
 
     if (code == 125 || (code == 150 && Comm::IsConnOpen(ftpState->data.conn))) {
         /* Begin data transfer */
-        debugs(9, 3, HERE << "reading data channel");
+        debugs(9, 3, HERE << "begin data transfer from " << ftpState->data.conn->remote << " (" << ftpState->data.conn->local << ")");
         ftpState->switchTimeoutToDataChannel();
         ftpState->maybeReadVirginBody();
         ftpState->state = READING_DATA;
diff -u -r -N squid-3.2.0.11/src/gopher.cc squid-3.2.0.12/src/gopher.cc
--- squid-3.2.0.11/src/gopher.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/gopher.cc	2011-09-16 23:37:30.000000000 +1200
@@ -464,14 +464,6 @@
             gopherState->len += llen;
             break;
         }
-        if (!lpos) {
-            /* there is no complete line in inbuf */
-            /* copy it to temp buffer */
-            /* note: llen is adjusted above */
-            memcpy(gopherState->buf + gopherState->len, pos, llen);
-            gopherState->len += llen;
-            break;
-        }
         if (gopherState->len != 0) {
             /* there is something left from last tx. */
             memcpy(line, gopherState->buf, gopherState->len);
diff -u -r -N squid-3.2.0.11/src/helper.cc squid-3.2.0.12/src/helper.cc
--- squid-3.2.0.11/src/helper.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/helper.cc	2011-09-16 23:37:30.000000000 +1200
@@ -1093,6 +1093,7 @@
     dlink_node *n;
     helper_server *srv;
     helper_server *selected = NULL;
+    debugs(84, 5, "GetFirstAvailable: Running servers " << hlp->childs.n_running);
 
     if (hlp->childs.n_running == 0)
         return NULL;
@@ -1119,12 +1120,17 @@
     }
 
     /* Check for overload */
-    if (!selected)
+    if (!selected) {
+        debugs(84, 5, "GetFirstAvailable: None available.");
         return NULL;
+    }
 
-    if (selected->stats.pending >= (hlp->childs.concurrency ? hlp->childs.concurrency : 1))
+    if (selected->stats.pending >= (hlp->childs.concurrency ? hlp->childs.concurrency : 1)) {
+        debugs(84, 3, "GetFirstAvailable: Least-loaded helper is overloaded!");
         return NULL;
+    }
 
+    debugs(84, 5, "GetFirstAvailable: returning srv-" << selected->index);
     return selected;
 }
 
diff -u -r -N squid-3.2.0.11/src/htcp.cc squid-3.2.0.12/src/htcp.cc
--- squid-3.2.0.11/src/htcp.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/htcp.cc	2011-09-16 23:37:30.000000000 +1200
@@ -1171,7 +1171,6 @@
 }
 
 static void
-
 htcpHandleTstRequest(htcpDataHeader * dhdr, char *buf, int sz, Ip::Address &from)
 {
     /* buf should be a SPECIFIER */
@@ -1193,27 +1192,27 @@
     s->setDataHeader(dhdr);
 
     if (NULL == s) {
-        debugs(31, 2, "htcpHandleTstRequest: htcpUnpackSpecifier failed");
+        debugs(31, 3, "htcpHandleTstRequest: htcpUnpackSpecifier failed");
         htcpLogHtcp(from, dhdr->opcode, LOG_UDP_INVALID, dash_str);
         return;
     }
 
     if (!s->request) {
-        debugs(31, 2, "htcpHandleTstRequest: failed to parse request");
+        debugs(31, 3, "htcpHandleTstRequest: failed to parse request");
         htcpLogHtcp(from, dhdr->opcode, LOG_UDP_INVALID, dash_str);
         htcpFreeSpecifier(s);
         return;
     }
 
     if (!htcpAccessAllowed(Config.accessList.htcp, s, from)) {
-        debugs(31, 2, "htcpHandleTstRequest: Access denied");
+        debugs(31, 3, "htcpHandleTstRequest: Access denied");
         htcpLogHtcp(from, dhdr->opcode, LOG_UDP_DENIED, s->uri);
         htcpFreeSpecifier(s);
         return;
     }
 
-    debugs(31, 3, "htcpHandleTstRequest: " << s->method << " " << s->uri << " " << s->version);
-    debugs(31, 3, "htcpHandleTstRequest: " << s->req_hdrs);
+    debugs(31, 2, "HTCP TST request: " << s->method << " " << s->uri << " " << s->version);
+    debugs(31, 2, "HTCP TST headers: " << s->req_hdrs);
     s->checkHit();
 }
 
@@ -1251,7 +1250,7 @@
     htcpSpecifier *s;
     /* buf[0/1] is reserved and reason */
     int reason = buf[1] << 4;
-    debugs(31, 3, "htcpHandleClr: reason=" << reason);
+    debugs(31, 2, "HTCP CLR reason: " << reason);
     buf += 2;
     sz -= 2;
 
@@ -1272,21 +1271,21 @@
     }
 
     if (!s->request) {
-        debugs(31, 2, "htcpHandleTstRequest: failed to parse request");
+        debugs(31, 3, "htcpHandleTstRequest: failed to parse request");
         htcpLogHtcp(from, hdr->opcode, LOG_UDP_INVALID, dash_str);
         htcpFreeSpecifier(s);
         return;
     }
 
     if (!htcpAccessAllowed(Config.accessList.htcp_clr, s, from)) {
-        debugs(31, 2, "htcpHandleClr: Access denied");
+        debugs(31, 3, "htcpHandleClr: Access denied");
         htcpLogHtcp(from, hdr->opcode, LOG_UDP_DENIED, s->uri);
         htcpFreeSpecifier(s);
         return;
     }
 
-    debugs(31, 5, "htcpHandleClr: " << s->method << " " << s->uri << " " << s->version);
-    debugs(31, 5, "htcpHandleClr: request headers: " << s->req_hdrs);
+    debugs(31, 2, "HTCP CLR request: " << s->method << " " << s->uri << " " << s->version);
+    debugs(31, 2, "HTCP CLR headers: " << s->req_hdrs);
 
     /* Release objects from cache
      * analog to clientPurgeRequest in client_side.c
diff -u -r -N squid-3.2.0.11/src/http.cc squid-3.2.0.12/src/http.cc
--- squid-3.2.0.11/src/http.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/http.cc	2011-09-16 23:37:30.000000000 +1200
@@ -2212,12 +2212,12 @@
     }
 
     if (!Comm::IsConnOpen(serverConnection)) {
-        debugs(11,2, HERE << "ignoring broken POST for closed " << serverConnection);
+        debugs(11, 3, HERE << "ignoring broken POST for closed " << serverConnection);
         assert(closeHandler != NULL);
         return true; // prevent caller from proceeding as if nothing happened
     }
 
-    debugs(11, 2, "finishingBrokenPost: fixing broken POST");
+    debugs(11, 3, "finishingBrokenPost: fixing broken POST");
     typedef CommCbMemFunT<HttpStateData, CommIoCbParams> Dialer;
     requestSender = JobCallback(11,5,
                                 Dialer, this, HttpStateData::wroteLast);
diff -u -r -N squid-3.2.0.11/src/HttpHeader.cc squid-3.2.0.12/src/HttpHeader.cc
--- squid-3.2.0.11/src/HttpHeader.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/HttpHeader.cc	2011-09-16 23:37:30.000000000 +1200
@@ -877,8 +877,7 @@
     assert_eid(e->id);
     assert(e->name.size());
 
-    debugs(55, 9, this << " adding entry: " << e->id << " at " <<
-           entries.count);
+    debugs(55, 7, HERE << this << " adding entry: " << e->id << " at " << entries.count);
 
     if (CBIT_TEST(mask, e->id))
         Headers[e->id].stat.repCount++;
@@ -900,8 +899,7 @@
     assert(e);
     assert_eid(e->id);
 
-    debugs(55, 7, this << " adding entry: " << e->id << " at " <<
-           entries.count);
+    debugs(55, 7, HERE << this << " adding entry: " << e->id << " at " << entries.count);
 
     if (CBIT_TEST(mask, e->id))
         Headers[e->id].stat.repCount++;
diff -u -r -N squid-3.2.0.11/src/icmp/Icmp4.cc squid-3.2.0.12/src/icmp/Icmp4.cc
--- squid-3.2.0.11/src/icmp/Icmp4.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/icmp/Icmp4.cc	2011-09-16 23:37:30.000000000 +1200
@@ -141,7 +141,7 @@
     ((sockaddr_in*)S->ai_addr)->sin_port = 0;
     assert(icmp_pktsize <= MAX_PKT4_SZ);
 
-    debugs(42, 2, HERE << "Send ICMP packet to " << to << ".");
+    debugs(42, 5, HERE << "Send ICMP packet to " << to << ".");
 
     x = sendto(icmp_sock,
                (const void *) pkt,
diff -u -r -N squid-3.2.0.11/src/ip/Address.cc squid-3.2.0.12/src/ip/Address.cc
--- squid-3.2.0.11/src/ip/Address.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/ip/Address.cc	2011-09-16 23:37:30.000000000 +1200
@@ -826,7 +826,10 @@
     /* some external code may have blindly memset a parent. */
     /* thats okay, our default is known */
     if ( IsAnyAddr() ) {
-        memcpy(buf,"::\0", min(static_cast<unsigned int>(3),blen));
+        if (IsIPv6())
+            memcpy(buf,"::\0", min(static_cast<unsigned int>(3),blen));
+        else if (IsIPv4())
+            memcpy(buf,"0.0.0.0\0", min(static_cast<unsigned int>(8),blen));
         return buf;
     }
 
diff -u -r -N squid-3.2.0.11/src/ipcache.cc squid-3.2.0.12/src/ipcache.cc
--- squid-3.2.0.11/src/ipcache.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/ipcache.cc	2011-09-16 23:37:30.000000000 +1200
@@ -487,6 +487,7 @@
         return -1;
     }
 
+    debugs(14, 3, "ipcacheParse: " << nr << " answers for '" << name << "'");
     assert(answers);
 
     for (k = 0; k < nr; k++) {
diff -u -r -N squid-3.2.0.11/src/log/access_log.cc squid-3.2.0.12/src/log/access_log.cc
--- squid-3.2.0.11/src/log/access_log.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/log/access_log.cc	2011-09-16 23:37:30.000000000 +1200
@@ -596,6 +596,7 @@
     HTTPMSGUNLOCK(aLogEntry->icap.reply);
     HTTPMSGUNLOCK(aLogEntry->icap.request);
 #endif
+    cbdataReferenceDone(aLogEntry->cache.port);
 }
 
 int
diff -u -r -N squid-3.2.0.11/src/main.cc squid-3.2.0.12/src/main.cc
--- squid-3.2.0.11/src/main.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/main.cc	2011-09-16 23:37:30.000000000 +1200
@@ -47,6 +47,7 @@
 #if USE_AUTH
 #include "auth/Gadgets.h"
 #endif
+#include "base/RunnersRegistry.h"
 #include "base/Subscription.h"
 #include "base/TextException.h"
 #if USE_DELAY_POOLS
@@ -1427,6 +1428,11 @@
         /* NOTREACHED */
     }
 
+    debugs(1,2, HERE << "Doing post-config initialization\n");
+    leave_suid();
+    ActivateRegistered(rrAfterConfig);
+    enter_suid();
+
     if (!opt_no_daemon && Config.workers > 0)
         watch_child(argv);
 
@@ -1785,6 +1791,10 @@
 #endif
 
         if (!TheKids.someRunning() && !TheKids.shouldRestartSome()) {
+            leave_suid();
+            DeactivateRegistered(rrAfterConfig);
+            enter_suid();
+
             if (TheKids.someSignaled(SIGINT) || TheKids.someSignaled(SIGTERM)) {
                 syslog(LOG_ALERT, "Exiting due to unexpected forced shutdown");
                 exit(1);
@@ -1884,6 +1894,7 @@
     Store::Root().sync();		/* Flush log close */
     StoreFileSystem::FreeAllFs();
     DiskIOModule::FreeAllModules();
+    DeactivateRegistered(rrAfterConfig);
 #if LEAK_CHECK_MODE && 0 /* doesn't work at the moment */
 
     configFreeMemory();
diff -u -r -N squid-3.2.0.11/src/mgr/Action.cc squid-3.2.0.12/src/mgr/Action.cc
--- squid-3.2.0.11/src/mgr/Action.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/mgr/Action.cc	2011-09-16 23:37:30.000000000 +1200
@@ -70,7 +70,8 @@
     // Assume most kid classes are fully aggregatable (i.e., they do not dump
     // local info at all). Do not import the remote HTTP fd into our Comm
     // space; collect and send an IPC msg with collected info to Coordinator.
-    request.conn->close();
+    ::close(request.conn->fd);
+    request.conn->fd = -1;
     collect();
     sendResponse(request.requestId);
 }
diff -u -r -N squid-3.2.0.11/src/neighbors.cc squid-3.2.0.12/src/neighbors.cc
--- squid-3.2.0.11/src/neighbors.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/neighbors.cc	2011-09-16 23:37:30.000000000 +1200
@@ -1341,7 +1341,8 @@
     }
 
     p->testing_now--;
-    return;
+    conn->close();
+    // TODO: log this traffic.
 }
 
 static void
diff -u -r -N squid-3.2.0.11/src/pconn.cc squid-3.2.0.12/src/pconn.cc
--- squid-3.2.0.11/src/pconn.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/pconn.cc	2011-09-16 23:37:30.000000000 +1200
@@ -89,6 +89,7 @@
 }
 
 /** Remove the entry at specified index.
+ * May perform a shuffle of list entries to fill the gap.
  * \retval false The index is not an in-use entry.
  */
 bool
@@ -194,22 +195,35 @@
     commSetConnTimeout(conn, Config.Timeout.pconn, timeoutCall);
 }
 
+/// Determine whether an entry in the idle list is available for use.
+/// Returns false if the entry is unset, closed or closing.
+bool
+IdleConnList::isAvailable(int i) const
+{
+    const Comm::ConnectionPointer &conn = theList_[i];
+
+    // connection already closed. useless.
+    if (!Comm::IsConnOpen(conn))
+        return false;
+
+    // our connection early-read/close handler is scheduled to run already. unsafe
+    if (!COMMIO_FD_READCB(conn->fd)->active())
+        return false;
+
+    return true;
+}
+
 Comm::ConnectionPointer
 IdleConnList::pop()
 {
     for (int i=size_-1; i>=0; i--) {
 
-        // Is the FD pending completion of the closure callback?
-        // this flag is set while our early-read/close handler is
-        // waiting for a remote response. It gets unset when the
-        // handler is scheduled.
-        //The following check is disabled for now until we have a
-        // correct implementation of the read_pending flag
-        //if (!fd_table[theList_[i]->fd].flags.read_pending)
-        //    continue;
+        if (!isAvailable(i))
+            continue;
 
-        // connection already closed. useless.
-        if (!Comm::IsConnOpen(theList_[i]))
+        // our connection timeout handler is scheduled to run already. unsafe for now.
+        // TODO: cancel the pending timeout callback and allow re-use of the conn.
+        if (fd_table[theList_[i]->fd].timeoutHandler == NULL)
             continue;
 
         // finally, a match. pop and return it.
@@ -242,17 +256,7 @@
 
     for (int i=size_-1; i>=0; i--) {
 
-        // Is the FD pending completion of the closure callback?
-        // this flag is set while our early-read/close handler is
-        // waiting for a remote response. It gets unset when the
-        // handler is scheduled.
-        //The following check is disabled for now until we have a
-        // correct implementation of the read_pending flag
-        //if (!fd_table[theList_[i]->fd].flags.read_pending)
-        //    continue;
-
-        // connection already closed. useless.
-        if (!Comm::IsConnOpen(theList_[i]))
+        if (!isAvailable(i))
             continue;
 
         // local end port is required, but dont match.
@@ -263,6 +267,11 @@
         if (keyCheckAddr && key->local.matchIPAddr(theList_[i]->local) != 0)
             continue;
 
+        // our connection timeout handler is scheduled to run already. unsafe for now.
+        // TODO: cancel the pending timeout callback and allow re-use of the conn.
+        if (fd_table[theList_[i]->fd].timeoutHandler == NULL)
+            continue;
+
         // finally, a match. pop and return it.
         Comm::ConnectionPointer result = theList_[i];
         /* may delete this */
@@ -274,27 +283,33 @@
     return Comm::ConnectionPointer();
 }
 
+/* might delete list */
+void
+IdleConnList::findAndClose(const Comm::ConnectionPointer &conn)
+{
+    const int index = findIndexOf(conn);
+    if (index >= 0) {
+        /* might delete this */
+        removeAt(index);
+        clearHandlers(conn);
+        conn->close();
+    }
+}
+
 void
 IdleConnList::Read(const Comm::ConnectionPointer &conn, char *buf, size_t len, comm_err_t flag, int xerrno, void *data)
 {
     debugs(48, 3, HERE << len << " bytes from " << conn);
 
     if (flag == COMM_ERR_CLOSING) {
-        /* Bail out early on COMM_ERR_CLOSING - close handlers will tidy up for us */
+        debugs(48, 3, HERE << "COMM_ERR_CLOSING from " << conn);
+        /* Bail out on COMM_ERR_CLOSING - may happen when shutdown aborts our idle FD */
         return;
     }
 
     IdleConnList *list = (IdleConnList *) data;
-    int index = list->findIndexOf(conn);
-    if (index >= 0) {
-        /* might delete list */
-        list->removeAt(index);
-        list->clearHandlers(conn);
-    }
-    // else we lost a race.
-    // Somebody started using the pconn since the remote end disconnected.
-    // pass the closure info on!
-    conn->close();
+    /* may delete list/data */
+    list->findAndClose(conn);
 }
 
 void
@@ -302,13 +317,8 @@
 {
     debugs(48, 3, HERE << io.conn);
     IdleConnList *list = static_cast<IdleConnList *>(io.data);
-    int index = list->findIndexOf(io.conn);
-    assert(index>=0);
-    if (index >= 0) {
-        /* might delete list */
-        list->removeAt(index);
-        io.conn->close();
-    }
+    /* may delete list/data */
+    list->findAndClose(io.conn);
 }
 
 /* ========== PconnPool PRIVATE FUNCTIONS ============================================ */
diff -u -r -N squid-3.2.0.11/src/pconn.h squid-3.2.0.12/src/pconn.h
--- squid-3.2.0.11/src/pconn.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/pconn.h	2011-09-16 23:37:30.000000000 +1200
@@ -55,8 +55,10 @@
     void closeN(size_t count);
 
 private:
+    bool isAvailable(int i) const;
     bool removeAt(int index);
     int findIndexOf(const Comm::ConnectionPointer &conn) const;
+    void findAndClose(const Comm::ConnectionPointer &conn);
     static IOCB Read;
     static CTCB Timeout;
 
diff -u -r -N squid-3.2.0.11/src/peer_digest.cc squid-3.2.0.12/src/peer_digest.cc
--- squid-3.2.0.11/src/peer_digest.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/peer_digest.cc	2011-09-16 23:37:30.000000000 +1200
@@ -917,7 +917,7 @@
     assert(fetch->entry && fetch->request);
 
     if (fetch->old_entry) {
-        debugs(72, 2, "peerDigestFetchFinish: deleting old entry");
+        debugs(72, 3, "peerDigestFetchFinish: deleting old entry");
         storeUnregister(fetch->old_sc, fetch->old_entry, fetch);
         fetch->old_entry->releaseRequest();
         fetch->old_entry->unlock();
diff -u -r -N squid-3.2.0.11/src/peer_select.cc squid-3.2.0.12/src/peer_select.cc
--- squid-3.2.0.11/src/peer_select.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/peer_select.cc	2011-09-16 23:37:30.000000000 +1200
@@ -156,8 +156,6 @@
 
     psstate->callback_data = cbdataReference(callback_data);
 
-    psstate->direct = DIRECT_UNKNOWN;
-
 #if USE_CACHE_DIGESTS
 
     request->hier.peer_select_start = current_time;
@@ -177,6 +175,18 @@
     psstate->acl_checklist = NULL;
     debugs(44, 3, "peerCheckNeverDirectDone: " << answer);
     psstate->never_direct = answer;
+    switch (answer) {
+    case ACCESS_ALLOWED:
+        /** if always_direct says YES, do that. */
+        psstate->direct = DIRECT_YES;
+        debugs(44, 3, HERE << "direct = " << DirectStr[psstate->direct] << " (never_direct allow)");
+        break;
+    case ACCESS_DENIED: // not relevant.
+        break;
+    default: // Oops. Failed to get a result.
+        debugs(44, DBG_IMPORTANT, "WARNING: never_direct resulted in " << answer << ". Username ACLs are not reliable here.");
+        assert(answer != ACCESS_DUNNO);
+    }
     peerSelectFoo(psstate);
 }
 
@@ -187,6 +197,18 @@
     psstate->acl_checklist = NULL;
     debugs(44, 3, "peerCheckAlwaysDirectDone: " << answer);
     psstate->always_direct = answer;
+    switch (answer) {
+    case ACCESS_ALLOWED:
+        /** if always_direct says YES, do that. */
+        psstate->direct = DIRECT_YES;
+        debugs(44, 3, HERE << "direct = " << DirectStr[psstate->direct] << " (always_direct allow)");
+        break;
+    case ACCESS_DENIED: // not relevant.
+        break;
+    default: // Oops. Failed to get a result.
+        debugs(44, DBG_IMPORTANT, "WARNING: always_direct resulted in " << answer << ". Username ACLs are not reliable here.");
+        assert(answer != ACCESS_DUNNO);
+    }
     peerSelectFoo(psstate);
 }
 
@@ -344,41 +366,34 @@
     HttpRequest *request = ps->request;
     debugs(44, 3, "peerSelectFoo: '" << RequestMethodStr(request->method) << " " << request->GetHost() << "'");
 
-    /** If we don't known whether DIRECT is permitted ... */
+    /** If we don't know whether DIRECT is permitted ... */
     if (ps->direct == DIRECT_UNKNOWN) {
-        if (ps->always_direct == ACCESS_DUNNO && Config.accessList.AlwaysDirect) {
+        if (ps->always_direct == ACCESS_DUNNO) {
+            debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (always_direct to be checked)");
             /** check always_direct; */
-            ps->acl_checklist = new ACLFilledChecklist(
-                Config.accessList.AlwaysDirect,
-                request,
-                NULL);		/* ident */
+            ps->acl_checklist = new ACLFilledChecklist(Config.accessList.AlwaysDirect, request, NULL);
             ps->acl_checklist->nonBlockingCheck(peerCheckAlwaysDirectDone, ps);
             return;
-        } else if (ps->always_direct == ACCESS_ALLOWED) {
-            /** if always_direct says YES, do that. */
-            ps->direct = DIRECT_YES;
-        } else if (ps->never_direct == ACCESS_DUNNO && Config.accessList.NeverDirect) {
+        } else if (ps->never_direct == ACCESS_DUNNO) {
+            debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (never_direct to be checked)");
             /** check never_direct; */
-            ps->acl_checklist = new ACLFilledChecklist(
-                Config.accessList.NeverDirect,
-                request,
-                NULL);		/* ident */
-            ps->acl_checklist->nonBlockingCheck(peerCheckNeverDirectDone,
-                                                ps);
+            ps->acl_checklist = new ACLFilledChecklist(Config.accessList.NeverDirect, request, NULL);
+            ps->acl_checklist->nonBlockingCheck(peerCheckNeverDirectDone, ps);
             return;
-        } else if (ps->never_direct == ACCESS_ALLOWED) {
-            /** if always_direct says NO, do that. */
-            ps->direct = DIRECT_NO;
         } else if (request->flags.no_direct) {
             /** if we are accelerating, direct is not an option. */
             ps->direct = DIRECT_NO;
+            debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (forced non-direct)");
         } else if (request->flags.loopdetect) {
             /** if we are in a forwarding-loop, direct is not an option. */
             ps->direct = DIRECT_YES;
+            debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (forwarding loop detected)");
         } else if (peerCheckNetdbDirect(ps)) {
             ps->direct = DIRECT_YES;
+            debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (checkNetdbDirect)");
         } else {
             ps->direct = DIRECT_MAYBE;
+            debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (default)");
         }
 
         debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct]);
@@ -865,9 +880,9 @@
 
 ps_state::ps_state() : request (NULL),
         entry (NULL),
-        always_direct(ACCESS_DUNNO),
-        never_direct(ACCESS_DUNNO),
-        direct (0),
+        always_direct(Config.accessList.AlwaysDirect?ACCESS_DUNNO:ACCESS_DENIED),
+        never_direct(Config.accessList.NeverDirect?ACCESS_DUNNO:ACCESS_DENIED),
+        direct(DIRECT_UNKNOWN),
         callback (NULL),
         callback_data (NULL),
         servers (NULL),
diff -u -r -N squid-3.2.0.11/src/refresh.cc squid-3.2.0.12/src/refresh.cc
--- squid-3.2.0.11/src/refresh.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/refresh.cc	2011-09-16 23:37:30.000000000 +1200
@@ -392,7 +392,7 @@
      * NOTE: max-stale config blocks the overrides.
      */
     int max_stale = (R->max_stale >= 0 ? R->max_stale : Config.maxStale);
-    if ( max_stale >= 0 && staleness < max_stale) {
+    if ( max_stale >= 0 && staleness > max_stale) {
         debugs(22, 3, "refreshCheck: YES: max-stale limit");
         if (request)
             request->flags.fail_on_validation_err = 1;
diff -u -r -N squid-3.2.0.11/src/SquidString.h squid-3.2.0.12/src/SquidString.h
--- squid-3.2.0.11/src/SquidString.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/SquidString.h	2011-09-16 23:37:30.000000000 +1200
@@ -181,6 +181,8 @@
 
 _SQUID_INLINE_ std::ostream & operator<<(std::ostream& os, String const &aString);
 
+_SQUID_INLINE_ bool operator<(const String &a, const String &b);
+
 #if _USE_INLINE_
 #include "String.cci"
 #endif
diff -u -r -N squid-3.2.0.11/src/ssl/certificate_db.cc squid-3.2.0.12/src/ssl/certificate_db.cc
--- squid-3.2.0.11/src/ssl/certificate_db.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/ssl/certificate_db.cc	2011-09-16 23:37:30.000000000 +1200
@@ -393,7 +393,7 @@
         corrupt = true;
 
     // Create indexes in db.
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
     if (!corrupt && !TXT_DB_create_index(temp_db.get(), cnlSerial, NULL, LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial)))
         corrupt = true;
 
@@ -433,7 +433,7 @@
         return false;
 
     bool removed_one = false;
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
     for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); i++) {
         const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
 #else
@@ -444,7 +444,7 @@
         if (!sslDateIsInTheFuture(current_row[cnlExp_date])) {
             std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem");
             FileLocker cert_locker(filename);
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
             sk_OPENSSL_PSTRING_delete(db.get()->data, i);
 #else
             sk_delete(db.get()->data, i);
@@ -466,14 +466,14 @@
     if (!db)
         return false;
 
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
     if (sk_OPENSSL_PSTRING_num(db.get()->data) == 0)
 #else
     if (sk_num(db.get()->data) == 0)
 #endif
         return false;
 
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
     const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0);
 #else
     const char **row = (const char **)sk_value(db.get()->data, 0);
@@ -481,7 +481,7 @@
     std::string filename(cert_full + "/" + row[cnlSerial] + ".pem");
     FileLocker cert_locker(filename);
 
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
     sk_OPENSSL_PSTRING_delete(db.get()->data, 0);
 #else
     sk_delete(db.get()->data, 0);
@@ -498,7 +498,7 @@
     if (!db)
         return false;
 
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
     for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); i++) {
         const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
 #else
@@ -508,7 +508,7 @@
         if (host == current_row[cnlName]) {
             std::string filename(cert_full + "/" + current_row[cnlSerial] + ".pem");
             FileLocker cert_locker(filename);
-#if OPENSSL_VERSION_NUMBER > 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x1000004fL
             sk_OPENSSL_PSTRING_delete(db.get()->data, i);
 #else
             sk_delete(db.get()->data, i);
diff -u -r -N squid-3.2.0.11/src/ssl/ssl_crtd.cc squid-3.2.0.12/src/ssl/ssl_crtd.cc
--- squid-3.2.0.11/src/ssl/ssl_crtd.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/ssl/ssl_crtd.cc	2011-09-16 23:37:30.000000000 +1200
@@ -123,6 +123,8 @@
     if (!strncasecmp(unit, B_GBYTES_STR, strlen(B_GBYTES_STR)))
         return 1 << 30;
 
+    std::cerr << "WARNING: Unknown bytes unit '" << unit << "'" << std::endl;
+
     return 0;
 }
 
diff -u -r -N squid-3.2.0.11/src/ssl/support.cc squid-3.2.0.12/src/ssl/support.cc
--- squid-3.2.0.11/src/ssl/support.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/ssl/support.cc	2011-09-16 23:37:30.000000000 +1200
@@ -654,7 +654,7 @@
         debugs(83, 5, "Using SSLv2.");
         method = SSLv2_server_method();
 #else
-        debugs(83, 1, "SSLv2 is not available in this Proxy.");
+        debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
         return NULL;
 #endif
         break;
@@ -711,31 +711,33 @@
         }
     }
 
-    debugs(83, 1, "Using certificate in " << certfile);
+    debugs(83, DBG_IMPORTANT, "Using certificate in " << certfile);
 
     if (!SSL_CTX_use_certificate_chain_file(sslContext, certfile)) {
         ssl_error = ERR_get_error();
-        debugs(83, 0, "Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL)  );
-        goto error;
+        debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL certificate '" << certfile << "': " << ERR_error_string(ssl_error, NULL));
+        SSL_CTX_free(sslContext);
+        return NULL;
     }
 
-    debugs(83, 1, "Using private key in " << keyfile);
+    debugs(83, DBG_IMPORTANT, "Using private key in " << keyfile);
     ssl_ask_password(sslContext, keyfile);
 
     if (!SSL_CTX_use_PrivateKey_file(sslContext, keyfile, SSL_FILETYPE_PEM)) {
         ssl_error = ERR_get_error();
-        debugs(83, 0, "Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL)  );
-        goto error;
+        debugs(83, DBG_CRITICAL, "ERROR: Failed to acquire SSL private key '" << keyfile << "': " << ERR_error_string(ssl_error, NULL));
+        SSL_CTX_free(sslContext);
+        return NULL;
     }
 
     debugs(83, 5, "Comparing private and public SSL keys.");
 
     if (!SSL_CTX_check_private_key(sslContext)) {
         ssl_error = ERR_get_error();
-        debugs(83, 0, "SSL private key '" <<
-               certfile << "' does not match public key '" <<
-               keyfile << "': " << ERR_error_string(ssl_error, NULL)  );
-        goto error;
+        debugs(83, DBG_CRITICAL, "ERROR: SSL private key '" << certfile << "' does not match public key '" <<
+               keyfile << "': " << ERR_error_string(ssl_error, NULL));
+        SSL_CTX_free(sslContext);
+        return NULL;
     }
 
     debugs(83, 9, "Setting RSA key generation callback.");
@@ -745,15 +747,13 @@
 
     if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) {
         ssl_error = ERR_get_error();
-        debugs(83, 1, "Error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL)  );
-        debugs(83, 1, "continuing anyway..." );
+        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
     }
 
     if (!(fl & SSL_FLAG_NO_DEFAULT_CA) &&
             !SSL_CTX_set_default_verify_paths(sslContext)) {
         ssl_error = ERR_get_error();
-        debugs(83, 1, "Error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)  );
-        debugs(83, 1, "continuing anyway..." );
+        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL));
     }
 
     if (clientCA) {
@@ -762,8 +762,9 @@
         cert_names = SSL_load_client_CA_file(clientCA);
 
         if (cert_names == NULL) {
-            debugs(83, 1, "Error loading the client CA certificates from '" << clientCA << "\': " << ERR_error_string(ERR_get_error(),NULL)  );
-            goto error;
+            debugs(83, DBG_IMPORTANT, "ERROR: loading the client CA certificates from '" << clientCA << "\': " << ERR_error_string(ERR_get_error(),NULL));
+            SSL_CTX_free(sslContext);
+            return NULL;
         }
 
         ERR_clear_error();
@@ -806,10 +807,10 @@
         }
 
         if (!dh)
-            debugs(83, 1, "WARNING: Failed to read DH parameters '" << dhfile << "'");
+            debugs(83, DBG_IMPORTANT, "WARNING: Failed to read DH parameters '" << dhfile << "'");
         else if (dh && DH_check(dh, &codes) == 0) {
             if (codes) {
-                debugs(83, 1, "WARNING: Failed to verify DH parameters '" << dhfile  << "' (" << std::hex << codes  << ")");
+                debugs(83, DBG_IMPORTANT, "WARNING: Failed to verify DH parameters '" << dhfile  << "' (" << std::hex << codes  << ")");
                 DH_free(dh);
                 dh = NULL;
             }
@@ -823,11 +824,6 @@
         SSL_CTX_set_ex_data(sslContext, ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
 
     return sslContext;
-
-error:
-    SSL_CTX_free(sslContext);
-
-    return NULL;
 }
 
 SSL_CTX *
@@ -857,7 +853,7 @@
         debugs(83, 5, "Using SSLv2.");
         method = SSLv2_client_method();
 #else
-        debugs(83, 1, "SSLv2 is not available in this Proxy.");
+        debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
         return NULL;
 #endif
         break;
@@ -931,7 +927,7 @@
     SSL_CTX_set_tmp_rsa_callback(sslContext, ssl_temp_rsa_cb);
 
     if (fl & SSL_FLAG_DONT_VERIFY_PEER) {
-        debugs(83, 1, "NOTICE: Peer certificates are not verified for validity!");
+        debugs(83, 2, "NOTICE: Peer certificates are not verified for validity!");
         SSL_CTX_set_verify(sslContext, SSL_VERIFY_NONE, NULL);
     } else {
         debugs(83, 9, "Setting certificate verification callback.");
@@ -942,8 +938,7 @@
 
     if ((CAfile || CApath) && !SSL_CTX_load_verify_locations(sslContext, CAfile, CApath)) {
         ssl_error = ERR_get_error();
-        debugs(83, 1, "Error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
-        debugs(83, 1, "continuing anyway..." );
+        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate locations: " << ERR_error_string(ssl_error, NULL));
     }
 
     if (CRLfile) {
@@ -962,8 +957,7 @@
     if (!(fl & SSL_FLAG_NO_DEFAULT_CA) &&
             !SSL_CTX_set_default_verify_paths(sslContext)) {
         ssl_error = ERR_get_error();
-        debugs(83, 1, "Error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)  );
-        debugs(83, 1, "continuing anyway...");
+        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL));
     }
 
     return sslContext;
diff -u -r -N squid-3.2.0.11/src/String.cci squid-3.2.0.12/src/String.cci
--- squid-3.2.0.11/src/String.cci	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/String.cci	2011-09-16 23:37:30.000000000 +1200
@@ -200,3 +200,9 @@
     os.write(aString.rawBuf(),aString.size());
     return os;
 }
+
+bool
+operator<(const String &a, const String &b)
+{
+    return a.cmp(b) < 0;
+}
diff -u -r -N squid-3.2.0.11/src/tests/STUB.h squid-3.2.0.12/src/tests/STUB.h
--- squid-3.2.0.11/src/tests/STUB.h	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/tests/STUB.h	2011-09-16 23:37:30.000000000 +1200
@@ -1,11 +1,43 @@
 #ifndef STUB
 #include "fatal.h"
 
+/** \group STUB
+ *
+ *  A set of useful macros to create stub_* files.
+ *
+ * Intended for use building unit tests, if a stubbed function is called
+ * by any code it is linked to it will abort with a message indicating
+ * which API file is missing from the linked dependencies.
+ *
+ * Usage:
+ *    at the top of your intended stub file define STUB_API to be the
+ *    name of the .cc file or library you are providing a stub of
+ *    then include this STUB.h header.
+ *
+ *   #define STUB_API "foo/libexample.la"
+ *   #include "tests/STUB.h"
+ */
+
+/// macro to stub a void function.
 #define STUB { fatal(STUB_API " required"); }
+
+/** macro to stub a function with return value.
+ *  Aborts unit tests requiring its definition with a message about the missing linkage
+ */
 #define STUB_RETVAL(x) { fatal(STUB_API " required"); return x; }
-//#define STUB_RETREF(x) { fatal(STUB_API " required"); x* o = new (x); return *o; }
-// NP: no () around the x here
+
+/** macro to stub a function which returns a reference to dynamic
+ *  Aborts unit tests requiring its definition with a message about the missing linkage
+ *  This macro uses 'new x' to construct a stack vailable for the reference, may leak.
+ *  \param x may be the type to define or a constructor call with parameter values
+ */
 #define STUB_RETREF(x) { fatal(STUB_API " required"); return new x; }
+
+/** macro to stub a function which returns a reference to static
+ *  Aborts unit tests requiring its definition with a message about the missing linkage
+ *  This macro uses static variable definition to avoid leaks.
+ *  \param x  the type name to define
+ */
 #define STUB_RETSTATREF(x) { fatal(STUB_API " required"); static x v; return v; }
 
 #endif /* STUB */
diff -u -r -N squid-3.2.0.11/src/tools.cc squid-3.2.0.12/src/tools.cc
--- squid-3.2.0.11/src/tools.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/tools.cc	2011-09-16 23:37:30.000000000 +1200
@@ -1050,7 +1050,7 @@
 
 #if HAVE_SETRLIMIT && defined(RLIMIT_VMEM)
     if (getrlimit(RLIMIT_VMEM, &rl) < 0) {
-        debugs(50, 0, "getrlimit: RLIMIT_VMEM: " << xstrerror());
+        debugs(50, DBG_CRITICAL, "getrlimit: RLIMIT_VMEM: " << xstrerror());
     } else if (rl.rlim_max > rl.rlim_cur) {
         rl.rlim_cur = rl.rlim_max;	/* set it to the max */
 
@@ -1073,7 +1073,7 @@
     sigemptyset(&sa.sa_mask);
 
     if (sigaction(sig, &sa, NULL) < 0)
-        debugs(50, 0, "sigaction: sig=" << sig << " func=" << func << ": " << xstrerror());
+        debugs(50, DBG_CRITICAL, "sigaction: sig=" << sig << " func=" << func << ": " << xstrerror());
 
 #else
 #if _SQUID_MSWIN_
diff -u -r -N squid-3.2.0.11/src/wccp2.cc squid-3.2.0.12/src/wccp2.cc
--- squid-3.2.0.11/src/wccp2.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/wccp2.cc	2011-09-16 23:37:30.000000000 +1200
@@ -985,12 +985,12 @@
     debugs(80, 5, "wccp2ConnectionOpen: Called");
 
     if (wccp2_numrouters == 0 || !wccp2_service_list_head) {
-        debugs(80, 2, "WCCPv2 Disabled.");
+        debugs(80, 2, "WCCPv2 Disabled. No IPv4 Router(s) configured.");
         return;
     }
 
     if ( !Config.Wccp2.address.SetIPv4() ) {
-        debugs(80, 0, "WCCPv2 Disabled. " << Config.Wccp2.address << " is not an IPv4 address.");
+        debugs(80, DBG_CRITICAL, "WCCPv2 Disabled. Local address " << Config.Wccp2.address << " is not an IPv4 address.");
         return;
     }
 
@@ -2135,7 +2135,7 @@
     service_id = GetInteger();
 
     if (service_id < 0 || service_id > 255) {
-        debugs(80, 0, "wccp2ParseServiceInfo: service info id " << service_id << " is out of range (0..255)");
+        debugs(80, DBG_CRITICAL, "ERROR: invalid WCCP service id " << service_id << " (must be between 0 .. 255)");
         self_destruct();
     }
 
@@ -2306,7 +2306,7 @@
     service_id = GetInteger();
 
     if (service_id < 0 || service_id > 255) {
-        debugs(80, 1, "parse_wccp2_service_info: invalid service id " << service_id << " (must be between 0 .. 255)");
+        debugs(80, DBG_CRITICAL, "ERROR: invalid WCCP service id " << service_id << " (must be between 0 .. 255)");
         self_destruct();
     }
 
diff -u -r -N squid-3.2.0.11/src/wccp.cc squid-3.2.0.12/src/wccp.cc
--- squid-3.2.0.11/src/wccp.cc	2011-08-29 03:09:21.000000000 +1200
+++ squid-3.2.0.12/src/wccp.cc	2011-09-16 23:37:30.000000000 +1200
@@ -139,12 +139,12 @@
     }
 
     if ( !Config.Wccp.router.SetIPv4() ) {
-        debugs(1, 1, "WCCPv1 Disabled. Router " << Config.Wccp.router << " is not IPv4.");
+        debugs(80, DBG_CRITICAL, "WCCPv1 Disabled. Router " << Config.Wccp.router << " is not an IPv4 address.");
         return;
     }
 
     if ( !Config.Wccp.address.SetIPv4() ) {
-        debugs(1, 1, "WCCPv1 Disabled. Local address " << Config.Wccp.address << " is not IPv4.");
+        debugs(80, DBG_CRITICAL, "WCCPv1 Disabled. Local address " << Config.Wccp.address << " is not an IPv4 address.");
         return;
     }
 
