diff -u -r -N squid-3.4.11/ChangeLog squid-3.4.12/ChangeLog
--- squid-3.4.11/ChangeLog	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/ChangeLog	2015-02-18 03:05:44.000000000 -0800
@@ -1,3 +1,15 @@
+Changes to squid-3.4.12 (18 Feb 2015):
+
+	- Bug 4066: Digest auth nonce indefinite rollover
+	- Bug 3997: Excessive NTLM or Negotiate auth helper annotations
+	- Fix several crashes when debugging enabled
+	- Fix silent SSL/TLS failure on split-stack operating systems
+	- HTTP/1.1: Stop emitting (Proxy-)Authentication-Info for Negotiate
+	- HTTPS: Add TLS/SSL option NO_TICKET to http[s]_port
+	- Remove dst ACL dependency on HTTP request message existence
+	- Set cap_net_admin when Squid sets TOS/Diffserv packet values
+	- ... and some documentation updates
+
 Changes to squid-3.4.11 (13 Jan 2015):
 
 	- Bug 4164: SEGFAULT when %W formating code used in errorpages
diff -u -r -N squid-3.4.11/compat/Makefile.in squid-3.4.12/compat/Makefile.in
--- squid-3.4.11/compat/Makefile.in	2015-01-13 03:54:03.000000000 -0800
+++ squid-3.4.12/compat/Makefile.in	2015-02-18 03:06:43.000000000 -0800
@@ -83,9 +83,9 @@
 build_triplet = @build@
 host_triplet = @host@
 DIST_COMMON = $(top_srcdir)/src/Common.am $(srcdir)/Makefile.in \
-	$(srcdir)/Makefile.am initgroups.c inet_pton.c drand48.c \
-	inet_ntop.c getnameinfo.c psignal.c strtoll.c tempnam.c \
-	strerror.c getaddrinfo.c $(top_srcdir)/cfgaux/depcomp \
+	$(srcdir)/Makefile.am inet_ntop.c getnameinfo.c drand48.c \
+	psignal.c strerror.c inet_pton.c tempnam.c strtoll.c \
+	initgroups.c getaddrinfo.c $(top_srcdir)/cfgaux/depcomp \
 	$(top_srcdir)/cfgaux/test-driver
 check_PROGRAMS = testPreCompiler$(EXEEXT)
 TESTS = testPreCompiler$(EXEEXT) testHeaders
diff -u -r -N squid-3.4.11/configure squid-3.4.12/configure
--- squid-3.4.11/configure	2015-01-13 03:54:50.000000000 -0800
+++ squid-3.4.12/configure	2015-02-18 03:07:32.000000000 -0800
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.4.11.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.4.12.
 #
 # Report bugs to <http://bugs.squid-cache.org/>.
 #
@@ -595,8 +595,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.4.11'
-PACKAGE_STRING='Squid Web Proxy 3.4.11'
+PACKAGE_VERSION='3.4.12'
+PACKAGE_STRING='Squid Web Proxy 3.4.12'
 PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1605,7 +1605,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.4.11 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.4.12 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1675,7 +1675,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 3.4.11:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 3.4.12:";;
    esac
   cat <<\_ACEOF
 
@@ -2071,7 +2071,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 3.4.11
+Squid Web Proxy configure 3.4.12
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3175,7 +3175,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 3.4.11, which was
+It was created by Squid Web Proxy $as_me 3.4.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4042,7 +4042,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='3.4.11'
+ VERSION='3.4.12'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -34378,7 +34378,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 3.4.11, which was
+This file was extended by Squid Web Proxy $as_me 3.4.12, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -34444,7 +34444,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 3.4.11
+Squid Web Proxy config.status 3.4.12
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-3.4.11/configure.ac squid-3.4.12/configure.ac
--- squid-3.4.11/configure.ac	2015-01-13 03:54:50.000000000 -0800
+++ squid-3.4.12/configure.ac	2015-02-18 03:07:32.000000000 -0800
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.4.11],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.4.12],[http://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.4.11/helpers/basic_auth/DB/basic_db_auth.8 squid-3.4.12/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.4.11/helpers/basic_auth/DB/basic_db_auth.8	2015-01-13 04:33:24.000000000 -0800
+++ squid-3.4.12/helpers/basic_auth/DB/basic_db_auth.8	2015-02-18 03:43:16.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.11/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 squid-3.4.12/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8
--- squid-3.4.11/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8	2015-02-18 03:05:44.000000000 -0800
@@ -7,19 +7,19 @@
 .
 .SH SYNOPSIS
 .if !'po4a'hide' .B ext_ldap_group_acl
-.if !'po4a'hide' .B "\-b \""
-base DN
-.if !'po4a'hide' .B "\" \-f \""
-LDAP search filter
-.if !'po4a'hide' .B "\" ["
+.if !'po4a'hide' .B \-b
+base\-DN
+.if !'po4a'hide' .B \-f
+filter
+.if !'po4a'hide' .B "["
 options
 .if !'po4a'hide' .B "] ["
-LDAP server name
-.if !'po4a'hide' .B "[:"
+server
+.if !'po4a'hide' .B "[ ':' "
 port
-.if !'po4a'hide' .B "]|"
+.if !'po4a'hide' .B "] |"
 URI
-.if !'po4a'hide' .B "]..."
+.if !'po4a'hide' .B "] ..."
 .
 .SH DESCRIPTION
 .B ext_ldap_group_acl
@@ -100,7 +100,7 @@
 configuration file without getting the secretfile.
 .
 .if !'po4a'hide' .TP
-.if !'po4a'hide' .BI \-E certpath
+.if !'po4a'hide' .BI "\-E " certpath
 Enable LDAP over SSL (requires Netscape LDAP API libraries)
 .
 .if !'po4a'hide' .TP
diff -u -r -N squid-3.4.11/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.4.12/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.4.11/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2015-01-13 04:33:57.000000000 -0800
+++ squid-3.4.12/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2015-02-18 03:43:38.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.4.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.4.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2015-01-13 04:34:01.000000000 -0800
+++ squid-3.4.12/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2015-02-18 03:43:41.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.11/helpers/log_daemon/DB/log_db_daemon.8 squid-3.4.12/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.4.11/helpers/log_daemon/DB/log_db_daemon.8	2015-01-13 04:34:03.000000000 -0800
+++ squid-3.4.12/helpers/log_daemon/DB/log_db_daemon.8	2015-02-18 03:43:43.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 1"
-.TH LOG_DB_DAEMON 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.11/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.4.12/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-3.4.11/helpers/storeid_rewrite/file/storeid_file_rewrite.8	2015-01-13 04:34:15.000000000 -0800
+++ squid-3.4.12/helpers/storeid_rewrite/file/storeid_file_rewrite.8	2015-02-18 03:43:55.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "STOREID_FILE_REWRITE 1"
-.TH STOREID_FILE_REWRITE 1 "2015-01-13" "perl v5.20.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 1 "2015-02-18" "perl v5.20.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.11/include/version.h squid-3.4.12/include/version.h
--- squid-3.4.11/include/version.h	2015-01-13 03:54:50.000000000 -0800
+++ squid-3.4.12/include/version.h	2015-02-18 03:07:32.000000000 -0800
@@ -7,7 +7,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1421149989
+#define SQUID_RELEASE_TIME 1424257536
 #endif
 
 #ifndef APP_SHORTNAME
diff -u -r -N squid-3.4.11/RELEASENOTES.html squid-3.4.12/RELEASENOTES.html
--- squid-3.4.11/RELEASENOTES.html	2015-01-13 04:35:19.000000000 -0800
+++ squid-3.4.12/RELEASENOTES.html	2015-02-18 03:44:52.000000000 -0800
@@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 3.4.11 release notes</TITLE>
+ <TITLE>Squid 3.4.12 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.4.11 release notes</H1>
+<H1>Squid 3.4.12 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -57,10 +57,10 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-3.4.11 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.4.12.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
-<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
+<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
 
 <P>Some interesting new features adding system flexibility have been added along with general improvements all around.
 While this release is not fully bug-free we believe it is ready for use in production on many systems.</P>
@@ -432,6 +432,12 @@
 
 <P>
 <DL>
+<DT><B>log_access</B><DD>
+<P>Removed. Use access_log with ACLs instead</P>
+
+<DT><B>log_icap</B><DD>
+<P>Removed. Use icap_log with ACLs instead</P>
+
 <DT><B>storeurl_access</B><DD>
 <P>Replaced by <EM>store_id_access</EM>.</P>
 
diff -u -r -N squid-3.4.11/src/acl/DestinationIp.cc squid-3.4.12/src/acl/DestinationIp.cc
--- squid-3.4.11/src/acl/DestinationIp.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/acl/DestinationIp.cc	2015-02-18 03:05:44.000000000 -0800
@@ -52,6 +52,10 @@
 {
     ACLFilledChecklist *checklist = Filled(cl);
 
+    // if there is no HTTP request details fallback to the dst_addr
+    if (!checklist->request)
+        return ACLIP::match(checklist->dst_addr);
+
     // Bug 3243: CVE 2009-0801
     // Bypass of browser same-origin access control in intercepted communication
     // To resolve this we will force DIRECT and only to the original client destination.
diff -u -r -N squid-3.4.11/src/acl/DestinationIp.h squid-3.4.12/src/acl/DestinationIp.h
--- squid-3.4.11/src/acl/DestinationIp.h	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/acl/DestinationIp.h	2015-02-18 03:05:44.000000000 -0800
@@ -58,7 +58,6 @@
     ACLDestinationIP(): ACLIP(ACLDestinationIP::SupportedFlags) {}
     virtual char const *typeString() const;
     virtual int match(ACLChecklist *checklist);
-    virtual bool requiresRequest() const {return true;}
 
     virtual ACL *clone()const;
 
diff -u -r -N squid-3.4.11/src/anyp/PortCfg.cc squid-3.4.12/src/anyp/PortCfg.cc
--- squid-3.4.11/src/anyp/PortCfg.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/anyp/PortCfg.cc	2015-02-18 03:05:44.000000000 -0800
@@ -66,22 +66,34 @@
     b->disable_pmtu_discovery = disable_pmtu_discovery;
     b->tcp_keepalive = tcp_keepalive;
 
-#if 0
-    // TODO: AYJ: 2009-07-18: for now SSL does not clone. Configure separate ports with IPs and SSL settings
-
 #if USE_SSL
-    char *cert;
-    char *key;
-    int version;
-    char *cipher;
-    char *options;
-    char *clientca;
-    char *cafile;
-    char *capath;
-    char *crlfile;
-    char *dhfile;
-    char *sslflags;
-    char *sslContextSessionId;
+    if (cert)
+        b->cert = xstrdup(cert);
+    if (key)
+        b->key = xstrdup(key);
+    b->version = version;
+    if (cipher)
+        b->cipher = xstrdup(cipher);
+    if (options)
+        b->options = xstrdup(options);
+    if (clientca)
+        b->clientca = xstrdup(clientca);
+    if (cafile)
+        b->cafile = xstrdup(cafile);
+    if (capath)
+        b->capath = xstrdup(capath);
+    if (crlfile)
+        b->crlfile = xstrdup(crlfile);
+    if (dhfile)
+        b->dhfile = xstrdup(dhfile);
+    if (sslflags)
+        b->sslflags = xstrdup(sslflags);
+    if (sslContextSessionId)
+        b->sslContextSessionId = xstrdup(sslContextSessionId);
+
+#if 0
+    // TODO: AYJ: 2015-01-15: for now SSL does not clone the context object.
+    // cloning should only be done before the PortCfg is post-configure initialized and opened
     SSL_CTX *sslContext;
 #endif
 
diff -u -r -N squid-3.4.11/src/auth/digest/auth_digest.cc squid-3.4.12/src/auth/digest/auth_digest.cc
--- squid-3.4.11/src/auth/digest/auth_digest.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/digest/auth_digest.cc	2015-02-18 03:05:44.000000000 -0800
@@ -1038,12 +1038,7 @@
         debugs(29, 2, "Username for the nonce does not equal the username for the request");
         nonce = NULL;
     }
-    /* check for stale nonce */
-    if (authDigestNonceIsStale(nonce)) {
-        debugs(29, 3, "The received nonce is stale from " << username);
-        digest_request->setDenyMessage("Stale nonce");
-        nonce = NULL;
-    }
+
     if (!nonce) {
         /* we couldn't find a matching nonce! */
         debugs(29, 2, "Unexpected or invalid nonce received from " << username);
diff -u -r -N squid-3.4.11/src/auth/digest/UserRequest.cc squid-3.4.12/src/auth/digest/UserRequest.cc
--- squid-3.4.11/src/auth/digest/UserRequest.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/digest/UserRequest.cc	2015-02-18 03:05:44.000000000 -0800
@@ -152,10 +152,14 @@
     }
 
     /* check for stale nonce */
-    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
-        debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
-        auth_user->credentials(Auth::Handshake);
-        digest_request->setDenyMessage("Stale nonce");
+    /* check Auth::Pending to avoid loop */
+
+    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc) && user()->credentials() != Auth::Pending) {
+        debugs(29, 3, auth_user->username() << "' validated OK but nonce stale: " << digest_request->nonceb64);
+        /* Pending prevent banner and makes a ldap control */
+        auth_user->credentials(Auth::Pending);
+        nonce->flags.valid = false;
+        authDigestNoncePurge(nonce);
         return;
     }
 
@@ -298,6 +302,8 @@
     // add new helper kv-pair notes to the credentials object
     // so that any transaction using those credentials can access them
     auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+    // remove any private credentials detail which got added.
+    auth_user_request->user()->notes.remove("ha1");
 
     static bool oldHelperWarningDone = false;
     switch (reply.result) {
diff -u -r -N squid-3.4.11/src/auth/negotiate/UserRequest.cc squid-3.4.12/src/auth/negotiate/UserRequest.cc
--- squid-3.4.11/src/auth/negotiate/UserRequest.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/negotiate/UserRequest.cc	2015-02-18 03:05:44.000000000 -0800
@@ -229,6 +229,8 @@
     // add new helper kv-pair notes to the credentials object
     // so that any transaction using those credentials can access them
     auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+    // remove any private credentials detail which got added.
+    auth_user_request->user()->notes.remove("token");
 
     Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
     assert(lm_request != NULL);
@@ -359,21 +361,3 @@
     delete r;
 }
 
-void
-Auth::Negotiate::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
-{
-    http_hdr_type type;
-
-    if (!server_blob)
-        return;
-
-    /* don't add to authentication error pages */
-    if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
-            || (accel && rep->sline.status() == Http::scUnauthorized))
-        return;
-
-    type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
-    httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob);
-
-    safe_free(server_blob);
-}
diff -u -r -N squid-3.4.11/src/auth/negotiate/UserRequest.h squid-3.4.12/src/auth/negotiate/UserRequest.h
--- squid-3.4.11/src/auth/negotiate/UserRequest.h	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/negotiate/UserRequest.h	2015-02-18 03:05:44.000000000 -0800
@@ -28,8 +28,6 @@
     virtual Direction module_direction();
     virtual void module_start(AUTHCB *, void *);
 
-    virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);
-
     virtual const char * connLastHeader();
 
     /* we need to store the helper server between requests */
diff -u -r -N squid-3.4.11/src/auth/ntlm/UserRequest.cc squid-3.4.12/src/auth/ntlm/UserRequest.cc
--- squid-3.4.11/src/auth/ntlm/UserRequest.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/auth/ntlm/UserRequest.cc	2015-02-18 03:05:44.000000000 -0800
@@ -223,6 +223,8 @@
     // add new helper kv-pair notes to the credentials object
     // so that any transaction using those credentials can access them
     auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+    // remove any private credentials detail which got added.
+    auth_user_request->user()->notes.remove("token");
 
     Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
     assert(lm_request != NULL);
diff -u -r -N squid-3.4.11/src/cf.data.pre squid-3.4.12/src/cf.data.pre
--- squid-3.4.11/src/cf.data.pre	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/cf.data.pre	2015-02-18 03:05:44.000000000 -0800
@@ -180,6 +180,12 @@
 DOC_END
 
 # Options Removed in 3.2
+NAME: chunked_request_body_max_size
+TYPE: obsolete
+DOC_START
+	Remove this line. Squid is now HTTP/1.1 compliant.
+DOC_END
+
 NAME: ignore_expect_100
 TYPE: obsolete
 DOC_START
@@ -1734,6 +1740,7 @@
 			    NO_TLSv1_2  Disallow the use of TLSv1.2
 			    SINGLE_DH_USE Always create a new key when using
 				      temporary/ephemeral DH key exchanges
+			    NO_TICKET Disables TLS tickets extension
 			    ALL       Enable various bug workarounds
 				      suggested as "harmless" by OpenSSL
 				      Be warned that this reduces SSL/TLS
@@ -5255,33 +5262,6 @@
 	a large file.
 DOC_END
 
-NAME: chunked_request_body_max_size
-COMMENT: (bytes)
-TYPE: b_int64_t
-DEFAULT: 64 KB
-LOC: Config.maxChunkedRequestBodySize
-DOC_START
-	A broken or confused HTTP/1.1 client may send a chunked HTTP
-	request to Squid. Squid does not have full support for that
-	feature yet. To cope with such requests, Squid buffers the
-	entire request and then dechunks request body to create a
-	plain HTTP/1.0 request with a known content length. The plain
-	request is then used by the rest of Squid code as usual.
-
-	The option value specifies the maximum size of the buffer used
-	to hold the request before the conversion. If the chunked
-	request size exceeds the specified limit, the conversion
-	fails, and the client receives an "unsupported request" error,
-	as if dechunking was disabled.
-
-	Dechunking is enabled by default. To disable conversion of
-	chunked requests, set the maximum to zero.
-
-	Request dechunking feature and this option in particular are a
-	temporary hack. When chunking requests and responses are fully
-	supported, there will be no need to buffer a chunked request.
-DOC_END
-
 NAME: broken_posts
 IFDEF: USE_HTTP_VIOLATIONS
 TYPE: acl_access
diff -u -r -N squid-3.4.11/src/Notes.cc squid-3.4.12/src/Notes.cc
--- squid-3.4.11/src/Notes.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/Notes.cc	2015-02-18 03:05:44.000000000 -0800
@@ -189,6 +189,21 @@
 }
 
 void
+NotePairs::remove(const char *key)
+{
+    Vector<NotePairs::Entry *>::iterator i = entries.begin();
+    while (i != entries.end()) {
+        if ((*i)->name.cmp(key) == 0) {
+            NotePairs::Entry *e = (*i);
+            entries.prune(e);
+            delete e;
+            i = entries.begin(); // vector changed underneath us
+        } else
+            ++i;
+    }
+}
+
+void
 NotePairs::addStrList(const char *key, const char *values)
 {
     String strValues(values);
diff -u -r -N squid-3.4.11/src/Notes.h squid-3.4.12/src/Notes.h
--- squid-3.4.11/src/Notes.h	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/Notes.h	2015-02-18 03:05:44.000000000 -0800
@@ -155,6 +155,11 @@
     void add(const char *key, const char *value);
 
     /**
+     * Remove all notes with a given key.
+     */
+    void remove(const char *key);
+
+    /**
      * Adds a note key and values strList to the notes list.
      * If the key name already exists in list, add the new values to its set
      * of values.
diff -u -r -N squid-3.4.11/src/peer_select.cc squid-3.4.12/src/peer_select.cc
--- squid-3.4.11/src/peer_select.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/peer_select.cc	2015-02-18 03:05:44.000000000 -0800
@@ -122,7 +122,7 @@
     assert(entry);
     assert(entry->ping_status == PING_NONE);
     assert(direct != DIRECT_YES);
-    debugs(44, 3, "peerSelectIcpPing: " << entry->url()  );
+    debugs(44, 3, "peerSelectIcpPing: " << entry->url());
 
     if (!request->flags.hierarchical && direct != DIRECT_NO)
         return 0;
@@ -262,7 +262,7 @@
     if (fs && psstate->paths->size() < (unsigned int)Config.forward_max_tries) {
         // send the next one off for DNS lookup.
         const char *host = fs->_peer ? fs->_peer->host : psstate->request->GetHost();
-        debugs(44, 2, "Find IP destination for: " << psstate->entry->url() << "' via " << host);
+        debugs(44, 2, "Find IP destination for: " << psstate->url() << "' via " << host);
         ipcache_nbgethostbyname(host, peerSelectDnsResults, psstate);
         return;
     }
@@ -744,7 +744,7 @@
     StoreEntry *entry = psstate->entry;
 
     if (entry)
-        debugs(44, 3, "peerPingTimeout: '" << entry->url() << "'" );
+        debugs(44, 3, "peerPingTimeout: '" << psstate->url() << "'" );
 
     if (!cbdataReferenceValid(psstate->callback_data)) {
         /* request aborted */
@@ -812,7 +812,7 @@
 {
     ps_state *psstate = (ps_state *)data;
     icp_opcode op = header->getOpCode();
-    debugs(44, 3, "peerHandleIcpReply: " << icp_opcode_str[op] << " " << psstate->entry->url()  );
+    debugs(44, 3, "peerHandleIcpReply: " << icp_opcode_str[op] << " " << psstate->url()  );
 #if USE_CACHE_DIGESTS && 0
     /* do cd lookup to count false misses */
 
@@ -845,9 +845,7 @@
 peerHandleHtcpReply(CachePeer * p, peer_t type, HtcpReplyData * htcp, void *data)
 {
     ps_state *psstate = (ps_state *)data;
-    debugs(44, 3, "peerHandleHtcpReply: " <<
-           (htcp->hit ? "HIT" : "MISS") << " " <<
-           psstate->entry->url()  );
+    debugs(44, 3, "" << (htcp->hit ? "HIT" : "MISS") << " " << psstate->url());
     ++ psstate->ping.n_recv;
 
     if (htcp->hit) {
diff -u -r -N squid-3.4.11/src/SquidConfig.h squid-3.4.12/src/SquidConfig.h
--- squid-3.4.11/src/SquidConfig.h	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/SquidConfig.h	2015-02-18 03:05:44.000000000 -0800
@@ -120,7 +120,6 @@
     } Timeout;
     size_t maxRequestHeaderSize;
     int64_t maxRequestBodySize;
-    int64_t maxChunkedRequestBodySize;
     size_t maxRequestBufferSize;
     size_t maxReplyHeaderSize;
     AclSizeLimit *ReplyBodySize;
diff -u -r -N squid-3.4.11/src/ssl/support.cc squid-3.4.12/src/ssl/support.cc
--- squid-3.4.11/src/ssl/support.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/ssl/support.cc	2015-02-18 03:05:44.000000000 -0800
@@ -488,6 +488,11 @@
         "No_Compression", SSL_OP_NO_COMPRESSION
     },
 #endif
+#if SSL_OP_NO_TICKET
+    {
+        "NO_TICKET", SSL_OP_NO_TICKET
+    },
+#endif
     {
         "", 0
     },
diff -u -r -N squid-3.4.11/src/tools.cc squid-3.4.12/src/tools.cc
--- squid-3.4.11/src/tools.cc	2015-01-13 03:53:17.000000000 -0800
+++ squid-3.4.12/src/tools.cc	2015-02-18 03:05:44.000000000 -0800
@@ -1319,7 +1319,10 @@
         cap_value_t cap_list[10];
         cap_list[ncaps] = CAP_NET_BIND_SERVICE;
         ++ncaps;
-        if (Ip::Interceptor.TransparentActive() || Ip::Qos::TheConfig.isHitNfmarkActive() || Ip::Qos::TheConfig.isAclNfmarkActive()) {
+        if (Ip::Interceptor.TransparentActive() ||
+                Ip::Qos::TheConfig.isHitNfmarkActive() ||
+                Ip::Qos::TheConfig.isAclNfmarkActive() ||
+                Ip::Qos::TheConfig.isAclTosActive()) {
             cap_list[ncaps] = CAP_NET_ADMIN;
             ++ncaps;
         }
