diff -u -r -N squid-4.0.1/ChangeLog squid-4.0.2/ChangeLog
--- squid-4.0.1/ChangeLog	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/ChangeLog	2015-11-01 04:17:47.000000000 -0800
@@ -1,3 +1,15 @@
+Changes to squid-4.0.2 (01 Nov 2015):
+
+	- Regression Bug 4351: compile errors when authentication modules disabled
+	- Regression fix: HTTP/1.1 Transfer-Encoding:chunked parsing
+	- Bug 4359: assertion failure 'Comm::IsConnOpen(conn)' within ConnStateData::requestTimeout
+	- Bug 4356: segmentation fault using proxy_auth ACL
+	- Bug 4352: compile errors in OS X 10.11
+	- Bug 4021: ext_user_regex does exact match
+	- Bug 3574: avoid crashes, prohibit reconfiguration during shutdown
+	- Support re-assigning delay pools based on HTTP reply details
+	- ... and all fixes from squid 3.5.11
+
 Changes to squid-4.0.1 (14 Oct 2015):
 
 	- Bug 4329: GCC 5.2 no known conversion for argument
@@ -48,6 +60,18 @@
 	- ... and many documentation changes
 	- ... and much code cleanup and polishing
 
+Changes to squid-3.5.11 (01 Nov 2015):
+
+	- Bug 3574: crashes on reconfigure and startup
+	- Bug 4347: compile errors with LibreSSL 2.3
+	- Bug 4281: copy-paste typos in src/tools.cc
+	- Bug 4279: No response from proxy for FTP-download of non-existing file
+	- Bug 4188: Bumping intercepted SSL connections does not work on Solaris
+	- Fix incorrect authentication headers on cache digest requests
+	- Fix connection stats, including %<lp, missing for persistent connections
+	- Fix invalid memory access issues in SBuf
+	- Avoid errors when parsing manager ACL in old squid.conf
+
 Changes to squid-3.5.10 (01 Oct 2015):
 
 	- Regression Fix cache_peer login=PASS(THRU) after CVE-2015-5400
diff -u -r -N squid-4.0.1/configure squid-4.0.2/configure
--- squid-4.0.1/configure	2015-10-13 23:13:32.000000000 -0700
+++ squid-4.0.2/configure	2015-11-01 04:19:43.000000000 -0800
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.1.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.2.
 #
 # Report bugs to <http://bugs.squid-cache.org/>.
 #
@@ -595,8 +595,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='4.0.1'
-PACKAGE_STRING='Squid Web Proxy 4.0.1'
+PACKAGE_VERSION='4.0.2'
+PACKAGE_STRING='Squid Web Proxy 4.0.2'
 PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1645,7 +1645,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 4.0.1 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 4.0.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1716,7 +1716,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 4.0.1:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 4.0.2:";;
    esac
   cat <<\_ACEOF
 
@@ -2123,7 +2123,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 4.0.1
+Squid Web Proxy configure 4.0.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3227,7 +3227,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 4.0.1, which was
+It was created by Squid Web Proxy $as_me 4.0.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4094,7 +4094,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='4.0.1'
+ VERSION='4.0.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -41381,7 +41381,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 4.0.1, which was
+This file was extended by Squid Web Proxy $as_me 4.0.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -41447,7 +41447,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 4.0.1
+Squid Web Proxy config.status 4.0.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-4.0.1/configure.ac squid-4.0.2/configure.ac
--- squid-4.0.1/configure.ac	2015-10-13 23:13:31.000000000 -0700
+++ squid-4.0.2/configure.ac	2015-11-01 04:19:43.000000000 -0800
@@ -5,7 +5,7 @@
 ## Please see the COPYING and CONTRIBUTORS files for details.
 ##
 
-AC_INIT([Squid Web Proxy],[4.0.1],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[4.0.2],[http://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-4.0.1/doc/release-notes/release-4.html squid-4.0.2/doc/release-notes/release-4.html
--- squid-4.0.1/doc/release-notes/release-4.html	2015-10-14 00:09:59.000000000 -0700
+++ squid-4.0.2/doc/release-notes/release-4.html	2015-11-01 05:13:09.000000000 -0800
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 4.0.1 release notes</TITLE>
+ <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.71">
+ <TITLE>Squid 4.0.2 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 4.0.1 release notes</H1>
+<H1>Squid 4.0.2 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -61,7 +61,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-4.0.1 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-4.0.2 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the
 <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-4.0.1/helpers/basic_auth/DB/basic_db_auth.8 squid-4.0.2/helpers/basic_auth/DB/basic_db_auth.8
--- squid-4.0.1/helpers/basic_auth/DB/basic_db_auth.8	2015-10-14 00:10:01.000000000 -0700
+++ squid-4.0.2/helpers/basic_auth/DB/basic_db_auth.8	2015-11-01 05:13:17.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-4.0.2/helpers/basic_auth/POP3/basic_pop3_auth.8
--- squid-4.0.1/helpers/basic_auth/POP3/basic_pop3_auth.8	2015-10-14 00:10:07.000000000 -0700
+++ squid-4.0.2/helpers/basic_auth/POP3/basic_pop3_auth.8	2015-11-01 05:13:30.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/external_acl/delayer/ext_delayer_acl.8 squid-4.0.2/helpers/external_acl/delayer/ext_delayer_acl.8
--- squid-4.0.1/helpers/external_acl/delayer/ext_delayer_acl.8	2015-10-14 00:10:18.000000000 -0700
+++ squid-4.0.2/helpers/external_acl/delayer/ext_delayer_acl.8	2015-11-01 05:13:47.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-4.0.2/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-4.0.1/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2015-10-14 00:10:25.000000000 -0700
+++ squid-4.0.2/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2015-11-01 05:13:58.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.0.2/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-4.0.1/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2015-10-14 00:10:28.000000000 -0700
+++ squid-4.0.2/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2015-11-01 05:14:03.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/log_daemon/DB/log_db_daemon.8 squid-4.0.2/helpers/log_daemon/DB/log_db_daemon.8
--- squid-4.0.1/helpers/log_daemon/DB/log_db_daemon.8	2015-10-14 00:10:30.000000000 -0700
+++ squid-4.0.2/helpers/log_daemon/DB/log_db_daemon.8	2015-11-01 05:14:06.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 8"
-.TH LOG_DB_DAEMON 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-4.0.2/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-4.0.1/helpers/storeid_rewrite/file/storeid_file_rewrite.8	2015-10-14 00:10:42.000000000 -0700
+++ squid-4.0.2/helpers/storeid_rewrite/file/storeid_file_rewrite.8	2015-11-01 05:14:24.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/helpers/url_rewrite/LFS/url_lfs_rewrite.8 squid-4.0.2/helpers/url_rewrite/LFS/url_lfs_rewrite.8
--- squid-4.0.1/helpers/url_rewrite/LFS/url_lfs_rewrite.8	2015-10-14 00:10:39.000000000 -0700
+++ squid-4.0.2/helpers/url_rewrite/LFS/url_lfs_rewrite.8	2015-11-01 05:14:20.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "URL_LFS_REWRITE 8"
-.TH URL_LFS_REWRITE 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH URL_LFS_REWRITE 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-4.0.1/include/version.h squid-4.0.2/include/version.h
--- squid-4.0.1/include/version.h	2015-10-13 23:13:32.000000000 -0700
+++ squid-4.0.2/include/version.h	2015-11-01 04:19:43.000000000 -0800
@@ -7,7 +7,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1444802928
+#define SQUID_RELEASE_TIME 1446380250
 #endif
 
 /*
diff -u -r -N squid-4.0.1/RELEASENOTES.html squid-4.0.2/RELEASENOTES.html
--- squid-4.0.1/RELEASENOTES.html	2015-10-14 00:09:59.000000000 -0700
+++ squid-4.0.2/RELEASENOTES.html	2015-11-01 05:13:09.000000000 -0800
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 4.0.1 release notes</TITLE>
+ <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.71">
+ <TITLE>Squid 4.0.2 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 4.0.1 release notes</H1>
+<H1>Squid 4.0.2 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -61,7 +61,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-4.0.1 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-4.0.2 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the
 <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-4.0.1/src/acl/Acl.cc squid-4.0.2/src/acl/Acl.cc
--- squid-4.0.1/src/acl/Acl.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/acl/Acl.cc	2015-11-01 04:17:47.000000000 -0800
@@ -244,6 +244,10 @@
         }
         theType = "localport";
         debugs(28, DBG_IMPORTANT, "UPGRADE: ACL 'myport' type is has been renamed to 'localport' and matches the port the client connected to.");
+    } else if (strcmp(theType, "proto") == 0 && strcmp(aclname, "manager") == 0) {
+        // ACL manager is now a built-in and has a different type.
+        debugs(28, DBG_PARSE_NOTE(DBG_IMPORTANT), "UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.");
+        return; // ignore the line
     }
 
     if (!Prototype::Registered(theType)) {
diff -u -r -N squid-4.0.1/src/acl/ExtUser.cc squid-4.0.2/src/acl/ExtUser.cc
--- squid-4.0.1/src/acl/ExtUser.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/acl/ExtUser.cc	2015-11-01 04:17:47.000000000 -0800
@@ -45,8 +45,6 @@
 void
 ACLExtUser::parse()
 {
-    debugs(28, 3, "aclParseUserList: current is null. Creating");
-    data = new ACLUserData;
     data->parse();
 }
 
diff -u -r -N squid-4.0.1/src/acl/UserData.cc squid-4.0.2/src/acl/UserData.cc
--- squid-4.0.1/src/acl/UserData.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/acl/UserData.cc	2015-11-01 04:17:47.000000000 -0800
@@ -55,13 +55,19 @@
 }
 
 static bool
+CaseSensitiveSBufCompare(const SBuf &lhs, const SBuf &rhs)
+{
+    return (lhs.cmp(rhs) < 0);
+}
+
+static bool
 CaseInsensitveSBufCompare(const SBuf &lhs, const SBuf &rhs)
 {
     return (lhs.caseCmp(rhs) < 0);
 }
 
 ACLUserData::ACLUserData() :
-    userDataNames()
+    userDataNames(CaseSensitiveSBufCompare)
 {
     flags.case_insensitive = false;
     flags.required = false;
diff -u -r -N squid-4.0.1/src/auth/basic/Config.h squid-4.0.2/src/auth/basic/Config.h
--- squid-4.0.1/src/auth/basic/Config.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/basic/Config.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef __AUTH_BASIC_H__
 #define __AUTH_BASIC_H__
 
+#if HAVE_AUTH_MODULE_BASIC
+
 #include "auth/Config.h"
 #include "auth/Gadgets.h"
 #include "auth/UserRequest.h"
@@ -51,5 +53,6 @@
 
 extern helper *basicauthenticators;
 
+#endif /* HAVE_AUTH_MODULE_BASIC */
 #endif /* __AUTH_BASIC_H__ */
 
diff -u -r -N squid-4.0.1/src/auth/basic/Scheme.h squid-4.0.2/src/auth/basic/Scheme.h
--- squid-4.0.1/src/auth/basic/Scheme.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/basic/Scheme.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef SQUID_AUTH_BASIC_SCHEME_H
 #define SQUID_AUTH_BASIC_SCHEME_H
 
+#if HAVE_AUTH_MODULE_BASIC
+
 #include "auth/Scheme.h"
 
 namespace Auth
@@ -41,5 +43,6 @@
 } // namespace Basic
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_BASIC */
 #endif /* SQUID_AUTH_BASIC_SCHEME_H */
 
diff -u -r -N squid-4.0.1/src/auth/basic/User.h squid-4.0.2/src/auth/basic/User.h
--- squid-4.0.1/src/auth/basic/User.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/basic/User.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_AUTH_BASIC_USER_H
 #define _SQUID_AUTH_BASIC_USER_H
 
+#if HAVE_AUTH_MODULE_BASIC
+
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 
@@ -51,5 +53,6 @@
 } // namespace Basic
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_BASIC */
 #endif /* _SQUID_AUTH_BASIC_USER_H */
 
diff -u -r -N squid-4.0.1/src/auth/basic/UserRequest.h squid-4.0.2/src/auth/basic/UserRequest.h
--- squid-4.0.1/src/auth/basic/UserRequest.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/basic/UserRequest.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_SRC_AUTH_BASIC_USERREQUEST_H
 #define _SQUID_SRC_AUTH_BASIC_USERREQUEST_H
 
+#if HAVE_AUTH_MODULE_BASIC
+
 #include "auth/UserRequest.h"
 
 class ConnStateData;
@@ -43,5 +45,6 @@
 } // namespace Basic
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_BASIC */
 #endif /* _SQUID_SRC_AUTH_BASIC_USERREQUEST_H */
 
diff -u -r -N squid-4.0.1/src/auth/digest/Config.h squid-4.0.2/src/auth/digest/Config.h
--- squid-4.0.1/src/auth/digest/Config.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/digest/Config.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef __AUTH_DIGEST_H__
 #define __AUTH_DIGEST_H__
 
+#if HAVE_AUTH_MODULE_DIGEST
+
 #include "auth/Config.h"
 #include "auth/Gadgets.h"
 #include "auth/UserRequest.h"
@@ -103,5 +105,6 @@
 
 extern helper *digestauthenticators;
 
+#endif /* HAVE_AUTH_MODULE_DIGEST */
 #endif
 
diff -u -r -N squid-4.0.1/src/auth/digest/Scheme.h squid-4.0.2/src/auth/digest/Scheme.h
--- squid-4.0.1/src/auth/digest/Scheme.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/digest/Scheme.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef SQUID_AUTH_DIGEST_SCHEME_H
 #define SQUID_AUTH_DIGEST_SCHEME_H
 
+#if HAVE_AUTH_MODULE_DIGEST
+
 #include "auth/Scheme.h"
 
 namespace Auth
@@ -43,5 +45,6 @@
 } // namespace Digest
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_DIGEST */
 #endif /* SQUID_AUTH_DIGEST_SCHEME_H */
 
diff -u -r -N squid-4.0.1/src/auth/digest/User.h squid-4.0.2/src/auth/digest/User.h
--- squid-4.0.1/src/auth/digest/User.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/digest/User.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_AUTH_DIGEST_USER_H
 #define _SQUID_AUTH_DIGEST_USER_H
 
+#if HAVE_AUTH_MODULE_DIGEST
+
 #include "auth/digest/Config.h"
 #include "auth/User.h"
 #include "rfc2617.h"
@@ -45,5 +47,6 @@
 } // namespace Digest
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_DIGEST */
 #endif /* _SQUID_AUTH_DIGEST_USER_H */
 
diff -u -r -N squid-4.0.1/src/auth/digest/UserRequest.h squid-4.0.2/src/auth/digest/UserRequest.h
--- squid-4.0.1/src/auth/digest/UserRequest.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/digest/UserRequest.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_SRC_AUTH_DIGEST_USERREQUEST_H
 #define _SQUID_SRC_AUTH_DIGEST_USERREQUEST_H
 
+#if HAVE_AUTH_MODULE_DIGEST
+
 #include "auth/UserRequest.h"
 
 class ConnStateData;
@@ -67,5 +69,6 @@
 } // namespace Digest
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_DIGEST */
 #endif /* _SQUID_SRC_AUTH_DIGEST_USERREQUEST_H */
 
diff -u -r -N squid-4.0.1/src/auth/Gadgets.cc squid-4.0.2/src/auth/Gadgets.cc
--- squid-4.0.1/src/auth/Gadgets.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/Gadgets.cc	2015-11-01 04:17:47.000000000 -0800
@@ -112,22 +112,34 @@
         return lhs->userKey() < rhs->userKey();
     };
     std::vector<Auth::User::Pointer> v1, v2, rv, u1, u2;
+#if HAVE_AUTH_MODULE_BASIC
     if (Auth::Config::Find("basic") != nullptr)
         u1 = Auth::Basic::User::Cache()->sortedUsersList();
+#endif
+#if HAVE_AUTH_MODULE_DIGEST
     if (Auth::Config::Find("digest") != nullptr)
         u2 = Auth::Digest::User::Cache()->sortedUsersList();
-    v1.reserve(u1.size()+u2.size());
-    std::merge(u1.begin(), u1.end(),u2.begin(), u2.end(),
-               std::back_inserter(v1), aucp_compare);
-    u1.clear();
-    u2.clear();
+#endif
+    if (u1.size() > 0 || u2.size() > 0) {
+        v1.reserve(u1.size()+u2.size());
+        std::merge(u1.begin(), u1.end(),u2.begin(), u2.end(),
+                   std::back_inserter(v1), aucp_compare);
+        u1.clear();
+        u2.clear();
+    }
+#if HAVE_AUTH_MODULE_NEGOTIATE
     if (Auth::Config::Find("negotiate") != nullptr)
         u1 = Auth::Negotiate::User::Cache()->sortedUsersList();
+#endif
+#if HAVE_AUTH_MODULE_NTLM
     if (Auth::Config::Find("ntlm") != nullptr)
         u2 = Auth::Ntlm::User::Cache()->sortedUsersList();
-    v2.reserve(u1.size()+u2.size());
-    std::merge(u1.begin(), u1.end(),u2.begin(), u2.end(),
-               std::back_inserter(v2), aucp_compare);
+#endif
+    if (u1.size() > 0 || u2.size() > 0) {
+        v2.reserve(u1.size()+u2.size());
+        std::merge(u1.begin(), u1.end(),u2.begin(), u2.end(),
+                   std::back_inserter(v2), aucp_compare);
+    }
     rv.reserve(v1.size()+v2.size());
     std::merge(v1.begin(), v1.end(),v2.begin(), v2.end(),
                std::back_inserter(rv), aucp_compare);
diff -u -r -N squid-4.0.1/src/auth/negotiate/Config.h squid-4.0.2/src/auth/negotiate/Config.h
--- squid-4.0.1/src/auth/negotiate/Config.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/negotiate/Config.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef __AUTH_NEGOTIATE_H__
 #define __AUTH_NEGOTIATE_H__
 
+#if HAVE_AUTH_MODULE_NEGOTIATE
+
 #include "auth/Config.h"
 #include "auth/Gadgets.h"
 #include "auth/UserRequest.h"
@@ -45,5 +47,6 @@
 
 extern statefulhelper *negotiateauthenticators;
 
+#endif /* HAVE_AUTH_MODULE_NEGOTIATE */
 #endif
 
diff -u -r -N squid-4.0.1/src/auth/negotiate/Scheme.h squid-4.0.2/src/auth/negotiate/Scheme.h
--- squid-4.0.1/src/auth/negotiate/Scheme.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/negotiate/Scheme.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef SQUID_AUTH_NEGOTIATE_SCHEME_H
 #define SQUID_AUTH_NEGOTIATE_SCHEME_H
 
+#if HAVE_AUTH_MODULE_NEGOTIATE
+
 #include "auth/Scheme.h"
 
 namespace Auth
@@ -42,5 +44,6 @@
 } // namespace Negotiate
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_NEGOTIATE */
 #endif /* SQUID_AUTH_NEGOTIATE_SCHEME_H */
 
diff -u -r -N squid-4.0.1/src/auth/negotiate/User.h squid-4.0.2/src/auth/negotiate/User.h
--- squid-4.0.1/src/auth/negotiate/User.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/negotiate/User.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_AUTH_NEGOTIATE_USER_H
 #define _SQUID_AUTH_NEGOTIATE_USER_H
 
+#if HAVE_AUTH_MODULE_NEGOTIATE
+
 #include "auth/User.h"
 
 namespace Auth
@@ -39,5 +41,6 @@
 } // namespace Negotiate
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_NEGOTIATE */
 #endif /* _SQUID_AUTH_NEGOTIATE_USER_H */
 
diff -u -r -N squid-4.0.1/src/auth/negotiate/UserRequest.h squid-4.0.2/src/auth/negotiate/UserRequest.h
--- squid-4.0.1/src/auth/negotiate/UserRequest.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/negotiate/UserRequest.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_SRC_AUTH_NEGOTIATE_USERREQUEST_H
 #define _SQUID_SRC_AUTH_NEGOTIATE_USERREQUEST_H
 
+#if HAVE_AUTH_MODULE_NEGOTIATE
+
 #include "auth/UserRequest.h"
 #include "helper/forward.h"
 
@@ -62,5 +64,6 @@
 } // namespace Negotiate
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_NEGOTIATE */
 #endif /* _SQUID_SRC_AUTH_NEGOTIATE_USERREQUEST_H */
 
diff -u -r -N squid-4.0.1/src/auth/ntlm/Config.h squid-4.0.2/src/auth/ntlm/Config.h
--- squid-4.0.1/src/auth/ntlm/Config.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/ntlm/Config.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef __AUTH_NTLM_H__
 #define __AUTH_NTLM_H__
 
+#if HAVE_AUTH_MODULE_NTLM
+
 #include "auth/Config.h"
 #include "auth/Gadgets.h"
 #include "auth/UserRequest.h"
@@ -48,5 +50,6 @@
 
 extern statefulhelper *ntlmauthenticators;
 
+#endif /* HAVE_AUTH_MODULE_NTLM */
 #endif
 
diff -u -r -N squid-4.0.1/src/auth/ntlm/Scheme.h squid-4.0.2/src/auth/ntlm/Scheme.h
--- squid-4.0.1/src/auth/ntlm/Scheme.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/ntlm/Scheme.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef SQUID_AUTH_NTLM_SCHEME_H
 #define SQUID_AUTH_NTLM_SCHEME_H
 
+#if HAVE_AUTH_MODULE_NTLM
+
 #include "auth/Scheme.h"
 
 namespace Auth
@@ -46,5 +48,6 @@
 } // namespace Ntlm
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_NTLM */
 #endif /* SQUID_AUTH_NTLM_SCHEME_H */
 
diff -u -r -N squid-4.0.1/src/auth/ntlm/User.h squid-4.0.2/src/auth/ntlm/User.h
--- squid-4.0.1/src/auth/ntlm/User.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/ntlm/User.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_AUTH_NTLM_USER_H
 #define _SQUID_AUTH_NTLM_USER_H
 
+#if HAVE_AUTH_MODULE_NTLM
+
 #include "auth/User.h"
 
 namespace Auth
@@ -39,5 +41,6 @@
 } // namespace Ntlm
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_NTLM */
 #endif /* _SQUID_AUTH_NTLM_USER_H */
 
diff -u -r -N squid-4.0.1/src/auth/ntlm/UserRequest.h squid-4.0.2/src/auth/ntlm/UserRequest.h
--- squid-4.0.1/src/auth/ntlm/UserRequest.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/auth/ntlm/UserRequest.h	2015-11-01 04:17:47.000000000 -0800
@@ -9,6 +9,8 @@
 #ifndef _SQUID_SRC_AUTH_NTLM_USERREQUEST_H
 #define _SQUID_SRC_AUTH_NTLM_USERREQUEST_H
 
+#if HAVE_AUTH_MODULE_NTLM
+
 #include "auth/UserRequest.h"
 #include "helper/forward.h"
 
@@ -59,5 +61,6 @@
 } // namespace Ntlm
 } // namespace Auth
 
+#endif /* HAVE_AUTH_MODULE_NTLM */
 #endif /* _SQUID_SRC_AUTH_NTLM_USERREQUEST_H */
 
diff -u -r -N squid-4.0.1/src/client_side.cc squid-4.0.2/src/client_side.cc
--- squid-4.0.1/src/client_side.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/client_side.cc	2015-11-01 04:17:47.000000000 -0800
@@ -3339,6 +3339,9 @@
 void
 ConnStateData::requestTimeout(const CommTimeoutCbParams &io)
 {
+    if (!Comm::IsConnOpen(io.conn))
+        return;
+
     if (Config.accessList.on_unsupported_protocol && !receivedFirstByte_) {
 #if USE_OPENSSL
         if (serverBump() && (serverBump()->act.step1 == Ssl::bumpPeek || serverBump()->act.step1 == Ssl::bumpStare)) {
diff -u -r -N squid-4.0.1/src/client_side_reply.cc squid-4.0.2/src/client_side_reply.cc
--- squid-4.0.1/src/client_side_reply.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/client_side_reply.cc	2015-11-01 04:17:47.000000000 -0800
@@ -2196,6 +2196,11 @@
 
     cloneReply();
 
+#if USE_DELAY_POOLS
+    if (sc)
+        sc->setDelayId(DelayId::DelayClient(http,reply));
+#endif
+
     /* handle headers */
 
     if (Config.onoff.log_mime_hdrs) {
diff -u -r -N squid-4.0.1/src/comm/ModDevPoll.cc squid-4.0.2/src/comm/ModDevPoll.cc
--- squid-4.0.1/src/comm/ModDevPoll.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/comm/ModDevPoll.cc	2015-11-01 04:17:47.000000000 -0800
@@ -241,6 +241,9 @@
 
     if ( type & COMM_SELECT_READ ) {
         if ( handler != NULL ) {
+            // Hack to keep the events flowing if there is data immediately ready
+            if (F->flags.read_pending)
+                state_new |= POLLOUT;
             /* we want to POLLIN */
             state_new |= POLLIN;
         } else {
diff -u -r -N squid-4.0.1/src/comm/TcpAcceptor.cc squid-4.0.2/src/comm/TcpAcceptor.cc
--- squid-4.0.1/src/comm/TcpAcceptor.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/comm/TcpAcceptor.cc	2015-11-01 04:17:47.000000000 -0800
@@ -181,13 +181,11 @@
     // Set TOS if needed.
     // To correctly implement TOS values on listening sockets, probably requires
     // more work to inherit TOS values to created connection objects.
-    if (conn->tos &&
-            Ip::Qos::setSockTos(conn->fd, conn->tos, conn->remote.isIPv4() ? AF_INET : AF_INET6) < 0)
-        conn->tos = 0;
+    if (conn->tos)
+        Ip::Qos::setSockTos(conn, conn->tos)
 #if SO_MARK
-    if (conn->nfmark &&
-            Ip::Qos::setSockNfmark(conn->fd, conn->nfmark) < 0)
-        conn->nfmark = 0;
+        if (conn->nfmark)
+            Ip::Qos::setSockNfmark(conn, conn->nfmark);
 #endif
 #endif
 
diff -u -r -N squid-4.0.1/src/DelayId.cc squid-4.0.2/src/DelayId.cc
--- squid-4.0.1/src/DelayId.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/DelayId.cc	2015-11-01 04:17:47.000000000 -0800
@@ -63,7 +63,7 @@
 
 /* create a delay Id for a given request */
 DelayId
-DelayId::DelayClient(ClientHttpRequest * http)
+DelayId::DelayClient(ClientHttpRequest * http, HttpReply *reply)
 {
     HttpRequest *r;
     unsigned short pool;
@@ -85,6 +85,10 @@
         }
 
         ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, NULL);
+        if (reply) {
+            ch.reply = reply;
+            HTTPMSGLOCK(reply);
+        }
 #if FOLLOW_X_FORWARDED_FOR
         if (Config.onoff.delay_pool_uses_indirect_client)
             ch.src_addr = r->indirect_client_addr;
diff -u -r -N squid-4.0.1/src/DelayId.h squid-4.0.2/src/DelayId.h
--- squid-4.0.1/src/DelayId.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/DelayId.h	2015-11-01 04:17:47.000000000 -0800
@@ -11,15 +11,17 @@
 
 #if USE_DELAY_POOLS
 
-class ClientHttpRequest;
 #include "DelayIdComposite.h"
 
+class ClientHttpRequest;
+class HttpReply;
+
 /// \ingroup DelayPoolsAPI
 class DelayId
 {
 
 public:
-    static DelayId DelayClient (ClientHttpRequest *);
+    static DelayId DelayClient(ClientHttpRequest *, HttpReply *reply = nullptr);
     DelayId ();
     DelayId (unsigned short);
     ~DelayId ();
diff -u -r -N squid-4.0.1/src/DiskIO/DiskThreads/async_io.cc squid-4.0.2/src/DiskIO/DiskThreads/async_io.cc
--- squid-4.0.1/src/DiskIO/DiskThreads/async_io.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/DiskIO/DiskThreads/async_io.cc	2015-11-01 04:17:47.000000000 -0800
@@ -38,7 +38,7 @@
 
     assert(DiskThreadsIOStrategy::Instance.initialised);
     ++squidaio_counts.open_start;
-    ctrlp = (squidaio_ctrl_t *)DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->alloc();
+    ctrlp = new squidaio_ctrl_t;
     ctrlp->fd = -2;
     ctrlp->done_handler = callback;
     ctrlp->done_handler_data = cbdataReference(callback_data);
@@ -57,7 +57,7 @@
     assert(DiskThreadsIOStrategy::Instance.initialised);
     ++squidaio_counts.close_start;
     aioCancel(fd);
-    ctrlp = (squidaio_ctrl_t *)DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->alloc();
+    ctrlp = new squidaio_ctrl_t;
     ctrlp->fd = fd;
     ctrlp->done_handler = NULL;
     ctrlp->done_handler_data = NULL;
@@ -105,7 +105,7 @@
         }
 
         dlinkDelete(m, &used_list);
-        DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->freeOne(ctrlp);
+        delete ctrlp;
     }
 }
 
@@ -117,7 +117,7 @@
 
     assert(DiskThreadsIOStrategy::Instance.initialised);
     ++squidaio_counts.write_start;
-    ctrlp = (squidaio_ctrl_t *)DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->alloc();
+    ctrlp = new squidaio_ctrl_t;
     ctrlp->fd = fd;
     ctrlp->done_handler = callback;
     ctrlp->done_handler_data = cbdataReference(callback_data);
@@ -145,7 +145,7 @@
 
     assert(DiskThreadsIOStrategy::Instance.initialised);
     ++squidaio_counts.read_start;
-    ctrlp = (squidaio_ctrl_t *)DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->alloc();
+    ctrlp = new squidaio_ctrl_t;
     ctrlp->fd = fd;
     ctrlp->done_handler = callback;
     ctrlp->done_handler_data = cbdataReference(callback_data);
@@ -174,7 +174,7 @@
 
     assert(DiskThreadsIOStrategy::Instance.initialised);
     ++squidaio_counts.stat_start;
-    ctrlp = (squidaio_ctrl_t *)DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->alloc();
+    ctrlp = new squidaio_ctrl_t;
     ctrlp->fd = -2;
     ctrlp->done_handler = callback;
     ctrlp->done_handler_data = cbdataReference(callback_data);
@@ -191,7 +191,7 @@
     squidaio_ctrl_t *ctrlp;
     assert(DiskThreadsIOStrategy::Instance.initialised);
     ++squidaio_counts.unlink_start;
-    ctrlp = (squidaio_ctrl_t *)DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->alloc();
+    ctrlp = new squidaio_ctrl_t;
     ctrlp->fd = -2;
     ctrlp->done_handler = callback;
     ctrlp->done_handler_data = cbdataReference(callback_data);
@@ -204,6 +204,6 @@
 int
 aioQueueSize(void)
 {
-    return DiskThreadsIOStrategy::Instance.squidaio_ctrl_pool->inUseCount();
+    return squidaio_ctrl_t::UseCount();
 }
 
diff -u -r -N squid-4.0.1/src/DiskIO/DiskThreads/DiskThreads.h squid-4.0.2/src/DiskIO/DiskThreads/DiskThreads.h
--- squid-4.0.1/src/DiskIO/DiskThreads/DiskThreads.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/DiskIO/DiskThreads/DiskThreads.h	2015-11-01 04:17:47.000000000 -0800
@@ -56,7 +56,9 @@
 
 typedef void AIOCB(int fd, void *cbdata, const char *buf, int aio_return, int aio_errno);
 
-struct squidaio_result_t {
+class squidaio_result_t {
+public:
+    squidaio_result_t() : aio_return(0), aio_errno(0), result_type(_AIO_OP_NONE), _data(nullptr), data(nullptr) {}
     int aio_return;
     int aio_errno;
     enum _squidaio_request_type result_type;
@@ -64,8 +66,10 @@
     void *data;         /* Available to the caller */
 };
 
-struct squidaio_ctrl_t {
-
+class squidaio_ctrl_t {
+    MEMPROXY_CLASS(squidaio_ctrl_t);
+public:
+    squidaio_ctrl_t() : next(nullptr), fd(0), operation(0), done_handler(nullptr), done_handler_data(nullptr), len(0), bufp(0), free_func(nullptr) {}
     struct squidaio_ctrl_t *next;
     int fd;
     int operation;
diff -u -r -N squid-4.0.1/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.cc squid-4.0.2/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.cc
--- squid-4.0.1/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.cc	2015-11-01 04:17:47.000000000 -0800
@@ -28,8 +28,6 @@
     if (initialised)
         return;
 
-    squidaio_ctrl_pool = memPoolCreate("aio_ctrl", sizeof(squidaio_ctrl_t));
-
     initialised = true;
 
     /*
@@ -56,10 +54,6 @@
 
     squidaio_shutdown();
 
-    delete squidaio_ctrl_pool;
-
-    squidaio_ctrl_pool = NULL;
-
     initialised = false;
 }
 
@@ -144,7 +138,7 @@
         if (ctrlp->operation == _AIO_READ)
             squidaio_xfree(ctrlp->bufp, ctrlp->len);
 
-        squidaio_ctrl_pool->freeOne(ctrlp);
+        delete ctrlp;
     }
 
     return retval;
@@ -168,8 +162,7 @@
 }
 
 DiskThreadsIOStrategy::DiskThreadsIOStrategy() :
-    initialised(false),
-    squidaio_ctrl_pool(NULL)
+    initialised(false)
 {}
 
 void
diff -u -r -N squid-4.0.1/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.h squid-4.0.2/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.h
--- squid-4.0.1/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/DiskIO/DiskThreads/DiskThreadsIOStrategy.h	2015-11-01 04:17:47.000000000 -0800
@@ -37,7 +37,6 @@
     /* Todo: add access limitations */
     bool initialised;
     static DiskThreadsIOStrategy Instance;
-    MemAllocator *squidaio_ctrl_pool;
 
 private:
     static void aioStats(StoreEntry * sentry);
diff -u -r -N squid-4.0.1/src/FwdState.cc squid-4.0.2/src/FwdState.cc
--- squid-4.0.1/src/FwdState.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/FwdState.cc	2015-11-01 04:17:47.000000000 -0800
@@ -780,6 +780,21 @@
         return (time_t)ctimeout;
 }
 
+/// called when serverConn is set to an _open_ to-peer connection
+void
+FwdState::syncWithServerConn(const char *host)
+{
+    if (Ip::Qos::TheConfig.isAclTosActive())
+        Ip::Qos::setSockTos(serverConn, GetTosToServer(request));
+
+#if SO_MARK
+    if (Ip::Qos::TheConfig.isAclNfmarkActive())
+        Ip::Qos::setSockNfmark(serverConn, GetNfmarkToServer(request));
+#endif
+
+    request->hier.note(serverConn, host);
+}
+
 /**
  * Called after forwarding path selection (via peer select) has taken place
  * and whenever forwarding needs to attempt a new connection (routing failover).
@@ -820,23 +835,11 @@
             flags.connected_okay = true;
             ++n_tries;
             request->flags.pinned = true;
-            request->hier.note(serverConn, pinned_connection->pinning.host);
             if (pinned_connection->pinnedAuth())
                 request->flags.auth = true;
             comm_add_close_handler(serverConn->fd, fwdServerClosedWrapper, this);
 
-            /* Update server side TOS and Netfilter mark on the connection. */
-            if (Ip::Qos::TheConfig.isAclTosActive()) {
-                debugs(17, 3, HERE << "setting tos for pinned connection to " << (int)serverConn->tos );
-                serverConn->tos = GetTosToServer(request);
-                Ip::Qos::setSockTos(serverConn, serverConn->tos);
-            }
-#if SO_MARK
-            if (Ip::Qos::TheConfig.isAclNfmarkActive()) {
-                serverConn->nfmark = GetNfmarkToServer(request);
-                Ip::Qos::setSockNfmark(serverConn, serverConn->nfmark);
-            }
-#endif
+            syncWithServerConn(pinned_connection->pinning.host);
 
             // the server may close the pinned connection before this request
             pconnRace = racePossible;
@@ -875,17 +878,7 @@
 
         comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this);
 
-        /* Update server side TOS and Netfilter mark on the connection. */
-        if (Ip::Qos::TheConfig.isAclTosActive()) {
-            const tos_t tos = GetTosToServer(request);
-            Ip::Qos::setSockTos(temp, tos);
-        }
-#if SO_MARK
-        if (Ip::Qos::TheConfig.isAclNfmarkActive()) {
-            const nfmark_t nfmark = GetNfmarkToServer(request);
-            Ip::Qos::setSockNfmark(temp, nfmark);
-        }
-#endif
+        syncWithServerConn(request->url.host());
 
         dispatch();
         return;
diff -u -r -N squid-4.0.1/src/FwdState.h squid-4.0.2/src/FwdState.h
--- squid-4.0.1/src/FwdState.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/FwdState.h	2015-11-01 04:17:47.000000000 -0800
@@ -120,6 +120,8 @@
     /// stops monitoring server connection for closure and updates pconn stats
     void closeServerConnection(const char *reason);
 
+    void syncWithServerConn(const char *host);
+
 public:
     StoreEntry *entry;
     HttpRequest *request;
diff -u -r -N squid-4.0.1/src/http/one/TeChunkedParser.cc squid-4.0.2/src/http/one/TeChunkedParser.cc
--- squid-4.0.1/src/http/one/TeChunkedParser.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/http/one/TeChunkedParser.cc	2015-11-01 04:17:47.000000000 -0800
@@ -164,19 +164,19 @@
 bool
 Http::One::TeChunkedParser::parseChunkBody(Http1::Tokenizer &tok)
 {
-    Must(theLeftBodySize > 0); // Should, really
+    if (theLeftBodySize > 0) {
+        buf_ = tok.remaining(); // sync buffers before buf_ use
 
-    buf_ = tok.remaining(); // sync buffers before buf_ use
+        // TODO fix type mismatches and casting for these
+        const size_t availSize = min(theLeftBodySize, (uint64_t)buf_.length());
+        const size_t safeSize = min(availSize, (size_t)theOut->potentialSpaceSize());
 
-    // TODO fix type mismatches and casting for these
-    const size_t availSize = min(theLeftBodySize, (uint64_t)buf_.length());
-    const size_t safeSize = min(availSize, (size_t)theOut->potentialSpaceSize());
+        theOut->append(buf_.rawContent(), safeSize);
+        buf_.consume(safeSize);
+        theLeftBodySize -= safeSize;
 
-    theOut->append(buf_.rawContent(), safeSize);
-    buf_.consume(safeSize);
-    theLeftBodySize -= safeSize;
-
-    tok.reset(buf_); // sync buffers after consume()
+        tok.reset(buf_); // sync buffers after consume()
+    }
 
     if (theLeftBodySize == 0)
         return parseChunkEnd(tok);
diff -u -r -N squid-4.0.1/src/http/RegisteredHeaders.h squid-4.0.2/src/http/RegisteredHeaders.h
--- squid-4.0.1/src/http/RegisteredHeaders.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/http/RegisteredHeaders.h	2015-11-01 04:17:47.000000000 -0800
@@ -10,7 +10,9 @@
 #define SQUID_HTTP_REGISTEREDHEADERS_H
 
 #include "base/LookupTable.h"
+
 #include <iosfwd>
+#include <vector>
 
 namespace Http
 {
diff -u -r -N squid-4.0.1/src/http.cc squid-4.0.2/src/http.cc
--- squid-4.0.1/src/http.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/http.cc	2015-11-01 04:17:47.000000000 -0800
@@ -723,11 +723,10 @@
             }
         }
 
-        flags.headers_parsed = true;
-
         if (!parsedOk) {
             // unrecoverable parsing error
             debugs(11, 3, "Non-HTTP-compliant header:\n---------\n" << inBuf << "\n----------");
+            flags.headers_parsed = true;
             HttpReply *newrep = new HttpReply;
             newrep->sline.set(Http::ProtocolVersion(), hp->messageStatus());
             HttpReply *vrep = setVirginReply(newrep);
diff -u -r -N squid-4.0.1/src/ip/Qos.cci squid-4.0.2/src/ip/Qos.cci
--- squid-4.0.1/src/ip/Qos.cci	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/ip/Qos.cci	2015-11-01 04:17:47.000000000 -0800
@@ -19,6 +19,8 @@
     //     so we convert to a int before setting.
     int bTos = tos;
 
+    debugs(50, 3, "for FD " << fd << " to " << bTos);
+
     if (type == AF_INET) {
 #if defined(IP_TOS)
         const int x = setsockopt(fd, IPPROTO_IP, IP_TOS, &bTos, sizeof(bTos));
@@ -48,9 +50,7 @@
 Ip::Qos::setSockTos(const Comm::ConnectionPointer &conn, tos_t tos)
 {
     const int x = Ip::Qos::setSockTos(conn->fd, tos, conn->remote.isIPv4() ? AF_INET : AF_INET6);
-    if (x >= 0)
-        conn->tos = tos;
-
+    conn->tos = (x >= 0) ? tos : 0;
     return x;
 }
 
@@ -58,6 +58,7 @@
 Ip::Qos::setSockNfmark(const int fd, nfmark_t mark)
 {
 #if SO_MARK && USE_LIBCAP
+    debugs(50, 3, "for FD " << fd << " to " << mark);
     const int x = setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(nfmark_t));
     if (x < 0)
         debugs(50, 2, "setSockNfmark: setsockopt(SO_MARK) on " << fd << ": " << xstrerror());
@@ -75,8 +76,7 @@
 Ip::Qos::setSockNfmark(const Comm::ConnectionPointer &conn, nfmark_t mark)
 {
     const int x = Ip::Qos::setSockNfmark(conn->fd, mark);
-    if (x >= 0)
-        conn->nfmark = mark;
+    conn->nfmark = (x >= 0) ? mark : 0;
     return x;
 }
 
diff -u -r -N squid-4.0.1/src/main.cc squid-4.0.2/src/main.cc
--- squid-4.0.1/src/main.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/main.cc	2015-11-01 04:17:47.000000000 -0800
@@ -237,29 +237,55 @@
 {
     PROF_start(SignalEngine_checkEvents);
 
-    if (do_reconfigure) {
-        if (!reconfiguring && configured_once) {
-            mainReconfigureStart();
-            do_reconfigure = 0;
-        } // else wait until previous reconfigure is done
-    } else if (do_rotate) {
+    if (do_reconfigure)
+        mainReconfigureStart();
+    else if (do_rotate)
         mainRotate();
-        do_rotate = 0;
-    } else if (do_shutdown) {
+    else if (do_shutdown)
         doShutdown(do_shutdown > 0 ? (int) Config.shutdownLifetime : 0);
-        do_shutdown = 0;
-    }
-    if (do_handle_stopped_child) {
-        do_handle_stopped_child = 0;
+    if (do_handle_stopped_child)
         handleStoppedChild();
-    }
     PROF_stop(SignalEngine_checkEvents);
     return EVENT_IDLE;
 }
 
+/// Decides whether the signal-controlled action X should be delayed, canceled,
+/// or executed immediately. Clears do_X (via signalVar) as needed.
+static bool
+AvoidSignalAction(const char *description, volatile int &signalVar)
+{
+    const char *avoiding = "delaying";
+    const char *currentEvent = "none";
+    if (shutting_down) {
+        currentEvent = "shutdown";
+        avoiding = "canceling";
+        // do not avoid repeated shutdown signals
+        // which just means the user wants to skip/abort shutdown timeouts
+        if (strcmp(currentEvent, description) == 0)
+            return false;
+        signalVar = 0;
+    }
+    else if (!configured_once)
+        currentEvent = "startup";
+    else if (reconfiguring)
+        currentEvent = "reconfiguration";
+    else {
+        signalVar = 0;
+        return false; // do not avoid (i.e., execute immediately)
+        // the caller may produce a signal-specific debugging message
+    }
+
+    debugs(1, DBG_IMPORTANT, avoiding << ' ' << description <<
+           " request during " << currentEvent);
+    return true;
+}
+
 void
 SignalEngine::doShutdown(time_t wait)
 {
+    if (AvoidSignalAction("shutdown", do_shutdown))
+        return;
+
     debugs(1, DBG_IMPORTANT, "Preparing for shutdown after " << statCounter.client_http.requests << " requests");
     debugs(1, DBG_IMPORTANT, "Waiting " << wait << " seconds for active connections to finish");
 
@@ -297,6 +323,10 @@
 void
 SignalEngine::handleStoppedChild()
 {
+    // no AvoidSignalAction() call: This code can run at any time because it
+    // does not depend on Squid state. It does not need debugging because it
+    // handles an "internal" signal, not an external/admin command.
+    do_handle_stopped_child = 0;
 #if !_SQUID_WINDOWS_
     PidStatus status;
     pid_t pid;
@@ -805,6 +835,9 @@
 static void
 mainReconfigureStart(void)
 {
+    if (AvoidSignalAction("reconfiguration", do_reconfigure))
+        return;
+
     debugs(1, DBG_IMPORTANT, "Reconfiguring Squid Cache (version " << version_string << ")...");
     reconfiguring = 1;
 
@@ -962,15 +995,14 @@
         writePidFile(); /* write PID file */
 
     reconfiguring = 0;
-
-    // ignore any pending re-reconfigure signals if shutdown received
-    if (do_shutdown)
-        do_reconfigure = 0;
 }
 
 static void
 mainRotate(void)
 {
+    if (AvoidSignalAction("log rotation", do_rotate))
+        return;
+
     icmpEngine.Close();
     redirectShutdown();
 #if USE_AUTH
@@ -1476,7 +1508,6 @@
         Format::Token::Init(); // XXX: temporary. Use a runners registry of pre-parse runners instead.
 
         try {
-            do_reconfigure = 0; // ignore any early (boot/startup) reconfigure signals
             parse_err = parseConfigFile(ConfigFile);
         } catch (...) {
             // for now any errors are a fatal condition...
diff -u -r -N squid-4.0.1/src/mem/AllocatorProxy.h squid-4.0.2/src/mem/AllocatorProxy.h
--- squid-4.0.1/src/mem/AllocatorProxy.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/mem/AllocatorProxy.h	2015-11-01 04:17:47.000000000 -0800
@@ -39,6 +39,7 @@
         if (address) \
             Pool().freeOne(address); \
     } \
+    static int UseCount() { return Pool().inUseCount(); } \
     private:
 
 namespace Mem
diff -u -r -N squid-4.0.1/src/peer_digest.cc squid-4.0.2/src/peer_digest.cc
--- squid-4.0.1/src/peer_digest.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/peer_digest.cc	2015-11-01 04:17:47.000000000 -0800
@@ -351,7 +351,7 @@
             p->login[0] != '*' &&
             strcmp(p->login, "PASS") != 0 &&
             strcmp(p->login, "PASSTHRU") != 0 &&
-            strcmp(p->login, "NEGOTIATE") != 0 &&
+            strncmp(p->login, "NEGOTIATE",9) != 0 &&
             strcmp(p->login, "PROXYPASS") != 0) {
         req->url.userInfo(SBuf(p->login)); // XXX: performance regression make peer login SBuf as well.
     }
diff -u -r -N squid-4.0.1/src/SBuf.cc squid-4.0.2/src/SBuf.cc
--- squid-4.0.1/src/SBuf.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/SBuf.cc	2015-11-01 04:17:47.000000000 -0800
@@ -160,6 +160,7 @@
 SBuf&
 SBuf::assign(const char *S, size_type n)
 {
+    const Locker blobKeeper(this, S);
     debugs(24, 6, id << " from c-string, n=" << n << ")");
     clear();
     return append(S, n); //bounds checked in append()
@@ -213,12 +214,14 @@
 SBuf&
 SBuf::append(const SBuf &S)
 {
+    const Locker blobKeeper(this, S.buf());
     return lowAppend(S.buf(), S.length());
 }
 
 SBuf &
 SBuf::append(const char * S, size_type Ssize)
 {
+    const Locker blobKeeper(this, S);
     if (S == NULL)
         return *this;
     if (Ssize == SBuf::npos)
@@ -237,6 +240,10 @@
 SBuf&
 SBuf::Printf(const char *fmt, ...)
 {
+    // with printf() the fmt or an arg might be a dangerous char*
+    // NP: cant rely on vappendf() Locker because of clear()
+    const Locker blobKeeper(this, buf());
+
     va_list args;
     va_start(args, fmt);
     clear();
@@ -258,6 +265,9 @@
 SBuf&
 SBuf::vappendf(const char *fmt, va_list vargs)
 {
+    // with (v)appendf() the fmt or an arg might be a dangerous char*
+    const Locker blobKeeper(this, buf());
+
     Must(fmt != NULL);
     int sz = 0;
     //reserve twice the format-string size, it's a likely heuristic
@@ -852,6 +862,10 @@
 int
 SBuf::scanf(const char *format, ...)
 {
+    // with the format or an arg might be a dangerous char*
+    // that gets invalidated by c_str()
+    const Locker blobKeeper(this, buf());
+
     va_list arg;
     int rv;
     ++stats.scanf;
diff -u -r -N squid-4.0.1/src/SBuf.h squid-4.0.2/src/SBuf.h
--- squid-4.0.1/src/SBuf.h	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/SBuf.h	2015-11-01 04:17:47.000000000 -0800
@@ -667,6 +667,27 @@
     // TODO: possibly implement a replace() call
 private:
 
+    /**
+     * Keeps SBuf's MemBlob alive in a blob-destroying context where
+     * a seemingly unrelated memory pointer may belong to the same blob.
+     * For [an extreme] example, consider: a.append(a).
+     * Compared to an SBuf temporary, this class is optimized to
+     * preserve blobs only if needed and to reduce debugging noise.
+     */
+    class Locker
+    {
+    public:
+        Locker(SBuf *parent, const char *otherBuffer) {
+            // lock if otherBuffer intersects the parents buffer area
+            const MemBlob *blob = parent->store_.getRaw();
+            if (blob->mem <= otherBuffer && otherBuffer < (blob->mem + blob->capacity))
+                locket = blob;
+        }
+    private:
+        MemBlob::Pointer locket;
+    };
+    friend class Locker;
+
     MemBlob::Pointer store_; ///< memory block, possibly shared with other SBufs
     size_type off_; ///< our content start offset from the beginning of shared store_
     size_type len_; ///< number of our content bytes in shared store_
diff -u -r -N squid-4.0.1/src/tools.cc squid-4.0.2/src/tools.cc
--- squid-4.0.1/src/tools.cc	2015-10-13 23:09:26.000000000 -0700
+++ squid-4.0.2/src/tools.cc	2015-11-01 04:17:47.000000000 -0800
@@ -810,7 +810,7 @@
 #endif
 
     if (getrlimit(RLIMIT_NOFILE, &rl) < 0) {
-        debugs(50, DBG_CRITICAL, "setrlimit: RLIMIT_NOFILE: " << xstrerror());
+        debugs(50, DBG_CRITICAL, "getrlimit: RLIMIT_NOFILE: " << xstrerror());
     } else if (Config.max_filedescriptors > 0) {
 #if USE_SELECT || USE_SELECT_WIN32
         /* select() breaks if this gets set too big */
@@ -856,7 +856,7 @@
 #endif
 
     if (getrlimit(RLIMIT_NOFILE, &rl) < 0) {
-        debugs(50, DBG_CRITICAL, "setrlimit: RLIMIT_NOFILE: " << xstrerror());
+        debugs(50, DBG_CRITICAL, "getrlimit: RLIMIT_NOFILE: " << xstrerror());
     } else {
         rl.rlim_cur = Squid_MaxFD;
         if (setrlimit(RLIMIT_NOFILE, &rl) < 0) {
diff -u -r -N squid-4.0.1/tools/helper-mux/helper-mux.8 squid-4.0.2/tools/helper-mux/helper-mux.8
--- squid-4.0.1/tools/helper-mux/helper-mux.8	2015-10-14 00:11:54.000000000 -0700
+++ squid-4.0.2/tools/helper-mux/helper-mux.8	2015-11-01 05:16:14.000000000 -0800
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "HELPER-MUX 8"
-.TH HELPER-MUX 8 "2015-10-14" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH HELPER-MUX 8 "2015-11-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l