diff -u -r -N squid-6.4/ChangeLog squid-6.5/ChangeLog
--- squid-6.4/ChangeLog	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/ChangeLog	2023-11-06 16:41:43.000000000 +1300
@@ -1,3 +1,11 @@
+Changes in squid-6.5 (5 Nov 2023):
+
+	- Bug 5309: frequent "lowestOffset () <= target_offset" assertion
+	- Bug 4977: Remove mem_hdr::freeDataUpto() assertion
+	- Fix handling of expanding HTTP header values
+	- Fix RFC 1123 date parsing
+	- Gracefully shutdown when helper process startup fails
+
 Changes in squid-6.4 (22 Oct 2023):
 
 	- Regression: Restore support for legacy cache_object cache manager requests
diff -u -r -N squid-6.4/configure squid-6.5/configure
--- squid-6.4/configure	2023-10-22 01:43:00.000000000 +1300
+++ squid-6.5/configure	2023-11-06 17:32:33.000000000 +1300
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Squid Web Proxy 6.4.
+# Generated by GNU Autoconf 2.71 for Squid Web Proxy 6.5.
 #
 # Report bugs to <https://bugs.squid-cache.org/>.
 #
@@ -626,8 +626,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='6.4'
-PACKAGE_STRING='Squid Web Proxy 6.4'
+PACKAGE_VERSION='6.5'
+PACKAGE_STRING='Squid Web Proxy 6.5'
 PACKAGE_BUGREPORT='https://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1696,7 +1696,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 6.4 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 6.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1767,7 +1767,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 6.4:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 6.5:";;
    esac
   cat <<\_ACEOF
 
@@ -2187,7 +2187,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 6.4
+Squid Web Proxy configure 6.5
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -3200,7 +3200,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 6.4, which was
+It was created by Squid Web Proxy $as_me 6.5, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -4692,7 +4692,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='6.4'
+ VERSION='6.5'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -56854,7 +56854,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 6.4, which was
+This file was extended by Squid Web Proxy $as_me 6.5, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -56922,7 +56922,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-Squid Web Proxy config.status 6.4
+Squid Web Proxy config.status 6.5
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-6.4/configure.ac squid-6.5/configure.ac
--- squid-6.4/configure.ac	2023-10-22 01:43:00.000000000 +1300
+++ squid-6.5/configure.ac	2023-11-06 17:32:33.000000000 +1300
@@ -5,7 +5,7 @@
 ## Please see the COPYING and CONTRIBUTORS files for details.
 ##
 
-AC_INIT([Squid Web Proxy],[6.4],[https://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[6.5],[https://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-6.4/doc/release-notes/release-6.html squid-6.5/doc/release-notes/release-6.html
--- squid-6.4/doc/release-notes/release-6.html	2023-10-22 01:47:10.000000000 +1300
+++ squid-6.5/doc/release-notes/release-6.html	2023-11-06 17:36:30.000000000 +1300
@@ -3,10 +3,10 @@
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.83">
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <TITLE>Squid 6.4 release notes</TITLE>
+ <TITLE>Squid 6.5 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 6.4 release notes</H1>
+<H1>Squid 6.5 release notes</H1>
 
 <H2>Squid Developers</H2>
 <P>
@@ -59,7 +59,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-6.4 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-6.5 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v6/">http://www.squid-cache.org/Versions/v6/</A> or the
 <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-6.4/include/version.h squid-6.5/include/version.h
--- squid-6.4/include/version.h	2023-10-22 01:43:00.000000000 +1300
+++ squid-6.5/include/version.h	2023-11-06 17:32:33.000000000 +1300
@@ -10,7 +10,7 @@
 #define SQUID_VERSION_H
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1697892169
+#define SQUID_RELEASE_TIME 1699245141
 #endif
 
 /*
diff -u -r -N squid-6.4/RELEASENOTES.html squid-6.5/RELEASENOTES.html
--- squid-6.4/RELEASENOTES.html	2023-10-22 01:47:10.000000000 +1300
+++ squid-6.5/RELEASENOTES.html	2023-11-06 17:36:30.000000000 +1300
@@ -3,10 +3,10 @@
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.83">
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <TITLE>Squid 6.4 release notes</TITLE>
+ <TITLE>Squid 6.5 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 6.4 release notes</H1>
+<H1>Squid 6.5 release notes</H1>
 
 <H2>Squid Developers</H2>
 <P>
@@ -59,7 +59,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-6.4 for testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-6.5 for testing.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v6/">http://www.squid-cache.org/Versions/v6/</A> or the
 <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-6.4/scripts/update-contributors.pl squid-6.5/scripts/update-contributors.pl
--- squid-6.4/scripts/update-contributors.pl	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/scripts/update-contributors.pl	2023-11-06 16:41:43.000000000 +1300
@@ -9,6 +9,7 @@
 
 use strict;
 use warnings;
+use Getopt::Long;
 
 # Reads (presumed to be previously vetted) CONTRIBUTORS file.
 # Reads untrusted CONTIBUTORS-like new input (without the preamble).
@@ -26,6 +27,16 @@
 my $SkippedEmptyLines = 0;
 my $SkippedBadLines = 0;
 
+# Brief display by default.
+# Use --quiet for no output
+# Use -v or --verbose for more details, repeating them for even more details.
+my $VerboseOutput = 1;
+
+GetOptions(
+    'quiet' => sub { $VerboseOutput = 0 },
+    'verbose+' => \$VerboseOutput, 'v+' => \$VerboseOutput,
+    ) or die("$0: Bad command line arguments\n");
+
 my @VettedContributors = ();
 my @NewContributors = ();
 my %Problems = ();
@@ -269,14 +280,16 @@
         die(ref($c)) unless ref($c) eq 'HASH';
 
         if (&isManuallyExcluded($c)) {
-            &noteProblem("Skipping banned entry: %s\n", $c->{raw});
+            &noteProblem("Skipping banned entry: %s\n", $c->{raw}) if ($VerboseOutput > 0);
             ++$SkippedBanned;
             next;
         }
 
         if (my ($vettedC) = grep { &similarToVetted($c, $_) } @VettedContributors) {
-            &noteProblem("Skipping already vetted:\n    %s\n    %s\n", $vettedC->{raw}, $c->{raw})
-                unless &contributorToString($vettedC) eq &contributorToString($c);
+            if ($VerboseOutput > 1) {
+                &noteProblem("Skipping already vetted:\n    %s\n    %s\n", $vettedC->{raw}, $c->{raw})
+                    unless &contributorToString($vettedC) eq &contributorToString($c);
+            }
             ++$SkippedAlreadyVetted;
             next;
         }
@@ -292,8 +305,10 @@
     while (@NewContributors) {
         my $c = pop @NewContributors;
         if (my ($otherC) = grep { &worseThan($c, $_) } (@VettedContributors, @NewContributors, @ngContributors)) {
-            &noteProblem("Skipping very similar:\n    %s\n    %s\n", $otherC->{raw}, $c->{raw})
-                unless &contributorToString($otherC) eq &contributorToString($c);
+            if ($VerboseOutput > 0) {
+                &noteProblem("Skipping very similar:\n    %s\n    %s\n", $otherC->{raw}, $c->{raw})
+                    unless &contributorToString($otherC) eq &contributorToString($c);
+            }
             ++$SkippedNewDuplicates;
             next;
         }
@@ -341,20 +356,27 @@
 
     &printContributors();
 
-    # TODO: Disable this debugging-like dump (by default). Or just remove?
-    printf(STDERR "Vetted lines in:     %4d\n", $VettedLinesIn);
-    printf(STDERR "Updated lines out:   %4d\n", $LinesOut);
-    printf(STDERR "\n");
-    printf(STDERR "New lines in:        %4d\n", $NewLinesIn);
-    printf(STDERR "Skipped empty lines: %4d\n", $SkippedEmptyLines);
-    printf(STDERR "Skipped banned:      %4d\n", $SkippedBanned);
-    printf(STDERR "Skipped similar:     %4d\n", $SkippedAlreadyVetted);
-    printf(STDERR "Skipped duplicates:  %4d\n", $SkippedNewDuplicates);
-    printf(STDERR "Skipped bad lines:   %4d\n", $SkippedBadLines);
-    printf(STDERR "\n");
-    printf(STDERR "Vetted contributors: %3d\n", scalar @VettedContributors);
-    printf(STDERR "New contributors:    %3d\n", scalar @NewContributors);
-    printf(STDERR "Contributors out:    %3d\n", @VettedContributors + @NewContributors);
+    if ($VerboseOutput > 1) {
+        printf(STDERR "Vetted lines in:     %4d\n", $VettedLinesIn);
+        printf(STDERR "Updated lines out:   %4d\n", $LinesOut);
+        printf(STDERR "\n");
+    }
+    if ($VerboseOutput > 2) {
+        printf(STDERR "New lines in:        %4d\n", $NewLinesIn);
+        printf(STDERR "Skipped empty lines: %4d\n", $SkippedEmptyLines) unless ($SkippedEmptyLines == 0);
+        printf(STDERR "Skipped duplicates:  %4d\n", $SkippedNewDuplicates) unless ($SkippedNewDuplicates == 0);
+    }
+    if ($VerboseOutput > 1) {
+        printf(STDERR "Skipped banned:      %4d\n", $SkippedBanned) unless ($SkippedBanned == 0);
+        printf(STDERR "Skipped similar:     %4d\n", $SkippedAlreadyVetted) unless ($SkippedAlreadyVetted == 0);
+    }
+    if ($VerboseOutput > 0) {
+        printf(STDERR "Skipped bad lines:   %4d\n", $SkippedBadLines) unless ($SkippedBadLines == 0);
+        printf(STDERR "\n");
+        printf(STDERR "Vetted contributors: %3d\n", scalar @VettedContributors) if ($VerboseOutput > 1);
+        printf(STDERR "New contributors:    %3d\n", scalar @NewContributors) unless (scalar @NewContributors == 0);
+        printf(STDERR "Contributors out:    %3d\n", @VettedContributors + @NewContributors) if ($VerboseOutput > 1);
+    }
 
     return 0;
 }
diff -u -r -N squid-6.4/src/acl/external/delayer/ext_delayer_acl.8 squid-6.5/src/acl/external/delayer/ext_delayer_acl.8
--- squid-6.4/src/acl/external/delayer/ext_delayer_acl.8	2023-10-22 01:47:13.000000000 +1300
+++ squid-6.5/src/acl/external/delayer/ext_delayer_acl.8	2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 squid-6.5/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8
--- squid-6.4/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8	2023-10-22 01:47:13.000000000 +1300
+++ squid-6.5/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8	2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8"
-.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-6.5/src/acl/external/SQL_session/ext_sql_session_acl.8
--- squid-6.4/src/acl/external/SQL_session/ext_sql_session_acl.8	2023-10-22 01:47:14.000000000 +1300
+++ squid-6.5/src/acl/external/SQL_session/ext_sql_session_acl.8	2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-6.5/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-6.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8	2023-10-22 01:47:14.000000000 +1300
+++ squid-6.5/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8	2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/auth/basic/DB/basic_db_auth.8 squid-6.5/src/auth/basic/DB/basic_db_auth.8
--- squid-6.4/src/auth/basic/DB/basic_db_auth.8	2023-10-22 01:47:15.000000000 +1300
+++ squid-6.5/src/auth/basic/DB/basic_db_auth.8	2023-11-06 17:36:36.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/auth/basic/POP3/basic_pop3_auth.8 squid-6.5/src/auth/basic/POP3/basic_pop3_auth.8
--- squid-6.4/src/auth/basic/POP3/basic_pop3_auth.8	2023-10-22 01:47:15.000000000 +1300
+++ squid-6.5/src/auth/basic/POP3/basic_pop3_auth.8	2023-11-06 17:36:36.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/cache_cf.cc squid-6.5/src/cache_cf.cc
--- squid-6.4/src/cache_cf.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/cache_cf.cc	2023-11-06 16:41:43.000000000 +1300
@@ -1007,6 +1007,18 @@
                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
     }
 
+    // Warn about the dangers of exceeding String limits when manipulating HTTP
+    // headers. Technically, we do not concatenate _requests_, so we could relax
+    // their check, but we keep the two checks the same for simplicity sake.
+    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
+    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
+    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
+        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
+               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
+    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
+        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
+               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
+
     /*
      * Disable client side request pipelining if client_persistent_connections OFF.
      * Waste of resources queueing any pipelined requests when the first will close the connection.
diff -u -r -N squid-6.4/src/cf.data.pre squid-6.5/src/cf.data.pre
--- squid-6.4/src/cf.data.pre	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/cf.data.pre	2023-11-06 16:41:43.000000000 +1300
@@ -6753,11 +6753,14 @@
 DEFAULT: 64 KB
 LOC: Config.maxRequestHeaderSize
 DOC_START
-	This specifies the maximum size for HTTP headers in a request.
-	Request headers are usually relatively small (about 512 bytes).
-	Placing a limit on the request header size will catch certain
-	bugs (for example with persistent connections) and possibly
-	buffer-overflow or denial-of-service attacks.
+	This directives limits the header size of a received HTTP request
+	(including request-line). Increasing this limit beyond its 64 KB default
+	exposes certain old Squid code to various denial-of-service attacks. This
+	limit also applies to received FTP commands.
+
+	This limit has no direct affect on Squid memory consumption.
+
+	Squid does not check this limit when sending requests.
 DOC_END
 
 NAME: reply_header_max_size
@@ -6766,11 +6769,14 @@
 DEFAULT: 64 KB
 LOC: Config.maxReplyHeaderSize
 DOC_START
-	This specifies the maximum size for HTTP headers in a reply.
-	Reply headers are usually relatively small (about 512 bytes).
-	Placing a limit on the reply header size will catch certain
-	bugs (for example with persistent connections) and possibly
-	buffer-overflow or denial-of-service attacks.
+	This directives limits the header size of a received HTTP response
+	(including status-line). Increasing this limit beyond its 64 KB default
+	exposes certain old Squid code to various denial-of-service attacks. This
+	limit also applies to FTP command responses.
+
+	Squid also checks this limit when loading hit responses from disk cache.
+
+	Squid does not check this limit when sending responses.
 DOC_END
 
 NAME: request_body_max_size
diff -u -r -N squid-6.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-6.5/src/http/url_rewriters/LFS/url_lfs_rewrite.8
--- squid-6.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8	2023-10-22 01:47:16.000000000 +1300
+++ squid-6.5/src/http/url_rewriters/LFS/url_lfs_rewrite.8	2023-11-06 17:36:37.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "URL_LFS_REWRITE 8"
-.TH URL_LFS_REWRITE 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH URL_LFS_REWRITE 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/http.cc squid-6.5/src/http.cc
--- squid-6.4/src/http.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/http.cc	2023-11-06 16:41:43.000000000 +1300
@@ -1900,8 +1900,9 @@
 
         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
 
-        // if we cannot double strFwd size, then it grew past 50% of the limit
-        if (!strFwd.canGrowBy(strFwd.size())) {
+        // Detect unreasonably long header values. And paranoidly check String
+        // limits: a String ought to accommodate two reasonable-length values.
+        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
             // There is probably a forwarding loop with Via detection disabled.
             // If we do nothing, String will assert on overflow soon.
             // TODO: Terminate all transactions with huge XFF?
diff -u -r -N squid-6.4/src/ipc.cc squid-6.5/src/ipc.cc
--- squid-6.4/src/ipc.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/ipc.cc	2023-11-06 16:41:43.000000000 +1300
@@ -22,6 +22,11 @@
 
 #include <chrono>
 #include <thread>
+#include <cstdlib>
+
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
 
 static const char *hello_string = "hi there\n";
 #ifndef HELLO_BUF_SZ
@@ -362,6 +367,22 @@
     }
 
     PutEnvironment();
+
+    // A dup(2) wrapper that reports and exits the process on errors. The
+    // exiting logic is only suitable for this child process context.
+    const auto dupOrExit = [prog,name](const int oldFd) {
+        const auto newFd = dup(oldFd);
+        if (newFd < 0) {
+            const auto savedErrno = errno;
+            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
+                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
+                   Debug::Extra << "helper program name: " << prog <<
+                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
+            _exit(EXIT_FAILURE);
+        }
+        return newFd;
+    };
+
     /*
      * This double-dup stuff avoids problems when one of
      *  crfd, cwfd, or debug_log are in the rage 0-2.
@@ -369,17 +390,16 @@
 
     do {
         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
-        x = dup(crfd);
-        assert(x > -1);
-    } while (x < 3 && x > -1);
+        x = dupOrExit(crfd);
+    } while (x < 3);
 
     close(x);
 
-    t1 = dup(crfd);
+    t1 = dupOrExit(crfd);
 
-    t2 = dup(cwfd);
+    t2 = dupOrExit(cwfd);
 
-    t3 = dup(fileno(debug_log));
+    t3 = dupOrExit(fileno(debug_log));
 
     assert(t1 > 2 && t2 > 2 && t3 > 2);
 
diff -u -r -N squid-6.4/src/log/DB/log_db_daemon.8 squid-6.5/src/log/DB/log_db_daemon.8
--- squid-6.4/src/log/DB/log_db_daemon.8	2023-10-22 01:47:16.000000000 +1300
+++ squid-6.5/src/log/DB/log_db_daemon.8	2023-11-06 17:36:37.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 8"
-.TH LOG_DB_DAEMON 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/mem/old_api.cc squid-6.5/src/mem/old_api.cc
--- squid-6.4/src/mem/old_api.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/mem/old_api.cc	2023-11-06 16:41:43.000000000 +1300
@@ -414,7 +414,7 @@
         new_pool_limit = Config.MemPools.limit;
     else {
         if (Config.MemPools.limit == 0)
-            debugs(13, DBG_IMPORTANT, "memory_pools_limit 0 has been chagned to memory_pools_limit none. Please update your config");
+            debugs(13, DBG_IMPORTANT, "memory_pools_limit 0 has been changed to memory_pools_limit none. Please update your config");
         new_pool_limit = -1;
     }
 
diff -u -r -N squid-6.4/src/MemObject.cc squid-6.5/src/MemObject.cc
--- squid-6.4/src/MemObject.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/MemObject.cc	2023-11-06 16:41:43.000000000 +1300
@@ -167,7 +167,7 @@
 
     void operator() (store_client const &x) {
         if (x.getType() == STORE_MEM_CLIENT)
-            current = std::min(current, x.readOffset());
+            current = std::min(current, x.discardableHttpEnd());
     }
 
     int64_t current;
diff -u -r -N squid-6.4/src/security/cert_validators/fake/security_fake_certverify.8 squid-6.5/src/security/cert_validators/fake/security_fake_certverify.8
--- squid-6.4/src/security/cert_validators/fake/security_fake_certverify.8	2023-10-22 01:47:16.000000000 +1300
+++ squid-6.5/src/security/cert_validators/fake/security_fake_certverify.8	2023-11-06 17:36:38.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SECURITY_FAKE_CERTVERIFY 8"
-.TH SECURITY_FAKE_CERTVERIFY 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH SECURITY_FAKE_CERTVERIFY 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/SquidString.h squid-6.5/src/SquidString.h
--- squid-6.4/src/SquidString.h	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/SquidString.h	2023-11-06 16:41:43.000000000 +1300
@@ -140,7 +140,16 @@
 
     size_type len_ = 0;  /* current length  */
 
-    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
+    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
+    /// (a) we do not know where those buffers are (or whether they still exist)
+    /// (b) too many String users unknowingly exceeded that limit and asserted.
+    /// We are now using a larger limit to reduce the number of (b) cases,
+    /// especially cases where "compact" lists of items grow 50% in size when we
+    /// convert them to canonical form. The new limit is selected to withstand
+    /// concatenation and ~50% expansion of two HTTP headers limited by default
+    /// request_header_max_size and reply_header_max_size settings.
+    static const size_type SizeMax_ = 3*64*1024 - 1;
+
     /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
     static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
 
diff -u -r -N squid-6.4/src/stmem.cc squid-6.5/src/stmem.cc
--- squid-6.4/src/stmem.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/stmem.cc	2023-11-06 16:41:43.000000000 +1300
@@ -95,8 +95,6 @@
             break;
     }
 
-    assert (lowestOffset () <= target_offset);
-
     return lowestOffset ();
 }
 
diff -u -r -N squid-6.4/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-6.5/src/store/id_rewriters/file/storeid_file_rewrite.8
--- squid-6.4/src/store/id_rewriters/file/storeid_file_rewrite.8	2023-10-22 01:47:14.000000000 +1300
+++ squid-6.5/src/store/id_rewriters/file/storeid_file_rewrite.8	2023-11-06 17:36:35.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-6.4/src/store_client.cc squid-6.5/src/store_client.cc
--- squid-6.4/src/store_client.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/store_client.cc	2023-11-06 16:41:43.000000000 +1300
@@ -163,6 +163,16 @@
         result = parsingBuffer->packBack();
     result.flags.error = object_ok ? 0 : 1;
 
+    // TODO: Move object_ok handling above into this `if` statement.
+    if (object_ok) {
+        // works for zero hdr_sz cases as well; see also: nextHttpReadOffset()
+        discardableHttpEnd_ = NaturalSum<int64_t>(entry->mem().baseReply().hdr_sz, result.offset, result.length).value();
+    } else {
+        // object_ok is sticky, so we will not be able to use any response bytes
+        discardableHttpEnd_ = entry->mem().endOffset();
+    }
+    debugs(90, 7, "with " << result << "; discardableHttpEnd_=" << discardableHttpEnd_);
+
     // no HTTP headers and no body bytes (but not because there was no space)
     atEof_ = !sendingHttpHeaders() && !result.length && copyInto.length;
 
@@ -265,6 +275,9 @@
 
     parsingBuffer.emplace(copyInto);
 
+    discardableHttpEnd_ = nextHttpReadOffset();
+    debugs(90, 7, "discardableHttpEnd_=" << discardableHttpEnd_);
+
     static bool copying (false);
     assert (!copying);
     copying = true;
diff -u -r -N squid-6.4/src/StoreClient.h squid-6.5/src/StoreClient.h
--- squid-6.4/src/StoreClient.h	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/StoreClient.h	2023-11-06 16:41:43.000000000 +1300
@@ -74,15 +74,8 @@
     explicit store_client(StoreEntry *);
     ~store_client();
 
-    /// An offset into the stored response bytes, including the HTTP response
-    /// headers (if any). Note that this offset does not include Store entry
-    /// metadata, because it is not a part of the stored response.
-    /// \retval 0 means the client wants to read HTTP response headers.
-    /// \retval +N the response byte that the client wants to read next.
-    /// \retval -N should not occur.
-    // TODO: Callers do not expect negative offset. Verify that the return
-    // value cannot be negative and convert to unsigned in this case.
-    int64_t readOffset() const { return copyInto.offset; }
+    /// the client will not use HTTP response bytes with lower offsets (if any)
+    auto discardableHttpEnd() const { return discardableHttpEnd_; }
 
     int getType() const;
 
@@ -175,8 +168,16 @@
 
     /// Storage and metadata associated with the current copy() request. Ought
     /// to be ignored when not answering a copy() request.
+    /// * copyInto.offset is the requested HTTP response body offset;
+    /// * copyInto.data is the client-owned, client-provided result buffer;
+    /// * copyInto.length is the size of the .data result buffer;
+    /// * copyInto.flags are unused by this class.
     StoreIOBuffer copyInto;
 
+    // TODO: Convert to uint64_t after fixing mem_hdr::endOffset() and friends.
+    /// \copydoc discardableHttpEnd()
+    int64_t discardableHttpEnd_ = 0;
+
     /// the total number of finishCallback() calls
     uint64_t answers;
 
diff -u -r -N squid-6.4/src/time/rfc1123.cc squid-6.5/src/time/rfc1123.cc
--- squid-6.4/src/time/rfc1123.cc	2023-10-21 11:40:41.000000000 +1300
+++ squid-6.5/src/time/rfc1123.cc	2023-11-06 16:41:43.000000000 +1300
@@ -50,7 +50,13 @@
     char month[3];
 
     month[0] = xtoupper(*s);
+    if (!month[0])
+        return -1; // protects *(s + 1) below
+
     month[1] = xtolower(*(s + 1));
+    if (!month[1])
+        return -1; // protects *(s + 2) below
+
     month[2] = xtolower(*(s + 2));
 
     for (i = 0; i < 12; i++)
diff -u -r -N squid-6.4/tools/helper-mux/helper-mux.8 squid-6.5/tools/helper-mux/helper-mux.8
--- squid-6.4/tools/helper-mux/helper-mux.8	2023-10-22 01:47:17.000000000 +1300
+++ squid-6.5/tools/helper-mux/helper-mux.8	2023-11-06 17:36:38.000000000 +1300
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "HELPER-MUX 8"
-.TH HELPER-MUX 8 "2023-10-21" "perl v5.36.0" "User Contributed Perl Documentation"
+.TH HELPER-MUX 8 "2023-11-06" "perl v5.36.0" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l