diff -u -r -N squid-3.4.0.3/ChangeLog squid-3.4.1/ChangeLog
--- squid-3.4.0.3/ChangeLog	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/ChangeLog	2013-12-09 14:20:54.000000000 +1300
@@ -1,3 +1,10 @@
+Changes to squid-3.4.1 (09 Dec 2013):
+
+	- Bug 3935: Invalid pointer dereference when peeking at origin server certificate
+	- Bug 3589: intercepted and ICAP modified request using a cache_peer
+	- ... and several portability fixes
+	- ... and some documentation updates
+
 Changes to squid-3.4.0.3 (01 Dec 2013):
 
 	- Bug 3941: Release notes error
diff -u -r -N squid-3.4.0.3/configure squid-3.4.1/configure
--- squid-3.4.0.3/configure	2013-12-01 02:21:24.000000000 +1300
+++ squid-3.4.1/configure	2013-12-09 14:22:01.000000000 +1300
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.4.0.3.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.4.1.
 #
 # Report bugs to <http://bugs.squid-cache.org/>.
 #
@@ -575,8 +575,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.4.0.3'
-PACKAGE_STRING='Squid Web Proxy 3.4.0.3'
+PACKAGE_VERSION='3.4.1'
+PACKAGE_STRING='Squid Web Proxy 3.4.1'
 PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1579,7 +1579,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.4.0.3 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.4.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1649,7 +1649,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 3.4.0.3:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 3.4.1:";;
    esac
   cat <<\_ACEOF
 
@@ -2037,7 +2037,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 3.4.0.3
+Squid Web Proxy configure 3.4.1
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3133,7 +3133,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 3.4.0.3, which was
+It was created by Squid Web Proxy $as_me 3.4.1, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -3952,7 +3952,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='3.4.0.3'
+ VERSION='3.4.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -33133,7 +33133,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 3.4.0.3, which was
+This file was extended by Squid Web Proxy $as_me 3.4.1, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -33199,7 +33199,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 3.4.0.3
+Squid Web Proxy config.status 3.4.1
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-3.4.0.3/configure.ac squid-3.4.1/configure.ac
--- squid-3.4.0.3/configure.ac	2013-12-01 02:21:24.000000000 +1300
+++ squid-3.4.1/configure.ac	2013-12-09 14:22:01.000000000 +1300
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.4.0.3],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.4.1],[http://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.4.0.3/helpers/basic_auth/DB/basic_db_auth.8 squid-3.4.1/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.4.0.3/helpers/basic_auth/DB/basic_db_auth.8	2013-12-01 02:37:27.000000000 +1300
+++ squid-3.4.1/helpers/basic_auth/DB/basic_db_auth.8	2013-12-09 14:42:49.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2013-12-08" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.0.3/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.4.1/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.4.0.3/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2013-12-01 02:37:29.000000000 +1300
+++ squid-3.4.1/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2013-12-09 14:42:50.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2013-12-08" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.0.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.4.1/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.4.0.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2013-12-01 02:37:29.000000000 +1300
+++ squid-3.4.1/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2013-12-09 14:42:51.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-12-08" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.0.3/helpers/log_daemon/DB/log_db_daemon.8 squid-3.4.1/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.4.0.3/helpers/log_daemon/DB/log_db_daemon.8	2013-12-01 02:37:30.000000000 +1300
+++ squid-3.4.1/helpers/log_daemon/DB/log_db_daemon.8	2013-12-09 14:42:51.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 1"
-.TH LOG_DB_DAEMON 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 1 "2013-12-08" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.0.3/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.4.1/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-3.4.0.3/helpers/storeid_rewrite/file/storeid_file_rewrite.8	2013-12-01 02:37:30.000000000 +1300
+++ squid-3.4.1/helpers/storeid_rewrite/file/storeid_file_rewrite.8	2013-12-09 14:42:52.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "STOREID_FILE_REWRITE 1"
-.TH STOREID_FILE_REWRITE 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 1 "2013-12-08" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.4.0.3/include/version.h squid-3.4.1/include/version.h
--- squid-3.4.0.3/include/version.h	2013-12-01 02:21:24.000000000 +1300
+++ squid-3.4.1/include/version.h	2013-12-09 14:22:01.000000000 +1300
@@ -7,7 +7,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1385817641
+#define SQUID_RELEASE_TIME 1386552053
 #endif
 
 #ifndef APP_SHORTNAME
diff -u -r -N squid-3.4.0.3/lib/rfcnb/std-includes.h squid-3.4.1/lib/rfcnb/std-includes.h
--- squid-3.4.0.3/lib/rfcnb/std-includes.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/lib/rfcnb/std-includes.h	2013-12-09 14:20:54.000000000 +1300
@@ -29,10 +29,16 @@
 #define BOOL int
 typedef short int16;
 
+#if HAVE_NETDB_H
 #include <netdb.h>
+#endif
 #include <sys/types.h>
+#if HAVE_NETINET_IN_H
 #include <netinet/in.h>
+#endif
+#if HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
+#endif
 #include <signal.h>
 #include <errno.h>
 #include <stdio.h>
diff -u -r -N squid-3.4.0.3/src/acl/Acl.cc squid-3.4.1/src/acl/Acl.cc
--- squid-3.4.0.3/src/acl/Acl.cc	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/acl/Acl.cc	2013-12-09 14:20:54.000000000 +1300
@@ -298,13 +298,11 @@
                A->cfgline);
     }
 
-    /* append */
+    // prepend so that ACLs declared later (and possibly using earlier ACLs)
+    // are destroyed earlier (before the ACLs they use are destroyed)
     assert(head && *head == Config.aclList);
     A->registered = true;
-
-    while (*head)
-        head = &(*head)->next;
-
+    A->next = *head;
     *head = A;
 }
 
diff -u -r -N squid-3.4.0.3/src/acl/Acl.h squid-3.4.1/src/acl/Acl.h
--- squid-3.4.0.3/src/acl/Acl.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/acl/Acl.h	2013-12-09 14:20:54.000000000 +1300
@@ -135,7 +135,7 @@
 
     char name[ACL_NAME_SZ];
     char *cfgline;
-    ACL *next;
+    ACL *next; // XXX: remove or at least use refcounting
     ACLFlags flags; ///< The list of given ACL flags
     bool registered; ///< added to Config.aclList and can be reused via by FindByName()
 
@@ -247,6 +247,7 @@
 MEMPROXY_CLASS_INLINE(acl_proxy_auth_match_cache);
 
 /// \ingroup ACLAPI
+/// XXX: find a way to remove or at least use a refcounted ACL pointer
 extern const char *AclMatchedName;	/* NULL */
 
 #endif /* SQUID_ACL_H */
diff -u -r -N squid-3.4.0.3/src/acl/InnerNode.h squid-3.4.1/src/acl/InnerNode.h
--- squid-3.4.0.3/src/acl/InnerNode.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/acl/InnerNode.h	2013-12-09 14:20:54.000000000 +1300
@@ -40,6 +40,7 @@
     /* ACL API */
     virtual int match(ACLChecklist *checklist);
 
+    // XXX: use refcounting instead of raw pointers
     std::vector<ACL*> nodes; ///< children nodes of this intermediate node
 };
 
diff -u -r -N squid-3.4.0.3/src/client_side_request.cc squid-3.4.1/src/client_side_request.cc
--- squid-3.4.0.3/src/client_side_request.cc	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/client_side_request.cc	2013-12-09 14:20:54.000000000 +1300
@@ -1896,6 +1896,11 @@
         HTTPMSGUNLOCK(request);
         request = new_req;
         HTTPMSGLOCK(request);
+
+        // update the new message to flag whether URL re-writing was done on it
+        if (strcmp(urlCanonical(request),uri) != 0)
+            request->flags.redirected = 1;
+
         /*
          * Store the new URI for logging
          */
diff -u -r -N squid-3.4.0.3/src/DiskIO/DiskThreads/DiskThreads.h squid-3.4.1/src/DiskIO/DiskThreads/DiskThreads.h
--- squid-3.4.0.3/src/DiskIO/DiskThreads/DiskThreads.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/DiskIO/DiskThreads/DiskThreads.h	2013-12-09 14:20:54.000000000 +1300
@@ -10,6 +10,12 @@
 #include "dlink.h"
 #include "typedefs.h"
 
+/* this non-standard-conformant include is needed in order to have stat(2) and struct stat
+   properly defined on some systems (e.g. OpenBSD 5.4) */
+#if HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+
 #if AUFS_IO_THREADS
 #define NUMTHREADS AUFS_IO_THREADS
 #else
diff -u -r -N squid-3.4.0.3/src/ipc/UdsOp.cc squid-3.4.1/src/ipc/UdsOp.cc
--- squid-3.4.0.3/src/ipc/UdsOp.cc	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/ipc/UdsOp.cc	2013-12-09 14:20:54.000000000 +1300
@@ -126,12 +126,12 @@
     if (params.flag != COMM_OK && retries-- > 0) {
         // perhaps a fresh connection and more time will help?
         conn()->close();
-        sleep();
+        startSleep();
     }
 }
 
 /// pause for a while before resending the message
-void Ipc::UdsSender::sleep()
+void Ipc::UdsSender::startSleep()
 {
     Must(!sleeping);
     sleeping = true;
diff -u -r -N squid-3.4.0.3/src/ipc/UdsOp.h squid-3.4.1/src/ipc/UdsOp.h
--- squid-3.4.0.3/src/ipc/UdsOp.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/ipc/UdsOp.h	2013-12-09 14:20:54.000000000 +1300
@@ -71,7 +71,7 @@
     virtual void timedout(); // UdsOp API
 
 private:
-    void sleep();
+    void startSleep();
     void cancelSleep();
     static void DelayedRetry(void *data);
     void delayedRetry();
diff -u -r -N squid-3.4.0.3/src/RefreshPattern.h squid-3.4.1/src/RefreshPattern.h
--- squid-3.4.0.3/src/RefreshPattern.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/RefreshPattern.h	2013-12-09 14:20:54.000000000 +1300
@@ -29,6 +29,8 @@
  *
  */
 
+#include "compat/GnuRegex.h"
+
 /// a representation of a refresh pattern. Currently a POD.
 class RefreshPattern
 {
diff -u -r -N squid-3.4.0.3/src/SquidString.h squid-3.4.1/src/SquidString.h
--- squid-3.4.0.3/src/SquidString.h	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/SquidString.h	2013-12-09 14:20:54.000000000 +1300
@@ -87,7 +87,7 @@
     ~String();
 
     typedef size_t size_type; //storage size intentionally unspecified
-    const static size_type npos = std::string::npos;
+    const static size_type npos = -1;
 
     String &operator =(char const *);
     String &operator =(String const &);
diff -u -r -N squid-3.4.0.3/src/WinSvc.cc squid-3.4.1/src/WinSvc.cc
--- squid-3.4.0.3/src/WinSvc.cc	2013-12-01 02:20:43.000000000 +1300
+++ squid-3.4.1/src/WinSvc.cc	2013-12-09 14:20:54.000000000 +1300
@@ -32,7 +32,10 @@
  */
 
 #include "squid.h"
+#include "Debug.h"
+#include "globals.h"
 #include "protos.h"
+#include "SquidConfig.h"
 
 #if _SQUID_WINDOWS_
 #ifndef _MSWSOCK_
@@ -46,17 +49,17 @@
 
 /* forward declarations */
 static void WIN32_Exit(void);
-static void WIN32_Abort(int);
-
 static unsigned int GetOSVersion();
 void WIN32_svcstatusupdate(DWORD, DWORD);
 void WINAPI WIN32_svcHandler(DWORD);
+extern "C" void WINAPI SquidWinSvcMain(DWORD, char **);
+
 #if USE_WIN32_SERVICE
+static void WIN32_Abort(int);
 static int WIN32_StoreKey(const char *, DWORD, unsigned char *, int);
 static int WIN32_create_key(void);
 static void WIN32_build_argv (char *);
 #endif
-extern "C" void WINAPI SquidWinSvcMain(DWORD, char **);
 
 #if defined(_MSC_VER) /* Microsoft C Compiler ONLY */
 void Squid_Win32InvalidParameterHandler(const wchar_t*, const wchar_t*, const wchar_t*, unsigned int, uintptr_t);
@@ -68,8 +71,6 @@
 static int s_iInitCount = 0;
 static HANDLE NotifyAddrChange_thread = INVALID_HANDLE_VALUE;
 
-static int Squid_Aborting = 0;
-
 #undef NotifyAddrChange
 typedef DWORD(WINAPI * PFNotifyAddrChange) (OUT PHANDLE, IN LPOVERLAPPED);
 #define NOTIFYADDRCHANGE "NotifyAddrChange"
@@ -108,6 +109,8 @@
     NULL,	    /* key[3] */
     NULL	    /* key[4] */
 };
+
+static int Squid_Aborting = 0;
 #endif
 
 /* ====================================================================== */
@@ -388,17 +391,16 @@
 /* PUBLIC FUNCTIONS */
 /* ====================================================================== */
 
+#if USE_WIN32_SERVICE
 void
 WIN32_Abort(int sig)
 {
-#if USE_WIN32_SERVICE
     svcStatus.dwWin32ExitCode = ERROR_SERVICE_SPECIFIC_ERROR;
     svcStatus.dwServiceSpecificExitCode = 1;
-#endif
-
     Squid_Aborting = 1;
     WIN32_Exit();
 }
+#endif
 
 void
 WIN32_IpAddrChangeMonitorExit()
@@ -924,6 +926,7 @@
     char *c;
     char stderr_path[256];
 
+    SetErrorMode(SEM_NOGPFAULTERRORBOX);
     if ((argc == 2) && strstr(argv[1], _WIN_SQUID_SERVICE_OPTION)) {
         strcpy(stderr_path, argv[0]);
         strcat(stderr_path,".log");