diff -Nru squid3-3.3.8/debian/changelog squid3-3.3.8/debian/changelog
--- squid3-3.3.8/debian/changelog 2016-03-05 08:59:03.000000000 +1300
+++ squid3-3.3.8/debian/changelog 2016-03-24 12:31:57.000000000 +1300
@@ -1,3 +1,9 @@
+squid3 (3.3.8-1ubuntu6.7) trusty; urgency=medium
+
+ * Backport fix for upstream bug #3769. (LP: #1561007)
+
+ -- Michael Hudson-Doyle Thu, 24 Mar 2016 12:28:46 +1300
+
 squid3 (3.3.8-1ubuntu6.6) trusty-security; urgency=medium
 
 [ Scott Moser ]
diff -Nru squid3-3.3.8/debian/patches/bug-3769.diff squid3-3.3.8/debian/patches/bug-3769.diff
--- squid3-3.3.8/debian/patches/bug-3769.diff 1970-01-01 12:00:00.000000000 +1200
+++ squid3-3.3.8/debian/patches/bug-3769.diff 2016-03-24 12:28:42.000000000 +1300
@@ -0,0 +1,48 @@
+Description: Backport fix for upstream bug #3769
+ This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3
+ releases to have no effect. The designed behaviour of masking client IPs
+ in logs is now restored.
+
+Origin: http://bazaar.launchpad.net/~squid/squid/3.3/revision/12672
+Bug: http://bugs.squid-cache.org/show_bug.cgi?id=3769
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/AccessLogEntry.cc 2013-05-07 08:48:36 +0000
++++ b/src/AccessLogEntry.cc 2014-02-20 01:27:16 +0000
+@@ -15,17 +15,30 @@
+ void
+ AccessLogEntry::getLogClientIp(char *buf, size_t bufsz) const
+ {
++ Ip::Address log_ip;
++
+ #if FOLLOW_X_FORWARDED_FOR
+ if (Config.onoff.log_uses_indirect_client && request)
+- request->indirect_client_addr.NtoA(buf, bufsz);
++ log_ip = request->indirect_client_addr;
+ else
+ #endif
+ if (tcpClient != NULL)
+- tcpClient->remote.NtoA(buf, bufsz);
+- else if (cache.caddr.IsNoAddr()) // e.g., ICAP OPTIONS lack client
++ log_ip = tcpClient->remote;
++ else if (cache.caddr.IsNoAddr()) { // e.g., ICAP OPTIONS lack client
+ strncpy(buf, "-", bufsz);
+- else
+- cache.caddr.NtoA(buf, bufsz);
++ return;
++ } else
++ log_ip = cache.caddr;
++
++ // Apply so-called 'privacy masking' to IPv4 clients
++ // - localhost IP is always shown in full
++ // - IPv4 clients masked with client_netmask
++ // - IPv6 clients use 'privacy addressing' instead.
++
++ if (!log_ip.IsLocalhost() && log_ip.IsIPv4())
++ log_ip.ApplyMask(Config.Addrs.client_netmask);
++
++ log_ip.NtoA(buf, bufsz);
+ }
+
+ AccessLogEntry::~AccessLogEntry()
+
diff -Nru squid3-3.3.8/debian/patches/series squid3-3.3.8/debian/patches/series
--- squid3-3.3.8/debian/patches/series 2016-03-05 08:58:43.000000000 +1300
+++ squid3-3.3.8/debian/patches/series 2016-03-24 12:21:55.000000000 +1300
@@ -14,3 +14,4 @@
 CVE-2014-6270.patch
 CVE-2015-3455.patch
 CVE-2016-2571.patch
+bug-3769.diff
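Review bot: IPv6 client addresses still reach the access log unmasked, because the new guard `if (!log_ip.IsLocalhost() && log_ip.IsIPv4())` in getLogClientIp() applies client_netmask to IPv4 addresses only. The comment justifies this with "IPv6 clients use 'privacy addressing' instead", but that is client-side behaviour the proxy cannot verify, and statically assigned or DHCPv6 addresses stay stable. An operator who sets client_netmask to anonymise logs would therefore still record full IPv6 addresses, so the comment should state the limitation outright, e.g. `// - IPv6 clients are logged unmasked; client_netmask does not apply to them`. The same caveat presumably belongs in the client_netmask directive documentation, which is not part of this patch.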