Release date:
2026-03-31 08:57:50 UTC
Description:
* SECURITY UPDATE: Denial of Service in ICP request handling via double
  rfc1738_escape() call causing heap use-after-free
  - debian/patches/CVE-2026-33526.patch: Remove redundant rfc1738_escape()
    call in icpGetRequest()
  - CVE-2026-33526
* SECURITY UPDATE: Denial of Service in ICP v3 query handling via
  use-after-free of HttpRequest object
  - debian/patches/CVE-2026-32748.patch: Add proper HTTPMSGLOCK/HTTPMSGUNLOCK
    to doV3Query() to match doV2Query() locking pattern
  - CVE-2026-32748
* SECURITY UPDATE: Out-of-bounds read in ICP message handling allows
  information disclosure
  - debian/patches/CVE-2026-33515.patch: Add icpGetUrl() validation function
    to check packet bounds and NUL-termination of URLs in ICP messages
  - CVE-2026-33515
Updated packages:
- squid_4.6-1+deb10u10+tuxcare.els4_amd64.deb
  sha:fbd8bd2f199de7fc49df2d9b7a46cc28f1568b5d
- squid-cgi_4.6-1+deb10u10+tuxcare.els4_amd64.deb
  sha:466108633c86276ff1af9d42559f1b8800f354be
- squid-common_4.6-1+deb10u10+tuxcare.els4_all.deb
  sha:06315839150619eef4f57a8eb74c0df074ca1afd
- squid-purge_4.6-1+deb10u10+tuxcare.els4_amd64.deb
  sha:fde27d9a1be6144bc323ba03c0609e44c1f41466
- squid3_4.6-1+deb10u10+tuxcare.els4_all.deb
  sha:10d8ca8573e9e47986ca387775224c19e07b52d4
- squidclient_4.6-1+deb10u10+tuxcare.els4_amd64.deb
  sha:2e9dde0eeb6f9e3288c77543ae6b9ad3ca9ae803
Notes:
This page is generated automatically and has not been checked for errors.
For clarification or corrections please contact the CloudLinux Packaging Team.