Explore top 10 tips to secure your open-source projects now. Read More
×
Multiple security issues were discovered in the Squid proxy caching server, which could result in information disclosure or denial of service. For the stable distribution (trixie), these problems have been fixed in version 6.13-2+deb13u2. We recommend that you upgrade your squid packages.. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6360-1
Several security issues were fixed in Squid.. ========================================================================== Ubuntu Security Notice USN-8435-1 June 16, 2026 squid vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Squid. Software Description: - squid: Web proxy cache server Details: It was discovered that Squid incorrectly handled FTP gateway processing under certain circumstances, which could result in an out-of-bounds read. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2026-47729) It was discovered that Squid incorrectly handled cache digest processing under certain circumstances, which could result in a heap-based buffer overflow. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-50012) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS squid 7.2-2ubuntu2.2 Ubuntu 25.10 squid 6.14-0ubuntu0.25.10.4 Ubuntu 24.04 LTS squid 6.14-0ubuntu0.24.04.4 Ubuntu 22.04 LTS squid 5.9-0ubuntu0.22.04.7 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8435-1 CVE-2026-47729, CVE-2026-50012 Package Information: https://launchpad.net/ubuntu/+source/squid/7.2-2ubuntu2.2 https://launchpad.net/ubuntu/+source/squid/6.14-0ubuntu0.25.10.4 https://launchpad.net/ubuntu/+source/squid/6.14-0ubuntu0.24.04.4 https://launchpad.net/ubuntu/+source/squid/5.9-0ubuntu0.22.04.7 . Several issues in Squid lead to potential denialof service and code execution in Ubuntu 22.04, 24.04, 25.10, and 26.04.. Squid security issues, Ubuntu advisory 8435-1, denial of service Squid, buffer overflow security. . Severity: Important. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-8880 http://linux.oracle.com/errata/ELSA-2026-8880.html The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network: x86_64: squid-3.5.20-17.0.11.el7_9.13.x86_64.rpm squid-migration-script-3.5.20-17.0.11.el7_9.13.x86_64.rpm squid-sysvinit-3.5.20-17.0.11.el7_9.13.x86_64.rpm SRPMS: http://oss.oracle.com/ol7/SRPMS-updates/squid-3.5.20-17.0.11.el7_9.13.src.rpm Related CVEs: CVE-2026-32748 CVE-2026-33526 Description of changes: [7:3.5.20-17.0.11.13] - Security update for CVE-2026-32748 CVE-2026-33526 [Orabug: 39230173] [7:3.5.20-17.0.9.13] - Fixes CVE-2025-62168, squid: Squid vulnerable to information disclosure via - authentication credential leakage in error handling [Orabug: 38587551] [7:3.5.20-17.0.7.13] - Fixes CVE-2025-54574, add URN access disabling config options [Orabug: 38350105] [7:3.5.20-17.0.5.13] - Fixed cve 2023-46846 for http and icap request/response smuggling [Orabug: 37326730] _______________________________________________ El-errata mailing list
new version 7.5 security update. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-e6a4814a4d 2026-05-06 16:45:18.195694+00:00 -------------------------------------------------------------------------------- Name : squid Product : Fedora 43 Version : 7.5 Release : 1.fc43 URL : http://www.squid-cache.org Summary : The Squid proxy caching server Description : Squid is a high-performance proxy caching server for Web clients, supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools. -------------------------------------------------------------------------------- Update Information: new version 7.5 security update -------------------------------------------------------------------------------- ChangeLog: * Mon Apr 27 2026 Lubo\u0161 Uhliarik - 7:7.5-1 - new version 7.5 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2431445 - squid-7.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2431445 [ 2 ] Bug #2451599 - CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2451599 [ 3 ] Bug #2451601 - CVE-2026-32748 squid: Squid: Denial of Service via crafted ICP traffic [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2451601 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnfupgrade --advisory FEDORA-2026-e6a4814a4d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 43 Squid 7.5 update resolves Critical security issues and Denial of Service risks.. Fedora Squid update security DoS. . Severity: Critical. LinuxSecurity.com Team
new version 7.5 security update. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-c0590bd498 2026-05-06 00:48:51.045777+00:00 -------------------------------------------------------------------------------- Name : squid Product : Fedora 44 Version : 7.5 Release : 1.fc44 URL : http://www.squid-cache.org Summary : The Squid proxy caching server Description : Squid is a high-performance proxy caching server for Web clients, supporting FTP and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools. -------------------------------------------------------------------------------- Update Information: new version 7.5 security update -------------------------------------------------------------------------------- ChangeLog: * Mon Apr 27 2026 Lubo\u0161 Uhliarik - 7:7.5-1 - new version 7.5 - Add tmpfiles.d rules for /var directories (bootc compatibility) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2431445 - squid-7.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2431445 [ 2 ] Bug #2451599 - CVE-2026-33526 squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2451599 [ 3 ] Bug #2451601 - CVE-2026-32748 squid: Squid: Denial of Service via crafted ICP traffic [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2451601 -------------------------------------------------------------------------------- Thisupdate can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-c0590bd498' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Security update for Fedora 44 Squid 7.5 includes fixes for critical Denial of Service vulnerabilities. Update recommended.. Fedora Squid Update, Security Advisory Fedore 44, Denial of Service Fix. . Severity: Important. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-8317 http://linux.oracle.com/errata/ELSA-2026-8317.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: libecap-1.0.1-2.module+el8.9.0+90083+f7556140.x86_64.rpm libecap-devel-1.0.1-2.module+el8.9.0+90083+f7556140.x86_64.rpm squid-4.15-10.module+el8.10.0+90877+04e4d7e0.11.x86_64.rpm aarch64: libecap-1.0.1-2.module+el8.9.0+90083+f7556140.aarch64.rpm libecap-devel-1.0.1-2.module+el8.9.0+90083+f7556140.aarch64.rpm squid-4.15-10.module+el8.10.0+90877+04e4d7e0.11.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/libecap-1.0.1-2.module+el8.9.0+90083+f7556140.src.rpm http://oss.oracle.com/ol8/SRPMS-updates/squid-4.15-10.module+el8.10.0+90877+04e4d7e0.11.src.rpm Related CVEs: CVE-2026-32748 CVE-2026-33526 Description of changes: libecap [1.0.1-2] - Resolves: #1695587 - Ensure modular RPM upgrade path [1.0.1-1] - new version 1.0.1 - autoconf.h moved from lookaside to dist-git [1.0.0-7] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild [1.0.0-6] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild [1.0.0-5] - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild [1.0.0-4] - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild [1.0.0-3] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild [1.0.0-2] - Rebuilt for GCC 5 C++11 ABI change [1.0.0-1] - new version 1.0.0 [0.2.0-10] - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild squid [7:4.15-10.11] - Fix patch for CVE-2026-32748 - Resolves: RHEL-160675 [7:4.15-10.10] - Resolves: RHEL-160675 - squid:4/squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748) - Resolves: RHEL-160674 - squid:4/squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526) [7:4.15-10.9] - Resolves:RHEL-122484 - squid: Squid vulnerable to information disclosure via authentication credential leakage in error handling (CVE-2025-62168) [7:4.15-10.6] - Resolves: RHEL-84420 - A squid child process causes a memory reference error and the squid service terminates abnormally [7:4.15-10.5] - Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0 [7:4.15-10.4] - Resolves: RHEL-67870 - Remove gopher mention from spec file [7:4.15-10.3] - Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to a Denial of Service attack against Cache Manager error responses [7:4.15-10.2] - Disable ESI support - Resolves: RHEL-65075 - CVE-2024-45802 squid:4/squid: Denial of Service processing ESI response content [7:4.15-10.1] - Resolves: RHEL-56024 - (Regression) Transfer-encoding:chunked data is not sent to the client in its complementary [7:4.15-10] - Resolves: RHEL-28529 - squid:4/squid: Denial of Service in HTTP Chunked Decoding (CVE-2024-25111) - Resolves: RHEL-26088 - squid:4/squid: denial of service in HTTP header parser (CVE-2024-25617) _______________________________________________ El-errata mailing list
Important: squid:4 security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:8317", "synopsis": "Important: squid:4 security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for squid, libecap, module.libecap, module.squid.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.\n\nSecurity Fix(es):\n\n* squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)\n\n* Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 8"], "fixes": [{"ticket": "2451574", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2451574", "description": ""}, {"ticket": "2451577", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2451577", "description": ""}], "cves": [{"name": "CVE-2026-32748", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2026-32748", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-826"}, {"name": "CVE-2026-33526", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2026-33526", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-825"}], "references": [], "publishedAt": "2026-04-16T00:01:17.370160Z", "rpms": {"Rocky Linux 8": {"nvras": ["libecap-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.aarch64.rpm", "libecap-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.src.rpm","libecap-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.x86_64.rpm", "libecap-debuginfo-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.aarch64.rpm", "libecap-debuginfo-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.x86_64.rpm", "libecap-debugsource-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.aarch64.rpm", "libecap-debugsource-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.x86_64.rpm", "libecap-devel-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.aarch64.rpm", "libecap-devel-0:1.0.1-2.module+el8.9.0+1437+df5ea8f0.x86_64.rpm", "squid-7:4.15-10.module+el8.10.0+2080+49064dbd.9.aarch64.rpm", "squid-7:4.15-10.module+el8.10.0+1758+80ba9f4b.aarch64.rpm", "squid-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.aarch64.rpm", "squid-7:4.15-10.module+el8.10.0+1928+e8441768.5.aarch64.rpm", "squid-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.aarch64.rpm", "squid-7:4.15-10.module+el8.10.0+1885+e30b7122.3.aarch64.rpm", "squid-7:4.15-10.module+el8.10.0+1928+e8441768.5.src.rpm", "squid-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.src.rpm", "squid-7:4.15-10.module+el8.10.0+1885+e30b7122.3.src.rpm", "squid-7:4.15-10.module+el8.10.0+2080+49064dbd.9.src.rpm", "squid-7:4.15-10.module+el8.10.0+1758+80ba9f4b.src.rpm", "squid-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.src.rpm", "squid-7:4.15-10.module+el8.10.0+1928+e8441768.5.x86_64.rpm", "squid-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.x86_64.rpm", "squid-7:4.15-10.module+el8.10.0+1758+80ba9f4b.x86_64.rpm", "squid-7:4.15-10.module+el8.10.0+2080+49064dbd.9.x86_64.rpm", "squid-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.x86_64.rpm", "squid-7:4.15-10.module+el8.10.0+1885+e30b7122.3.x86_64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.aarch64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1885+e30b7122.3.aarch64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+2080+49064dbd.9.aarch64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1928+e8441768.5.aarch64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.aarch64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1758+80ba9f4b.aarch64.rpm","squid-debuginfo-7:4.15-10.module+el8.10.0+2080+49064dbd.9.x86_64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1758+80ba9f4b.x86_64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.x86_64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.x86_64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1885+e30b7122.3.x86_64.rpm", "squid-debuginfo-7:4.15-10.module+el8.10.0+1928+e8441768.5.x86_64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1928+e8441768.5.aarch64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.aarch64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+2080+49064dbd.9.aarch64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1758+80ba9f4b.aarch64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.aarch64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1885+e30b7122.3.aarch64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1758+80ba9f4b.x86_64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1881+7e31fb44.1.x86_64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1985+eaf982f0.6.x86_64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+2080+49064dbd.9.x86_64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1928+e8441768.5.x86_64.rpm", "squid-debugsource-7:4.15-10.module+el8.10.0+1885+e30b7122.3.x86_64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Important security update available for Squid in Rocky Linux addressing multiple denial of service issues.. squid update, Rocky Linux security, denial of service fix. . Severity: Important. LinuxSecurity.com Team
Important: squid security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:8119", "synopsis": "Important: squid security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for squid.\nThis update affects Rocky Linux 10.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.\n\nSecurity Fix(es):\n\n* squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)\n\n* Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 10"], "fixes": [{"ticket": "2451574", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2451574", "description": ""}, {"ticket": "2451577", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2451577", "description": ""}], "cves": [{"name": "CVE-2026-32748", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2026-32748", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-826"}, {"name": "CVE-2026-33526", "sourceBy": "MITRE", "sourceLink": "https://www.cve.org/CVERecord?id=CVE-2026-33526", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-825"}], "references": [], "publishedAt": "2026-04-15T12:07:10.074197Z", "rpms": {"Rocky Linux 10": {"nvras": ["squid-debugsource-7:6.10-6.el10_1.3.aarch64.rpm", "squid-7:6.10-6.el10_1.3.x86_64.rpm", "squid-debuginfo-7:6.10-6.el10_1.3.s390x.rpm", "squid-debuginfo-7:6.10-6.el10_1.3.aarch64.rpm","squid-7:6.10-6.el10_1.3.ppc64le.rpm", "squid-debugsource-7:6.10-6.el10_1.3.ppc64le.rpm", "squid-7:6.10-6.el10_1.3.s390x.rpm", "squid-debugsource-7:6.10-6.el10_1.3.s390x.rpm", "squid-debuginfo-7:6.10-6.el10_1.3.x86_64.rpm", "squid-7:6.10-6.el10_1.3.src.rpm", "squid-debuginfo-7:6.10-6.el10_1.3.ppc64le.rpm", "squid-debugsource-7:6.10-6.el10_1.3.x86_64.rpm", "squid-7:6.10-6.el10_1.3.aarch64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Critical update for squid in Rocky Linux addresses Denial of Service vulnerabilities with multiple CVEs for web clients.. Rocky Linux security update, squid Denial of Service, CVE-2026-33526. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.