Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN331 _____________________________________________________________________ DATE : 25/03/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Squid versions prior to 7.5. ===================================================================== https://ml-archives.squid-cache.org/squid-announce/2026-March/000181.html https://ml-archives.squid-cache.org/squid-announce/2026-March/000180.html https://ml-archives.squid-cache.org/squid-announce/2026-March/000179.html _____________________________________________________________________ __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2026:3 __________________________________________________________________ Advisory ID: | SQUID-2026:3 (CVE-2026-33515) Date: | March 25, 2026 Summary: | Out of Bounds Read in ICP message handling Affected versions: | Squid 3.x -> 3.5.28 | Squid 4.x -> 4.17 | Squid 5.x -> 5.9 | Squid 6.x -> 6.14 | Squid 7.x -> 7.4 Fixed in version: | Squid 7.5 __________________________________________________________________ Problem Description: Due to improper input validation bugs, Squid is vulnerable to out of bounds reads when handling ICP traffic. __________________________________________________________________ Severity: This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem _cannot_ be mitigated by denying ICP queries using icp_access rules. __________________________________________________________________ Updated Packages These bugs were fixed in Squid version 7.5. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 7: Note: we are aware this patch may not apply cleanly. Ensure that the patch for SQUID-2026:1 is applied first. If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable Run the following command to identify whether your Squid has been configured with ICP enabled: squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1 All Squid configured with port 0 are not vulnerable. All Squid-3.0 up to and including 7.4 configured with a non-zero port should be assumed to be vulnerable. All Squid-3.2 up to and including 7.4 configured without any port value can be assumed to be not vulnerable. __________________________________________________________________ Workaround Either, * Do not enable ICP support, Or, * explicitly disable ICP using "icp_port 0". Warning: These problems _cannot_ be mitigated by denying ICP queries using icp_access rules. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the mailing list is your primary support point. For subscription details see . For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits Discovered and Fixed by: * Joshua Rogers with ZeroPath * Alex Rousskov, The Measurement Factory __________________________________________________________________ Revision history: 2025-09-07 20:22:00 EDT Report of the first set of vulnerabilities 2026-01-26 08:48:00 EDT Report of additional vulnerabilities 2026-02-12 20:28:43 UTC official fixes in master branch __________________________________________________________________ END _____________________________________________________________________ __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2026:2 __________________________________________________________________ Advisory ID: | SQUID-2026:2 (CVE-2026-32748) Date: | March 25, 2026 Summary: | Denial of Service in ICP Request handling Affected versions: | Squid 3.x -> 3.5.28 | Squid 4.x -> 4.17 | Squid 5.x -> 5.9 | Squid 6.x -> 6.14 | Squid 7.x -> 7.4 Fixed in version: | Squid 7.5 __________________________________________________________________ Problem Description: Due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. __________________________________________________________________ Severity: This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem _cannot_ be mitigated by denying ICP queries using icp_access rules. __________________________________________________________________ Updated Packages This bug is fixed in Squid version 7.5. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 7: If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable Run the following command to identify whether your Squid has been configured with ICP enabled: squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1 All Squid configured with port 0 are not vulnerable. All Squid-3.0 up to and including 7.4 configured with a non-zero port should be assumed to be vulnerable. All Squid-3.2 up to and including 7.4 configured without any port value can be assumed to be not vulnerable. __________________________________________________________________ Workaround Either, * Do not enable ICP support, Or, * explicitly disable ICP using "icp_port 0". Warning: These problems _cannot_ be mitigated by denying ICP queries using icp_access rules. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the mailing list is your primary support point. For subscription details see . For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits Discovered and Fixed by Alex Rousskov, The Measurement Factory __________________________________________________________________ Revision history: 2026-02-08 21:20:00 EDT Report of vulnerability 2026-02-18 21:13:26 UTC official fixes in master branch __________________________________________________________________ END _____________________________________________________________________ __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2026:1 __________________________________________________________________ Advisory ID: | SQUID-2026:1 (CVE-2026-33526) Date: | March 25, 2026 Summary: | Denial of Service in ICP Request handling Affected versions: | Squid 3.x -> 3.5.28 | Squid 4.x -> 4.17 | Squid 5.x -> 5.9 | Squid 6.x -> 6.14 | Squid 7.x -> 7.4 Fixed in version: | Squid 7.5 __________________________________________________________________ Problem Description: Due to a heap Use-After-Free bug Squid is vulnerable to Denial of Service when handling ICP traffic. __________________________________________________________________ Severity: This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem _cannot_ be mitigated by denying ICP queries using icp_access rules. __________________________________________________________________ Updated Packages These bugs were fixed in Squid version 7.5. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 7: If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable Run the following command to identify whether your Squid has been configured with ICP enabled: squid -k parse 2>&1 | grep -E "(icp|udp)_port" | tail -n1 All Squid configured with port 0 are not vulnerable. All Squid-3.0 up to and including 7.4 configured with a non-zero port should be assumed to be vulnerable. All Squid-3.2 up to and including 7.4 configured without any port value can be assumed to be not vulnerable. __________________________________________________________________ Workaround Either, * Do not enable ICP support, Or, * explicitly disable ICP using "icp_port 0". Warning: These problems _cannot_ be mitigated by denying ICP queries using icp_access rules. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the mailing list is your primary support point. For subscription details see . For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits Discovered by: * Joshua Rogers with ZeroPath * Asim Viladi Oglu Manizada Fixed by: * Joshua Rogers with ZeroPath __________________________________________________________________ Revision history: 2025-09-07 20:22:00 EDT Report of the first set of vulnerabilities 2026-01-26 08:48:00 EDT Report of additional vulnerabilities 2026-02-10 19:58:49 UTC official fixes in master branch __________________________________________________________________ END ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================