
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN663
_____________________________________________________________________

DATE                : 23/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Squid versions prior to 7.6.
 
=====================================================================
https://github.com/squid-cache/squid/security/advisories/GHSA-8c37-pxjq-qwrg
https://github.com/squid-cache/squid/security/advisories/GHSA-5vmx-9x64-9284
_____________________________________________________________________


SQUID-2026:4 Memory disclosure in FTP gateway
Moderate
yadij published GHSA-8c37-pxjq-qwrg Jun 23, 2026

Package
squid

Affected versions
< 7.6

Patched versions
7.6


Description

Due to an Improper Validation of Syntactic Correctness of Input
bug (CWE-1286), Squid is vulnerable to an Out-of-bounds Read
attack against the FTP gateway.


Severity:

This problem allows a client that is permitted to use the proxy
to trigger an Out-of-Bounds Read by accessing a misbehaving FTP
server through Squid's gateway feature, and thereby obtain memory
belonging to random unrelated transactions.


Updated Packages:
This bug is fixed by Squid version 7.6

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:


Squid 7:

https://github.com/squid-cache/squid/commit/865a131c7d557e68c965043d98c2eccae26deef8.patch

If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.


Determining if your version is vulnerable:

Squid versions older than 3.5.28 have not been tested and should
be assumed to be vulnerable.

All Squid-4.x are vulnerable.

All Squid-5.x are vulnerable.

All Squid-6.x are vulnerable.

All Squid-7.x up to and including 7.5 are vulnerable.


Workaround:

Place these squid.conf settings above any custom
'http_access allow' lines in your squid.conf:

acl FTP proto FTP
acl ftp_allowlist url_regex ^ftp://trusted\.server\.example\.com

http_access deny FTP !ftp_allowlist

Note: the ftp_allowlist ACL is optional, for those who must keep
FTP access to specific trusted servers. The safest workaround is
to omit it (denying all FTP) unless it is genuinely needed.
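The two checks above (which releases carry the bug, and where the deny rule must sit in squid.conf) can be scripted. The POSIX shell functions below are an added example written for this note and are not part of the Squid advisory or the Squid project. They assume that `squid -v` prints a line of the form "Squid Cache: Version X.Y", and that the configuration to audit is supplied on standard input; the version strings and configuration fragments used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example for SQUID-2026:4; not code from the Squid project or from
# CERT-Renater.  Assumptions: `squid -v` reports a line of the form
# "Squid Cache: Version X.Y[.Z]", and the squid.conf to audit is read on
# standard input.
#
# Usage on a proxy host:
#   squid_older_than "$(squid -v)" 7 6 && echo "FTP gateway bug present"
#   ftp_workaround_ok < /etc/squid/squid.conf

# squid_older_than VERSION_TEXT MAJOR MINOR
# Exit 0 if the reported Squid version is older than MAJOR.MINOR, 1 if it
# is MAJOR.MINOR or newer, 2 if no version line was found (the advisory
# says untested builds should be assumed vulnerable, so treat 2 as "act").
squid_older_than() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    minor=${minor:-0}
    [ "$major" -lt "$2" ] && return 0
    [ "$major" -eq "$2" ] && [ "$minor" -lt "$3" ] && return 0
    return 1
}

# ftp_workaround_ok < squid.conf
# Exit 0 when an "acl NAME proto FTP" ACL is defined, an "http_access deny
# NAME ..." rule uses it, and that deny appears before the first
# "http_access allow" rule.  Squid evaluates http_access top-down and stops
# at the first match, so a deny placed below e.g. "http_access allow
# localnet" never fires for clients that the allow already matched.  The
# check is deliberately conservative: any earlier allow rule is flagged,
# not only those that could match an FTP request.  Comments are stripped
# first, so a commented-out rule does not count.
ftp_workaround_ok() {
    awk '
        { sub(/#.*/, "") }
        NF == 0 { next }
        $1 == "acl" && tolower($3) == "proto" && toupper($4) == "FTP" { ftpacl[$2] = 1 }
        $1 == "http_access" && $2 == "allow" && !first_allow { first_allow = NR }
        $1 == "http_access" && $2 == "deny" && ($3 in ftpacl) && !ftp_deny { ftp_deny = NR }
        END {
            if (!ftp_deny) {
                print "no http_access deny rule uses a proto FTP acl"
                exit 1
            }
            if (first_allow && first_allow < ftp_deny) {
                print "FTP deny (line " ftp_deny ") sits below http_access allow (line " first_allow ")"
                exit 1
            }
            print "FTP deny (line " ftp_deny ") precedes every http_access allow"
        }'
}
```

Run `squid_older_than "$(squid -v)" 7 6` on each proxy; a return code of 2 means no version line was recognised and, following the advisory's guidance on untested releases, the build should be treated as vulnerable. `ftp_workaround_ok` reports any `http_access allow` that precedes the FTP deny, even one that could never match an FTP request, so a hit is a prompt to review rule ordering rather than proof of exposure.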


Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is
your primary support point. For subscription details see
https://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.


Credits:

This vulnerability was discovered and reported independently by
Pavel Kohout of Aisle Research, and
Lam Jun Rong of Calif.io in collaboration with Anthropic Research, and
Youssef Awad of CTF.ae.

Fixed by Alex Rousskov, The Measurement Factory.


Revision history:

2026-03-04 12:41:54 UTC Initial Report by Pavel Kohout of Aisle Research
2026-04-17: Initial Report by Lam Jun Rong
2026-05-07: Initial Report by Youssef Awad
2026-05-17 06:04:47 UTC patch published

END

Severity: Moderate (6.5 / 10)

CVSS v3 base metrics:
  Attack vector:        Network
  Attack complexity:    Low
  Privileges required:  Low
  User interaction:     None
  Scope:                Unchanged
  Confidentiality:      High
  Integrity:            None
  Availability:         None
  Vector string:        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2026-47729

Weaknesses: CWE-125, CWE-200, CWE-1286

Credits (GitHub advisory):
  @rousskov     Remediation developer
  @jro-calif    Reporter
  @DeadPackets  Reporter
  @kinkie       Coordinator

_____________________________________________________________________


SQUID-2026:5 Memory corruption in cache_digest reply handling
Moderate
yadij published GHSA-5vmx-9x64-9284 Jun 23, 2026

Package
Squid

Affected versions
< 7.6

Patched versions
7.6


Description

Squid Proxy Cache Security Update Advisory SQUID-2026:5

Advisory ID:        SQUID-2026:5
Date:               2026-06-14
Summary:            Memory corruption in cache_digest reply handling
Affected versions:  Squid 3.x -> 3.5.27
                    Squid 4.x -> 4.17
                    Squid 5.x -> 5.9
                    Squid 6.x -> 6.14
                    Squid 7.x -> 7.5
Fixed in version:   Squid 7.6


Problem Description:

Due to an Improper Input Validation bug, Squid is vulnerable to
a Heap-based Buffer Overflow attack against cache digests.


Severity:

This problem allows a trusted server (a configured cache_peer) to
trigger a Heap-based Buffer Overflow in Squid by sending
maliciously crafted replies to cache_digest request messages.

This attack is limited to Squid instances that have been
compiled with the --enable-cache-digests option.

Trusted peers are expected to be servers within the same
administrative domain. Cache digests are exchanged over TCP, so
an attacker cannot blindly spoof a peer's reply; exploitation
requires control of a configured peer or an on-path position
between Squid and that peer.


Updated Packages:
This bug is fixed by Squid version 7.6

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 7:

https://github.com/squid-cache/squid/commit/19fcfe922717c8b255270c032dcde4071c003bcd.patch

If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.


Determining if your version is vulnerable:

The following test can be used to determine affected feature use:

 squid -v | grep -q 'enable-cache-digests' &&
  squid -k parse 2>&1 | grep -w cache_peer | grep -v no-digest

    All Squid 7.5 and older without output are not vulnerable.

    All Squid 7.5 and older with output are vulnerable.

    All Squid 7.6 and later are not vulnerable.


Workaround:

Either

Audit your squid configuration and ensure that every configured
cache_peer entry points at a server under your organisational
control and fully trusted. This greatly reduces the risk but
does not remove the bug.

or

Disable cache digests for any cache_peer you do not directly
control by adding the 'no-digest' option to its cache_peer line.
This removes the vulnerability at the cost of increased
bandwidth; using HTCP or ICP for those peers can reduce that cost.

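The one-line test under "Determining if your version is vulnerable" tells you whether digests are compiled in and whether any cache_peer lacks no-digest, but not which of those peers are outside your control or what the corrected configuration looks like. The POSIX shell functions below are an added example written for this note, not code from the Squid project or CERT-Renater. They take the `squid -v` output as a string and a squid.conf on standard input, list the cache_peer entries still exchanging digests with hosts that do not match a regular expression of trusted peer names you supply, and emit a copy of the configuration with `no-digest` appended to exactly those entries. The sample configuration and the trusted-host pattern are constructed for illustration.

```shell
#!/bin/sh
# Added example for SQUID-2026:5; not code from the Squid project or from
# CERT-Renater.  Assumptions: `squid -v` prints the build's
# "configure options:" line, and the squid.conf to audit is read on
# standard input.  TRUSTED is an awk extended regular expression matching
# the hostnames of peers under your own administrative control; it is
# handed to awk through the environment rather than with -v because -v
# processes backslash escapes in its value.
#
# Usage on a proxy host:
#   digest_feature_built "$(squid -v)" &&
#     digest_peers_exposed 'corp[.]example[.]com$' < /etc/squid/squid.conf
#   digest_peers_remediate 'corp[.]example[.]com$' \
#     < /etc/squid/squid.conf > /etc/squid/squid.conf.new

# digest_feature_built VERSION_TEXT
# Exit 0 if the build was configured with --enable-cache-digests.
digest_feature_built() {
    printf '%s\n' "$1" | grep -q -- '--enable-cache-digests'
}

# digest_peers_exposed TRUSTED < squid.conf
# Print each cache_peer line that lacks no-digest and whose host does not
# match TRUSTED (an empty TRUSTED treats every peer as untrusted).
# Commented-out peers are ignored.  Exit 0 if any such peer exists, 1 if not.
digest_peers_exposed() {
    TRUSTED="$1" awk '
        BEGIN { trusted = ENVIRON["TRUSTED"] }
        { sub(/#.*/, "") }
        $1 == "cache_peer" {
            nodigest = 0
            for (i = 2; i <= NF; i++) if ($i == "no-digest") nodigest = 1
            if (!nodigest && (trusted == "" || $2 !~ trusted)) { print; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# digest_peers_remediate TRUSTED < squid.conf
# Copy the configuration to stdout, appending no-digest to every exposed
# cache_peer (before any trailing comment on that line).  Every other line,
# comments and already-hardened peers included, passes through unchanged.
digest_peers_remediate() {
    TRUSTED="$1" awk '
        BEGIN { trusted = ENVIRON["TRUSTED"] }
        $1 != "cache_peer" { print; next }
        {
            code = $0; cmt = ""
            if (match(code, /#.*/)) {
                cmt = substr(code, RSTART)
                code = substr(code, 1, RSTART - 1)
            }
            $0 = code                 # re-split fields on the directive only
            nodigest = 0
            for (i = 2; i <= NF; i++) if ($i == "no-digest") nodigest = 1
            if (nodigest || (trusted != "" && $2 ~ trusted)) { print code cmt; next }
            sub(/[ \t]+$/, "", code)
            tail = (cmt == "") ? "" : " " cmt
            print code " no-digest" tail
        }'
}
```

Review the remediated output before installing it, and run `squid -k parse` against the new file as the advisory's own test does. Keep the trusted-host pattern tight (anchor it with `$`, as in the usage line) so that a peer in a look-alike domain is not silently treated as trusted.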

Credits:

This vulnerability was discovered independently by
Huy Hoàng Nguyễn of Sun Asterisk Vietnam, and
Sarthak Munshi.

Fixed by Francesco Chemolli <kinkie@squid-cache.org>.


Revision history:

2026-05-11 Initial Report
2026-05-30 10:16:33 Patch published

END


Severity: Moderate (5.5 / 10)

CVSS v3 base metrics:
  Attack vector:        Network
  Attack complexity:    Low
  Privileges required:  High
  User interaction:     None
  Scope:                Unchanged
  Confidentiality:      None
  Integrity:            Low
  Availability:         High
  Vector string:        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVE ID: CVE-2026-50012

Weaknesses: CWE-20, CWE-122

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




