Synopsis:
squid security updateSummary:
An update for squid is now available for openEuler-20.03-LTS-SP4Description:
Squid is a high-performance proxy caching server. It handles all requests in a single, non-blocking, I/O-driven process and keeps meta data and implements negative caching of failed requests.
Security Fix(es):
Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling ICP traffic. This problem allows a remote attacker to receive small amounts of memory potentially containing sensitive information when responding with errors to invalid ICP requests. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem cannot be mitigated by denying ICP queries using icp_access rules. Version 7.5 contains a patch.(CVE-2026-33515)
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem cannot be mitigated by denying ICP queries using icp_access rules. Version 7.5 contains a patch.(CVE-2026-33526)Topic:
An update for squid is now available for openEuler-20.03-LTS-SP4.
openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:
CriticalAffected Component:
squid
4.9-26.oe2003sp44.9-26.oe2003sp44.9-26.oe2003sp4Exploitability
AV:NAC:LPR:NUI:N9.2/CVSS:3.1/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H