[ubuntu/noble-security] squid 6.13-0ubuntu0.24.04.2 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Mon Oct 6 12:33:42 UTC 2025


squid (6.13-0ubuntu0.24.04.2) noble-security; urgency=medium

  * SECURITY UPDATE: ASN.1 encoding mishandling
    - debian/patches/CVE-2025-59362.patch: fix ASN.1 encoding of long SNMP
      OIDs in lib/snmplib/asn1.c.
    - CVE-2025-59362

squid (6.13-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version 6.13 (LP: #2085197)
    - Fix getting stuck when RESPMOD is slower than read(2)
    - Fix large uploads fill request buffer and die
    - Fix GCC v14 build [-Wmaybe-uninitialized]
    - Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
    - Fix nil request dereference in ACLExtUser and SourceDomainCheck ACLs
    - Fix systemd startup sequence to require active Local Filesystem
    - Fix validation of Digest auth header parameters
    - Improve robustness of DNS code on reconfigure
    - Prevent slow memory leak in TCP DNS queries
    - Improve errors emitted when invalid ACLs are parsed
    - ext_time_quota_acl: remove -l option

squid (6.10-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream version 6.10 (LP: #2073322):
    - Fix issue where successful tunnels were being logged as TCP_TUNNEL/500.
    - Fix a logic error when starting squid with the -a option, which could
      lead to a crash.
    - Fix marking of problematic cached IP addresses.
    - For a comprehensive list of changes, please see
      https://www.squid-cache.org/Versions/v6/squid-6.10-RELEASENOTES.html.
  * d/u/signing-key.asc: update keyring file. (Closes: #1084734)
  * Dropped changes:
    - SECURITY UPDATE: DoS via chunked decoder uncontrolled recursion bug
      + debian/patches/CVE-2024-25111.patch: fix infinite recursion in
        src/http.cc, src/http.h.
      + CVE-2024-25111
      [ Fixed in 6.8 ]
    - SECURITY UPDATE: DoS in ESI processing using multi-byte characters
      + debian/patches/CVE-2024-37894.patch: fix variable datatype to handle
        variable names outside standard ASCII characters
      + CVE-2024-37894
      [ Fixed in 6.10 ]

Date: 2025-10-03 16:27:19.896860+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/squid/6.13-0ubuntu0.24.04.2