[ubuntu/resolute-proposed] squid 7.2-2ubuntu2 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Fri Apr 3 09:35:37 UTC 2026 

squid (7.2-2ubuntu2) resolute; urgency=medium

  * SECURITY UPDATE: use-after-free via ICP protocol
    - debian/patches/CVE-2026-32748.patch: fix HttpRequest lifetime for ICP
      v3 queries in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
      src/tests/stub_icp.cc.
    - CVE-2026-32748
  * SECURITY UPDATE: out-of-bounds read via ICP protocol
    - debian/patches/CVE-2026-33515.patch: fix validation of packet sizes
      and URLs in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
      src/tests/stub_icp.cc.
    - CVE-2026-33515
  * SECURITY UPDATE: use-after-free via ICP protocol
    - debian/patches/CVE-2026-33526.patch: do not escape malformed URI
      twice when sending ICP errors in src/icp_v2.cc.
    - CVE-2026-33526

Date: Thu, 02 Apr 2026 13:07:11 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/squid/7.2-2ubuntu2
-------------- next part --------------
Format: 1.8
Date: Thu, 02 Apr 2026 13:07:11 -0400
Source: squid
Built-For-Profiles: derivative.ubuntu noudeb
Architecture: source
Version: 7.2-2ubuntu2
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 squid (7.2-2ubuntu2) resolute; urgency=medium
 .
   * SECURITY UPDATE: use-after-free via ICP protocol
     - debian/patches/CVE-2026-32748.patch: fix HttpRequest lifetime for ICP
       v3 queries in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
       src/tests/stub_icp.cc.
     - CVE-2026-32748
   * SECURITY UPDATE: out-of-bounds read via ICP protocol
     - debian/patches/CVE-2026-33515.patch: fix validation of packet sizes
       and URLs in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
       src/tests/stub_icp.cc.
     - CVE-2026-33515
   * SECURITY UPDATE: use-after-free via ICP protocol
     - debian/patches/CVE-2026-33526.patch: do not escape malformed URI
       twice when sending ICP errors in src/icp_v2.cc.
     - CVE-2026-33526
Checksums-Sha1:
 ad68c68db6ee9ac16bc0660fecbfe8b7d3420dd9 2653 squid_7.2-2ubuntu2.dsc
 e3b1ae6a45c4197c362a274ff8f396ca56f39e71 58652 squid_7.2-2ubuntu2.debian.tar.xz
 85a40a29eab9822a98865faacba030e24a2d947a 8490 squid_7.2-2ubuntu2_source.buildinfo
Checksums-Sha256:
 1808286f5a5d7e7956c68e0fc1d2c7457bef1f13e76aee85d1bafb89efdd18e5 2653 squid_7.2-2ubuntu2.dsc
 2323dc47fa72dc0281fb87cbc36a9db5b3c2696709111e9feab72d14cb70edf8 58652 squid_7.2-2ubuntu2.debian.tar.xz
 cc8506408a4dd403d3fe601ac2ddf36d29053e43f1ccdd067a1fab7e9de61107 8490 squid_7.2-2ubuntu2_source.buildinfo
Files:
 27d9bab642a3ec7de2da9b46539a9ef3 2653 web optional squid_7.2-2ubuntu2.dsc
 30467af2091bac2c4ace77bcf107d0e3 58652 web optional squid_7.2-2ubuntu2.debian.tar.xz
 c5fcc94034045a4bfcd2219644730c7a 8490 web optional squid_7.2-2ubuntu2_source.buildinfo
Original-Maintainer: Luigi Gangitano <luigi at debian.org>

More information about the Resolute-changes mailing list