[CLSA-2026:1775724625] Fix CVE(s): CVE-2026-32748, CVE-2026-33526

Type:

security

Severity:

Important

Release date:

2026-04-09 08:50:29 UTC

Description:

   * SECURITY UPDATE: denial of service via use-after-free in ICP
     - debian/patches/CVE-2026-33526.patch: remove duplicate
       rfc1738_escape call in icpGetRequest that invalidated the
       previously escaped URL pointer
     - CVE-2026-33526
   * SECURITY UPDATE: denial of service via use-after-free in ICP
     request handling
     - debian/patches/CVE-2026-32748.patch: return HttpRequestPointer
       and move icpAccessAllowed into icpGetRequest to fix HttpRequest
       lifetime for ICP v3 queries
     - CVE-2026-32748

Updated packages:

squid_3.5.12-1ubuntu7.17+tuxcare.els13_amd64.deb
sha:ca69f1091932e333a1a741ce4826ba2871831b0f
squid-cgi_3.5.12-1ubuntu7.17+tuxcare.els13_amd64.deb
sha:9321a494594532f0e80fbfa35fbf27cab8ffcfa9
squid-common_3.5.12-1ubuntu7.17+tuxcare.els13_all.deb
sha:c6a040182501fc7266470165dcbfaf721b112fa7
squid-purge_3.5.12-1ubuntu7.17+tuxcare.els13_amd64.deb
sha:f21262e696662e1c11eba4d1fc5dcd8dbaa23f46
squid3_3.5.12-1ubuntu7.17+tuxcare.els13_all.deb
sha:b2ffe17295ba2cc0da5e2c8a700da59d7cf051d2
squidclient_3.5.12-1ubuntu7.17+tuxcare.els13_amd64.deb
sha:56ff562ba66e3eb0d09827dda313d9bb3e927889

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.