[CLSA-2026:1775688811] Fix CVE(s): CVE-2026-32748, CVE-2026-33526

Type:

security

Severity:

Important

Release date:

2026-04-08 22:53:40 UTC

Description:

   * SECURITY UPDATE: denial of service via use-after-free in ICP
     - debian/patches/CVE-2026-33526.patch: remove duplicate
       rfc1738_escape call in icpGetRequest that invalidated the
       previously escaped URL pointer
     - CVE-2026-33526
   * SECURITY UPDATE: denial of service via use-after-free in ICP
     request handling
     - debian/patches/CVE-2026-32748.patch: return HttpRequestPointer
       and move icpAccessAllowed into icpGetRequest to fix HttpRequest
       lifetime for ICP v3 queries
     - CVE-2026-32748

Updated packages:

squid_3.5.27-1ubuntu1.14+tuxcare.els11_amd64.deb
sha:3be25b1cbd9fdaf156de6bed83d1b8ba7cab9252
squid-cgi_3.5.27-1ubuntu1.14+tuxcare.els11_amd64.deb
sha:515f4eb73aad6d0351484d0c35ca72a21324bec8
squid-common_3.5.27-1ubuntu1.14+tuxcare.els11_all.deb
sha:cef351c62f0a150b4d63c20d9e24e8b65e425d5c
squid-purge_3.5.27-1ubuntu1.14+tuxcare.els11_amd64.deb
sha:20a0b244e4c5cd576f7fe361b8364e9e4fd064c1
squid3_3.5.27-1ubuntu1.14+tuxcare.els11_all.deb
sha:82ab3390cd419e0344cf584529df2c3e1069f197
squidclient_3.5.27-1ubuntu1.14+tuxcare.els11_amd64.deb
sha:2dbd53f6b9c2b49f1b1938448cf71f5866382f99

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.