[CLSA-2026:1775734284] Fix CVE(s): CVE-2026-32748, CVE-2026-33526

Type:

security

Severity:

Important

Release date:

2026-04-09 11:31:29 UTC

Description:

   * SECURITY UPDATE: denial of service via use-after-free in ICP
     - debian/patches/CVE-2026-33526.patch: remove duplicate
       rfc1738_escape call in icpGetRequest that invalidated the
       previously escaped URL pointer
     - CVE-2026-33526
   * SECURITY UPDATE: denial of service via use-after-free in ICP
     request handling
     - debian/patches/CVE-2026-32748.patch: return HttpRequestPointer
       and move icpAccessAllowed into icpGetRequest to fix HttpRequest
       lifetime for ICP v3 queries
     - CVE-2026-32748

Updated packages:

squid_4.10-1ubuntu1.13+tuxcare.els2_amd64.deb
sha:4a9cf71f3318171baef7350d27d05de6a4933876
squid-cgi_4.10-1ubuntu1.13+tuxcare.els2_amd64.deb
sha:0da8c8584cb9190ecf6e9e088df47f893f5d86fa
squid-common_4.10-1ubuntu1.13+tuxcare.els2_all.deb
sha:fa55380dc1f1f7c56874e4c3208d0145fa0c2722
squid-purge_4.10-1ubuntu1.13+tuxcare.els2_amd64.deb
sha:6399b28609c37d1b9a64096ceb6bcb2fdb4f99e8
squidclient_4.10-1ubuntu1.13+tuxcare.els2_amd64.deb
sha:4f0a6a2dcb67b8184390c8a9a394f61a48e59784

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.