UbuntuUpdates.org

Package "squid"

Name: squid

Description:

Full featured Web Proxy cache (HTTP proxy GnuTLS flavour)
Latest version: 5.9-0ubuntu0.22.04.5
Release: jammy (22.04)
Level: updates
Repository: main
Homepage: http://www.squid-cache.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "squid"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "squid" in Jammy

Repository Area Version
base main 5.2-1ubuntu4
base universe 5.2-1ubuntu4
security main 5.9-0ubuntu0.22.04.5
security universe 5.9-0ubuntu0.22.04.5
updates universe 5.9-0ubuntu0.22.04.5

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 5.9-0ubuntu0.22.04.5 2026-04-09 05:09:43 UTC

  squid (5.9-0ubuntu0.22.04.5) jammy-security; urgency=medium

  * SECURITY UPDATE: use-after-free via ICP protocol
    - debian/patches/CVE-2026-32748.patch: fix HttpRequest lifetime for ICP
      v3 queries in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
      src/tests/stub_icp.cc.
    - CVE-2026-32748
  * SECURITY UPDATE: out-of-bounds read via ICP protocol
    - debian/patches/CVE-2026-33515.patch: fix validation of packet sizes
      and URLs in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
      src/tests/stub_icp.cc.
    - CVE-2026-33515
  * SECURITY UPDATE: use-after-free via ICP protocol
    - debian/patches/CVE-2026-33526.patch: do not escape malformed URI
      twice when sending ICP errors in src/icp_v2.cc.
    - CVE-2026-33526

 -- Marc Deslauriers <email address hidden> Thu, 02 Apr 2026 14:27:26 -0400
Source diff to previous version
CVE-2026-32748 Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bug
CVE-2026-33515 Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling
CVE-2026-33526 Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP tr

Version: 5.9-0ubuntu0.22.04.4 2025-10-29 15:07:28 UTC

  squid (5.9-0ubuntu0.22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP Authentication credential leak
    - debian/patches/CVE-2025-62168.patch: Add maskSensitiveInfo parameter to
      pack and pass it to packInto in src/HttpRequest.cc. Add maskSensitiveInfo
      to pack in src/HttpRequest.h. Adapt code with new parameter in
      src/client_side_reply.cc, and src/errorpage.cc. Remove request_hdr NULL
      assign in src/errorpage.h.
    - CVE-2025-62168

 -- Hlib Korzhynskyy <email address hidden> Mon, 27 Oct 2025 12:58:52 -0230
Source diff to previous version
CVE-2025-62168 Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows in

Version: 5.9-0ubuntu0.22.04.3 2025-10-06 19:07:27 UTC

  squid (5.9-0ubuntu0.22.04.3) jammy-security; urgency=medium

  * SECURITY UPDATE: ASN.1 encoding mishandling
    - debian/patches/CVE-2025-59362.patch: fix ASN.1 encoding of long SNMP
      OIDs in lib/snmplib/asn1.c.
    - CVE-2025-59362

 -- Marc Deslauriers <email address hidden> Fri, 03 Oct 2025 09:35:24 -0400
Source diff to previous version
CVE-2025-59362 Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This occurs in asn_build_objid in lib/snmplib/asn1.c.

Version: 5.9-0ubuntu0.22.04.2 2024-07-22 13:07:03 UTC

  squid (5.9-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in ESI processing using multi-byte characters
    - debian/patches/CVE-2024-37894.patch: fix variable datatype to handle
      variables names outside standard ASCII characters
    - CVE-2024-37894

 -- Vyom Yadav <email address hidden> Tue, 09 Jul 2024 15:49:37 +0530
Source diff to previous version
CVE-2024-37894 Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid i

Version: 5.9-0ubuntu0.22.04.1 2024-07-04 22:07:06 UTC

  squid (5.9-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream version 5.9 (LP: #2040470):
    - mgr:index URL do not produce MGR_INDEX template
    - Block all non-localhost requests by default
    - Block to-localhost, to-link-local requests by default
    - ext_kerberos_ldap_group_acl: Support -b with -D
    - For a comprehensive list of changes, please see
      http://www.squid-cache.org/Versions/v5/ChangeLog.html.
  * Refresh patches:
    - d/p/0001-Default-configuration-file-for-debian.patch
    - d/p/CVE-{2023-5824-1,2024-25111}.patch
  * d/p/0001-Default-configuration-file-for-debian.patch: Comment
    disruptive upstream changes introduced because of upstream bug
    #5241.
  * d/NEWS: Write news entry regarding the decision to comment out the
    more strict defaults for connection to localhost and link-local
    networks.

 -- Sergio Durigan Junior <email address hidden> Wed, 03 Apr 2024 12:31:46 -0400
2040470 Upstream microrelease of squid 5.9


About   -   Send Feedback to @ubuntu_updates