UbuntuUpdates.org

Package "squid"

Name: squid

Description:

Full featured Web Proxy cache (HTTP proxy GnuTLS flavour)
Latest version: 6.14-0ubuntu0.25.10.2
Release: questing (25.10)
Level: security
Repository: main
Homepage: http://www.squid-cache.org

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "squid"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "squid" in Questing

Repository Area Version
base main 6.13-1ubuntu4
base universe 6.13-1ubuntu4
security universe 6.14-0ubuntu0.25.10.2
updates universe 6.14-0ubuntu0.25.10.2
updates main 6.14-0ubuntu0.25.10.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 6.14-0ubuntu0.25.10.2 2026-04-08 16:09:18 UTC

  squid (6.14-0ubuntu0.25.10.2) questing-security; urgency=medium

  * SECURITY UPDATE: use-after-free via ICP protocol
    - debian/patches/CVE-2026-32748.patch: fix HttpRequest lifetime for ICP
      v3 queries in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
      src/tests/stub_icp.cc.
    - CVE-2026-32748
  * SECURITY UPDATE: out-of-bounds read via ICP protocol
    - debian/patches/CVE-2026-33515.patch: fix validation of packet sizes
      and URLs in src/ICP.h, src/icp_v2.cc, src/icp_v3.cc,
      src/tests/stub_icp.cc.
    - CVE-2026-33515
  * SECURITY UPDATE: use-after-free via ICP protocol
    - debian/patches/CVE-2026-33526.patch: do not escape malformed URI
      twice when sending ICP errors in src/icp_v2.cc.
    - CVE-2026-33526

 -- Marc Deslauriers <email address hidden> Thu, 02 Apr 2026 13:17:20 -0400
Source diff to previous version
CVE-2026-32748 Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bug
CVE-2026-33515 Squid is a caching proxy for the Web. Prior to version 7.5, due to improper input validation, Squid is vulnerable to out of bounds read when handling
CVE-2026-33526 Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP tr

Version: 6.13-1ubuntu4.1 2025-10-29 00:07:11 UTC

  squid (6.13-1ubuntu4.1) questing-security; urgency=medium

  * SECURITY UPDATE: HTTP Authentication credential leak
    - debian/patches/CVE-2025-62168.patch: Add maskSensitiveInfo parameter to
      pack and pass it to packInto in src/HttpRequest.cc. Add maskSensitiveInfo
      to pack in src/HttpRequest.h. Adapt code with new parameter in
      src/client_side_reply.cc, and src/errorpage.cc. Remove request_hdr NULL
      assign in src/errorpage.h.
    - CVE-2025-62168

 -- Hlib Korzhynskyy <email address hidden> Wed, 22 Oct 2025 14:48:23 -0230
CVE-2025-62168 Squid is a caching proxy for the Web. In Squid versions prior to 7.2, a failure to redact HTTP authentication credentials in error handling allows in


About   -   Send Feedback to @ubuntu_updates