squid-5.5-22.el9_7.4

エラータID: AXSA:2026-387:02

Release date: 
Thursday, April 2, 2026 - 17:36
Subject: 
squid-5.5-22.el9_7.4
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects.

Security Fix(es):

* squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)
* Squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-32748
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
CVE-2026-33526
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.

Solution: 

Update packages.

CVEs: 
CVE-2026-32748
Squid is a caching proxy for the Web. Prior to version 7.5, due to premature release of resource during expected lifetime and heap Use-After-Free bugs, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. This bug is fixed in Squid version 7.5.
CVE-2026-33526
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.
Additional Info: 

N/A

Download: 

SRPMS
  1. squid-5.5-22.el9_7.4.src.rpm
    MD5: 1fa3ef3d709e7ef34e16ddebce467987
    SHA-256: c8b5ce9488c2690c7d4fb05628bb88b44e29fa4f808a4b6582f3b1a33a1f3557
    Size: 2.68 MB

Asianux Server 9 for x86_64
  1. squid-5.5-22.el9_7.4.x86_64.rpm
    MD5: 941ff871d6576009ee1626757ba264bb
    SHA-256: 20a611fbdd7590ef2891cb8987094317d33f09e0082d403459e628e4f25bf6a3
    Size: 3.80 MB