On 12/06/2026 20:21, Amos Jeffries wrote:
Hi all,
Squid 7.6 release contains fixes for and releases the embargo on
CVE-2026-47729 and CVE-2026-50012.
Apologies, the embargo on this first one (CVE-2026-47729) is over, but the fix
will actually be in Squid 7.7.
CVE-2026-47729
Due to an Improper Validation of Syntactic Correctness of Input
bug, Squid is vulnerable to an Out-of-bounds Read
attack against the FTP gateway.
This problem allows a trusted client to perform an Out-of-Bounds
Read from random unrelated transactions when accessing a
misbehaving FTP server through Squid's gateway feature.
<https://github.com/squid-cache/squid/commit/865a131c7d557e68c965043d98c2eccae26deef8.patch>