Re: Squid CVE-2026-47729 and CVE-2026-50012

[Rolf Reintjes <rolf.reintjes () web de>]

Am 24.06.2026 um 11:38 schrieb Christian Fischer:
> Hello,
>
> On 6/22/26 8:35 AM, Salvatore Bonaccorso wrote:
> > Hi Amos,
> >
> > On Mon, Jun 15, 2026 at 11:26:10PM +1200, Amos Jeffries wrote:
> > > On 12/06/2026 20:21, Amos Jeffries wrote:
> > > > Hi all,
> > > >
> > > > Squid 7.6 release contains fixes for and releases the embargo on
> > > > CVE-2026-47729 and CVE-2026-50012.
> > >
> > > Apologies, this first one (CVE-2026-47729) embargo is over, but the 
> > > fix will
> > > actually be in Squid 7.7.
> > >
> > > > CVE-2026-47729
> > > >
> > > > Due to a Improper Validation of Syntactic Correctness of Input
> > > > bug, Squid is vulnerable to a Out-of-bounds Read
> > > > attack against the FTP gateway.
> > > >
> > > > This problem allows a trusted client to perform an Out-of-Bounds
> > > > Read from random unrelated transactions when accessing a
> > > > misbehaving FTP server through Squid's gateway feature.
> > > >
> > > > <https://github.com/squid-cache/squid/
> > > > commit/865a131c7d557e68c965043d98c2eccae26deef8.patch>
> >
> > I'm slightly confused about this. The referenced fix is in 7.6. Can
> > you point us to the correct fix in 7.7 for CVE-2026-47729?
> >
> > At least
> > https://github.com/squid-cache/squid/ 
> > commit/865a131c7d557e68c965043d98c2eccae26deef8
> > matches as well the followup from Alan.
>
> Official advisories for both CVEs seems to be available now:
> - https://github.com/squid-cache/squid/security/advisories/GHSA-8c37- 
> pxjq-qwrg
> - https://github.com/squid-cache/squid/security/advisories/ 
> GHSA-5vmx-9x64-9284
>
> For CVE-2026-47729 the advisory now also lists versions < 7.6 as fixed 
> not < 7.7.

I think >= 7.6 would be correct.