Version in base suite: 6.13-2+deb13u1 Base version: squid_6.13-2+deb13u1 Target version: squid_6.13-2+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/squid/squid_6.13-2+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/squid/squid_6.13-2+deb13u2.dsc changelog | 9 ++ patches/CVE-2026-33515.patch | 166 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-33526.patch | 16 ++++ patches/CVE-2026-47729.patch | 26 ++++++ patches/CVE-2026-50012.patch | 27 ++++++ patches/series | 4 + 6 files changed, 248 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmplqwd6z8c/squid_6.13-2+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmplqwd6z8c/squid_6.13-2+deb13u2.dsc: no acceptable signature found diff -Nru squid-6.13/debian/changelog squid-6.13/debian/changelog --- squid-6.13/debian/changelog 2025-10-26 08:31:13.000000000 +0000 +++ squid-6.13/debian/changelog 2026-06-19 15:54:19.000000000 +0000 @@ -1,3 +1,12 @@ +squid (6.13-2+deb13u2) trixie-security; urgency=medium + + * CVE-2026-33515 + * CVE-2026-33526 + * CVE-2026-47729 + * CVE-2026-50012 + + -- Moritz Mühlenhoff Fri, 19 Jun 2026 18:54:11 +0200 + squid (6.13-2+deb13u1) trixie-security; urgency=high * Non Maintainer Upload by LTS team diff -Nru squid-6.13/debian/patches/CVE-2026-33515.patch squid-6.13/debian/patches/CVE-2026-33515.patch --- squid-6.13/debian/patches/CVE-2026-33515.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-6.13/debian/patches/CVE-2026-33515.patch 2026-06-19 14:04:28.000000000 +0000 @@ -0,0 +1,166 @@ +From 8138e909d2058d4401e0ad49b583afaec912b165 Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Thu, 12 Feb 2026 20:28:43 +0000 +Subject: [PATCH] ICP: Fix validation of packet sizes and URLs (#2220) + +--- squid-6.13.orig/src/ICP.h ++++ squid-6.13/src/ICP.h +@@ -89,8 +89,12 @@ extern Comm::ConnectionPointer icpIncomi + extern Comm::ConnectionPointer icpOutgoingConn; + extern Ip::Address theIcpPublicHostID; + ++/// A URI extracted from the given raw packet buffer. ++/// On errors, details the problem and returns nil. ++const char *icpGetUrl(const Ip::Address &from, const char *, const icp_common_t &); ++ + /// \ingroup ServerProtocolICPAPI +-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from); ++HttpRequest *icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from); + + /// \ingroup ServerProtocolICPAPI + bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request); +@@ -102,7 +106,7 @@ void icpCreateAndSend(icp_opcode, int fl + icp_opcode icpGetCommonOpcode(); + + /// \ingroup ServerProtocolICPAPI +-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd); ++void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd); + + /// \ingroup ServerProtocolICPAPI + PF icpHandleUdp; +--- squid-6.13.orig/src/icp_v2.cc ++++ squid-6.13/src/icp_v2.cc +@@ -425,7 +425,7 @@ icpCreateAndSend(icp_opcode opcode, int + } + + void +-icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd) ++icpDenyAccess(const Ip::Address &from, const char * const url, const int reqnum, const int fd) + { + debugs(12, 2, "icpDenyAccess: Access Denied for " << from << " by " << AclMatchedName << "."); + +@@ -453,8 +453,41 @@ icpAccessAllowed(Ip::Address &from, Http + return checklist.fastCheck().allowed(); + } + ++const char * ++icpGetUrl(const Ip::Address &from, const char * const buf, const icp_common_t &header) ++{ ++ const auto receivedPacketSize = static_cast(header.length); ++ const auto payloadOffset = sizeof(header); ++ ++ // Query payload contains a "Requester Host Address" followed by a URL. ++ // Payload of other ICP packets (with opcode that we recognize) is a URL. ++ const auto urlOffset = payloadOffset + ((header.opcode == ICP_QUERY) ? sizeof(uint32_t) : 0); ++ ++ // A URL field cannot be empty because it includes a terminating NUL char. ++ // Ensure that the packet has at least one URL field byte. ++ if (urlOffset >= receivedPacketSize) { ++ debugs(12, 3, "too small packet from " << from << ": " << urlOffset << " >= " << receivedPacketSize); ++ return nullptr; ++ } ++ ++ // All ICP packets (with opcode that we recognize) _end_ with a URL field. ++ // RFC 2186 requires all URLs to be "Null-Terminated". ++ if (buf[receivedPacketSize - 1] != '\0') { ++ debugs(12, 3, "unterminated URL or trailing garbage from " << from); ++ return nullptr; ++ } ++ ++ const auto url = buf + urlOffset; // a possibly empty c-string ++ if (urlOffset + strlen(url) + 1 != receivedPacketSize) { ++ debugs(12, 3, "URL with an embedded NUL or trailing garbage from " << from); ++ return nullptr; ++ } ++ ++ return url; ++} ++ + HttpRequest * +-icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from) ++icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::Address &from) + { + if (strpbrk(url, w_space)) { + url = rfc1738_escape(url); +@@ -472,13 +505,18 @@ icpGetRequest(char *url, int reqnum, int + } + + static void +-doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header) ++doV2Query(const int fd, Ip::Address &from, const char * const buf, icp_common_t header) + { + int rtt = 0; + int src_rtt = 0; + uint32_t flags = 0; +- /* We have a valid packet */ +- char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t); ++ ++ const auto url = icpGetUrl(from, buf, header); ++ if (!url) { ++ icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr); ++ return; ++ } ++ + HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from); + + if (!icp_request) +@@ -545,7 +583,9 @@ icp_common_t::handleReply(char *buf, Ip: + neighbors_do_private_keys = 0; + } + +- char *url = buf + sizeof(icp_common_t); ++ const auto url = icpGetUrl(from, buf, *this); ++ if (!url) ++ return; + debugs(12, 3, "icpHandleIcpV2: " << icp_opcode_str[opcode] << " from " << from << " for '" << url << "'"); + + const cache_key *key = icpGetCacheKey(url, (int) reqnum); +@@ -680,7 +720,10 @@ icpHandleUdp(int sock, void *) + + icp_version = (int) buf[1]; /* cheat! */ + +- if (icpOutgoingConn->local == from) ++ // XXX: The IP equality comparison below ignores port differences but ++ // should not. It also fails to detect loops when `local` is a wildcard ++ // address (e.g., [::]:3130) because `from` address is never a wildcard. ++ if (icpOutgoingConn && icpOutgoingConn->local == from) + // ignore ICP packets which loop back (multicast usually) + debugs(12, 4, "icpHandleUdp: Ignoring UDP packet sent by myself"); + else if (icp_version == ICP_VERSION_2) +--- squid-6.13.orig/src/icp_v3.cc ++++ squid-6.13/src/icp_v3.cc +@@ -32,10 +32,14 @@ public: + + /// \ingroup ServerProtocolICPInternal3 + static void +-doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header) ++doV3Query(int fd, Ip::Address &from, const char * const buf, icp_common_t header) + { +- /* We have a valid packet */ +- char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t); ++ const auto url = icpGetUrl(from, buf, header); ++ if (!url) { ++ icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr); ++ return; ++ } ++ + HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from); + + if (!icp_request) +--- squid-6.13.orig/src/tests/stub_icp.cc ++++ squid-6.13/src/tests/stub_icp.cc +@@ -29,11 +29,12 @@ Comm::ConnectionPointer icpIncomingConn; + Comm::ConnectionPointer icpOutgoingConn; + Ip::Address theIcpPublicHostID; + +-HttpRequest* icpGetRequest(char *, int, int, Ip::Address &) STUB_RETVAL(nullptr) ++const char *icpGetUrl(const Ip::Address &, const char *, const icp_common_t &) STUB_RETVAL(nullptr) ++HttpRequest* icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(nullptr) + bool icpAccessAllowed(Ip::Address &, HttpRequest *) STUB_RETVAL(false) + void icpCreateAndSend(icp_opcode, int, char const *, int, int, int, const Ip::Address &, AccessLogEntryPointer) STUB + icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID) +-void icpDenyAccess(Ip::Address &, char *, int, int) STUB ++void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB + void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB + void icpConnectionShutdown(void) STUB + int icpSetCacheKey(const cache_key *) STUB_RETVAL(0) diff -Nru squid-6.13/debian/patches/CVE-2026-33526.patch squid-6.13/debian/patches/CVE-2026-33526.patch --- squid-6.13/debian/patches/CVE-2026-33526.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-6.13/debian/patches/CVE-2026-33526.patch 2026-06-19 14:05:16.000000000 +0000 @@ -0,0 +1,16 @@ +From 8a7d42f9d44befb8fcbbb619505587c8de6a1e91 Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Tue, 10 Feb 2026 19:58:49 +0000 +Subject: [PATCH] Do not escape malformed URI twice when sending ICP errors + (#2374) + +--- squid-6.13.orig/src/icp_v2.cc ++++ squid-6.13/src/icp_v2.cc +@@ -490,7 +490,6 @@ HttpRequest * + icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::Address &from) + { + if (strpbrk(url, w_space)) { +- url = rfc1738_escape(url); + icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from, nullptr); + return nullptr; + } diff -Nru squid-6.13/debian/patches/CVE-2026-47729.patch squid-6.13/debian/patches/CVE-2026-47729.patch --- squid-6.13/debian/patches/CVE-2026-47729.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-6.13/debian/patches/CVE-2026-47729.patch 2026-06-19 14:05:58.000000000 +0000 @@ -0,0 +1,26 @@ +From 865a131c7d557e68c965043d98c2eccae26deef8 Mon Sep 17 00:00:00 2001 +From: squidadm +Date: Sun, 17 May 2026 18:04:47 +1200 +Subject: [PATCH] Improve parsing of certain FTP directory listing formats + (#2408) (#2409) + +--- squid-6.13.orig/src/clients/FtpGateway.cc ++++ squid-6.13/src/clients/FtpGateway.cc +@@ -622,7 +622,7 @@ ftpListParseParts(const char *buf, struc + // point after tokens[i+2] : + copyFrom = buf + tokens[i + 2].pos + strlen(tokens[i + 2].token); + if (flags.skip_whitespace) { +- while (strchr(w_space, *copyFrom)) ++ while (*copyFrom && strchr(w_space, *copyFrom)) + ++copyFrom; + } else { + /* Handle the following four formats: +@@ -633,7 +633,7 @@ ftpListParseParts(const char *buf, struc + * Assuming a single space between date and filename + * suggested by: Nathan.Bailey@cc.monash.edu.au and + * Mike Battersby */ +- if (strchr(w_space, *copyFrom)) ++ if (*copyFrom && strchr(w_space, *copyFrom)) + ++copyFrom; + } + diff -Nru squid-6.13/debian/patches/CVE-2026-50012.patch squid-6.13/debian/patches/CVE-2026-50012.patch --- squid-6.13/debian/patches/CVE-2026-50012.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-6.13/debian/patches/CVE-2026-50012.patch 2026-06-19 14:06:57.000000000 +0000 @@ -0,0 +1,27 @@ +From 19fcfe922717c8b255270c032dcde4071c003bcd Mon Sep 17 00:00:00 2001 +From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com> +Date: Sat, 30 May 2026 10:16:33 +0000 +Subject: [PATCH] Harden peerDigestSwapInMask against invalid cache digest + reply (#2423) + +From 2c89b9b4054ad14ea191bc7cd35f969feba8df53 Mon Sep 17 00:00:00 2001 +From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com> +Date: Tue, 2 Jun 2026 20:53:07 +0000 +Subject: [PATCH] Fix -Wsign-compare on arm32 (#2432) + + +--- squid-6.13.orig/src/peer_digest.cc ++++ squid-6.13/src/peer_digest.cc +@@ -622,6 +622,12 @@ peerDigestSwapInMask(void *data, char *b + * NOTENOTENOTENOTENOTE: buf doesn't point to pd->cd->mask anymore! + * we need to do the copy ourselves! + */ ++ Assure(size >= 0); ++ Assure(pd->cd->mask_size >= fetch->mask_offset); ++ if (static_cast(size) > pd->cd->mask_size - fetch->mask_offset) { ++ peerDigestFetchAbort(fetch, buf, "peer digest mask data too large"); ++ return -1; ++ } + memcpy(pd->cd->mask + fetch->mask_offset, buf, size); + + /* NOTE! buf points to the middle of pd->cd->mask! */ diff -Nru squid-6.13/debian/patches/series squid-6.13/debian/patches/series --- squid-6.13/debian/patches/series 2025-10-26 08:31:13.000000000 +0000 +++ squid-6.13/debian/patches/series 2026-06-19 14:06:29.000000000 +0000 @@ -4,3 +4,7 @@ 0006-upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch CVE-2025-62168.patch CVE-2025-59362.patch +CVE-2026-33515.patch +CVE-2026-33526.patch +CVE-2026-47729.patch +CVE-2026-50012.patch