On 6/15/26 04:26, Amos Jeffries wrote:
> On 12/06/2026 20:21, Amos Jeffries wrote:
>> Hi all,
>>
>> Squid 7.6 release contains fixes for and releases the embargo on
>> CVE-2026-47729 and CVE-2026-50012.
>
> Apologies, this first one (CVE-2026-47729) embargo is over, but the fix will
> actually be in Squid 7.7.

A blog was posted about it today:
https://blog.calif.io/p/squidbleed-cve-2026-47729
It says the root cause was a misunderstanding of what the C standard requires:
strchr(w_space, '\0') returns non-NULL per C11 §7.24.5.2 (terminating NUL
is part of the string).
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
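
The C behaviour cited in the message above, shown as an added example (constructed for illustration; it is not Squid's code and not part of the original message). The contents of `w_space`, the buffer and all function names are assumptions; the example contrasts a whitespace skipper that trusts `strchr() != NULL` with two forms that stop at the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Assumed contents for illustration; the message names w_space but not its value. */
static const char w_space[] = " \t\n\r";

/* Constructed input: a string of 3 whitespace bytes and its NUL, followed by
 * bytes that sit after the end of that string in the same array. */
static const char demo_buf[8] = { ' ', '\t', ' ', '\0', ' ', ' ', 'X', '\0' };

/* Returns 1 if strchr() finds '\0' and the hit is w_space's own terminator. */
static int strchr_matches_nul(void)
{
    const char *hit = strchr(w_space, '\0');
    return hit != NULL && hit == w_space + strlen(w_space);
}

/* Flawed idiom: "strchr() != NULL" read as "is whitespace". The terminator
 * also matches, so the scan does not stop at the end of the string. `cap`
 * keeps this demo inside demo_buf; real code with this flaw has no such bound. */
static size_t skip_naive(const char *buf, size_t cap)
{
    size_t i = 0;
    while (i < cap && strchr(w_space, buf[i]) != NULL)
        i++;
    return i;
}

/* Corrected idiom: reject the terminator before consulting strchr(). */
static size_t skip_checked(const char *buf, size_t cap)
{
    size_t i = 0;
    while (i < cap && buf[i] != '\0' && strchr(w_space, buf[i]) != NULL)
        i++;
    return i;
}

/* strspn() never counts the terminator, so it gives the same safe result. */
static size_t skip_strspn(const char *buf) { return strspn(buf, w_space); }

int main(void)
{
    printf("strchr matches NUL: %d\n", strchr_matches_nul());
    printf("naive skip:   %zu bytes\n", skip_naive(demo_buf, sizeof demo_buf));
    printf("checked skip: %zu bytes\n", skip_checked(demo_buf, sizeof demo_buf));
    printf("strspn skip:  %zu bytes\n", skip_strspn(demo_buf));
    return 0;
}
```
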