Hi Amos,

On Mon, Jun 15, 2026 at 11:26:10PM +1200, Amos Jeffries wrote:
> On 12/06/2026 20:21, Amos Jeffries wrote:
> > Hi all,
> >
> > Squid 7.6 release contains fixes for and releases the embargo on
> > CVE-2026-47729 and CVE-2026-50012.
> >
>
> Apologies, this first one (CVE-2026-47729) embargo is over, but the fix will
> actually be in Squid 7.7.
>
> >
> > CVE-2026-47729
> >
> > Due to an Improper Validation of Syntactic Correctness of Input
> > bug, Squid is vulnerable to an Out-of-bounds Read
> > attack against the FTP gateway.
> >
> > This problem allows a trusted client to perform an Out-of-Bounds
> > Read from random unrelated transactions when accessing a
> > misbehaving FTP server through Squid's gateway feature.
> >
> > <https://github.com/squid-cache/squid/commit/865a131c7d557e68c965043d98c2eccae26deef8.patch>

I'm slightly confused about this. The referenced fix is in 7.6. Can
you point us to the correct fix in 7.7 for CVE-2026-47729?

At least
https://github.com/squid-cache/squid/commit/865a131c7d557e68c965043d98c2eccae26deef8
matches as well the followup from Alan.

Regards,
Salvatore
