is still reporting vulnerabilities even on a current / the most recent version 6.5 of Squid and there is no need for any update to the VT because many of these vulnerabilities (currently: 32) are not fixed yet by the Squid team / project.
But the problem is that in the higher versions these security vulnerabilities are addressed, as per Security Overview · squid-cache/squid · GitHub, and if all versions of Squid are marked as vulnerable, how can I prove to an auditor that the vulnerability is patched if my scanner still shows it?
I do understand that it is very difficult to keep track of all of these, but I think that versions should be tagged individually rather than as a blanket.
Only a few of these security vulnerabilities are addressed, not all of them, and thus the report is valid and there is no fix available for the other remaining 32 ones (e.g. the mentioned SQUID-2023:3 released recently fixed only a single one out of the initial 35 open / reported vulnerabilities).
In short:
Even the most recent version 6.5 of Squid is affected by the remaining 32 vulnerabilities
There is no fix available for these yet
Reporting all versions of Squid as vulnerable against the remaining 32 vulnerabilities is expected / correct for the reasons outlined previously
It probably will take a few more months until the project / vendor will be able to fix the remaining open 32 vulnerabilities