Message-ID: <0bfb7746-bd76-487c-a489-b6e66a0d24f6@ipfire.org>
Date: Mon, 20 Oct 2025 21:44:23 +0200
Subject: Re: [PATCH] proxy.cgi: Mitigation for CVE-2025-62168 on squid
To: development@lists.ipfire.org
References: <20251020104829.2151809-1-adolf.belka@ipfire.org>
From: Matthias Fischer
In-Reply-To: <20251020104829.2151809-1-adolf.belka@ipfire.org>

Hi,

On 20.10.2025 12:48, Adolf Belka wrote:
> - The full fix for CVE-2025-62168 is in version squid-7.2
> - However there are a lot of changes in squid from version 6 to 7 with all the error
> language files no longer provided directly, they have to be obtained from separate
> language packs now. Also several tools like cachemgr.cgi have been removed as the
> options can be obtained via different approaches.
> - I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
> time to be sure it is working properly.
> - In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
> that is referenced in the CVE report.
> - If someone else has already worked on squid-7.2 and has it ready to go now or soon,
> then this patch can be dropped.

Yes, I did it - and I'm testing it with Core 197:

...
2025/10/20 19:52:50 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2025/10/20 19:52:50 kid1| Current Directory is /
2025/10/20 19:52:50 kid1| Starting Squid Cache version 7.2 for x86_64-pc-linux-gnu...
...

But I don't really trust the new 'squid' yet.

Building was simple - I only changed version and checksum in the existing lfs-file, that's all it needed. And a few changes in the rootfile - as Adolf wrote, several tools have been removed.

By the way: in the current v7.2, the "error language files" are included, no need to download them separately!

So upgrading was easy, but... ;-)

Right now, it's running without seen problems.

What bothers me is that the 'proxy.cgi' needs to be adjusted. This seems to be a bit tricky and I won't have the time for this in the near future.

Even if my original 'squid.conf' works fine, I don't know what happens if someone needs the removed "basic_smb_lm_auth and ntlm_smb_lm_auth helpers" (e.g. from changelog) and clicks on "Save and restart"...

Other changes (v7.0.1):
- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient

And the list goes on...

A change in v7.2 ("Bug 5504: Document that Squid discards invalid rewrite-url") made an acl necessary (url_rewrite_access deny CONNECT) because 'squid.conf' was suddenly flooded with errors:

"URL-rewrite produces invalid request: CONNECT http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif HTTP/1.1 current master transaction: master53"

And the v7.1 didn't run at all, because of similar problems with the urlfilter.

Hm...

So I would recommend that we adjust the 'proxy.cgi' accordingly and test very carefully, before we upgrade 'squid' to 7.2.

I'll test and report...

Jm2c -
Regards
Matthias

> Signed-off-by: Adolf Belka
> ---
> html/cgi-bin/proxy.cgi | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index fdb7c6a77..f0547e249 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -3109,6 +3109,7 @@ sub writeconfig
> shutdown_lifetime 5 seconds
> icp_port 0
> httpd_suppress_version_string on
> +email_err_data off
>
> END
> ;
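Review bot: the directive is only emitted from `sub writeconfig`, so an installed system keeps its existing squid.conf (with Squid's default of `email_err_data on`) until someone re-saves the proxy page; the update that ships this change should regenerate squid.conf, or the mitigation will not reach most installations. It would also help to emit a comment line above `+email_err_data off`, e.g. `# Mitigation for CVE-2025-62168, keep until squid >= 7.2`, so the setting is not dropped later as a stray default.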
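A small checker for the two settings the thread discusses, the `email_err_data off` mitigation and the `url_rewrite_access deny CONNECT` acl, plus a counter for the "URL-rewrite produces invalid request" lines in cache.log. It is an added example, not code from IPFire or from this thread; the squid.conf excerpt, the log lines and the rewriter path are constructed.

```python
import re
from collections import Counter

# Constructed excerpt of a generated squid.conf (not IPFire's real output).
SAMPLE_CONF = """\
shutdown_lifetime 5 seconds
httpd_suppress_version_string on
email_err_data off
url_rewrite_program /usr/sbin/redirect_wrapper
url_rewrite_access deny CONNECT
"""

# Constructed cache.log lines modelled on the error quoted in the thread.
SAMPLE_LOG = """\
2025/10/20 19:52:50 kid1| Starting Squid Cache version 7.2 for x86_64-pc-linux-gnu...
2025/10/20 19:53:01 kid1| URL-rewrite produces invalid request: CONNECT http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif HTTP/1.1 current master transaction: master53
2025/10/20 19:53:02 kid1| URL-rewrite produces invalid request: CONNECT http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif HTTP/1.1 current master transaction: master54
"""

def parse_conf(text):
    """Yield (directive, args) for every non-blank, non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield parts[0], parts[1:]

def check_conf(text):
    """Report whether the CVE mitigation and the CONNECT rewrite deny are in place."""
    directives = list(parse_conf(text))
    err_data = [args for d, args in directives if d == "email_err_data"]
    # Squid's default is 'on', so a missing directive counts as NOT mitigated;
    # the last occurrence wins, as in squid.conf itself.
    mitigated = bool(err_data) and err_data[-1][:1] == ["off"]
    has_rewriter = any(d == "url_rewrite_program" for d, _ in directives)
    connect_denied = any(
        d == "url_rewrite_access" and args[:1] == ["deny"] and "CONNECT" in args[1:]
        for d, args in directives)
    # Without a rewriter the deny rule is not needed, so report it as satisfied.
    return {"email_err_data_off": mitigated,
            "rewrite_connect_denied": connect_denied or not has_rewriter}

LOG_RE = re.compile(r"URL-rewrite produces invalid request: (\S+) ")

def invalid_rewrite_methods(log_text):
    """Count the HTTP methods named in 'URL-rewrite produces invalid request' lines."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := LOG_RE.search(line)))

if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF))
    print(invalid_rewrite_methods(SAMPLE_LOG))
```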