public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH] proxy.cgi: Mitigation for CVE-2025-62168 on squid
Date: Mon, 20 Oct 2025 12:48:29 +0200
Message-ID: <20251020104829.2151809-1-adolf.belka@ipfire.org>

- The full fix for CVE-2025-62168 is in version squid-7.2
- However, there are a lot of changes in squid from version 6 to 7, with all the error
   language files no longer provided directly; they have to be obtained from separate
   language packs now. Also, several tools like cachemgr.cgi have been removed, as the
   options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
   time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
   that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon,
   then this patch can be dropped.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/proxy.cgi | 1 +
 1 file changed, 1 insertion(+)

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index fdb7c6a77..f0547e249 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3109,6 +3109,7 @@ sub writeconfig
 shutdown_lifetime 5 seconds
 icp_port 0
 httpd_suppress_version_string on
+email_err_data off
 
 END
 	;
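
Review bot: The added `email_err_data off` line in the `writeconfig` heredoc has nothing in the generated squid.conf marking it as the interim mitigation for CVE-2025-62168, so after the squid-7.2 upgrade nobody reading the file will know why it is there or whether it can be revisited. Consider emitting a comment line directly above it, for example `# Mitigation for CVE-2025-62168 (full fix in squid-7.2)`. Since the directive is only written when `writeconfig` runs, it is also worth confirming that updated systems regenerate squid.conf and reload the proxy; otherwise existing installations keep running without the setting until the proxy page is next saved.
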
-- 
2.51.1.dirty


