From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] proxy.cgi: Mitigation for CVE-2025-62168 on squid
Date: Mon, 20 Oct 2025 12:48:29 +0200
Message-ID: <20251020104829.2151809-1-adolf.belka@ipfire.org>

- The full fix for CVE-2025-62168 is in version squid-7.2
- However, there are a lot of changes in squid from version 6 to 7, with all the error language files no longer provided directly; they have to be obtained from separate language packs now. Also, several tools like cachemgr.cgi have been removed, as the options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon, then this patch can be dropped.

Signed-off-by: Adolf Belka
--- html/cgi-bin/proxy.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index fdb7c6a77..f0547e249 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -3109,6 +3109,7 @@ sub writeconfig shutdown_lifetime 5 seconds icp_port 0 httpd_suppress_version_string on +email_err_data off END ; -- 2.51.1.dirty
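
Review bot: The added "email_err_data off" line in sub writeconfig only reaches squid.conf when writeconfig next runs, and this patch touches proxy.cgi alone, so as far as the visible lines show, systems that are already deployed keep their current squid.conf without the mitigation until the proxy settings are saved again. Please state in the commit message how the regenerated config gets onto existing installs (for example, the update regenerating squid.conf and restarting squid), or add that step to the series. A smaller point: the directive lands in the generated config with nothing marking it as an interim mitigation for CVE-2025-62168, so a short comment next to it would help whoever does the squid-7.2 upgrade decide whether the line should stay.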