Date: Wed, 22 Oct 2025 15:28:37 +0200
Subject: Re: [PATCH] proxy.cgi: Mitigation for CVE-2025-62168 on squid
To: development@lists.ipfire.org
References: <20251020104829.2151809-1-adolf.belka@ipfire.org>
 <0bfb7746-bd76-487c-a489-b6e66a0d24f6@ipfire.org>
 <1AEDBC18-8794-438F-9475-5650A43152C3@ipfire.org>
Content-Language: en-US
From: Matthias Fischer
In-Reply-To: <1AEDBC18-8794-438F-9475-5650A43152C3@ipfire.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On 22.10.2025 12:10, Michael Tremer wrote:
> Hello Matthias,

Hi Michael,

> Thanks for looking into this. It seems that we have a bit of work on our hands, but doesn’t sound too bad after all.

As far as I can see by now, adjusting the UI could be sufficient. IMHO.

Since my last post, v7.2 is running without any problems or logged errors. I even activated 'privoxy' for testing - which the old 'squid' didn't really like - and got no problems.

See further comments below.

>> On 20 Oct 2025, at 20:44, Matthias Fischer wrote:
>>
>> Hi,
>>
>> On 20.10.2025 12:48, Adolf Belka wrote:
>>> - The full fix for CVE-2025-62168 is in version squid-7.2
>>> - However there are a lot of changes in squid from version 6 to 7 with all the error language files no longer provided directly, they have to be obtained from separate language packs now. Also several tools like cachemgr.cgi have been removed as the options can be obtained via different approaches.
>>> - I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some time to be sure it is working properly.
>>> - In the interim, this patch adds the mitigation "email_err_data off" into squid.conf that is referenced in the CVE report.
>>> - If someone else has already worked on squid-7.2 and has it ready to go now or soon, then this patch can be dropped.
>>
>> Yes, I did it - and I'm testing it with Core 197:
>>
>> ...
>> 2025/10/20 19:52:50 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
>> 2025/10/20 19:52:50 kid1| Current Directory is /
>> 2025/10/20 19:52:50 kid1| Starting Squid Cache version 7.2 for x86_64-pc-linux-gnu...
>> ...
>>
>> But I don't really trust the new 'squid' yet. Building was simple - I only changed version and checksum in the existing lfs-file, that's all it needed. And a few changes in the rootfile - as Adolf wrote, several tools have been removed. By the way: in the current v7.2, the "error language files" are included, no need to download them separately! So upgrading was easy, but... ;-)
>>
>> Right now, it's running without any visible problems. What bothers me is that the 'proxy.cgi' needs to be adjusted. This seems to be a bit tricky and I won't have the time for this in the near future. Even if my original 'squid.conf' works fine I don't know what happens if someone needs the removed "basic_smb_lm_auth and ntlm_smb_lm_auth helpers" (e.g. from changelog) and clicks on "Save and restart"...
>>
>> Other changes (v7.0.1):
>> - Remove Edge Side Include (ESI) protocol
>> - Remove Ident protocol support
>> - Remove cache_object protocol support
>> - Remove cachemgr.cgi tool
>> - Remove tool 'purge' for management of UFS/AUFS/DiskD caches
>> - Remove squidclient
>> And the list goes on...
>
> Let’s go through this one by one...
>
> - Remove Edge Side Include (ESI) protocol
>
> We don’t use this as far as I can see.
>
> - Remove Ident protocol support
>
> We have the option, but hopefully nobody is using this any more. We will have to remove it from the UI, mention it in the changelog and done.

This is something I'm not so familiar with: how do we remove "ident protocol support" from 'proxy.cgi'!? This CGI is...huge...to say the least. ;-)

At a quick glance I find 137 lines of code containing "ident". E.g., I find "my $identdir =", "my $identhosts =", various $proxysettings. Can all these entries and lines be deleted?

For example, what has to be done with code blocks as starting at line 438:

...
if (!($proxysettings{'AUTH_METHOD'} eq 'none')) {
    unless (($proxysettings{'AUTH_METHOD'} eq 'ident') &&
...

and 1704:

...
if (!($proxysettings{'AUTH_METHOD'} eq 'none')) {
    if (!($proxysettings{'AUTH_METHOD'} eq 'ident')) {
        print <
...

> - Remove cache_object protocol support
>
> We should not be using this.
>
> - Remove cachemgr.cgi tool
>
> This is installed and linked on the web UI. We will have to remove this too.

This could be easier...

> - Remove tool 'purge' for management of UFS/AUFS/DiskD caches
>
> This is installed, but we don’t call it.

Same as above.

> - Remove squidclient
>
> Installed, but also not used.
>
> - Remove disabled classful networks code
>
> I don’t know what this could possibly mean. I don’t think it is referring to parsing the ACLs, but if it does, we will find out about it very quickly.
>
> - Remove dead Multicast Miss Stream feature
> - Remove broken and disabled icpPktDump()
> - Remove deprecated string memory pools API
>
> Since these are all dead and broken, we should not worry about them at all.
>
>> A change in v7.2 ("Bug 5504: Document that Squid discards invalid rewrite-url") made an acl necessary (url_rewrite_access deny CONNECT) because 'squid.conf' was suddenly flooded with errors: "URL-rewrite produces invalid request: CONNECT http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif HTTP/1.1 current master transaction: master53"
>> And the v7.1 didn't run at all, because of similar problems with the urlfilter. Hm...
>
> That is not good. But testing will tell us more about where this is going wrong.
>
>> So I would recommend that we adjust the 'proxy.cgi' accordingly and test very carefully, before we upgrade 'squid' to 7.2. I'll test and report...
>
> Would you like to create a branch and submit the changes one by one?

I can try - but it will take a while. We will go on vacation for the next two weeks and since my wife is unfortunately seriously ill, I don't have as much time for projects like this as I used to. When we're back, I'll take a look and if in doubt, I will ask.

By the way - wouldn't it also make sense to remove the still contained 'clamav'-entries? I'll see what I can do. ;-)

Best
Matthias

> -Michael
>
>>
>> Jm2c - Regards
>> Matthias
>>> Signed-off-by: Adolf Belka >>> --- >>> html/cgi-bin/proxy.cgi | 1 + >>> 1 file changed, 1 insertion(+) >>> >>> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi >>> index fdb7c6a77..f0547e249 100644 >>> --- a/html/cgi-bin/proxy.cgi >>> +++ b/html/cgi-bin/proxy.cgi >>> @@ -3109,6 +3109,7 @@ sub writeconfig >>> shutdown_lifetime 5 seconds >>> icp_port 0 >>> httpd_suppress_version_string on >>> +email_err_data off >>> >>> END >>> ; >> >> > >
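Review bot: neither the hunk nor the commit message says how existing installations pick up the new email_err_data off line; because it is emitted only inside the squid.conf heredoc in sub writeconfig (the END terminator follows it), it reaches the running /etc/squid/squid.conf only when that template is next written out, so the update should trigger a configuration rewrite and a Squid reload, or the changelog should tell users to save the proxy page once. A one-line note in the commit message on what the directive changes relative to Squid's default (email_err_data on) would also make clear why the line must be kept when the squid 7.2 template is reworked.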
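The patch above adds one squid.conf directive, and the thread lists Squid 7 removals (Ident support among them) that proxy.cgi still emits. The script below is an added example, not part of this thread, of IPFire, or of Squid: it parses a squid.conf, verifies that the CVE-2025-62168 mitigation is present and set to off, and flags the Ident directives and acl types that a Squid 7 upgrade would leave unrecognized. It assumes, as Squid's own configuration documentation states, that the default is email_err_data on and that the last occurrence of a directive wins; the directive names ident_lookup_access and ident_timeout and the acl types ident and ident_regex are Squid 6 names. The sample configuration is constructed and only mirrors the tail of the template the patch touches.

```python
import sys

# Constructed sample squid.conf, modelled on the tail of the template that
# proxy.cgi's writeconfig emits (see the patch), plus two Ident lines that a
# Squid 6 configuration could still contain.
SAMPLE_CONF = """\
http_port 192.168.0.1:800
acl CONNECT method CONNECT
# Ident support was removed in Squid 7
acl ident_users ident REQUIRED
ident_lookup_access allow all
url_rewrite_access deny CONNECT
shutdown_lifetime 5 seconds
icp_port 0
httpd_suppress_version_string on
email_err_data off
"""

# Squid 6 directives that configure Ident lookups (gone in Squid 7).
IDENT_DIRECTIVES = {"ident_lookup_access", "ident_timeout"}


def parse_directives(text):
    """Return (lineno, directive, args) for every non-blank, non-comment line."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. trailing ones
        if not line:
            continue
        parts = line.split()
        out.append((lineno, parts[0], parts[1:]))
    return out


def check_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    directives = parse_directives(text)

    # 1. CVE-2025-62168 mitigation: email_err_data must be present and 'off'.
    #    Assumption: Squid defaults to 'on' when the directive is absent, and
    #    if it appears more than once the last occurrence wins.
    values = [args for _, name, args in directives if name == "email_err_data"]
    if not values:
        findings.append("missing: email_err_data off (Squid defaults to on)")
    elif values[-1][:1] != ["off"]:
        findings.append(f"email_err_data is {' '.join(values[-1])!r}, expected off")

    # 2. Ident usage that Squid 7 no longer understands.
    for lineno, name, args in directives:
        if name in IDENT_DIRECTIVES:
            findings.append(f"line {lineno}: {name} uses Ident, removed in Squid 7")
        elif name == "acl" and len(args) >= 2 and args[1] in ("ident", "ident_regex"):
            findings.append(f"line {lineno}: acl {args[0]} of type {args[1]}, removed in Squid 7")
    return findings


if __name__ == "__main__":
    # Usage: check_squid_conf.py [/etc/squid/squid.conf]; without a path the
    # constructed sample is checked.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    for finding in check_conf(text):
        print(finding)
```

Run against the generated /etc/squid/squid.conf after saving the proxy page, it confirms the mitigation actually reached the file (the patch only changes the template) and lists the Ident lines that have to disappear from proxy.cgi before the 7.2 upgrade.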