* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 018db0afbc778057f2fe03dfdbb2f03c05e5c1bd
@ 2025-10-22 10:02 Michael Tremer
From: Michael Tremer @ 2025-10-22 10:02 UTC
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 018db0afbc778057f2fe03dfdbb2f03c05e5c1bd (commit)
via e99655e9c77c67b19fdf10575755b8d4f392570e (commit)
from d451f131ff19cc090d78712adc9309dd5bed2990 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 018db0afbc778057f2fe03dfdbb2f03c05e5c1bd
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Oct 22 10:01:53 2025 +0000
core198: Update squid.conf and reload
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e99655e9c77c67b19fdf10575755b8d4f392570e
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Mon Oct 20 12:48:29 2025 +0200
proxy.cgi: Mitigation for CVE-2025-62168 on squid
- The full fix for CVE-2025-62168 is in version squid-7.2
- However there are a lot of changes in squid from version 6 to 7 with all the error
language files no longer provided directly, they have to be obtained from separate
language packs now. Also several tools like cachemgr.cgi have been removed as the
options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon,
then this patch can be dropped.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/198/filelists/files | 1 +
config/rootfiles/core/198/update.sh | 4 ++++
html/cgi-bin/proxy.cgi | 1 +
3 files changed, 6 insertions(+)
Difference in files:
diff --git a/config/rootfiles/core/198/filelists/files b/config/rootfiles/core/198/filelists/files
index 709788ae8..bc82e6c2a 100644
--- a/config/rootfiles/core/198/filelists/files
+++ b/config/rootfiles/core/198/filelists/files
@@ -1,6 +1,7 @@
etc/rc.d/init.d/cleanfs
etc/rc.d/init.d/suricata
srv/web/ipfire/cgi-bin/dns.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
var/ipfire/graphs.pl
var/ipfire/header.pl
var/ipfire/ids-functions.pl
diff --git a/config/rootfiles/core/198/update.sh b/config/rootfiles/core/198/update.sh
index bb08f493e..12c1d5bf0 100644
--- a/config/rootfiles/core/198/update.sh
+++ b/config/rootfiles/core/198/update.sh
@@ -53,6 +53,10 @@ usermod -a -G mail suricata
chmod 640 /var/ipfire/dma/auth.conf
chown nobody:mail /var/ipfire/dma/auth.conf
+# Upgrade the proxy configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi
+/etc/init.d/squid reload
+
# update linker config
ldconfig
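Review bot: The `/etc/init.d/squid reload` line in this update.sh hunk runs whether or not the preceding `sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi` call succeeded. If the CGI run fails, squid is reloaded against the old squid.conf and the update gives no sign that the mitigation line was not written. Consider chaining the two, for example `sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi && /etc/init.d/squid reload`, and extending the `# Upgrade the proxy configuration` comment to say that the CGI is run to regenerate squid.conf for the CVE-2025-62168 mitigation.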
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index fdb7c6a77..f0547e249 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3109,6 +3109,7 @@ sub writeconfig
shutdown_lifetime 5 seconds
icp_port 0
httpd_suppress_version_string on
+email_err_data off
END
;
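Review bot: The added `email_err_data off` line in the writeconfig heredoc has nothing marking it as an interim mitigation for CVE-2025-62168. The commit message says the full fix is in squid-7.2 and that this patch can be dropped once that upgrade is ready, so a comment line in the generated config just above the directive, such as `# Interim mitigation for CVE-2025-62168, revisit with squid-7.2`, would make the setting easy to find and reassess at upgrade time.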
hooks/post-receive
--
IPFire 2.x development tree