Version in base suite: 5.7-2+deb12u3 Base version: squid_5.7-2+deb12u3 Target version: squid_5.7-2+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/squid/squid_5.7-2+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/squid/squid_5.7-2+deb12u4.dsc changelog | 6 + patches/CVE-2025-62168.patch | 163 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 170 insertions(+) gpgv: Signature made Mon Aug 18 19:04:32 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: issuer "jmm@debian.org" gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp_xmpv6e5/squid_5.7-2+deb12u3.dsc: no acceptable signature found gpgv: Signature made Wed Oct 29 10:00:59 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp_xmpv6e5/squid_5.7-2+deb12u4.dsc: no acceptable signature found
diff -Nru squid-5.7/debian/changelog squid-5.7/debian/changelog
--- squid-5.7/debian/changelog 2025-08-18 18:41:21.000000000 +0000
+++ squid-5.7/debian/changelog 2025-10-28 23:05:08.000000000 +0000
@@ -1,3 +1,9 @@
+squid (5.7-2+deb12u4) bookworm-security; urgency=medium
+
+ * CVE-2025-62168 (Closes: #1118341)
+
+ -- Moritz Mühlenhoff Wed, 29 Oct 2025 00:05:08 +0100
+
 squid (5.7-2+deb12u3) bookworm-security; urgency=medium
 
 * CVE-2023-5824 / CVE-2025-54574, based on backports done by Marc
diff -Nru squid-5.7/debian/patches/CVE-2025-62168.patch squid-5.7/debian/patches/CVE-2025-62168.patch
--- squid-5.7/debian/patches/CVE-2025-62168.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-5.7/debian/patches/CVE-2025-62168.patch 2025-10-28 23:05:08.000000000 +0000
@@ -0,0 +1,163 @@
+Backported from:
+
+From 0951a0681011dfca3d78c84fd7f1e19c78a4443f Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Sat, 11 Oct 2025 16:33:02 +1300
+Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249)
+
+--- squid-5.7.orig/src/HttpRequest.cc
++++ squid-5.7/src/HttpRequest.cc
+@@ -342,7 +342,7 @@ HttpRequest::swapOut(StoreEntry * e)
+ 
+ /* packs request-line and headers, appends terminator */
+ void
+-HttpRequest::pack(Packable * p) const
++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
+ {
+ assert(p);
+ /* pack request-line */
+@@ -350,8 +350,8 @@ HttpRequest::pack(Packable * p) const
+ SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
+ http_ver.major, http_ver.minor);
+ /* headers */
+- header.packInto(p);
+- /* trailer */
++ header.packInto(p, maskSensitiveInfo);
++ /* indicate the end of the header section */
+ p->append("\r\n", 2);
+ }
+ 
+--- squid-5.7.orig/src/HttpRequest.h
++++ squid-5.7/src/HttpRequest.h
+@@ -206,7 +206,7 @@ public:
+ 
+ void swapOut(StoreEntry * e);
+ 
+- void pack(Packable * p) const;
++ void pack(Packable * p, bool maskSensitiveInfo = false) const;
+ 
+ static void httpRequestPack(void *obj, Packable *p);
+ 
+--- squid-5.7.orig/src/cf.data.pre
++++ squid-5.7/src/cf.data.pre
+@@ -8722,12 +8722,18 @@ NAME: email_err_data
+ COMMENT: on|off
+ TYPE: onoff
+ LOC: Config.onoff.emailErrData
+-DEFAULT: on
++DEFAULT: off
+ DOC_START
+ If enabled, information about the occurred error will be
+ included in the mailto links of the ERR pages (if %W is set)
+ so that the email body contains the data.
+ Syntax is %w
++
++ SECURITY WARNING:
++ Request headers and other included facts may contain
++ sensitive information about transaction history, the
++ Squid instance, and its environment which would be
++ unavailable to error recipients otherwise.
+ DOC_END
+ 
+ NAME: deny_info
+--- squid-5.7.orig/src/client_side_reply.cc
++++ squid-5.7/src/client_side_reply.cc
+@@ -100,7 +100,7 @@ clientReplyContext::clientReplyContext(C
+ void
+ clientReplyContext::setReplyToError(
+ err_type err, Http::StatusCode status, const HttpRequestMethod& method, char const *uri,
+- Ip::Address &addr, HttpRequest * failedrequest, const char *unparsedrequest,
++ Ip::Address &addr, HttpRequest * failedrequest, const char *,
+ #if USE_AUTH
+ Auth::UserRequest::Pointer auth_user_request
+ #else
+@@ -110,9 +110,6 @@ clientReplyContext::setReplyToError(
+ {
+ auto errstate = clientBuildError(err, status, uri, addr, failedrequest, http->al);
+ 
+- if (unparsedrequest)
+- errstate->request_hdrs = xstrdup(unparsedrequest);
+-
+ #if USE_AUTH
+ errstate->auth_user_request = auth_user_request;
+ #endif
+@@ -1088,11 +1085,14 @@ clientReplyContext::traceReply()
+ triggerInitialStoreRead();
+ http->storeEntry()->releaseRequest();
+ http->storeEntry()->buffer();
++ MemBuf content;
++ content.init();
++ http->request->pack(&content, true /* hide authorization data */);
+ const HttpReplyPointer rep(new HttpReply);
+- rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime);
++ rep->setHeaders(Http::scOkay, NULL, "message/http", content.contentSize(), 0, squid_curtime);
++ rep->body.set(SBuf(content.buf, content.size));
+ http->storeEntry()->replaceHttpReply(rep);
+- http->request->swapOut(http->storeEntry());
+- http->storeEntry()->complete();
++ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
+ }
+ 
+ #define SENDING_BODY 0
+--- squid-5.7.orig/src/errorpage.cc
++++ squid-5.7/src/errorpage.cc
+@@ -787,7 +787,6 @@ ErrorState::~ErrorState()
+ {
+ safe_free(redirect_url);
+ safe_free(url);
+- safe_free(request_hdrs);
+ wordlistDestroy(&ftp.server_msg);
+ safe_free(ftp.request);
+ safe_free(ftp.reply);
+@@ -845,7 +844,7 @@ ErrorState::Dump(MemBuf * mb)
+ SQUIDSBUFPRINT(request->url.path()),
+ AnyP::ProtocolType_str[request->http_ver.protocol],
+ request->http_ver.major, request->http_ver.minor);
+- request->header.packInto(&str);
++ request->header.packInto(&str, true /* hide authorization data */);
+ }
+ 
+ str.append("\r\n", 2);
+@@ -1106,18 +1105,10 @@ ErrorState::compileLegacyCode(Build &bui
+ p = "[no request]";
+ break;
+ }
+- if (request) {
+- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
+- SQUIDSBUFPRINT(request->method.image()),
+- SQUIDSBUFPRINT(request->url.path()),
+- AnyP::ProtocolType_str[request->http_ver.protocol],
+- request->http_ver.major, request->http_ver.minor);
+- request->header.packInto(&mb, true); //hide authorization data
+- } else if (request_hdrs) {
+- p = request_hdrs;
+- } else {
++ else if (request)
++ request->pack(&mb, true /* hide authorization data */);
++ else
+ p = "[no request]";
+- }
+ break;
+ 
+ case 's':
+--- squid-5.7.orig/src/errorpage.h
++++ squid-5.7/src/errorpage.h
+@@ -192,7 +192,6 @@ public:
+ MemBuf *listing = nullptr;
+ } ftp;
+ 
+- char *request_hdrs = nullptr;
+ char *err_msg = nullptr; /* Preformatted error message from the cache */
+ 
+ AccessLogEntryPointer ale; ///< transaction details (or nil)
+--- squid-5.7.orig/src/tests/stub_HttpRequest.cc
++++ squid-5.7/src/tests/stub_HttpRequest.cc
+@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const Ht
+ bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
+ int HttpRequest::prefixLen() const STUB_RETVAL(0)
+ void HttpRequest::swapOut(StoreEntry *) STUB
+-void HttpRequest::pack(Packable *) const STUB
++void HttpRequest::pack(Packable *, bool) const STUB
+ void HttpRequest::httpRequestPack(void *, Packable *) STUB
+ HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
+ HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
diff -Nru squid-5.7/debian/patches/series squid-5.7/debian/patches/series
--- squid-5.7/debian/patches/series 2025-08-18 18:41:21.000000000 +0000
+++ squid-5.7/debian/patches/series 2025-10-28 23:05:08.000000000 +0000
@@ -16,3 +16,4 @@
 CVE-2024-25617.patch
 CVE-2024-37894.patch
 CVE-2025-54574_CVE-2023-5824.patch
+CVE-2025-62168.patch
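Review bot: The cf.data.pre part of this patch flips the shipped default of `email_err_data` from `on` to `off`, yet the changelog entry names only the CVE, so administrators of a stable system are not told that `%W` mailto links stop carrying the error data described in the directive's documentation until they set `email_err_data on` themselves; a NEWS entry or one changelog sentence should state the new default and its reason (the added SECURITY WARNING text already gives it). Separately, the `bool maskSensitiveInfo = false` parameter added to `HttpRequest::pack()` in the HttpRequest.h part carries no documentation and defaults to not masking, so any future caller that serializes a request for display must remember to opt in; a declaration comment such as `/// maskSensitiveInfo: when true, hide authorization data in the packed headers (as HttpHeader::packInto does) instead of emitting it verbatim` would make the safe choice visible where callers look. The three display paths changed here (traceReply(), ErrorState::Dump(), compileLegacyCode() `%R`) all pass `true`, while swapOut()/httpRequestPack(), outside the hunk, presumably keep the unmasked default, which appears intended for the store copy; the enclosing switch of compileLegacyCode() and the format string of pack()'s request-line are also outside the hunk, so the exact request-line shape now substituted for `%R` cannot be confirmed from here.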