Version in base suite: 5.7-2+deb12u3 Version in overlay suite: 5.7-2+deb12u4 Base version: squid_5.7-2+deb12u4 Target version: squid_5.7-2+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/squid/squid_5.7-2+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/squid/squid_5.7-2+deb12u5.dsc changelog | 18 ++ patches/CVE-2023-46728.patch | 334 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-59362.patch | 50 ++++++ patches/series | 2 rules | 4 5 files changed, 407 insertions(+), 1 deletion(-) gpgv: Signature made Wed Oct 29 10:00:59 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpode2ohn8/squid_5.7-2+deb12u4.dsc: no acceptable signature found diff -Nru squid-5.7/debian/changelog squid-5.7/debian/changelog --- squid-5.7/debian/changelog 2025-10-28 23:05:08.000000000 +0000 +++ squid-5.7/debian/changelog 2025-11-14 19:44:29.000000000 +0000 @@ -1,3 +1,21 @@ +squid (5.7-2+deb12u5) bookworm; urgency=medium + + * Non maintainer upload by LTS team + * Fix CVE-2023-46728: + Due to a NULL pointer dereference bug Squid is vulnerable + to a Denial of Service attack against Squid's Gopher gateway. + * Fix CVE-2025-59362 (Closes: #1117048) + Squid mishandles ASN.1 encoding of long SNMP OIDs. + * Remove Gopher support + * Fix CVE-2024-45802: Disable ESI feature support. + Due to Input Validation, Premature Release of Resource During Expected + Lifetime, and Missing Release of Resource after Effective Lifetime bugs, + Squid is vulnerable to Denial of Service attacks by a trusted server + against all clients using the proxy. This problem is fixed by changing + the build configuration to specify the --disable-esi option. + + -- Bastien Roucariès Fri, 14 Nov 2025 20:44:29 +0100 + squid (5.7-2+deb12u4) bookworm-security; urgency=medium * CVE-2025-62168 (Closes: #1118341) diff -Nru squid-5.7/debian/patches/CVE-2023-46728.patch squid-5.7/debian/patches/CVE-2023-46728.patch --- squid-5.7/debian/patches/CVE-2023-46728.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-5.7/debian/patches/CVE-2023-46728.patch 2025-11-14 19:43:29.000000000 +0000 @@ -0,0 +1,334 @@ +From: Alex Rousskov +Date: Tue, 26 Jul 2022 15:05:54 +0000 +Subject: Remove support for Gopher protocol (#1092) + +Gopher code quality remains too low for production use in most +environments. The code is a persistent source of vulnerabilities and +fixing it requires significant effort. We should not be spending scarce +Project resources on improving that code, especially given the lack of +strong demand for Gopher support. + +With this change, Gopher requests will be handled like any other request +with an unknown (to Squid) protocol. For example, HTTP requests with +Gopher URI scheme result in ERR_UNSUP_REQ. + +Default Squid configuration still considers TCP port 70 "safe". The +corresponding Safe_ports ACL rule has not been removed for consistency +sake: We consider WAIS port safe even though Squid refuses to forward +WAIS requests: + + acl Safe_ports port 70 # gopher + acl Safe_ports port 210 # wais + +origin: backport, https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3 +bug: https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f +bug-github-pull: https://github.com/squid-cache/squid/pull/1092 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-46728 +--- + src/FwdState.cc | 5 ----- + src/HttpRequest.cc | 6 ------ + src/IoStats.h | 2 +- + src/Makefile.am | 8 -------- + src/adaptation/ecap/Host.cc | 1 - + src/adaptation/ecap/MessageRep.cc | 2 -- + src/anyp/ProtocolType.h | 1 - + src/anyp/Uri.cc | 2 -- + src/anyp/UriScheme.cc | 3 --- + src/client_side_request.cc | 4 ---- + src/error/forward.h | 2 +- + src/http/Message.h | 1 - + src/mgr/IoAction.cc | 3 --- + src/mgr/IoAction.h | 2 -- + src/stat.cc | 19 ------------------- + src/tests/Stub.am | 1 - + 16 files changed, 2 insertions(+), 60 deletions(-) + +diff --git a/src/FwdState.cc b/src/FwdState.cc +index bdcfcd6..bb9f496 100644 +--- a/src/FwdState.cc ++++ b/src/FwdState.cc +@@ -29,7 +29,6 @@ + #include "fde.h" + #include "FwdState.h" + #include "globals.h" +-#include "gopher.h" + #include "HappyConnOpener.h" + #include "hier_code.h" + #include "http.h" +@@ -1285,10 +1284,6 @@ FwdState::dispatch() + httpStart(this); + break; + +- case AnyP::PROTO_GOPHER: +- gopherStart(this); +- break; +- + case AnyP::PROTO_FTP: + if (request->flags.ftpNative) + Ftp::StartRelay(this); +diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc +index fd20600..1b4e337 100644 +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -19,7 +19,6 @@ + #include "Downloader.h" + #include "error/Detail.h" + #include "globals.h" +-#include "gopher.h" + #include "http.h" + #include "http/ContentLengthInterpreter.h" + #include "http/one/RequestParser.h" +@@ -560,11 +559,6 @@ HttpRequest::maybeCacheable() + return false; + break; + +- case AnyP::PROTO_GOPHER: +- if (!gopherCachable(this)) +- return false; +- break; +- + case AnyP::PROTO_CACHE_OBJECT: + return false; + +diff --git a/src/IoStats.h b/src/IoStats.h +index 96f64f5..886607a 100644 +--- a/src/IoStats.h ++++ b/src/IoStats.h +@@ -22,7 +22,7 @@ public: + int writes; + int write_hist[histSize]; + } +- Http, Ftp, Gopher; ++ Http, Ftp; + }; + + #endif /* SQUID_IOSTATS_H_ */ +diff --git a/src/Makefile.am b/src/Makefile.am +index dfb67a9..e664699 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -410,8 +410,6 @@ squid_SOURCES = \ + fs_io.cc \ + fs_io.h \ + globals.h \ +- gopher.cc \ +- gopher.h \ + helper.cc \ + helper.h \ + hier_code.h \ +@@ -1966,8 +1964,6 @@ tests_test_http_range_SOURCES = \ + fqdncache.h \ + fs_io.cc \ + fs_io.h \ +- tests/stub_gopher.cc \ +- gopher.h \ + helper.cc \ + hier_code.h \ + http.cc \ +@@ -2356,8 +2352,6 @@ tests_testHttpRequest_SOURCES = \ + fqdncache.h \ + fs_io.cc \ + fs_io.h \ +- tests/stub_gopher.cc \ +- gopher.h \ + helper.cc \ + hier_code.h \ + http.cc \ +@@ -2662,8 +2656,6 @@ tests_testCacheManager_SOURCES = \ + fqdncache.h \ + fs_io.cc \ + fs_io.h \ +- tests/stub_gopher.cc \ +- gopher.h \ + helper.cc \ + hier_code.h \ + http.cc \ +diff --git a/src/adaptation/ecap/Host.cc b/src/adaptation/ecap/Host.cc +index edb55de..b1d8a8d 100644 +--- a/src/adaptation/ecap/Host.cc ++++ b/src/adaptation/ecap/Host.cc +@@ -49,7 +49,6 @@ Adaptation::Ecap::Host::Host() + libecap::protocolHttp.assignHostId(AnyP::PROTO_HTTP); + libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS); + libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP); +- libecap::protocolGopher.assignHostId(AnyP::PROTO_GOPHER); + libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS); + libecap::protocolUrn.assignHostId(AnyP::PROTO_URN); + libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS); +diff --git a/src/adaptation/ecap/MessageRep.cc b/src/adaptation/ecap/MessageRep.cc +index c5ade9c..cd543bd 100644 +--- a/src/adaptation/ecap/MessageRep.cc ++++ b/src/adaptation/ecap/MessageRep.cc +@@ -140,8 +140,6 @@ Adaptation::Ecap::FirstLineRep::protocol() const + return libecap::protocolHttps; + case AnyP::PROTO_FTP: + return libecap::protocolFtp; +- case AnyP::PROTO_GOPHER: +- return libecap::protocolGopher; + case AnyP::PROTO_WAIS: + return libecap::protocolWais; + case AnyP::PROTO_WHOIS: +diff --git a/src/anyp/ProtocolType.h b/src/anyp/ProtocolType.h +index e736c19..a233da5 100644 +--- a/src/anyp/ProtocolType.h ++++ b/src/anyp/ProtocolType.h +@@ -27,7 +27,6 @@ typedef enum { + PROTO_HTTPS, + PROTO_COAP, + PROTO_COAPS, +- PROTO_GOPHER, + PROTO_WAIS, + PROTO_CACHE_OBJECT, + PROTO_ICP, +diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc +index 848a773..81ebb18 100644 +--- a/src/anyp/Uri.cc ++++ b/src/anyp/Uri.cc +@@ -885,8 +885,6 @@ urlCheckRequest(const HttpRequest * r) + if (r->method == Http::METHOD_PUT) + rc = 1; + +- case AnyP::PROTO_GOPHER: +- + case AnyP::PROTO_WAIS: + + case AnyP::PROTO_WHOIS: +diff --git a/src/anyp/UriScheme.cc b/src/anyp/UriScheme.cc +index 7f11537..81079fd 100644 +--- a/src/anyp/UriScheme.cc ++++ b/src/anyp/UriScheme.cc +@@ -87,9 +87,6 @@ AnyP::UriScheme::defaultPort() const + // Assuming IANA policy of allocating same port for base and TLS protocol versions will occur. + return 5683; + +- case AnyP::PROTO_GOPHER: +- return 70; +- + case AnyP::PROTO_WAIS: + return 210; + +diff --git a/src/client_side_request.cc b/src/client_side_request.cc +index ed5e947..c7c09d4 100644 +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -33,7 +33,6 @@ + #include "fd.h" + #include "fde.h" + #include "format/Token.h" +-#include "gopher.h" + #include "helper.h" + #include "helper/Reply.h" + #include "http.h" +@@ -973,9 +972,6 @@ clientHierarchical(ClientHttpRequest * http) + if (request->url.getScheme() == AnyP::PROTO_HTTP) + return method.respMaybeCacheable(); + +- if (request->url.getScheme() == AnyP::PROTO_GOPHER) +- return gopherCachable(request); +- + if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT) + return 0; + +diff --git a/src/error/forward.h b/src/error/forward.h +index b14a6ee..c105a66 100644 +--- a/src/error/forward.h ++++ b/src/error/forward.h +@@ -67,7 +67,7 @@ typedef enum { + ERR_GATEWAY_FAILURE, + + /* Special Cases */ +- ERR_DIR_LISTING, /* Display of remote directory (FTP, Gopher) */ ++ ERR_DIR_LISTING, /* Display of remote directory (FTP) */ + ERR_SQUID_SIGNATURE, /* not really an error */ + ERR_SHUTTING_DOWN, + ERR_PROTOCOL_UNKNOWN, +diff --git a/src/http/Message.h b/src/http/Message.h +index 1807023..92b5b1d 100644 +--- a/src/http/Message.h ++++ b/src/http/Message.h +@@ -40,7 +40,6 @@ public: + srcFtp = 1 << (16 + 1), ///< ftp_port or FTP server + srcIcap = 1 << (16 + 2), ///< traditional ICAP service without encryption + srcEcap = 1 << (16 + 3), ///< eCAP service that uses insecure libraries/daemons +- srcGopher = 1 << (16 + 14), ///< Gopher server + srcWhois = 1 << (16 + 15), ///< Whois server + srcUnsafe = 0xFFFF0000, ///< Unsafe sources mask + srcSafe = 0x0000FFFF ///< Safe sources mask +diff --git a/src/mgr/IoAction.cc b/src/mgr/IoAction.cc +index 94a5c03..062d5e3 100644 +--- a/src/mgr/IoAction.cc ++++ b/src/mgr/IoAction.cc +@@ -35,9 +35,6 @@ Mgr::IoActionData::operator += (const IoActionData& stats) + ftp_reads += stats.ftp_reads; + for (int i = 0; i < IoStats::histSize; ++i) + ftp_read_hist[i] += stats.ftp_read_hist[i]; +- gopher_reads += stats.gopher_reads; +- for (int i = 0; i < IoStats::histSize; ++i) +- gopher_read_hist[i] += stats.gopher_read_hist[i]; + + return *this; + } +diff --git a/src/mgr/IoAction.h b/src/mgr/IoAction.h +index 7e9ad1a..dc4a3a5 100644 +--- a/src/mgr/IoAction.h ++++ b/src/mgr/IoAction.h +@@ -27,10 +27,8 @@ public: + public: + double http_reads; + double ftp_reads; +- double gopher_reads; + double http_read_hist[IoStats::histSize]; + double ftp_read_hist[IoStats::histSize]; +- double gopher_read_hist[IoStats::histSize]; + }; + + /// implement aggregated 'io' action +diff --git a/src/stat.cc b/src/stat.cc +index 6171077..3bc1f47 100644 +--- a/src/stat.cc ++++ b/src/stat.cc +@@ -206,12 +206,6 @@ GetIoStats(Mgr::IoActionData& stats) + for (i = 0; i < IoStats::histSize; ++i) { + stats.ftp_read_hist[i] = IOStats.Ftp.read_hist[i]; + } +- +- stats.gopher_reads = IOStats.Gopher.reads; +- +- for (i = 0; i < IoStats::histSize; ++i) { +- stats.gopher_read_hist[i] = IOStats.Gopher.read_hist[i]; +- } + } + + void +@@ -244,19 +238,6 @@ DumpIoStats(Mgr::IoActionData& stats, StoreEntry* sentry) + Math::doublePercent(stats.ftp_read_hist[i], stats.ftp_reads)); + } + +- storeAppendPrintf(sentry, "\n"); +- storeAppendPrintf(sentry, "Gopher I/O\n"); +- storeAppendPrintf(sentry, "number of reads: %.0f\n", stats.gopher_reads); +- storeAppendPrintf(sentry, "Read Histogram:\n"); +- +- for (i = 0; i < IoStats::histSize; ++i) { +- storeAppendPrintf(sentry, "%5d-%5d: %9.0f %2.0f%%\n", +- i ? (1 << (i - 1)) + 1 : 1, +- 1 << i, +- stats.gopher_read_hist[i], +- Math::doublePercent(stats.gopher_read_hist[i], stats.gopher_reads)); +- } +- + storeAppendPrintf(sentry, "\n"); + } + +diff --git a/src/tests/Stub.am b/src/tests/Stub.am +index 3972203..410f2e5 100644 +--- a/src/tests/Stub.am ++++ b/src/tests/Stub.am +@@ -29,7 +29,6 @@ STUB_SOURCE = \ + tests/stub_external_acl.cc \ + tests/stub_fatal.cc \ + tests/stub_fd.cc \ +- tests/stub_gopher.cc \ + tests/stub_helper.cc \ + tests/stub_HelperChildConfig.cc \ + tests/stub_http.cc \ diff -Nru squid-5.7/debian/patches/CVE-2025-59362.patch squid-5.7/debian/patches/CVE-2025-59362.patch --- squid-5.7/debian/patches/CVE-2025-59362.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-5.7/debian/patches/CVE-2025-59362.patch 2025-11-14 19:44:29.000000000 +0000 @@ -0,0 +1,50 @@ +From: Alex Rousskov +Date: Sat, 30 Aug 2025 06:49:36 +0000 +Subject: Fix ASN.1 encoding of long SNMP OIDs (#2149) + +origin: https://github.com/squid-cache/squid/commit/0d89165ee6da10e6fa50c44998b3cd16d59400e9 +bug: https://github.com/squid-cache/squid/pull/2149 +--- + lib/snmplib/asn1.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +Index: squid/lib/snmplib/asn1.c +=================================================================== +--- squid.orig/lib/snmplib/asn1.c 2025-10-28 13:50:49.198775582 +0100 ++++ squid/lib/snmplib/asn1.c 2025-10-28 13:50:49.196276818 +0100 +@@ -771,6 +771,7 @@ + * lastbyte ::= 0 7bitvalue + */ + u_char buf[MAX_OID_LEN]; ++ u_char *bufEnd = buf + sizeof(buf); + u_char *bp = buf; + oid *op = objid; + int asnlength; +@@ -789,6 +790,10 @@ + while (objidlength-- > 0) { + subid = *op++; + if (subid < 127) { /* off by one? */ ++ if (bp >= bufEnd) { ++ snmp_set_api_error(SNMPERR_ASN_ENCODE); ++ return (NULL); ++ } + *bp++ = subid; + } else { + mask = 0x7F; /* handle subid == 0 case */ +@@ -806,8 +811,16 @@ + /* fix a mask that got truncated above */ + if (mask == 0x1E00000) + mask = 0xFE00000; ++ if (bp >= bufEnd) { ++ snmp_set_api_error(SNMPERR_ASN_ENCODE); ++ return (NULL); ++ } + *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8); + } ++ if (bp >= bufEnd) { ++ snmp_set_api_error(SNMPERR_ASN_ENCODE); ++ return (NULL); ++ } + *bp++ = (u_char) (subid & mask); + } + } diff -Nru squid-5.7/debian/patches/series squid-5.7/debian/patches/series --- squid-5.7/debian/patches/series 2025-10-28 23:05:08.000000000 +0000 +++ squid-5.7/debian/patches/series 2025-11-14 19:44:29.000000000 +0000 @@ -17,3 +17,5 @@ CVE-2024-37894.patch CVE-2025-54574_CVE-2023-5824.patch CVE-2025-62168.patch +CVE-2023-46728.patch +CVE-2025-59362.patch diff -Nru squid-5.7/debian/rules squid-5.7/debian/rules --- squid-5.7/debian/rules 2024-03-05 22:14:44.000000000 +0000 +++ squid-5.7/debian/rules 2025-11-14 19:44:29.000000000 +0000 @@ -46,7 +46,6 @@ --enable-storeid-rewrite-helpers="file" \ --enable-url-rewrite-helpers="fake" \ --enable-eui \ - --enable-esi \ --enable-icmp \ --enable-zph-qos \ --enable-ecap \ @@ -58,6 +57,9 @@ --with-large-files \ --with-default-user=proxy +## CVE-2024-45802 +DEB_CONFIGURE_EXTRA_FLAGS += --disable-esi + ifeq ($(DEB_HOST_ARCH_OS), kfreebsd) DEB_CONFIGURE_EXTRA_FLAGS += --enable-kqueue endif