Version in base suite: 6.13-2 Base version: squid_6.13-2 Target version: squid_6.13-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/squid/squid_6.13-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/squid/squid_6.13-2+deb13u1.dsc changelog | 11 ++ patches/CVE-2025-59362.patch | 50 ++++++++++ patches/CVE-2025-62168.patch | 210 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 273 insertions(+) diff -Nru squid-6.13/debian/changelog squid-6.13/debian/changelog --- squid-6.13/debian/changelog 2025-06-09 08:35:20.000000000 +0000 +++ squid-6.13/debian/changelog 2025-10-26 08:31:13.000000000 +0000 @@ -1,3 +1,14 @@ +squid (6.13-2+deb13u1) trixie-security; urgency=high + + * Non Maintainer Upload by LTS team + * Fix CVE-2025-62168 (Closes: #1118341) + Due to a failure to redact HTTP Authentication credentials + Squid is vulnerable to an Information Disclosure attack. + * Fix CVE-2025-59362 (Closes: #1117048) + Squid mishandles ASN.1 encoding of long SNMP OIDs. + + -- Bastien Roucariès Sun, 26 Oct 2025 09:31:13 +0100 + squid (6.13-2) unstable; urgency=low [ Amos Jeffries ] diff -Nru squid-6.13/debian/patches/CVE-2025-59362.patch squid-6.13/debian/patches/CVE-2025-59362.patch --- squid-6.13/debian/patches/CVE-2025-59362.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-6.13/debian/patches/CVE-2025-59362.patch 2025-10-26 08:31:13.000000000 +0000 
@@ -0,0 +1,50 @@ +From: Alex Rousskov +Date: Sat, 30 Aug 2025 06:49:36 +0000 +Subject: Fix ASN.1 encoding of long SNMP OIDs (#2149) + +origin: https://github.com/squid-cache/squid/commit/0d89165ee6da10e6fa50c44998b3cd16d59400e9 +bug: https://github.com/squid-cache/squid/pull/2149 +--- + lib/snmplib/asn1.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c +index 9d2d799..142c103 100644 +--- a/lib/snmplib/asn1.c ++++ b/lib/snmplib/asn1.c +@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength, + * lastbyte ::= 0 7bitvalue + */ + u_char buf[MAX_OID_LEN]; ++ u_char *bufEnd = buf + sizeof(buf); + u_char *bp = buf; + oid *op = objid; + int asnlength; +@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength, + while (objidlength-- > 0) { + subid = *op++; + if (subid < 127) { /* off by one? */ ++ if (bp >= bufEnd) { ++ snmp_set_api_error(SNMPERR_ASN_ENCODE); ++ return (NULL); ++ } + *bp++ = subid; + } else { + mask = 0x7F; /* handle subid == 0 case */ +@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength, + /* fix a mask that got truncated above */ + if (mask == 0x1E00000) + mask = 0xFE00000; ++ if (bp >= bufEnd) { ++ snmp_set_api_error(SNMPERR_ASN_ENCODE); ++ return (NULL); ++ } + *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8); + } ++ if (bp >= bufEnd) { ++ snmp_set_api_error(SNMPERR_ASN_ENCODE); ++ return (NULL); ++ } + *bp++ = (u_char) (subid & mask); + } + } diff -Nru squid-6.13/debian/patches/CVE-2025-62168.patch squid-6.13/debian/patches/CVE-2025-62168.patch --- squid-6.13/debian/patches/CVE-2025-62168.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-6.13/debian/patches/CVE-2025-62168.patch 2025-10-26 08:31:13.000000000 +0000 
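Review bot: The new `bp >= bufEnd` guards stop the write past `buf`, but the scratch buffer a few lines above is still `u_char buf[MAX_OID_LEN]`; if MAX_OID_LEN counts sub-identifiers (as the name suggests) while each sub-identifier can encode to up to five base-128 bytes for a 32-bit `oid`, a legitimately long OID now fails with SNMPERR_ASN_ENCODE instead of overflowing — safe, but a possible regression for long agent OIDs, so consider sizing the buffer in encoded bytes, e.g. `u_char buf[MAX_OID_LEN * 5];`, once the `oid` width is confirmed. The identical three-line check is repeated three times; a small `static` helper, or at least a comment on the new variable such as `/* one past the last writable byte of buf; every store below is bounded by it */`, would make the invariant obvious to the next reader. asn_build_objid begins and ends outside this hunk, so the later copy of `buf` into `data` (bounded by `*datalength`) is not reviewed here.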
@@ -0,0 +1,210 @@ +From: Amos Jeffries +Date: Sat, 11 Oct 2025 16:33:02 +1300 +Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249) + +Original changes to redact credentials from error page %R code +expansion output was incomplete. It missed the parse failure +case where ErrorState::request_hdrs raw buffer contained +sensitive information. + +Also missed was the %W case where full request message headers +were generated in a mailto link. This case is especially +problematic as it may be delivered over insecure SMTP even if +the error was secured with HTTPS. + +After this change: +* The HttpRequest message packing code for error pages is de-duplicated + and elides authentication headers for both %R and %W code outputs. +* The %R code output includes the CRLF request message terminator. +* The email_err_data directive causing advanced details to be added to + %W mailto links is disabled by default. + +Also redact credentials from generated TRACE responses. + +--------- + +Co-authored-by: Alex Rousskov + +origin: backport, https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f +bug: https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr +debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118341 +--- + src/HttpRequest.cc | 6 +++--- + src/HttpRequest.h | 2 +- + src/cf.data.pre | 8 +++++++- + src/client_side_reply.cc | 14 +++++++------- + src/errorpage.cc | 17 ++++------------- + src/errorpage.h | 1 - + src/tests/stub_HttpRequest.cc | 2 +- + 7 files changed, 23 insertions(+), 27 deletions(-) + +diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc +index 513f5e9..b374ec3 100644 +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) + + /* packs request-line and headers, appends terminator */ + void +-HttpRequest::pack(Packable * p) const ++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const + { + assert(p); + /* pack 
request-line */ +@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const + SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), + http_ver.major, http_ver.minor); + /* headers */ +- header.packInto(p); +- /* trailer */ ++ header.packInto(p, maskSensitiveInfo); ++ /* indicate the end of the header section */ + p->append("\r\n", 2); + } + +diff --git a/src/HttpRequest.h b/src/HttpRequest.h +index bf27729..baf8427 100644 +--- a/src/HttpRequest.h ++++ b/src/HttpRequest.h +@@ -206,7 +206,7 @@ public: + + void swapOut(StoreEntry * e); + +- void pack(Packable * p) const; ++ void pack(Packable * p, bool maskSensitiveInfo = false) const; + + static void httpRequestPack(void *obj, Packable *p); + +diff --git a/src/cf.data.pre b/src/cf.data.pre +index aad421a..e8eca17 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -8944,12 +8944,18 @@ NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData +-DEFAULT: on ++DEFAULT: off + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body contains the data. + Syntax is %w ++ ++ SECURITY WARNING: ++ Request headers and other included facts may contain ++ sensitive information about transaction history, the ++ Squid instance, and its environment which would be ++ unavailable to error recipients otherwise. 
+ DOC_END + + NAME: deny_info +diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc +index 601e8bd..427f5a9 100644 +--- a/src/client_side_reply.cc ++++ b/src/client_side_reply.cc +@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : + void + clientReplyContext::setReplyToError( + err_type err, Http::StatusCode status, char const *uri, +- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest, ++ const ConnStateData *conn, HttpRequest *failedrequest, const char *, + #if USE_AUTH + Auth::UserRequest::Pointer auth_user_request + #else +@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError( + { + auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al); + +- if (unparsedrequest) +- errstate->request_hdrs = xstrdup(unparsedrequest); +- + #if USE_AUTH + errstate->auth_user_request = auth_user_request; + #endif +@@ -995,11 +992,14 @@ clientReplyContext::traceReply() + triggerInitialStoreRead(); + http->storeEntry()->releaseRequest(); + http->storeEntry()->buffer(); ++ MemBuf content; ++ content.init(); ++ http->request->pack(&content, true /* hide authorization data */); + const HttpReplyPointer rep(new HttpReply); +- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime); ++ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime); ++ rep->body.set(SBuf(content.buf, content.size)); + http->storeEntry()->replaceHttpReply(rep); +- http->request->swapOut(http->storeEntry()); +- http->storeEntry()->complete(); ++ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response"); + } + + #define SENDING_BODY 0 +diff --git a/src/errorpage.cc b/src/errorpage.cc +index 4a24bf1..6659fb1 100644 +--- a/src/errorpage.cc ++++ b/src/errorpage.cc +@@ -792,7 +792,6 @@ ErrorState::~ErrorState() + { + safe_free(redirect_url); + safe_free(url); +- safe_free(request_hdrs); + 
wordlistDestroy(&ftp.server_msg); + safe_free(ftp.request); + safe_free(ftp.reply); +@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb) + SQUIDSBUFPRINT(request->url.path()), + AnyP::ProtocolType_str[request->http_ver.protocol], + request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&str); ++ request->header.packInto(&str, true /* hide authorization data */); + } + + str.append("\r\n", 2); +@@ -1112,18 +1111,10 @@ ErrorState::compileLegacyCode(Build &build) + p = "[no request]"; + break; + } +- if (request) { +- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", +- SQUIDSBUFPRINT(request->method.image()), +- SQUIDSBUFPRINT(request->url.path()), +- AnyP::ProtocolType_str[request->http_ver.protocol], +- request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&mb, true); //hide authorization data +- } else if (request_hdrs) { +- p = request_hdrs; +- } else { ++ else if (request) ++ request->pack(&mb, true /* hide authorization data */); ++ else + p = "[no request]"; +- } + break; + + case 's': +diff --git a/src/errorpage.h b/src/errorpage.h +index cf15949..56fe5ef 100644 +--- a/src/errorpage.h ++++ b/src/errorpage.h +@@ -194,7 +194,6 @@ public: + MemBuf *listing = nullptr; + } ftp; + +- char *request_hdrs = nullptr; + char *err_msg = nullptr; /* Preformatted error message from the cache */ + + AccessLogEntryPointer ale; ///< transaction details (or nil) +diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc +index ab03fa2..d8d3f10 100644 +--- a/src/tests/stub_HttpRequest.cc ++++ b/src/tests/stub_HttpRequest.cc +@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB + bool HttpRequest::bodyNibbled() const STUB_RETVAL(false) + int HttpRequest::prefixLen() const STUB_RETVAL(0) + void HttpRequest::swapOut(StoreEntry *) STUB +-void HttpRequest::pack(Packable *) const STUB ++void HttpRequest::pack(Packable *, bool) const STUB + void 
HttpRequest::httpRequestPack(void *, Packable *) STUB + HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) + HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) diff -Nru squid-6.13/debian/patches/series squid-6.13/debian/patches/series --- squid-6.13/debian/patches/series 2025-06-09 08:35:20.000000000 +0000 +++ squid-6.13/debian/patches/series 2025-10-26 08:31:13.000000000 +0000 @@ -2,3 +2,5 @@ 0002-Change-default-file-locations-for-debian.patch 0005-Use-RuntimeDirectory-to-create-run-squid.patch 0006-upstream-807ae4df2164defbb5f59b99282e24010b4a0b85.patch +CVE-2025-62168.patch +CVE-2025-59362.patch
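Review bot: The redaction in traceReply() and in the `%R`/`%W` paths relies entirely on what `HttpHeader::packInto(p, true)` chooses to hide, and every new call site annotates it only as `hide authorization data`; if that set is limited to the Authorization/Proxy-Authorization family (not visible in this hunk), Cookie headers and bearer-style tokens carried in custom headers still appear in the TRACE body and in the mailto/error output, which for TRACE is the classic cross-site-tracing concern that RFC 9110 §9.3.8 asks implementations to avoid. Consider widening the mask (at least Cookie) for these reflection paths, or documenting the limitation in the new `email_err_data` SECURITY WARNING. Separately, `HttpRequest::pack` keeps `maskSensitiveInfo = false` as its default, so any future caller that omits the flag gets unredacted credentials; dropping the default, `void pack(Packable *p, bool maskSensitiveInfo) const;`, makes each call site state its intent (presumed existing callers such as swapOut/httpRequestPack are outside the hunk and would need updating). Minor: traceReply() reads `content.contentSize()` for the header length but `content.size` for the body; use one accessor for both so the two cannot drift.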