From: Adolf Belka
Date: Mon, 20 Oct 2025 10:48:29 +0000 (+0200)
Subject: proxy.cgi: Mitigation for CVE-2025-62168 on squid
X-Git-Tag: v2.29-core199~17^2~154
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12c71a758b6ecb1cf0652e42bfd7dd41e4481595;p=ipfire-2.x.git

proxy.cgi: Mitigation for CVE-2025-62168 on squid

- The full fix for CVE-2025-62168 is in version squid-7.2
- However there are a lot of changes in squid from version 6 to 7 with all the error language files no longer provided directly, they have to be obtained from separate language packs now. Also several tools like cachemgr.cgi have been removed as the options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon, then this patch can be dropped.

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index fdb7c6a77..f0547e249 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -3109,6 +3109,7 @@ sub writeconfig shutdown_lifetime 5 seconds icp_port 0 httpd_suppress_version_string on +email_err_data off END ;
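
Review bot: the added `email_err_data off` line in the `writeconfig` heredoc only reaches a running proxy when squid.conf is next regenerated, and nothing in this patch triggers that, so an existing install keeps its old configuration until the proxy settings are saved again; consider having the update step rewrite the configuration and reload squid. The directive is also emitted with nothing tying it to CVE-2025-62168, while the commit message calls it interim; a `#` comment line above it in the heredoc would make it easy to find and revisit once squid-7.2 lands.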