proxy.cgi: Mitigation for CVE-2025-62168 on squid

- The full fix for CVE-2025-62168 is in version squid-7.2
- However there are a lot of changes in squid from version 6 to 7 with all the error
   language files no longer provided directly, they have to be obtained from separate
   langauage packs now. Also several tools like cachmgr.cgi have been removed as the
   options can be obtained via different approaches.
- I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
   time to be sure it is working properly.
- In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
   that is referenced in the CVE report.
- If someone else has already worked on squid-7.2 and has it ready to go now or soon,
   then this patch can be dropped.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index fdb7c6a77878cb60a39c8df367d95682d367b813..f0547e249ce4d6767d7881d1fe6dccb7e861b184 100644 (file)
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3109,6 +3109,7 @@ sub writeconfig
 shutdown_lifetime 5 seconds
 icp_port 0
 httpd_suppress_version_string on
+email_err_data off
 
 END
        ;