Your message dated Sat, 01 Nov 2025 18:49:21 +0000
with message-id <[email protected]>
and subject line Bug#1118341: fixed in squid 5.7-2+deb12u4
has caused the Debian Bug report #1118341,
regarding squid: CVE-2025-62168
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: squid
Version: 7.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for squid.

CVE-2025-62168[0]:
| Squid is a caching proxy for the Web. In Squid versions prior to
| 7.2, a failure to redact HTTP authentication credentials in error
| handling allows information disclosure. The vulnerability allows a
| script to bypass browser security protections and learn the
| credentials a trusted client uses to authenticate. This potentially
| allows a remote client to identify security tokens or credentials
| used internally by a web application using Squid for backend load
| balancing. These attacks do not require Squid to be configured with
| HTTP authentication. The vulnerability is fixed in version 7.2. As a
| workaround, disable debug information in administrator mailto links
| generated by Squid by configuring squid.conf with email_err_data
| off.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-62168
    https://www.cve.org/CVERecord?id=CVE-2025-62168
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr
[2] https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: squid
Source-Version: 5.7-2+deb12u4
Done: Moritz Mühlenhoff <[email protected]>

We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated squid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 29 Oct 2025 00:05:08 +0100
Source: squid
Architecture: source
Version: 5.7-2+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Luigi Gangitano <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1118341
Changes:
 squid (5.7-2+deb12u4) bookworm-security; urgency=medium
 .
   * CVE-2025-62168 (Closes: #1118341)

--- End Message ---
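
The workaround quoted in the CVE description above (`email_err_data off` in squid.conf) can be checked per host until the fixed package is installed. The following is an added example, not code from the bug report or from the Squid project: the function names and sample configurations are constructed for illustration, files pulled in through `include` are not followed, and it relies on Squid's documented default of `email_err_data on` when the directive is absent.

```python
DIRECTIVE = "email_err_data"

def effective_email_err_data(conf_text):
    """Return (value, line_number) for the last active email_err_data line.

    Returns ("on", None) when the directive is absent, because the
    documented default for email_err_data is on.
    """
    value, where = "on", None
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment such as "#email_err_data off"
        tokens = line.split()
        if tokens[0] != DIRECTIVE:
            continue
        # A later line overrides an earlier one. A line with no value is
        # recorded as "" so the audit reports it instead of assuming it is safe.
        value = tokens[1] if len(tokens) > 1 else ""
        where = number
    return value, where

def workaround_applied(conf_text):
    """True only when the effective setting is exactly 'off'."""
    value, _ = effective_email_err_data(conf_text)
    return value == "off"

# Constructed sample configurations (not taken from any real host).
COMMENTED_OUT = "http_port 3128\n# email_err_data off\n"
OVERRIDDEN = "email_err_data off\nhttp_port 3128\nemail_err_data on\n"
MITIGATED = "http_port 3128\nemail_err_data off\n"

if __name__ == "__main__":
    samples = [("commented out", COMMENTED_OUT),
               ("overridden later", OVERRIDDEN),
               ("mitigated", MITIGATED)]
    for name, conf in samples:
        value, where = effective_email_err_data(conf)
        origin = "default" if where is None else f"line {where}"
        status = "OK" if workaround_applied(conf) else "NOT APPLIED"
        print(f"{name}: email_err_data={value!r} ({origin}) -> {status}")
```

The commented-out and overridden samples are the two cases a plain `grep email_err_data` would misreport as mitigated.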
