Sorry, I missed including this in my latest test queue. Will take it up now.
Thanks, Anuj On Fri, Nov 7, 2025 at 5:02 AM Peter Marko via lists.openembedded.org <[email protected]> wrote: > From: Peter Marko <[email protected]> > > Pick commit mentioned in NVD CVE report. > > Conflict in src/errorpage.cc resolved per patch from Debian bookworm. > > Signed-off-by: Peter Marko <[email protected]> > --- > v2: added missing patch statuses (CVE, sign-off, upstream status) > > .../squid/files/CVE-2025-62168.patch | 211 ++++++++++++++++++ > .../recipes-daemons/squid/squid_6.9.bb | 1 + > 2 files changed, 212 insertions(+) > create mode 100644 > meta-networking/recipes-daemons/squid/files/CVE-2025-62168.patch > > diff --git > a/meta-networking/recipes-daemons/squid/files/CVE-2025-62168.patch > b/meta-networking/recipes-daemons/squid/files/CVE-2025-62168.patch > new file mode 100644 > index 0000000000..b4e05656ba > --- /dev/null > +++ b/meta-networking/recipes-daemons/squid/files/CVE-2025-62168.patch > @@ -0,0 +1,211 @@ > +From 0951a0681011dfca3d78c84fd7f1e19c78a4443f Mon Sep 17 00:00:00 2001 > +From: Amos Jeffries <[email protected]> > +Date: Sat, 11 Oct 2025 16:33:02 +1300 > +Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249) > + > +Original changes to redact credentials from error page %R code > +expansion output was incomplete. It missed the parse failure > +case where ErrorState::request_hdrs raw buffer contained > +sensitive information. > + > +Also missed was the %W case where full request message headers > +were generated in a mailto link. This case is especially > +problematic as it may be delivered over insecure SMTP even if > +the error was secured with HTTPS. > + > +After this change: > +* The HttpRequest message packing code for error pages is de-duplicated > + and elides authentication headers for both %R and %W code outputs. > +* The %R code output includes the CRLF request message terminator. > +* The email_err_data directive causing advanced details to be added to > + %W mailto links is disabled by default. > + > +Also redact credentials from generated TRACE responses. > + > +--------- > + > +Co-authored-by: Alex Rousskov <[email protected]> > + > +CVE: CVE-2025-62168 > +Upstream-Status: Backport [ > https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f > ] > +Signed-off-by: Peter Marko <[email protected]> > +--- > v2: added missing patch tags (cve, upstream-status, signed-off-by) > > + src/HttpRequest.cc | 6 +++--- > + src/HttpRequest.h | 2 +- > + src/cf.data.pre | 8 +++++++- > + src/client_side_reply.cc | 14 +++++++------- > + src/errorpage.cc | 17 ++++------------- > + src/errorpage.h | 1 - > + src/tests/stub_HttpRequest.cc | 2 +- > + 7 files changed, 23 insertions(+), 27 deletions(-) > + > +diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc > +index cd7ee71d4..c6ed5bee4 100644 > +--- a/src/HttpRequest.cc > ++++ b/src/HttpRequest.cc > +@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) > + > + /* packs request-line and headers, appends <crlf> terminator */ > + void > +-HttpRequest::pack(Packable * p) const > ++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const > + { > + assert(p); > + /* pack request-line */ > +@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const > + SQUIDSBUFPRINT(method.image()), > SQUIDSBUFPRINT(url.path()), > + http_ver.major, http_ver.minor); > + /* headers */ > +- header.packInto(p); > +- /* trailer */ > ++ header.packInto(p, maskSensitiveInfo); > ++ /* indicate the end of the header section */ > + p->append("\r\n", 2); > + } > + > +diff --git a/src/HttpRequest.h b/src/HttpRequest.h > +index 6d3690293..28dc4daf9 100644 > +--- a/src/HttpRequest.h > ++++ b/src/HttpRequest.h > +@@ -206,7 +206,7 @@ public: > + > + void swapOut(StoreEntry * e); > + > +- void pack(Packable * p) const; > ++ void pack(Packable * p, bool maskSensitiveInfo = false) const; > + > + static void httpRequestPack(void *obj, Packable *p); > + > +diff --git a/src/cf.data.pre b/src/cf.data.pre > +index 0a73020e1..2dce65a4d 100644 > +--- a/src/cf.data.pre > ++++ b/src/cf.data.pre > +@@ -8915,12 +8915,18 @@ NAME: email_err_data > + COMMENT: on|off > + TYPE: onoff > + LOC: Config.onoff.emailErrData > +-DEFAULT: on > ++DEFAULT: off > + DOC_START > + If enabled, information about the occurred error will be > + included in the mailto links of the ERR pages (if %W is set) > + so that the email body contains the data. > + Syntax is <A HREF="mailto:%w%W";>%w</A> > ++ > ++ SECURITY WARNING: > ++ Request headers and other included facts may contain > ++ sensitive information about transaction history, the > ++ Squid instance, and its environment which would be > ++ unavailable to error recipients otherwise. > + DOC_END > + > + NAME: deny_info > +diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc > +index d73bf3f99..fc2feccf8 100644 > +--- a/src/client_side_reply.cc > ++++ b/src/client_side_reply.cc > +@@ -94,7 +94,7 @@ > clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : > + void > + clientReplyContext::setReplyToError( > + err_type err, Http::StatusCode status, char const *uri, > +- const ConnStateData *conn, HttpRequest *failedrequest, const char > *unparsedrequest, > ++ const ConnStateData *conn, HttpRequest *failedrequest, const char *, > + #if USE_AUTH > + Auth::UserRequest::Pointer auth_user_request > + #else > +@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError( > + { > + auto errstate = clientBuildError(err, status, uri, conn, > failedrequest, http->al); > + > +- if (unparsedrequest) > +- errstate->request_hdrs = xstrdup(unparsedrequest); > +- > + #if USE_AUTH > + errstate->auth_user_request = auth_user_request; > + #endif > +@@ -995,11 +992,14 @@ clientReplyContext::traceReply() > + triggerInitialStoreRead(); > + http->storeEntry()->releaseRequest(); > + http->storeEntry()->buffer(); > ++ MemBuf content; > ++ content.init(); > ++ http->request->pack(&content, true /* hide authorization data */); > + const HttpReplyPointer rep(new HttpReply); > +- rep->setHeaders(Http::scOkay, nullptr, "text/plain", > http->request->prefixLen(), 0, squid_curtime); > ++ rep->setHeaders(Http::scOkay, nullptr, "message/http", > content.contentSize(), 0, squid_curtime); > ++ rep->body.set(SBuf(content.buf, content.size)); > + http->storeEntry()->replaceHttpReply(rep); > +- http->request->swapOut(http->storeEntry()); > +- http->storeEntry()->complete(); > ++ http->storeEntry()->completeSuccessfully("traceReply() stored the > entire response"); > + } > + > + #define SENDING_BODY 0 > +diff --git a/src/errorpage.cc b/src/errorpage.cc > +index d7a588d09..06046de9e 100644 > +--- a/src/errorpage.cc > ++++ b/src/errorpage.cc > +@@ -792,7 +792,6 @@ ErrorState::~ErrorState() > + { > + safe_free(redirect_url); > + safe_free(url); > +- safe_free(request_hdrs); > + wordlistDestroy(&ftp.server_msg); > + safe_free(ftp.request); > + safe_free(ftp.reply); > +@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb) > + SQUIDSBUFPRINT(request->url.path()), > + AnyP::ProtocolType_str[request->http_ver.protocol], > + request->http_ver.major, request->http_ver.minor); > +- request->header.packInto(&str); > ++ request->header.packInto(&str, true /* hide authorization data > */); > + } > + > + str.append("\r\n", 2); > +@@ -1112,18 +1111,10 @@ ErrorState::compileLegacyCode(Build &build) > + p = "[no request]"; > + break; > + } > +- if (request) { > +- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", > +- SQUIDSBUFPRINT(request->method.image()), > +- SQUIDSBUFPRINT(request->url.path()), > +- > AnyP::ProtocolType_str[request->http_ver.protocol], > +- request->http_ver.major, request->http_ver.minor); > +- request->header.packInto(&mb, true); //hide authorization > data > +- } else if (request_hdrs) { > +- p = request_hdrs; > +- } else { > ++ else if (request) > ++ request->pack(&mb, true /* hide authorization data */); > ++ else > + p = "[no request]"; > +- } > + break; > + > + case 's': > +diff --git a/src/errorpage.h b/src/errorpage.h > +index abca4a17d..297b30697 100644 > +--- a/src/errorpage.h > ++++ b/src/errorpage.h > +@@ -194,7 +194,6 @@ public: > + MemBuf *listing = nullptr; > + } ftp; > + > +- char *request_hdrs = nullptr; > + char *err_msg = nullptr; /* Preformatted error message from the > cache */ > + > + AccessLogEntryPointer ale; ///< transaction details (or nil) > +diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc > +index 495597d9a..48a0f1ce0 100644 > +--- a/src/tests/stub_HttpRequest.cc > ++++ b/src/tests/stub_HttpRequest.cc > +@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod > &, int64_t &) const STUB > + bool HttpRequest::bodyNibbled() const STUB_RETVAL(false) > + int HttpRequest::prefixLen() const STUB_RETVAL(0) > + void HttpRequest::swapOut(StoreEntry *) STUB > +-void HttpRequest::pack(Packable *) const STUB > ++void HttpRequest::pack(Packable *, bool) const STUB > + void HttpRequest::httpRequestPack(void *, Packable *) STUB > + HttpRequest * HttpRequest::FromUrl(const SBuf &, const > MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) > + HttpRequest * HttpRequest::FromUrlXXX(const char *, const > MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) > diff --git a/meta-networking/recipes-daemons/squid/squid_6.9.bb > b/meta-networking/recipes-daemons/squid/squid_6.9.bb > index 490a5401c3..26460d4619 100644 > --- a/meta-networking/recipes-daemons/squid/squid_6.9.bb > +++ b/meta-networking/recipes-daemons/squid/squid_6.9.bb > @@ -22,6 +22,7 @@ SRC_URI = " > http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.xz \ > file://squid.nm \ > file://CVE-2024-37894.patch \ > file://CVE-2025-59362.patch \ > + file://CVE-2025-62168.patch \ > " > > SRC_URI[sha256sum] = > "1ad72d46e1cb556e9561214f0fb181adb87c7c47927ef69bc8acd68a03f61882" > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121651): https://lists.openembedded.org/g/openembedded-devel/message/121651 Mute This Topic: https://lists.openembedded.org/mt/116160723/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
