Hi,
On 20.10.2025 12:48, Adolf Belka wrote:
> - The full fix for CVE-2025-62168 is in version squid-7.2
> - However there are a lot of changes in squid from version 6 to 7 with all
> the error
> language files no longer provided directly, they have to be obtained from
> separate
> langauage packs now. Also several tools like cachmgr.cgi have been removed
> as the
> options can be obtained via different approaches.
> - I have had a look at squid-7.2 and I believe I can do the upgrade but it
> will take some
> time to be sure it is working properly.
> - In the interim, this patch adds the mitigation "email_err_data off" into
> squid.conf
> that is referenced in the CVE report.
> - If someone else has already worked on squid-7.2 and has it ready to go now
> or soon,
> then this patch can be dropped.
Yes, I did it - and I'm testing it with Core 197:
...
2025/10/20 19:52:50 kid1| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2025/10/20 19:52:50 kid1| Current Directory is /
2025/10/20 19:52:50 kid1| Starting Squid Cache version 7.2 for
x86_64-pc-linux-gnu...
...
But I don't really trust the new 'squid' yet. Building was simple - I
only changed version and checksum in the existing lfs-file, that's all
it needed. And a few changes in the rootfile - as Adolf wrote, several
tools have been removed. By the way: in the current v7.2, the "error
language files" are included, no need to download them seperately! So
upgrading was easy, but... ;-)
Right now, its running without seen problems. What bothers me, is that
the 'proxy.cgi' needs to be adjusted. This seems to be a bit tricky and
I won't have the time for this in the near future. Even if my original
'squid.conf' works fine I don't know what happens if someone needs the
removed "basic_smb_lm_auth and ntlm_smb_lm_auth helpers" (e.g. from
changelog) and clicks on "Save and restart"...
Other changes (v7.0.1):
- Remove Edge Side Include (ESI) protocol
- Remove Ident protocol support
- Remove cache_object protocol support
- Remove cachemgr.cgi tool
- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
- Remove squidclient
And the list goes on...
A change in v7.2 ("Bug 5504: Document that Squid discards invalid
rewrite-url") made an acl necessary (url_rewrite_access deny CONNECT)
because 'squid.conf' was suddenly flooded with errors: "URL-rewrite
produces invalid request: CONNECT
http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif HTTP/1.1 current
master transaction: master53"
And the v7.1 didn't ran at all, because of similar problems with the
urlfilter. Hm...
So I would recommend that we adjust the 'proxy'cgi' accordingly and test
very carefully, before we upgrade 'squid' to 7.2. I'll test and report...
Jm2c - Regards
Matthias
> Signed-off-by: Adolf Belka <[email protected]>
> ---
> html/cgi-bin/proxy.cgi | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index fdb7c6a77..f0547e249 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -3109,6 +3109,7 @@ sub writeconfig
> shutdown_lifetime 5 seconds
> icp_port 0
> httpd_suppress_version_string on
> +email_err_data off
>
> END
> ;
![http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif](http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif){kind=link}