new version 6.14

Resolves: CVE-2025-62168 - Information disclosure in Squid
2025-10-18 15:38:02 +02:00
4 changed files with 184 additions and 4 deletions
--- a/4
+++ b/4
@ -1,3 +1,3 @@
-SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1
-SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9
+SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5
+SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3
 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
--- a/squid-6.1-perlpath.patch
+++ b/squid-6.1-perlpath.patch
@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755
 -#!/usr/local/bin/perl -Tw
 +#!/usr/bin/perl -Tw
 #
- # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors
+ # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 # *
--- a/squid-6.14-CVE-2025-62168.patch
+++ b/squid-6.14-CVE-2025-62168.patch
@ -0,0 +1,173 @@
+diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc
+index d6be6ae..5c85eb8 100644
+--- a/src/HttpRequest.cc
+++ b/src/HttpRequest.cc
+@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
+ 
+ /* packs request-line and headers, appends <crlf> terminator */
+ void
+-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
+ {
+     assert(p);
+     /* pack request-line */
+@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
+                SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
+                http_ver.major, http_ver.minor);
+     /* headers */
+-    header.packInto(p);
+-    /* trailer */
+    header.packInto(p, maskSensitiveInfo);
+    /* indicate the end of the header section */
+     p->append("\r\n", 2);
+ }
+ 
+diff --git a/src/HttpRequest.h b/src/HttpRequest.h
+index 2256a55..2ada8e5 100644
+--- a/src/HttpRequest.h
+++ b/src/HttpRequest.h
+@@ -206,7 +206,7 @@ public:
+ 
+     void swapOut(StoreEntry * e);
+ 
+-    void pack(Packable * p) const;
+    void pack(Packable * p, bool maskSensitiveInfo = false) const;
+ 
+     static void httpRequestPack(void *obj, Packable *p);
+ 
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index 20a7338..d1f3317 100644
+--- a/src/cf.data.pre
+++ b/src/cf.data.pre
+@@ -8941,12 +8941,18 @@ NAME: email_err_data
+ COMMENT: on|off
+ TYPE: onoff
+ LOC: Config.onoff.emailErrData
+-DEFAULT: on
+DEFAULT: off
+ DOC_START
+ 	If enabled, information about the occurred error will be
+ 	included in the mailto links of the ERR pages (if %W is set)
+ 	so that the email body contains the data.
+ 	Syntax is <A HREF="mailto:%w%W">%w</A>
+
+	SECURITY WARNING:
+		Request headers and other included facts may contain
+		sensitive information about transaction history, the
+		Squid instance, and its environment which would be
+		unavailable to error recipients otherwise.
+ DOC_END
+ 
+ NAME: deny_info
+diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
+index 6818d76..860edfc 100644
+--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
+@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) :
+ void
+ clientReplyContext::setReplyToError(
+     err_type err, Http::StatusCode status, char const *uri,
+-    const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
+    const ConnStateData *conn, HttpRequest *failedrequest, const char *,
+ #if USE_AUTH
+     Auth::UserRequest::Pointer auth_user_request
+ #else
+@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
+ {
+     auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
+ 
+-    if (unparsedrequest)
+-        errstate->request_hdrs = xstrdup(unparsedrequest);
+-
+ #if USE_AUTH
+     errstate->auth_user_request = auth_user_request;
+ #endif
+@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
+     triggerInitialStoreRead();
+     http->storeEntry()->releaseRequest();
+     http->storeEntry()->buffer();
+    MemBuf content;
+    content.init();
+    http->request->pack(&content, true /* hide authorization data */);
+     const HttpReplyPointer rep(new HttpReply);
+-    rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+    rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
+    rep->body.set(SBuf(content.buf, content.size));
+     http->storeEntry()->replaceHttpReply(rep);
+-    http->request->swapOut(http->storeEntry());
+-    http->storeEntry()->complete();
+    http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
+ }
+ 
+ #define SENDING_BODY 0
+diff --git a/src/errorpage.cc b/src/errorpage.cc
+index 0b7e5b8..31566dc 100644
+--- a/src/errorpage.cc
+++ b/src/errorpage.cc
+@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
+ {
+     safe_free(redirect_url);
+     safe_free(url);
+-    safe_free(request_hdrs);
+     wordlistDestroy(&ftp.server_msg);
+     safe_free(ftp.request);
+     safe_free(ftp.reply);
+@@ -850,7 +849,10 @@ ErrorState::Dump(MemBuf * mb)
+                     SQUIDSBUFPRINT(request->url.path()),
+                     AnyP::ProtocolType_str[request->http_ver.protocol],
+                     request->http_ver.major, request->http_ver.minor);
+-        request->header.packInto(&str);
+        MemBuf r;
+        r.init();
+        request->pack(&r, true /* hide authorization data */);
+        str.append(r.content(), r.contentSize());
+     }
+ 
+     str.append("\r\n", 2);
+@@ -1112,18 +1114,10 @@ ErrorState::compileLegacyCode(Build &build)
+                 p = "[no request]";
+             break;
+         }
+-        if (request) {
+-            mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
+-                       SQUIDSBUFPRINT(request->method.image()),
+-                       SQUIDSBUFPRINT(request->url.path()),
+-                       AnyP::ProtocolType_str[request->http_ver.protocol],
+-                       request->http_ver.major, request->http_ver.minor);
+-            request->header.packInto(&mb, true); //hide authorization data
+-        } else if (request_hdrs) {
+-            p = request_hdrs;
+-        } else {
+        else if (request)
+            request->pack(&mb, true /* hide authorization data */);
+        else
+             p = "[no request]";
+-        }
+         break;
+ 
+     case 's':
+diff --git a/src/errorpage.h b/src/errorpage.h
+index 8d23857..0dc10d7 100644
+--- a/src/errorpage.h
+++ b/src/errorpage.h
+@@ -194,7 +194,6 @@ public:
+         MemBuf *listing = nullptr;
+     } ftp;
+ 
+-    char *request_hdrs = nullptr;
+     char *err_msg = nullptr; /* Preformatted error message from the cache */
+ 
+     AccessLogEntryPointer ale; ///< transaction details (or nil)
+diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc
+index 495597d..48a0f1c 100644
+--- a/src/tests/stub_HttpRequest.cc
+++ b/src/tests/stub_HttpRequest.cc
+@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB
+ bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
+ int HttpRequest::prefixLen() const STUB_RETVAL(0)
+ void HttpRequest::swapOut(StoreEntry *) STUB
+-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
+ void HttpRequest::httpRequestPack(void *, Packable *) STUB
+ HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
+ HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
--- a/squid.spec
+++ b/squid.spec
@ -1,7 +1,7 @@
 %define __perl_requires %{SOURCE98}

 Name:     squid
-Version:  6.13
+Version:  6.14
 Release:  1%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
@ -41,6 +41,9 @@ Patch205: squid-6.1-crash-half-closed.patch
 # Upstream PR: https://github.com/squid-cache/squid/pull/1914
 Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch

+# Security patches
+Patch500: squid-6.14-CVE-2025-62168.patch
+
 # cache_swap.sh
 Requires: bash gawk
 # for httpd conf file - cachemgr script alias
@ -314,6 +317,10 @@ fi


 %changelog
+* Sat Oct 18 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.14-1
+- new version 6.14
+- Resolves: CVE-2025-62168 - Information disclosure in Squid
+
 * Tue Feb 04 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.13-1
 - new version 6.13