
[SECURITY] [DLA 4369-1] squid security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4369-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
November 11, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : squid
Version        : 4.13-10+deb11u6
CVE ID         : CVE-2025-59362 CVE-2025-62168
Debian Bug     : 1117048 1118341

Squid, a popular proxy server, was affected by multiple vulnerabilities.

CVE-2025-59362

    Squid mishandles ASN.1 encoding of long SNMP OIDs. This occurs in
    asn_build_objid in lib/snmplib/asn1.c.

CVE-2025-62168

    A failure to redact HTTP authentication credentials in error
    handling allows information disclosure. The vulnerability allows a
    script to bypass browser security protections and learn the
    credentials a trusted client uses to authenticate.
    This potentially allows a remote client to identify security tokens
    or credentials used internally by a web application using Squid for
    backend load balancing. These attacks do not require Squid to
    be configured with HTTP authentication.

For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u6.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS