Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: squid3@packages.debian.org
Control: affects -1 + src:squid3
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
* Fix CVE-2023-46728:
Due to a NULL pointer dereference bug Squid is vulnerable
to a Denial of Service attack against Squid's Gopher gateway.
* Fix CVE-2025-59362 (Closes: #1117048)
Squid mishandles ASN.1 encoding of long SNMP OIDs.
* Remove Gopher support
* Fix CVE-2024-45802: Disable ESI feature support.
Due to Input Validation, Premature Release of Resource During Expected
Lifetime, and Missing Release of Resource after Effective Lifetime bugs,
Squid is vulnerable to Denial of Service attacks by a trusted server
against all clients using the proxy. This problem is fixed by changing
the build configuration to specify the --disable-esi option.
Moreover these CVEs are fixed in bullseye and trixie
[ Impact ]
Low
[ Tests ]
Automated test suite
[ Risks ]
Low already tested in bullseye trixie
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Fix CVE-2023-46728:
Due to a NULL pointer dereference bug Squid is vulnerable
to a Denial of Service attack against Squid's Gopher gateway.
* Fix CVE-2025-59362 (Closes: #1117048)
Squid mishandles ASN.1 encoding of long SNMP OIDs.
* Remove Gopher support
* Fix CVE-2024-45802: Disable ESI feature support.
Due to Input Validation, Premature Release of Resource During Expected
Lifetime, and Missing Release of Resource after Effective Lifetime bugs,
Squid is vulnerable to Denial of Service attacks by a trusted server
against all clients using the proxy. This problem is fixed by changing
the build configuration to specify the --disable-esi option.
[ Other info ]
these CVEs are fixed in bullseye and trixie do not fixing expose to bookworm
regression
diff -Nru squid-5.7/debian/changelog squid-5.7/debian/changelog
--- squid-5.7/debian/changelog 2025-08-18 18:41:21.000000000 +0000
+++ squid-5.7/debian/changelog 2025-11-14 19:44:29.000000000 +0000
@@ -1,3 +1,27 @@
+squid (5.7-2+deb12u5) bookworm; urgency=medium
+
+ * Non maintainer upload by LTS team
+ * Fix CVE-2023-46728:
+ Due to a NULL pointer dereference bug Squid is vulnerable
+ to a Denial of Service attack against Squid's Gopher gateway.
+ * Fix CVE-2025-59362 (Closes: #1117048)
+ Squid mishandles ASN.1 encoding of long SNMP OIDs.
+ * Remove Gopher support
+ * Fix CVE-2024-45802: Disable ESI feature support.
+ Due to Input Validation, Premature Release of Resource During Expected
+ Lifetime, and Missing Release of Resource after Effective Lifetime bugs,
+ Squid is vulnerable to Denial of Service attacks by a trusted server
+ against all clients using the proxy. This problem is fixed by changing
+ the build configuration to specify the --disable-esi option.
+
+ -- Bastien Roucariès <rouca@debian.org> Fri, 14 Nov 2025 20:44:29 +0100
+
+squid (5.7-2+deb12u4) bookworm-security; urgency=medium
+
+ * CVE-2025-62168 (Closes: #1118341)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Wed, 29 Oct 2025 00:05:08 +0100
+
squid (5.7-2+deb12u3) bookworm-security; urgency=medium
* CVE-2023-5824 / CVE-2025-54574, based on backports done by Marc
diff -Nru squid-5.7/debian/patches/CVE-2023-46728.patch squid-5.7/debian/patches/CVE-2023-46728.patch
--- squid-5.7/debian/patches/CVE-2023-46728.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-5.7/debian/patches/CVE-2023-46728.patch 2025-11-14 19:43:29.000000000 +0000
@@ -0,0 +1,334 @@
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Tue, 26 Jul 2022 15:05:54 +0000
+Subject: Remove support for Gopher protocol (#1092)
+
+Gopher code quality remains too low for production use in most
+environments. The code is a persistent source of vulnerabilities and
+fixing it requires significant effort. We should not be spending scarce
+Project resources on improving that code, especially given the lack of
+strong demand for Gopher support.
+
+With this change, Gopher requests will be handled like any other request
+with an unknown (to Squid) protocol. For example, HTTP requests with
+Gopher URI scheme result in ERR_UNSUP_REQ.
+
+Default Squid configuration still considers TCP port 70 "safe". The
+corresponding Safe_ports ACL rule has not been removed for consistency
+sake: We consider WAIS port safe even though Squid refuses to forward
+WAIS requests:
+
+ acl Safe_ports port 70 # gopher
+ acl Safe_ports port 210 # wais
+
+origin: backport, https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3
+bug: https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f
+bug-github-pull: https://github.com/squid-cache/squid/pull/1092
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-46728
+---
+ src/FwdState.cc | 5 -----
+ src/HttpRequest.cc | 6 ------
+ src/IoStats.h | 2 +-
+ src/Makefile.am | 8 --------
+ src/adaptation/ecap/Host.cc | 1 -
+ src/adaptation/ecap/MessageRep.cc | 2 --
+ src/anyp/ProtocolType.h | 1 -
+ src/anyp/Uri.cc | 2 --
+ src/anyp/UriScheme.cc | 3 ---
+ src/client_side_request.cc | 4 ----
+ src/error/forward.h | 2 +-
+ src/http/Message.h | 1 -
+ src/mgr/IoAction.cc | 3 ---
+ src/mgr/IoAction.h | 2 --
+ src/stat.cc | 19 -------------------
+ src/tests/Stub.am | 1 -
+ 16 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/src/FwdState.cc b/src/FwdState.cc
+index bdcfcd6..bb9f496 100644
+--- a/src/FwdState.cc
++++ b/src/FwdState.cc
+@@ -29,7 +29,6 @@
+ #include "fde.h"
+ #include "FwdState.h"
+ #include "globals.h"
+-#include "gopher.h"
+ #include "HappyConnOpener.h"
+ #include "hier_code.h"
+ #include "http.h"
+@@ -1285,10 +1284,6 @@ FwdState::dispatch()
+ httpStart(this);
+ break;
+
+- case AnyP::PROTO_GOPHER:
+- gopherStart(this);
+- break;
+-
+ case AnyP::PROTO_FTP:
+ if (request->flags.ftpNative)
+ Ftp::StartRelay(this);
+diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc
+index fd20600..1b4e337 100644
+--- a/src/HttpRequest.cc
++++ b/src/HttpRequest.cc
+@@ -19,7 +19,6 @@
+ #include "Downloader.h"
+ #include "error/Detail.h"
+ #include "globals.h"
+-#include "gopher.h"
+ #include "http.h"
+ #include "http/ContentLengthInterpreter.h"
+ #include "http/one/RequestParser.h"
+@@ -560,11 +559,6 @@ HttpRequest::maybeCacheable()
+ return false;
+ break;
+
+- case AnyP::PROTO_GOPHER:
+- if (!gopherCachable(this))
+- return false;
+- break;
+-
+ case AnyP::PROTO_CACHE_OBJECT:
+ return false;
+
+diff --git a/src/IoStats.h b/src/IoStats.h
+index 96f64f5..886607a 100644
+--- a/src/IoStats.h
++++ b/src/IoStats.h
+@@ -22,7 +22,7 @@ public:
+ int writes;
+ int write_hist[histSize];
+ }
+- Http, Ftp, Gopher;
++ Http, Ftp;
+ };
+
+ #endif /* SQUID_IOSTATS_H_ */
+diff --git a/src/Makefile.am b/src/Makefile.am
+index dfb67a9..e664699 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -410,8 +410,6 @@ squid_SOURCES = \
+ fs_io.cc \
+ fs_io.h \
+ globals.h \
+- gopher.cc \
+- gopher.h \
+ helper.cc \
+ helper.h \
+ hier_code.h \
+@@ -1966,8 +1964,6 @@ tests_test_http_range_SOURCES = \
+ fqdncache.h \
+ fs_io.cc \
+ fs_io.h \
+- tests/stub_gopher.cc \
+- gopher.h \
+ helper.cc \
+ hier_code.h \
+ http.cc \
+@@ -2356,8 +2352,6 @@ tests_testHttpRequest_SOURCES = \
+ fqdncache.h \
+ fs_io.cc \
+ fs_io.h \
+- tests/stub_gopher.cc \
+- gopher.h \
+ helper.cc \
+ hier_code.h \
+ http.cc \
+@@ -2662,8 +2656,6 @@ tests_testCacheManager_SOURCES = \
+ fqdncache.h \
+ fs_io.cc \
+ fs_io.h \
+- tests/stub_gopher.cc \
+- gopher.h \
+ helper.cc \
+ hier_code.h \
+ http.cc \
+diff --git a/src/adaptation/ecap/Host.cc b/src/adaptation/ecap/Host.cc
+index edb55de..b1d8a8d 100644
+--- a/src/adaptation/ecap/Host.cc
++++ b/src/adaptation/ecap/Host.cc
+@@ -49,7 +49,6 @@ Adaptation::Ecap::Host::Host()
+ libecap::protocolHttp.assignHostId(AnyP::PROTO_HTTP);
+ libecap::protocolHttps.assignHostId(AnyP::PROTO_HTTPS);
+ libecap::protocolFtp.assignHostId(AnyP::PROTO_FTP);
+- libecap::protocolGopher.assignHostId(AnyP::PROTO_GOPHER);
+ libecap::protocolWais.assignHostId(AnyP::PROTO_WAIS);
+ libecap::protocolUrn.assignHostId(AnyP::PROTO_URN);
+ libecap::protocolWhois.assignHostId(AnyP::PROTO_WHOIS);
+diff --git a/src/adaptation/ecap/MessageRep.cc b/src/adaptation/ecap/MessageRep.cc
+index c5ade9c..cd543bd 100644
+--- a/src/adaptation/ecap/MessageRep.cc
++++ b/src/adaptation/ecap/MessageRep.cc
+@@ -140,8 +140,6 @@ Adaptation::Ecap::FirstLineRep::protocol() const
+ return libecap::protocolHttps;
+ case AnyP::PROTO_FTP:
+ return libecap::protocolFtp;
+- case AnyP::PROTO_GOPHER:
+- return libecap::protocolGopher;
+ case AnyP::PROTO_WAIS:
+ return libecap::protocolWais;
+ case AnyP::PROTO_WHOIS:
+diff --git a/src/anyp/ProtocolType.h b/src/anyp/ProtocolType.h
+index e736c19..a233da5 100644
+--- a/src/anyp/ProtocolType.h
++++ b/src/anyp/ProtocolType.h
+@@ -27,7 +27,6 @@ typedef enum {
+ PROTO_HTTPS,
+ PROTO_COAP,
+ PROTO_COAPS,
+- PROTO_GOPHER,
+ PROTO_WAIS,
+ PROTO_CACHE_OBJECT,
+ PROTO_ICP,
+diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
+index 848a773..81ebb18 100644
+--- a/src/anyp/Uri.cc
++++ b/src/anyp/Uri.cc
+@@ -885,8 +885,6 @@ urlCheckRequest(const HttpRequest * r)
+ if (r->method == Http::METHOD_PUT)
+ rc = 1;
+
+- case AnyP::PROTO_GOPHER:
+-
+ case AnyP::PROTO_WAIS:
+
+ case AnyP::PROTO_WHOIS:
+diff --git a/src/anyp/UriScheme.cc b/src/anyp/UriScheme.cc
+index 7f11537..81079fd 100644
+--- a/src/anyp/UriScheme.cc
++++ b/src/anyp/UriScheme.cc
+@@ -87,9 +87,6 @@ AnyP::UriScheme::defaultPort() const
+ // Assuming IANA policy of allocating same port for base and TLS protocol versions will occur.
+ return 5683;
+
+- case AnyP::PROTO_GOPHER:
+- return 70;
+-
+ case AnyP::PROTO_WAIS:
+ return 210;
+
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index ed5e947..c7c09d4 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -33,7 +33,6 @@
+ #include "fd.h"
+ #include "fde.h"
+ #include "format/Token.h"
+-#include "gopher.h"
+ #include "helper.h"
+ #include "helper/Reply.h"
+ #include "http.h"
+@@ -973,9 +972,6 @@ clientHierarchical(ClientHttpRequest * http)
+ if (request->url.getScheme() == AnyP::PROTO_HTTP)
+ return method.respMaybeCacheable();
+
+- if (request->url.getScheme() == AnyP::PROTO_GOPHER)
+- return gopherCachable(request);
+-
+ if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT)
+ return 0;
+
+diff --git a/src/error/forward.h b/src/error/forward.h
+index b14a6ee..c105a66 100644
+--- a/src/error/forward.h
++++ b/src/error/forward.h
+@@ -67,7 +67,7 @@ typedef enum {
+ ERR_GATEWAY_FAILURE,
+
+ /* Special Cases */
+- ERR_DIR_LISTING, /* Display of remote directory (FTP, Gopher) */
++ ERR_DIR_LISTING, /* Display of remote directory (FTP) */
+ ERR_SQUID_SIGNATURE, /* not really an error */
+ ERR_SHUTTING_DOWN,
+ ERR_PROTOCOL_UNKNOWN,
+diff --git a/src/http/Message.h b/src/http/Message.h
+index 1807023..92b5b1d 100644
+--- a/src/http/Message.h
++++ b/src/http/Message.h
+@@ -40,7 +40,6 @@ public:
+ srcFtp = 1 << (16 + 1), ///< ftp_port or FTP server
+ srcIcap = 1 << (16 + 2), ///< traditional ICAP service without encryption
+ srcEcap = 1 << (16 + 3), ///< eCAP service that uses insecure libraries/daemons
+- srcGopher = 1 << (16 + 14), ///< Gopher server
+ srcWhois = 1 << (16 + 15), ///< Whois server
+ srcUnsafe = 0xFFFF0000, ///< Unsafe sources mask
+ srcSafe = 0x0000FFFF ///< Safe sources mask
+diff --git a/src/mgr/IoAction.cc b/src/mgr/IoAction.cc
+index 94a5c03..062d5e3 100644
+--- a/src/mgr/IoAction.cc
++++ b/src/mgr/IoAction.cc
+@@ -35,9 +35,6 @@ Mgr::IoActionData::operator += (const IoActionData& stats)
+ ftp_reads += stats.ftp_reads;
+ for (int i = 0; i < IoStats::histSize; ++i)
+ ftp_read_hist[i] += stats.ftp_read_hist[i];
+- gopher_reads += stats.gopher_reads;
+- for (int i = 0; i < IoStats::histSize; ++i)
+- gopher_read_hist[i] += stats.gopher_read_hist[i];
+
+ return *this;
+ }
+diff --git a/src/mgr/IoAction.h b/src/mgr/IoAction.h
+index 7e9ad1a..dc4a3a5 100644
+--- a/src/mgr/IoAction.h
++++ b/src/mgr/IoAction.h
+@@ -27,10 +27,8 @@ public:
+ public:
+ double http_reads;
+ double ftp_reads;
+- double gopher_reads;
+ double http_read_hist[IoStats::histSize];
+ double ftp_read_hist[IoStats::histSize];
+- double gopher_read_hist[IoStats::histSize];
+ };
+
+ /// implement aggregated 'io' action
+diff --git a/src/stat.cc b/src/stat.cc
+index 6171077..3bc1f47 100644
+--- a/src/stat.cc
++++ b/src/stat.cc
+@@ -206,12 +206,6 @@ GetIoStats(Mgr::IoActionData& stats)
+ for (i = 0; i < IoStats::histSize; ++i) {
+ stats.ftp_read_hist[i] = IOStats.Ftp.read_hist[i];
+ }
+-
+- stats.gopher_reads = IOStats.Gopher.reads;
+-
+- for (i = 0; i < IoStats::histSize; ++i) {
+- stats.gopher_read_hist[i] = IOStats.Gopher.read_hist[i];
+- }
+ }
+
+ void
+@@ -244,19 +238,6 @@ DumpIoStats(Mgr::IoActionData& stats, StoreEntry* sentry)
+ Math::doublePercent(stats.ftp_read_hist[i], stats.ftp_reads));
+ }
+
+- storeAppendPrintf(sentry, "\n");
+- storeAppendPrintf(sentry, "Gopher I/O\n");
+- storeAppendPrintf(sentry, "number of reads: %.0f\n", stats.gopher_reads);
+- storeAppendPrintf(sentry, "Read Histogram:\n");
+-
+- for (i = 0; i < IoStats::histSize; ++i) {
+- storeAppendPrintf(sentry, "%5d-%5d: %9.0f %2.0f%%\n",
+- i ? (1 << (i - 1)) + 1 : 1,
+- 1 << i,
+- stats.gopher_read_hist[i],
+- Math::doublePercent(stats.gopher_read_hist[i], stats.gopher_reads));
+- }
+-
+ storeAppendPrintf(sentry, "\n");
+ }
+
+diff --git a/src/tests/Stub.am b/src/tests/Stub.am
+index 3972203..410f2e5 100644
+--- a/src/tests/Stub.am
++++ b/src/tests/Stub.am
+@@ -29,7 +29,6 @@ STUB_SOURCE = \
+ tests/stub_external_acl.cc \
+ tests/stub_fatal.cc \
+ tests/stub_fd.cc \
+- tests/stub_gopher.cc \
+ tests/stub_helper.cc \
+ tests/stub_HelperChildConfig.cc \
+ tests/stub_http.cc \
diff -Nru squid-5.7/debian/patches/CVE-2025-59362.patch squid-5.7/debian/patches/CVE-2025-59362.patch
--- squid-5.7/debian/patches/CVE-2025-59362.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-5.7/debian/patches/CVE-2025-59362.patch 2025-11-14 19:44:29.000000000 +0000
@@ -0,0 +1,50 @@
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Sat, 30 Aug 2025 06:49:36 +0000
+Subject: Fix ASN.1 encoding of long SNMP OIDs (#2149)
+
+origin: https://github.com/squid-cache/squid/commit/0d89165ee6da10e6fa50c44998b3cd16d59400e9
+bug: https://github.com/squid-cache/squid/pull/2149
+---
+ lib/snmplib/asn1.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: squid/lib/snmplib/asn1.c
+===================================================================
+--- squid.orig/lib/snmplib/asn1.c 2025-10-28 13:50:49.198775582 +0100
++++ squid/lib/snmplib/asn1.c 2025-10-28 13:50:49.196276818 +0100
+@@ -771,6 +771,7 @@
+ * lastbyte ::= 0 7bitvalue
+ */
+ u_char buf[MAX_OID_LEN];
++ u_char *bufEnd = buf + sizeof(buf);
+ u_char *bp = buf;
+ oid *op = objid;
+ int asnlength;
+@@ -789,6 +790,10 @@
+ while (objidlength-- > 0) {
+ subid = *op++;
+ if (subid < 127) { /* off by one? */
++ if (bp >= bufEnd) {
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
++ return (NULL);
++ }
+ *bp++ = subid;
+ } else {
+ mask = 0x7F; /* handle subid == 0 case */
+@@ -806,8 +811,16 @@
+ /* fix a mask that got truncated above */
+ if (mask == 0x1E00000)
+ mask = 0xFE00000;
++ if (bp >= bufEnd) {
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
++ return (NULL);
++ }
+ *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
+ }
++ if (bp >= bufEnd) {
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
++ return (NULL);
++ }
+ *bp++ = (u_char) (subid & mask);
+ }
+ }
diff -Nru squid-5.7/debian/patches/CVE-2025-62168.patch squid-5.7/debian/patches/CVE-2025-62168.patch
--- squid-5.7/debian/patches/CVE-2025-62168.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-5.7/debian/patches/CVE-2025-62168.patch 2025-11-14 19:42:32.000000000 +0000
@@ -0,0 +1,163 @@
+Backported from:
+
+From 0951a0681011dfca3d78c84fd7f1e19c78a4443f Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <yadij@users.noreply.github.com>
+Date: Sat, 11 Oct 2025 16:33:02 +1300
+Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249)
+
+--- squid-5.7.orig/src/HttpRequest.cc
++++ squid-5.7/src/HttpRequest.cc
+@@ -342,7 +342,7 @@ HttpRequest::swapOut(StoreEntry * e)
+
+ /* packs request-line and headers, appends <crlf> terminator */
+ void
+-HttpRequest::pack(Packable * p) const
++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
+ {
+ assert(p);
+ /* pack request-line */
+@@ -350,8 +350,8 @@ HttpRequest::pack(Packable * p) const
+ SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
+ http_ver.major, http_ver.minor);
+ /* headers */
+- header.packInto(p);
+- /* trailer */
++ header.packInto(p, maskSensitiveInfo);
++ /* indicate the end of the header section */
+ p->append("\r\n", 2);
+ }
+
+--- squid-5.7.orig/src/HttpRequest.h
++++ squid-5.7/src/HttpRequest.h
+@@ -206,7 +206,7 @@ public:
+
+ void swapOut(StoreEntry * e);
+
+- void pack(Packable * p) const;
++ void pack(Packable * p, bool maskSensitiveInfo = false) const;
+
+ static void httpRequestPack(void *obj, Packable *p);
+
+--- squid-5.7.orig/src/cf.data.pre
++++ squid-5.7/src/cf.data.pre
+@@ -8722,12 +8722,18 @@ NAME: email_err_data
+ COMMENT: on|off
+ TYPE: onoff
+ LOC: Config.onoff.emailErrData
+-DEFAULT: on
++DEFAULT: off
+ DOC_START
+ If enabled, information about the occurred error will be
+ included in the mailto links of the ERR pages (if %W is set)
+ so that the email body contains the data.
+ Syntax is <A HREF="mailto:%w%W";>%w</A>
++
++ SECURITY WARNING:
++ Request headers and other included facts may contain
++ sensitive information about transaction history, the
++ Squid instance, and its environment which would be
++ unavailable to error recipients otherwise.
+ DOC_END
+
+ NAME: deny_info
+--- squid-5.7.orig/src/client_side_reply.cc
++++ squid-5.7/src/client_side_reply.cc
+@@ -100,7 +100,7 @@ clientReplyContext::clientReplyContext(C
+ void
+ clientReplyContext::setReplyToError(
+ err_type err, Http::StatusCode status, const HttpRequestMethod& method, char const *uri,
+- Ip::Address &addr, HttpRequest * failedrequest, const char *unparsedrequest,
++ Ip::Address &addr, HttpRequest * failedrequest, const char *,
+ #if USE_AUTH
+ Auth::UserRequest::Pointer auth_user_request
+ #else
+@@ -110,9 +110,6 @@ clientReplyContext::setReplyToError(
+ {
+ auto errstate = clientBuildError(err, status, uri, addr, failedrequest, http->al);
+
+- if (unparsedrequest)
+- errstate->request_hdrs = xstrdup(unparsedrequest);
+-
+ #if USE_AUTH
+ errstate->auth_user_request = auth_user_request;
+ #endif
+@@ -1088,11 +1085,14 @@ clientReplyContext::traceReply()
+ triggerInitialStoreRead();
+ http->storeEntry()->releaseRequest();
+ http->storeEntry()->buffer();
++ MemBuf content;
++ content.init();
++ http->request->pack(&content, true /* hide authorization data */);
+ const HttpReplyPointer rep(new HttpReply);
+- rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime);
++ rep->setHeaders(Http::scOkay, NULL, "message/http", content.contentSize(), 0, squid_curtime);
++ rep->body.set(SBuf(content.buf, content.size));
+ http->storeEntry()->replaceHttpReply(rep);
+- http->request->swapOut(http->storeEntry());
+- http->storeEntry()->complete();
++ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
+ }
+
+ #define SENDING_BODY 0
+--- squid-5.7.orig/src/errorpage.cc
++++ squid-5.7/src/errorpage.cc
+@@ -787,7 +787,6 @@ ErrorState::~ErrorState()
+ {
+ safe_free(redirect_url);
+ safe_free(url);
+- safe_free(request_hdrs);
+ wordlistDestroy(&ftp.server_msg);
+ safe_free(ftp.request);
+ safe_free(ftp.reply);
+@@ -845,7 +844,7 @@ ErrorState::Dump(MemBuf * mb)
+ SQUIDSBUFPRINT(request->url.path()),
+ AnyP::ProtocolType_str[request->http_ver.protocol],
+ request->http_ver.major, request->http_ver.minor);
+- request->header.packInto(&str);
++ request->header.packInto(&str, true /* hide authorization data */);
+ }
+
+ str.append("\r\n", 2);
+@@ -1106,18 +1105,10 @@ ErrorState::compileLegacyCode(Build &bui
+ p = "[no request]";
+ break;
+ }
+- if (request) {
+- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
+- SQUIDSBUFPRINT(request->method.image()),
+- SQUIDSBUFPRINT(request->url.path()),
+- AnyP::ProtocolType_str[request->http_ver.protocol],
+- request->http_ver.major, request->http_ver.minor);
+- request->header.packInto(&mb, true); //hide authorization data
+- } else if (request_hdrs) {
+- p = request_hdrs;
+- } else {
++ else if (request)
++ request->pack(&mb, true /* hide authorization data */);
++ else
+ p = "[no request]";
+- }
+ break;
+
+ case 's':
+--- squid-5.7.orig/src/errorpage.h
++++ squid-5.7/src/errorpage.h
+@@ -192,7 +192,6 @@ public:
+ MemBuf *listing = nullptr;
+ } ftp;
+
+- char *request_hdrs = nullptr;
+ char *err_msg = nullptr; /* Preformatted error message from the cache */
+
+ AccessLogEntryPointer ale; ///< transaction details (or nil)
+--- squid-5.7.orig/src/tests/stub_HttpRequest.cc
++++ squid-5.7/src/tests/stub_HttpRequest.cc
+@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const Ht
+ bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
+ int HttpRequest::prefixLen() const STUB_RETVAL(0)
+ void HttpRequest::swapOut(StoreEntry *) STUB
+-void HttpRequest::pack(Packable *) const STUB
++void HttpRequest::pack(Packable *, bool) const STUB
+ void HttpRequest::httpRequestPack(void *, Packable *) STUB
+ HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
+ HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
diff -Nru squid-5.7/debian/patches/series squid-5.7/debian/patches/series
--- squid-5.7/debian/patches/series 2025-08-18 18:41:21.000000000 +0000
+++ squid-5.7/debian/patches/series 2025-11-14 19:44:29.000000000 +0000
@@ -16,3 +16,6 @@
CVE-2024-25617.patch
CVE-2024-37894.patch
CVE-2025-54574_CVE-2023-5824.patch
+CVE-2025-62168.patch
+CVE-2023-46728.patch
+CVE-2025-59362.patch
diff -Nru squid-5.7/debian/rules squid-5.7/debian/rules
--- squid-5.7/debian/rules 2024-03-05 22:14:44.000000000 +0000
+++ squid-5.7/debian/rules 2025-11-14 19:44:29.000000000 +0000
@@ -46,7 +46,6 @@
--enable-storeid-rewrite-helpers="file" \
--enable-url-rewrite-helpers="fake" \
--enable-eui \
- --enable-esi \
--enable-icmp \
--enable-zph-qos \
--enable-ecap \
@@ -58,6 +57,9 @@
--with-large-files \
--with-default-user=proxy
+## CVE-2024-45802
+DEB_CONFIGURE_EXTRA_FLAGS += --disable-esi
+
ifeq ($(DEB_HOST_ARCH_OS), kfreebsd)
DEB_CONFIGURE_EXTRA_FLAGS += --enable-kqueue
endif
Attachment:
signature.asc
Description: This is a digitally signed message part.