Your message dated Fri, 31 Oct 2025 10:32:09 +0000
with message-id <[email protected]>
and subject line Bug#1118341: fixed in squid 6.13-2+deb13u1
has caused the Debian Bug report #1118341,
regarding squid: CVE-2025-62168
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118341: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118341
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: squid
Version: 7.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for squid.
CVE-2025-62168[0]:
| Squid is a caching proxy for the Web. In Squid versions prior to
| 7.2, a failure to redact HTTP authentication credentials in error
| handling allows information disclosure. The vulnerability allows a
| script to bypass browser security protections and learn the
| credentials a trusted client uses to authenticate. This potentially
| allows a remote client to identify security tokens or credentials
| used internally by a web application using Squid for backend load
| balancing. These attacks do not require Squid to be configured with
| HTTP authentication. The vulnerability is fixed in version 7.2. As a
| workaround, disable debug information in administrator mailto links
| generated by Squid by configuring squid.conf with email_err_data
| off.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-62168
https://www.cve.org/CVERecord?id=CVE-2025-62168
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr
[2] https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: squid
Source-Version: 6.13-2+deb13u1
Done: Bastien Roucariès <[email protected]>
We believe that the bug you reported is fixed in the latest version of
squid, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <[email protected]> (supplier of updated squid package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 26 Oct 2025 09:31:13 +0100
Source: squid
Architecture: source
Version: 6.13-2+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Luigi Gangitano <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1117048 1118341
Changes:
squid (6.13-2+deb13u1) trixie-security; urgency=high
.
   * Non Maintainer Upload by LTS team
   * Fix CVE-2025-62168 (Closes: #1118341)
     Due to a failure to redact HTTP Authentication credentials
     Squid is vulnerable to an Information Disclosure attack.
   * Fix CVE-2025-59362 (Closes: #1117048)
     Squid mishandles ASN.1 encoding of long SNMP OIDs.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
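
A host check for the `email_err_data off` workaround and the fixed package version named in this thread, as an added example that is not part of the bug report, the Debian upload or Squid itself. It assumes that `email_err_data` is on when the directive is absent, that the last occurrence in the file takes effect, and that `include`d files are not followed; the version comparison applies to trixie only.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2025-62168 workaround and fix.
FIXED_TRIXIE='6.13-2+deb13u1'   # fixed version from the upload above (trixie only)

# Print the effective email_err_data value for the squid.conf given as $1.
# Assumptions: "on" when the directive is absent, last occurrence wins,
# "include" files are not followed.
effective_email_err_data() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "email_err_data" && NF >= 2 { v = $2 }
        END { print (v == "" ? "on" : v) }
    ' "$1"
}

# 0 = installed squid >= FIXED_TRIXIE, 1 = older, 2 = cannot tell
# (no dpkg on this host, or the squid package is not installed).
squid_pkg_is_fixed() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    ver=$(dpkg-query -W -f='${Version}' squid 2>/dev/null) || return 2
    [ -n "$ver" ] || return 2
    dpkg --compare-versions "$ver" ge "$FIXED_TRIXIE"
}

# Print a verdict for config $1; return 0 when fixed or mitigated, 1 otherwise.
# Only the literal value "off" counts as mitigated (conservative).
audit_squid() {
    pkg=0; squid_pkg_is_fixed || pkg=$?
    val=$(effective_email_err_data "$1")
    if [ "$pkg" -eq 0 ]; then
        echo "fixed: squid package is at or above $FIXED_TRIXIE"
    elif [ "$val" = off ]; then
        echo "mitigated: email_err_data off (package check status: $pkg)"
    else
        echo "exposed: email_err_data is '$val', package not known to be fixed"
        return 1
    fi
}

# Run against a real config when a path is given, e.g. /etc/squid/squid.conf.
if [ $# -gt 0 ]; then audit_squid "$1"; fi
```

On suites other than trixie the fixed version differs and is not listed in this thread, so rely on the `email_err_data` result there.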