Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <7207f941-760b-4261-9aa0-2153f9189ab2@treenet.co.nz>
Date: Wed, 5 Nov 2025 15:44:04 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: [CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error
 handling

__________________________________________________________________

     Squid Proxy Cache Security Update Advisory SQUID-2025:2
__________________________________________________________________

Advisory ID:       | SQUID-2025:2, CVE-2025-62168
Date:              | October 15, 2025
Summary:           | Information Disclosure in Error handling.
Affected versions: | Squid 3.x -> 3.5.28
                    | Squid 4.x -> 4.17
                    | Squid 5.x -> 5.9
                    | Squid 6.x -> 6.14
                    | Squid 7.x -> 7.1
Fixed in version:  | Squid 7.2
__________________________________________________________________

Problem Description:

   Due to a failure to redact HTTP Authentication credentials
   Squid is vulnerable to an Information Disclosure attack.

__________________________________________________________________

Severity:

   This problem allows a script to bypass Browser security
   protections and learn the credentials a trusted client uses to
   authenticate.

   This problem potentially allows a remote client to identify
   security tokens or credentials used internally by a web
   application using Squid for backend load balancing.

   These attacks do not require Squid to be configured with HTTP
   Authentication.

__________________________________________________________________

Updated Packages:

   This bug is fixed by Squid version 7.2.

   In addition, patches addressing this problem for the stable
   releases can be found in our patch archives:

Squid 7:
  
<https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f>

   If you are using a prepackaged version of Squid then please
   refer to the package vendor for availability information on
   updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

   The following test can be used to determine if your Squid has
   a vulnerable configuration:

      squid -k parse 2>&1 | grep "email_err_data"

   All Squid with `email_err_data off` are not vulnerable.

   All Squid up to and including 7.1 with `email_err_data on`
   are vulnerable.

   All Squid up to and including 7.1 without `email_err_data`
   are vulnerable.

__________________________________________________________________

Workaround:

   Disable debug information in administrator mailto links
   generated by Squid. By configuring squid.conf with:

      email_err_data off

__________________________________________________________________

Contact details for the Squid project:

   For installation / upgrade support on binary packaged versions
   of Squid: Your first point of contact should be your binary
   package vendor.

   If you install and build Squid from the original Squid sources
   then the <squid-users at lists.squid-cache.org> mailing list is
   your primary support point. For subscription details see
   <http://www.squid-cache.org/Support/mailing-lists.html>.

   For reporting of non-security bugs in the latest STABLE release
   the squid bugzilla database should be used
   <https://bugs.squid-cache.org/>.

   For reporting of security sensitive bugs send an email to the
   <squid-bugs at lists.squid-cache.org> mailing list. It's a closed
   list (though anyone can post) and security related bug reports
   are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:


   This vulnerability was discovered by Leonardo Giovannini of
   Doyensec.

   Fixed by Amos Jeffries of Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

   2025-09-12 08:52:20 UTC Initial Report
   2025-10-11 07:42:00 UTC Patch Released
   2025-10-13 14:35:00 UTC CVE Assignment
__________________________________________________________________
END

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.