From 49b8a8b494fc1f59d83955b449d754165662ce85 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 11 Nov 2025 22:16:37 +0000 Subject: [PATCH] import UBI squid-6.10-6.el10_1.1 --- squid-6.10-CVE-2025-62168.patch | 173 ++++++++++++++++ squid-6.10-cache-peer-connect-errors.patch | 223 +++++++++++++++++++++ squid.spec | 17 +- 3 files changed, 412 insertions(+), 1 deletion(-) create mode 100644 squid-6.10-CVE-2025-62168.patch create mode 100644 squid-6.10-cache-peer-connect-errors.patch diff --git a/squid-6.10-CVE-2025-62168.patch b/squid-6.10-CVE-2025-62168.patch new file mode 100644 index 0000000..650918c --- /dev/null +++ b/squid-6.10-CVE-2025-62168.patch @@ -0,0 +1,173 @@ +diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc +index d6be6ae..5c85eb8 100644 +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) + + /* packs request-line and headers, appends terminator */ + void +-HttpRequest::pack(Packable * p) const ++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const + { + assert(p); + /* pack request-line */ +@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const + SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), + http_ver.major, http_ver.minor); + /* headers */ +- header.packInto(p); +- /* trailer */ ++ header.packInto(p, maskSensitiveInfo); ++ /* indicate the end of the header section */ + p->append("\r\n", 2); + } + +diff --git a/src/HttpRequest.h b/src/HttpRequest.h +index 2256a55..2ada8e5 100644 +--- a/src/HttpRequest.h ++++ b/src/HttpRequest.h +@@ -206,7 +206,7 @@ public: + + void swapOut(StoreEntry * e); + +- void pack(Packable * p) const; ++ void pack(Packable * p, bool maskSensitiveInfo = false) const; + + static void httpRequestPack(void *obj, Packable *p); + +diff --git a/src/cf.data.pre b/src/cf.data.pre +index 20a7338..d1f3317 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -8941,12 +8941,18 @@ NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData +-DEFAULT: on ++DEFAULT: off + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body contains the data. + Syntax is %w ++ ++ SECURITY WARNING: ++ Request headers and other included facts may contain ++ sensitive information about transaction history, the ++ Squid instance, and its environment which would be ++ unavailable to error recipients otherwise. + DOC_END + + NAME: deny_info +diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc +index 6818d76..860edfc 100644 +--- a/src/client_side_reply.cc ++++ b/src/client_side_reply.cc +@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : + void + clientReplyContext::setReplyToError( + err_type err, Http::StatusCode status, char const *uri, +- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest, ++ const ConnStateData *conn, HttpRequest *failedrequest, const char *, + #if USE_AUTH + Auth::UserRequest::Pointer auth_user_request + #else +@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError( + { + auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al); + +- if (unparsedrequest) +- errstate->request_hdrs = xstrdup(unparsedrequest); +- + #if USE_AUTH + errstate->auth_user_request = auth_user_request; + #endif +@@ -995,11 +992,14 @@ clientReplyContext::traceReply() + triggerInitialStoreRead(); + http->storeEntry()->releaseRequest(); + http->storeEntry()->buffer(); ++ MemBuf content; ++ content.init(); ++ http->request->pack(&content, true /* hide authorization data */); + const HttpReplyPointer rep(new HttpReply); +- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime); ++ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime); ++ rep->body.set(SBuf(content.buf, content.size)); + http->storeEntry()->replaceHttpReply(rep); +- http->request->swapOut(http->storeEntry()); +- http->storeEntry()->complete(); ++ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response"); + } + + #define SENDING_BODY 0 +diff --git a/src/errorpage.cc b/src/errorpage.cc +index 0b7e5b8..31566dc 100644 +--- a/src/errorpage.cc ++++ b/src/errorpage.cc +@@ -792,7 +792,6 @@ ErrorState::~ErrorState() + { + safe_free(redirect_url); + safe_free(url); +- safe_free(request_hdrs); + wordlistDestroy(&ftp.server_msg); + safe_free(ftp.request); + safe_free(ftp.reply); +@@ -850,7 +849,10 @@ ErrorState::Dump(MemBuf * mb) + SQUIDSBUFPRINT(request->url.path()), + AnyP::ProtocolType_str[request->http_ver.protocol], + request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&str); ++ MemBuf r; ++ r.init(); ++ request->pack(&r, true /* hide authorization data */); ++ str.append(r.content(), r.contentSize()); + } + + str.append("\r\n", 2); +@@ -1112,18 +1114,10 @@ ErrorState::compileLegacyCode(Build &build) + p = "[no request]"; + break; + } +- if (request) { +- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", +- SQUIDSBUFPRINT(request->method.image()), +- SQUIDSBUFPRINT(request->url.path()), +- AnyP::ProtocolType_str[request->http_ver.protocol], +- request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&mb, true); //hide authorization data +- } else if (request_hdrs) { +- p = request_hdrs; +- } else { ++ else if (request) ++ request->pack(&mb, true /* hide authorization data */); ++ else + p = "[no request]"; +- } + break; + + case 's': +diff --git a/src/errorpage.h b/src/errorpage.h +index 8d23857..0dc10d7 100644 +--- a/src/errorpage.h ++++ b/src/errorpage.h +@@ -194,7 +194,6 @@ public: + MemBuf *listing = nullptr; + } ftp; + +- char *request_hdrs = nullptr; + char *err_msg = nullptr; /* Preformatted error message from the cache */ + + AccessLogEntryPointer ale; ///< transaction details (or nil) +diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc +index 495597d..48a0f1c 100644 +--- a/src/tests/stub_HttpRequest.cc ++++ b/src/tests/stub_HttpRequest.cc +@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB + bool HttpRequest::bodyNibbled() const STUB_RETVAL(false) + int HttpRequest::prefixLen() const STUB_RETVAL(0) + void HttpRequest::swapOut(StoreEntry *) STUB +-void HttpRequest::pack(Packable *) const STUB ++void HttpRequest::pack(Packable *, bool) const STUB + void HttpRequest::httpRequestPack(void *, Packable *) STUB + HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) + HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) diff --git a/squid-6.10-cache-peer-connect-errors.patch b/squid-6.10-cache-peer-connect-errors.patch new file mode 100644 index 0000000..edb091c --- /dev/null +++ b/squid-6.10-cache-peer-connect-errors.patch @@ -0,0 +1,223 @@ +diff --git a/src/CachePeer.cc b/src/CachePeer.cc +index 1a5ea04..b67ac3f 100644 +--- a/src/CachePeer.cc ++++ b/src/CachePeer.cc +@@ -68,20 +68,11 @@ CachePeer::noteSuccess() + } + } + +-void +-CachePeer::noteFailure(const Http::StatusCode code) +-{ +- if (Http::Is4xx(code)) +- return; // this failure is not our fault +- +- countFailure(); +-} +- + // TODO: Require callers to detail failures instead of using one (and often + // misleading!) "connection failed" phrase for all of them. + /// noteFailure() helper for handling failures attributed to this peer + void +-CachePeer::countFailure() ++CachePeer::noteFailure() + { + stats.last_connect_failure = squid_curtime; + if (tcp_up > 0) +diff --git a/src/CachePeer.h b/src/CachePeer.h +index 6c4e4fc..180c76d 100644 +--- a/src/CachePeer.h ++++ b/src/CachePeer.h +@@ -38,9 +38,8 @@ public: + /// reacts to a successful establishment of a connection to this cache_peer + void noteSuccess(); + +- /// reacts to a failure on a connection to this cache_peer +- /// \param code a received response status code, if any +- void noteFailure(Http::StatusCode code); ++ /// reacts to a failed attempt to establish a connection to this cache_peer ++ void noteFailure(); + + /// (re)configure cache_peer name=value + void rename(const char *); +@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) + peer->noteSuccess(); + } + +-/// reacts to a failure on a connection to an origin server or cache_peer ++/// reacts to a failed attempt to establish a connection to an origin server or cache_peer + /// \param peer nil if the connection is to an origin server +-/// \param code a received response status code, if any + inline void +-NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) ++NoteOutgoingConnectionFailure(CachePeer * const peer) + { + if (peer) +- peer->noteFailure(code); ++ peer->noteFailure(); + } + + /// identify the given cache peer in cache.log messages and such +diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc +index 9812160..a2d3052 100644 +--- a/src/HappyConnOpener.cc ++++ b/src/HappyConnOpener.cc +@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar + lastError = makeError(ERR_CONNECT_FAIL); + lastError->xerrno = params.xerrno; + +- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); ++ NoteOutgoingConnectionFailure(params.conn->getPeer()); + + if (spareWaiting) + updateSpareWaitAfterPrimeFailure(); +diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc +index 7becaf6..448bfed 100644 +--- a/src/PeerPoolMgr.cc ++++ b/src/PeerPoolMgr.cc +@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) + } + + if (params.flag != Comm::OK) { +- NoteOutgoingConnectionFailure(peer, Http::scNone); ++ NoteOutgoingConnectionFailure(peer); + checkpoint("conn opening failure"); // may retry + return; + } +diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc +index f31ce52..4840866 100644 +--- a/src/clients/HttpTunneler.cc ++++ b/src/clients/HttpTunneler.cc +@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) + { + closer = nullptr; + if (connection) { +- countFailingConnection(nullptr); ++ countFailingConnection(); + connection->noteClosure(); + connection = nullptr; + } +@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) + + if (const auto failingConnection = connection) { + // TODO: Reuse to-peer connections after a CONNECT error response. +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() + } + + void +-Http::Tunneler::countFailingConnection(const ErrorState * const error) ++Http::Tunneler::countFailingConnection() + { + assert(connection); +- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); ++ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because ++ // we do not blame cache_peer for CONNECT failures (on top of a successfully ++ // established connection to that cache_peer). + if (noteFwdPconnUse && connection->isOpen()) + fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); + } +diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h +index eb8dcee..d5090d3 100644 +--- a/src/clients/HttpTunneler.h ++++ b/src/clients/HttpTunneler.h +@@ -80,7 +80,7 @@ private: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + AsyncCall::Pointer writer; ///< called when the request has been written + AsyncCall::Pointer reader; ///< called when the response should be read +diff --git a/src/neighbors.cc b/src/neighbors.cc +index cf03505..628b801 100644 +--- a/src/neighbors.cc ++++ b/src/neighbors.cc +@@ -1311,7 +1311,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int + if (status == Comm::OK) + p->noteSuccess(); + else +- p->noteFailure(Http::scNone); ++ p->noteFailure(); + + -- p->testing_now; + conn->close(); +diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc +index 7372df9..b884127 100644 +--- a/src/security/BlindPeerConnector.cc ++++ b/src/security/BlindPeerConnector.cc +@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) + // based on TCP results, SSL results, or both. And the code is probably not + // consistent in this aspect across tunnelling and forwarding modules. + if (peer && peer->secure.encryptTransport) +- peer->noteFailure(error->httpStatus); ++ peer->noteFailure(); + return; + } + +diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc +index f122294..96c2f0e 100644 +--- a/src/security/PeerConnector.cc ++++ b/src/security/PeerConnector.cc +@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) + err->detailError(d); + + if (serverConn) { +- countFailingConnection(err); ++ countFailingConnection(); + serverConn->noteClosure(); + serverConn = nullptr; + } +@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) + answer().error = error; + + if (const auto failingConnection = serverConn) { +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() + } + + void +-Security::PeerConnector::countFailingConnection(const ErrorState * const error) ++Security::PeerConnector::countFailingConnection() + { + assert(serverConn); +- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); ++ NoteOutgoingConnectionFailure(serverConn->getPeer()); + // TODO: Calling PconnPool::noteUses() should not be our responsibility. + if (noteFwdPconnUse && serverConn->isOpen()) + fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); +diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h +index 3c7c01b..b00f385 100644 +--- a/src/security/PeerConnector.h ++++ b/src/security/PeerConnector.h +@@ -150,7 +150,7 @@ protected: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + /// If called the certificates validator will not used + void bypassCertValidator() {useCertValidator_ = false;} +diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc +index 3b6eb79..8e14ac1 100644 +--- a/src/tests/stub_libsecurity.cc ++++ b/src/tests/stub_libsecurity.cc +@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB + void PeerConnector::sendSuccess() STUB + void PeerConnector::callBack() STUB + void PeerConnector::disconnect() STUB +-void PeerConnector::countFailingConnection(const ErrorState *) STUB ++void PeerConnector::countFailingConnection() STUB + void PeerConnector::recordNegotiationDetails() STUB + EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) + } diff --git a/squid.spec b/squid.spec index 81bc0f0..4b6024b 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.10 -Release: 5%{?dist} +Release: 6%{?dist}.1 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -42,6 +42,13 @@ Patch205: squid-6.1-crash-half-closed.patch Patch206: squid-6.10-ignore-wsp-after-chunk-size.patch # https://bugs.squid-cache.org/show_bug.cgi?id=5214 Patch207: squid-6.10-large-upload-buffer-dies.patch +# Upstream commit: https://github.com/squid-cache/squid/commit/2e7dea3cedd3ef2f071dee82867c4147f17376dd +# https://issues.redhat.com/browse/RHEL-86817 +Patch208: squid-6.10-cache-peer-connect-errors.patch + +# Security patches +# https://bugzilla.redhat.com/show_bug.cgi?id=2404736 +Patch500: squid-6.10-CVE-2025-62168.patch # cache_swap.sh Requires: bash gawk @@ -326,6 +333,14 @@ fi %changelog +* Mon Oct 20 2025 Luboš Uhliarik - 7:6.10-6.1 +- Resolves: RHEL-122480 - CVE-2025-62168 squid: Squid vulnerable to information + disclosure via authentication credential leakage in error handling + +* Thu Apr 10 2025 Luboš Uhliarik - 7:6.10-6 +- Resolves: RHEL-86817 - ”TCP connection to XX.XX.XX.XX/XXXX failed” message is + output frequently on RHEL10 + * Thu Nov 07 2024 Luboš Uhliarik - 7:6.10-5 - Disable ESI support - Resolves: RHEL-65069 - CVE-2024-45802 squid: Denial of Service processing ESI