| Summary: | <net-proxy/tinyproxy-1.8.3 : Multiple Vulnerabilities (CVE-2011-{1499,1843}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | alexanderyt, jer, net-proxy+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://banu.com/bugzilla/show_bug.cgi?id=90 | ||
| Whiteboard: | C4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Tim Sammut (RETIRED)
2011-04-13 04:50:57 UTC
The NVD also lists CVE-2011-1843 as fixed in tinyproxy 1.8.3 which I don't see available yet. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1843 https://banu.com/bugzilla/buglist.cgi?product=tinyproxy&target_milestone=1.8.3 --> https://banu.com/bugzilla/show_bug.cgi?id=90 CVE-2011-1843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1843): Integer overflow in conf.c in Tinyproxy before 1.8.3 might allow remote attackers to bypass intended access restrictions in opportunistic circumstances via a TCP connection, related to improper handling of invalid port numbers. CVE-2011-1499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1499): acl.c in Tinyproxy before 1.8.3, when an Allow configuration setting specifies a CIDR block, permits TCP connections from all IP addresses, which makes it easier for remote attackers to hide the origin of web traffic by leveraging the open HTTP proxy server. Arch teams, please test and mark stable: =net-proxy/tinyproxy-1.8.3 Target KEYWORDS="alpha amd64 ia64 ppc sparc x86" x86 stable amd64: emerges fine amd64 ok + 17 Aug 2011; Tony Vroon <chainsaw@gentoo.org> tinyproxy-1.8.3.ebuild: + 1.8.3 marked stable on AMD64 based on arch testing by Elijah El Lazkani & + Agostino "ago" Sarubbo in security bug #363425 filed by Tim Sammut. ppc stable alpha/ia64/sparc stable Thanks, everyone. Closing noglsa. |