| Summary: | <net-proxy/polipo-1.1.1: multiple vulnerabilities (CVE-{2009-3305,2011-3596}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | bircoph, jlec, net-proxy+disabled |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/fulldisclosure/2011/Oct/10 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-10-02 03:53:01 UTC
Hello, polipo-1.1.1 is in tree now. It should fix CVE-2011-3596, from CHANGES file:

* Fail expectations on the local interface.

This might or might not be what CVE-2011-3596 is about, difficult to say since nobody is speaking to me. So upstream is not 100% sure, but at least the exploit from comment 1 doesn't work anymore: polipo bails out with "405 Method not allowed".

Please note that 1.1.1 also fixes CVE-2009-3305:

* Fixed a crash that occurs when a server sends a malformed Cache-Control: header (CVE-2009-3305). Thanks to Stefan Fritsch.

Vulnerable unstable version is removed. So what is left is to stabilize polipo-1.1.1 and remove old stable.

(In reply to Andrew Savchenko from comment #1)
> Vulnerable unstable version is removed. So what is left is to stabilize
> polipo-1.1.1 and remove old stable.

Please add arches in CC and tell them which version to stabilize. Also change the title of the bug to reflect which versions are affected.

Arch teams, please stabilize =net-proxy/polipo-1.1.1.

x86 done.

amd64 stable.

Maintainer(s), please cleanup. Security, please vote.

All vulnerable versions are removed from tree.

GLSA Vote: No

Vote: NO.