can DoS tinyproxy with too many headers in response.
Thanks for the bug, taaroa.
Patches attached to the upstream bug in c0.
tinyproxy before 1.8.3-3 allows remote attackers to cause a denial of
service (CPU and memory consumption) via (1) a large number of headers or
(2) a large number of forged headers that are hashed into the same bucket.
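A defender-side illustration of the two mitigations implied by the description above (cap the number of header lines, and make bucket placement unpredictable to a remote peer). This is an added Python example, not tinyproxy's code or the Gentoo patches; the limits MAX_HEADERS and HASH_BUCKETS and the keyed-hash choice are assumptions.

```python
import os
import hashlib

# Constructed limits for this example; tinyproxy's real values are not on this page.
MAX_HEADERS = 100           # upper bound on header lines accepted per response
HASH_BUCKETS = 64           # size of the bucketed header table
_HASH_KEY = os.urandom(16)  # per-process secret key: bucket placement is unpredictable


class TooManyHeaders(ValueError):
    """Raised when a response carries more header lines than MAX_HEADERS."""


def bucket_for(name: str, key: bytes = _HASH_KEY) -> int:
    """Keyed hash of the lower-cased header name. Because the key is secret and
    per-process, a peer cannot precompute names that all land in one bucket."""
    digest = hashlib.blake2b(name.lower().encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % HASH_BUCKETS


def parse_headers(raw: bytes):
    """Parse 'Name: value' lines of a raw HTTP header block into a bucketed
    table, aborting as soon as the count cap is exceeded so work stays bounded."""
    table = [[] for _ in range(HASH_BUCKETS)]
    count = 0
    for line in raw.split(b"\r\n"):
        if not line:
            break                      # blank line terminates the header block
        count += 1
        if count > MAX_HEADERS:
            raise TooManyHeaders(f"more than {MAX_HEADERS} header lines")
        name, sep, value = line.partition(b":")
        if not sep:
            continue                   # skip malformed lines without a colon
        name_s = name.decode("latin-1").strip()
        table[bucket_for(name_s)].append((name_s, value.decode("latin-1").strip()))
    return table


def lookup(table, name: str):
    """Return all values stored for a header name (case-insensitive), or []."""
    return [v for n, v in table[bucket_for(name)] if n.lower() == name.lower()]


def header_count(table) -> int:
    """Total number of header lines stored across all buckets."""
    return sum(len(bucket) for bucket in table)
```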
+ 30 May 2013; Tom Wijsman <TomWij@gentoo.org> ChangeLog,
+ +tinyproxy-1.8.3-r2.ebuild, +files/tinyproxy-1.8.3-r2.initd,
+ Use /run instead of /var/run, fixes bug #444167. Apply DoS Prevention
+ patches, temporary fixes for bug #432046. Fix ChangeLog issues; there was an
+ empty log message above header by flameeyes and an empty message by jer.
(In reply to Tom Wijsman (TomWij) from comment #3)
> + 30 May 2013; Tom Wijsman <TomWij@gentoo.org> ChangeLog,
> + +tinyproxy-1.8.3-r2.ebuild, +files/tinyproxy-1.8.3-r2.initd,
> + +files/tinyproxy-1.8.3-r2-DoS-Prevention.patch:
> + Use /run instead of /var/run, fixes bug #444167. Apply DoS Prevention
> + patches, temporary fixes for bug #432046. Fix ChangeLog issues; there was
> + empty log message above header by flameeyes and an empty message by jer.
Maybe -r3 could be stabilized instead of -r2, as the only difference is the installation of systemd unit files.
@maintainers: if it's okay to stable, please CC arches with your target version.
Ok with 1.8.3-r3 then?
Please stabilize =net-proxy/tinyproxy-1.8.3-r3.
Target keywords: alpha amd64 ia64 ppc sparc x86
GLSA request filed. @maintainers: cleanup please.
Hm, that was supposed to be glsa?. Oh well. Request still filed.
+ 10 Oct 2013; Tom Wijsman <TomWij@gentoo.org> -tinyproxy-1.8.3-r1.ebuild,
+ -tinyproxy-1.8.3-r2.ebuild, -tinyproxy-1.8.3.ebuild:
+ Cleanup of old ebuilds for security bug #432046
This issue was resolved and addressed in
GLSA 201312-15 at http://security.gentoo.org/glsa/glsa-201312-15.xml
by GLSA coordinator Sergey Popov (pinkbyte).