CVE-2009-0804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0804): Ziproxy 2.6.0, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header.
http://ziproxy.sourceforge.net/ says: Ziproxy 2.6.9_BETA released. "Added provision for outgoing port restrictions. New options: RestrictOutPortHTTP, RestrictOutPortCONNECT. This provision mitigates the transparent proxy vulnerability US-CERT VU#435052"
Should we stable the beta or wait for the next stable release?
I've submitted ziproxy-2.6.9_beta to the tree. All supported arches have testing keywords, so there is no need to involve arch teams in this.
Looks like testing-only indeed. Closing.
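
The endpoint selection from the CVE description, next to an outgoing-port restriction like the one the Ziproxy release note mentions, as an added Python sketch that is neither Ziproxy's code nor part of this bug thread. The function names, the allowed-port set and the sample request are constructed, and the original-destination variant is a general hardening assumption, not something the thread attributes to Ziproxy.

```python
# Added illustration; not Ziproxy source. Names and sample values are constructed.
ALLOWED_OUT_PORTS = {80, 8080}  # assumed allow-list, in the spirit of RestrictOutPortHTTP

def parse_host_header(raw_request: bytes):
    """Return (host, port) from the Host header, or None when it is absent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            value = value.strip()
            host, sep, port = value.rpartition(":")
            if sep and port.isdigit():
                return host.lower(), int(port)
            return value.lower(), 80             # no explicit port: HTTP default
    return None

def upstream_from_host(raw_request, original_dst):
    """Behaviour in the CVE description: the client-supplied Host header
    decides where the intercepting proxy connects."""
    return parse_host_header(raw_request) or original_dst

def upstream_port_restricted(raw_request, original_dst):
    """Host still picks the endpoint, but only allow-listed ports are reachable.
    A Host naming an allowed port still passes, so this narrows the issue."""
    host, port = upstream_from_host(raw_request, original_dst)
    if port not in ALLOWED_OUT_PORTS:
        raise PermissionError(f"outgoing port {port} not allowed")
    return host, port

def upstream_from_original_dst(raw_request, original_dst):
    """General hardening (assumption, not from the thread): connect only to the
    address the client actually dialled, as recorded by the interception layer."""
    ip, port = original_dst
    if port not in ALLOWED_OUT_PORTS:
        raise PermissionError(f"outgoing port {port} not allowed")
    return ip, port

# Constructed sample: the client's TCP connection went to 203.0.113.10:80,
# but the request it sent carries a different Host header.
SAMPLE = (b"GET /status HTTP/1.1\r\n"
          b"Host: intranet.example:8081\r\n"
          b"User-Agent: constructed-sample\r\n\r\n")
ORIGINAL_DST = ("203.0.113.10", 80)

if __name__ == "__main__":
    print("host-trusting:", upstream_from_host(SAMPLE, ORIGINAL_DST))
    print("original-dst: ", upstream_from_original_dst(SAMPLE, ORIGINAL_DST))
```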