CVE-2009-0804: HTTP Host Header Incorrect Relay Behavior Vulnerability


Debian Bug report logs - #521051
CVE-2009-0804: HTTP Host Header Incorrect Relay Behavior Vulnerability


Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Tue, 24 Mar 2009 15:12:01 UTC

Severity: grave

Tags: security

Found in version ziproxy/2.5.2-2

Fixed in version ziproxy/2.7.2-1

Done: Marcos Talau <marcostalau@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marcos Talau <marcostalau@gmail.com>:
Bug#521051; Package ziproxy. (Tue, 24 Mar 2009 15:12:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-0804: HTTP Host Header Incorrect Relay Behavior Vulnerability
Date: Tue, 24 Mar 2009 08:25:06 -0600
[Message part 1 (text/plain, inline)]
Package: ziproxy
Version: 2.5.2-2
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ziproxy.

CVE-2009-0804[0]:
| Ziproxy 2.6.0, when transparent interception mode is enabled, uses the
| HTTP Host header to determine the remote endpoint, which allows remote
| attackers to bypass access controls for Flash, Java, Silverlight, and
| probably other technologies, and possibly communicate with restricted
| intranet sites, via a crafted web page that causes a client to send
| HTTP requests with a modified Host header.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0804
    http://security-tracker.debian.net/tracker/CVE-2009-0804

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
[signature.asc (application/pgp-signature, inline)]
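The CVE text above describes a transparent proxy that picks the upstream server from the client's Host header instead of from the address the client was actually connecting to. The following is an added illustration, not ziproxy's code and not part of this bug report: it shows the two policies side by side as pure functions, so the difference can be checked offline. It assumes the proxy knows the intercepted connection's original destination (on Linux netfilter that is what the SO_ORIGINAL_DST socket option returns) and uses a constructed in-memory DNS table in place of real name resolution; `FAKE_DNS`, `resolve`, `parse_host_header`, `relay_target_vulnerable` and `relay_target_hardened` are names invented for this example.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for DNS so the example runs offline. A real proxy
# would call socket.getaddrinfo() on the Host header name instead.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],  # a host the client cannot reach directly
}


def resolve(name: str, dns: dict = FAKE_DNS) -> list:
    """Look a name up in the constructed table (empty list if unknown)."""
    return list(dns.get(name.lower(), []))


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value with any :port removed, or None if absent.

    Handles 'name', 'name:port', 'v4', 'v4:port', '[v6]' and '[v6]:port'.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            if host.startswith("["):  # bracketed IPv6 literal
                end = host.find("]")
                return host[1:end] if end > 0 else None
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None


def relay_target_vulnerable(raw_request: bytes, original_dst: str,
                            dns: dict = FAKE_DNS) -> Optional[str]:
    """The behaviour CVE-2009-0804 describes: the intercepted destination is
    ignored and the Host header alone decides where the request is relayed."""
    host = parse_host_header(raw_request)
    if host is None:
        return None
    try:
        return str(ipaddress.ip_address(host))  # literal IP in Host
    except ValueError:
        addrs = resolve(host, dns)
        return addrs[0] if addrs else None


def relay_target_hardened(raw_request: bytes, original_dst: str,
                          dns: dict = FAKE_DNS) -> Optional[str]:
    """Relay only to the address the client actually connected to, and refuse
    the request when the Host header does not correspond to that address."""
    dst = str(ipaddress.ip_address(original_dst))
    host = parse_host_header(raw_request)
    if host is None:
        return dst  # nothing to cross-check; destination stays the intercepted one
    try:
        allowed = {str(ipaddress.ip_address(host))}
    except ValueError:
        allowed = set(resolve(host, dns))
    if dst not in allowed:
        return None  # Host/destination mismatch: reject rather than follow Host
    return dst


if __name__ == "__main__":
    # Constructed request: the client connected to 93.184.216.34 but the
    # page it loaded made it send a Host header naming an internal host.
    req = b"GET /admin HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n"
    print("vulnerable relays to:", relay_target_vulnerable(req, "93.184.216.34"))
    print("hardened relays to:  ", relay_target_hardened(req, "93.184.216.34"))
```

The hardened policy never lets the Host header choose the upstream address; it only checks that the header is consistent with the intercepted destination, and a mismatch is something worth logging, since in normal browsing it should be rare. One caveat for deployment: a name with several A records or a different DNS view between client and proxy can make the check fail for legitimate traffic, so compare against the full resolved set, as above, rather than a single address.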

Information forwarded to debian-bugs-dist@lists.debian.org, Marcos Talau <marcostalau@gmail.com>:
Bug#521051; Package ziproxy. (Thu, 03 Dec 2009 21:36:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Marcos Talau <marcostalau@gmail.com>. (Thu, 03 Dec 2009 21:36:06 GMT)


Message #8 received at 521051@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 521051@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: CVE-2009-0804: HTTP Host Header Incorrect Relay Behavior Vulnerability
Date: Thu, 3 Dec 2009 22:31:06 +0100
severity 521051 grave
thanks

On Tue, Mar 24, 2009 at 08:25:06AM -0600, Raphael Geissert wrote:
> Package: ziproxy
> Version: 2.5.2-2
> Severity: important
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for ziproxy.
> 
> CVE-2009-0804[0]:
> | Ziproxy 2.6.0, when transparent interception mode is enabled, uses the
> | HTTP Host header to determine the remote endpoint, which allows remote
> | attackers to bypass access controls for Flash, Java, Silverlight, and
> | probably other technologies, and possibly communicate with restricted
> | intranet sites, via a crafted web page that causes a client to send
> | HTTP requests with a modified Host header.

This is fixed upstream in 2.7.0. However, since this package has hardly
any users and appears unmaintained, we should probably just remove it?

Cheers,
        Moritz

Severity set to 'grave' from 'important' Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 03 Dec 2009 21:36:09 GMT)


Reply sent to Marcos Talau <marcostalau@gmail.com>:
You have taken responsibility. (Wed, 30 Dec 2009 15:42:12 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Wed, 30 Dec 2009 15:42:12 GMT)


Message #15 received at 521051-close@bugs.debian.org:

From: Marcos Talau <marcostalau@gmail.com>
To: 521051-close@bugs.debian.org
Subject: Bug#521051: fixed in ziproxy 2.7.2-1
Date: Wed, 30 Dec 2009 15:40:39 +0000
Source: ziproxy
Source-Version: 2.7.2-1

We believe that the bug you reported is fixed in the latest version of
ziproxy, which is due to be installed in the Debian FTP archive:

ziproxy_2.7.2-1.debian.tar.gz
  to main/z/ziproxy/ziproxy_2.7.2-1.debian.tar.gz
ziproxy_2.7.2-1.dsc
  to main/z/ziproxy/ziproxy_2.7.2-1.dsc
ziproxy_2.7.2-1_i386.deb
  to main/z/ziproxy/ziproxy_2.7.2-1_i386.deb
ziproxy_2.7.2.orig.tar.bz2
  to main/z/ziproxy/ziproxy_2.7.2.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 521051@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcos Talau <marcostalau@gmail.com> (supplier of updated ziproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Dec 2009 23:03:54 -0200
Source: ziproxy
Binary: ziproxy
Architecture: source i386
Version: 2.7.2-1
Distribution: unstable
Urgency: low
Maintainer: Marcos Talau <marcostalau@gmail.com>
Changed-By: Marcos Talau <marcostalau@gmail.com>
Description: 
 ziproxy    - compressing HTTP proxy server
Closes: 521051 543471 543494
Changes: 
 ziproxy (2.7.2-1) unstable; urgency=low
 .
   * Run as a system user (Closes: #543471, #543494)
     - Thanks to Kandalintsev Alexandre.
   * Small fixes in init
   * New upstream release (Closes: #521051)
   * Update to DebSrc3.0
   * Use of DEP-3 compliant headers
   * Updated debian/copyright
   * Small fixes in maintainer scripts
Checksums-Sha1: 
 76c6d94e1370a715b577df565a6ad99f6a24426c 1889 ziproxy_2.7.2-1.dsc
 1e2383d62234961c9acf6a12a0d6f7fa59182f7a 258257 ziproxy_2.7.2.orig.tar.bz2
 95b7dc8f8c1dc017c6aee0b6b4548a9945b0128e 6681 ziproxy_2.7.2-1.debian.tar.gz
 18ebbf2db397725055f4f80b9bf3623f0239381a 133198 ziproxy_2.7.2-1_i386.deb
Checksums-Sha256: 
 94a4c67c392e9d46aef75a51145f27778328a233e879000edece4bf03f75f689 1889 ziproxy_2.7.2-1.dsc
 697e589343d2f7a145182511cdbc46c52e9e30a4f420e82f18e6549ced7b129a 258257 ziproxy_2.7.2.orig.tar.bz2
 9fbb65ff9a2a768d4d9317ef84386cd20ed8c6e765a57d3ba3a6f8d347601f82 6681 ziproxy_2.7.2-1.debian.tar.gz
 9e4c0339b70ebc574a9f813634969c75dea85c2e6bc6d9fcb2fa2eb3a7e43443 133198 ziproxy_2.7.2-1_i386.deb
Files: 
 cc6c1ec982fccb0d08454ef97c1811b6 1889 net extra ziproxy_2.7.2-1.dsc
 a0bc2e60a9c9e29556245b3f38faca0b 258257 net extra ziproxy_2.7.2.orig.tar.bz2
 c919ffb38ea795056ccced38b3c7d454 6681 net extra ziproxy_2.7.2-1.debian.tar.gz
 4ce1ae07699dea530868100dd69d3eb6 133198 net extra ziproxy_2.7.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#521051; Package ziproxy. (Thu, 14 Jan 2010 03:21:03 GMT)


Acknowledgement sent to Marcos Talau <marcostalau@gmail.com>:
Extra info received and forwarded to list. (Thu, 14 Jan 2010 03:21:03 GMT)


Message #20 received at 521051@bugs.debian.org:

From: Marcos Talau <marcostalau@gmail.com>
To: 521051@bugs.debian.org
Subject: Upstream comment about the bug
Date: Thu, 14 Jan 2010 01:18:12 -0200
[Message part 1 (text/plain, inline)]
   Please read:

   http://sourceforge.net/mailarchive/message.php?msg_name=201001132353.25836.dancab%40gmx.net

Regards,
Talau
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:08:40 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:09 2019; Machine Name: buxtehude
