tinyproxy: allows everyone if using network addresses in Allow rule

Related Vulnerabilities: CVE-2011-1499  

Debian Bug report logs - #621493


Reported by: Christoph Martin <martin@uni-mainz.de>

Date: Thu, 7 Apr 2011 13:18:13 UTC

Severity: grave

Tags: patch, security, squeeze, upstream

Found in version tinyproxy/1.8.2-1

Fixed in versions tinyproxy/1.8.2-2, tinyproxy/1.8.2-1squeeze1

Done: Jordi Mallach <jordi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, thomas.scheffczyk@uni-mainz.de, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ed Boraas <ed@debian.org>: Bug#621493; Package tinyproxy. (Thu, 07 Apr 2011 13:18:24 GMT)


Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>: New Bug report received and forwarded. Copy sent to thomas.scheffczyk@uni-mainz.de, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ed Boraas <ed@debian.org>. (Thu, 07 Apr 2011 13:18:56 GMT)


Message #5 received at submit@bugs.debian.org:

From: Christoph Martin <martin@uni-mainz.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tinyproxy: allows everyone if using network addresses in Allow rule
Date: Thu, 07 Apr 2011 13:58:28 +0200
Package: tinyproxy
Version: 1.8.2-1
Severity: grave
Tags: upstream security squeeze patch
Justification: user security hole

When including a line like

Allow 192.168.0.0/16

to allow a network of IP addresses instead of only one IP
address per line, access to tinyproxy
is actually allowed for all IP addresses.

This makes tinyproxy usable as an open proxy from everywhere
in the internet.

This bug was reported upstream nearly a year ago:

https://banu.com/bugzilla/show_bug.cgi?id=90

and includes a fix there.

Christoph Martin

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (900, 'stable'), (90, 'oldstable'), (70, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages tinyproxy depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  logrotate                     3.7.8-6    Log rotation utility

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy.conf changed:
User nobody
Group nogroup
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563


-- no debconf information
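
An added regression check, not part of the bug report or of tinyproxy's own code, for the failure mode the report describes: a minimal IPv4 Allow-rule matcher (function names are assumptions, 203.0.113.5 is a constructed outside address) that verifies a network rule such as `192.168.0.0/16` admits its own hosts and rejects everyone else, which is the property the shipped netmask_generation.patch restores.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d" or "a.b.c.d/len" into network and mask (host byte order).
 * Returns 0 on success, -1 on malformed input. */
static int parse_allow_rule(const char *rule, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash;
    struct in_addr addr;
    int prefix = 32;                      /* no "/len" means a single host */
    if (strlen(rule) >= sizeof(buf))
        return -1;
    strcpy(buf, rule);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        prefix = atoi(slash + 1);
        if (prefix < 0 || prefix > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    /* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
    *mask = (prefix == 0) ? 0u : 0xffffffffu << (32 - prefix);
    *net = ntohl(addr.s_addr) & *mask;
    return 0;
}

/* 1 if client falls inside the rule's network, 0 if not, -1 on bad input. */
int acl_allows(const char *rule, const char *client)
{
    uint32_t net, mask;
    struct in_addr c;
    if (parse_allow_rule(rule, &net, &mask) < 0)
        return -1;
    if (inet_pton(AF_INET, client, &c) != 1)
        return -1;
    return (ntohl(c.s_addr) & mask) == net;
}

/* Regression check for the failure mode in the report: a network rule must
 * admit its own hosts and must not degrade into "allow everyone". */
int netmask_regression_check(void)
{
    return acl_allows("192.168.0.0/16", "192.168.10.20") == 1
        && acl_allows("192.168.0.0/16", "203.0.113.5") == 0
        && acl_allows("127.0.0.1", "127.0.0.2") == 0;
}
```

A proxy whose ACL parser fails this check is reachable from any address, so the same three cases belong in a smoke test run after every upgrade of the package.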




Reply sent to Jordi Mallach <jordi@debian.org>: You have taken responsibility. (Mon, 18 Apr 2011 21:24:08 GMT)


Notification sent to Christoph Martin <martin@uni-mainz.de>: Bug acknowledged by developer. (Mon, 18 Apr 2011 21:24:08 GMT)


Message #10 received at 621493-close@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: 621493-close@bugs.debian.org
Subject: Bug#621493: fixed in tinyproxy 1.8.2-2
Date: Mon, 18 Apr 2011 21:21:01 +0000
Source: tinyproxy
Source-Version: 1.8.2-2

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive:

tinyproxy_1.8.2-2.debian.tar.bz2
  to main/t/tinyproxy/tinyproxy_1.8.2-2.debian.tar.bz2
tinyproxy_1.8.2-2.dsc
  to main/t/tinyproxy/tinyproxy_1.8.2-2.dsc
tinyproxy_1.8.2-2_amd64.deb
  to main/t/tinyproxy/tinyproxy_1.8.2-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 621493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 18 Apr 2011 23:03:16 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-2
Distribution: unstable
Urgency: high
Maintainer: Ed Boraas <ed@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing HTTP proxy
Closes: 588193 621493
Changes: 
 tinyproxy (1.8.2-2) unstable; urgency=high
 .
   * Upper case "HTTP" in package descriptions (closes: #588193).
   * Add validate_port_number.patch: exit if an invalid port is declared in
     the Port directive.
   * Add netmask_generation.patch: fix bug in ACL netmask generation, which
     could allow Tinyproxy to be used as an open proxy very easily
     [CVE-2011-1499] (closes: #621493).
   * Bump Standards-Version to 3.9.2, with no changes required.






Reply sent to Jordi Mallach <jordi@debian.org>: You have taken responsibility. (Thu, 21 Apr 2011 01:57:07 GMT)


Notification sent to Christoph Martin <martin@uni-mainz.de>: Bug acknowledged by developer. (Thu, 21 Apr 2011 01:57:07 GMT)


Message #15 received at 621493-close@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: 621493-close@bugs.debian.org
Subject: Bug#621493: fixed in tinyproxy 1.8.2-1squeeze1
Date: Thu, 21 Apr 2011 01:55:22 +0000
Source: tinyproxy
Source-Version: 1.8.2-1squeeze1

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive:

tinyproxy_1.8.2-1squeeze1.debian.tar.bz2
  to main/t/tinyproxy/tinyproxy_1.8.2-1squeeze1.debian.tar.bz2
tinyproxy_1.8.2-1squeeze1.dsc
  to main/t/tinyproxy/tinyproxy_1.8.2-1squeeze1.dsc
tinyproxy_1.8.2-1squeeze1_amd64.deb
  to main/t/tinyproxy/tinyproxy_1.8.2-1squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 621493@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 19 Apr 2011 10:05:41 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-1squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Ed Boraas <ed@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing http proxy
Closes: 621493
Changes: 
 tinyproxy (1.8.2-1squeeze1) stable-security; urgency=low
 .
   * Add netmask_generation.patch: fix bug in ACL netmask generation,
     which could allow Tinyproxy to be used as an open proxy very easily
     [CVE-2011-1499] (closes: #621493).






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2011 07:38:43 GMT)

