junkbuster: Attacker might be able to modify settings

Related Vulnerabilities: CVE-2005-1109, CVE-2005-1108

Debian Bug report logs - #304793
junkbuster: Attacker might be able to modify settings


Package: junkbuster; Maintainer for junkbuster is (unknown);

Reported by: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>

Date: Fri, 15 Apr 2005 14:48:18 UTC

Severity: grave

Tags: security, woody

Found in version 2.0.2-0.2

Fixed in version 2.0.2-0.2woody1

Done: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Paul Haggart <phaggart@debian.org>:
Bug#304793; Package junkbuster.


Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
New Bug report received and forwarded. Copy sent to Paul Haggart <phaggart@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: junkbuster: Attacker might be able to modify settings
Date: Fri, 15 Apr 2005 16:20:30 +0200
Package: junkbuster
Version: 2.0.2-0.2
Severity: grave
Tags: security, woody
Justification: user security hole

According to http://lwn.net/Alerts/131964/

JunkBuster is vulnerable to a heap corruption vulnerability, and under
certain configurations may allow an attacker to modify settings.

Impact
======

If JunkBuster has been configured to run in single-threaded mode, an
attacker can disable or modify the filtering of Referrer: HTTP headers,
potentially compromising the privacy of users. The heap corruption
vulnerability could crash or disrupt the operation of the proxy,
potentially executing arbitrary code.


The fix can probably be taken from the above Gentoo security advisory.

You might want to track http://lwn.net/Articles/131972/ for other
vendors' responses.

Please also check if the successor, privoxy, is impacted as well.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pleione 2.4.26-grsec #1 Tue Aug 10 15:42:40 CEST 2004 i686
Locale: LANG=en_US, LC_CTYPE=en_US




Information forwarded to debian-bugs-dist@lists.debian.org, Paul Haggart <phaggart@debian.org>:
Bug#304793; Package junkbuster.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Paul Haggart <phaggart@debian.org>.


Message #10 received at 304793@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: kreutzm@itp.uni-hannover.de
Cc: 304793@bugs.debian.org
Subject: junkbuster issue was already addressed by DSA-713
Date: Wed, 2 Nov 2005 10:24:44 +0100
Hi,
this issue is CVE-2005-1109 and was addressed by DSA-713 from 2005-04-13.
Do you have reason to believe that the fix used there was incomplete?

Cheers,
        Moritz



Reply sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
You have taken responsibility.


Notification sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Bug acknowledged by developer.


Message #15 received at 304793-done@bugs.debian.org:

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 304793-done@bugs.debian.org
Subject: Re: junkbuster issue was already addressed by DSA-713
Date: Sat, 5 Nov 2005 17:45:37 +0100
Version: 2.0.2-0.2woody1

Hello Moritz,
On Wed, Nov 02, 2005 at 10:24:44AM +0100, Moritz Muehlenhoff wrote:
> this issue is CVE-2005-1109 and was addressed by DSA-713 from 2005-04-13.
> Do you have reason to believe that the fix used there was incomplete?

(actually CVE-2005-1108 as well). No, I simply missed it. Thus
closing.

Greetings

            Helge


-- 
Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
          Help keep free software "libre": http://www.ffii.de/

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 23:45:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:13:07 2019; Machine Name: buxtehude
