Debian Bug report logs - #644289
polipo denial of service (CVE-2011-3596)
Reported by: "Thijs Kinkhorst" <thijs@debian.org>
Date: Tue, 4 Oct 2011 20:15:08 UTC
Severity: important
Tags: security
Fixed in version polipo/1.0.4.1-1.2
Done: Moritz Muehlenhoff <jmm@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Erinn Clark <erinn@torproject.org>: Bug#644289; Package polipo. (Tue, 04 Oct 2011 20:15:11 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Erinn Clark <erinn@torproject.org>. (Tue, 04 Oct 2011 20:15:11 GMT)
Message #5 received at submit@bugs.debian.org:
Package: polipo
Severity: important
Tags: security
Hi,
A denial of service attack has been published against polipo:
http://seclists.org/fulldisclosure/2011/Oct/10
Given that polipo is intended for a limited audience, the attack needs to
originate from this audience and the result is a denial of service, I
think this doesn't need a full blown DSA. It should be fixed in unstable
though, and possibly through (old)stable-proposed-updates.
Please mention CVE-2011-3596 in your changelog entries.
thanks,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Erinn Clark <erinn@torproject.org>: Bug#644289; Package polipo. (Thu, 22 Dec 2011 16:51:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Erinn Clark <erinn@torproject.org>. (Thu, 22 Dec 2011 16:51:03 GMT)
Message #10 received at 644289@bugs.debian.org:
On Tue, Oct 04, 2011 at 10:12:07PM +0200, Thijs Kinkhorst wrote:
> Package: polipo
> Severity: important
> Tags: security
>
> Hi,
>
> A denial of service attack has been published against polipo:
> http://seclists.org/fulldisclosure/2011/Oct/10
>
> Given that polipo is intended for a limited audience, the attack needs to
> originate from this audience and the result is a denial of service, I
> think this doesn't need a full blown DSA. It should be fixed in unstable
> though, and possibly through (old)stable-proposed-updates.
>
> Please mention CVE-2011-3596 in your changelog entries.
What's the status?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Erinn Clark <erinn@torproject.org>: Bug#644289; Package polipo. (Sun, 01 Jan 2012 13:54:05 GMT)
Acknowledgement sent to Luk Claes <luk@debian.org>: Extra info received and forwarded to list. Copy sent to Erinn Clark <erinn@torproject.org>. (Sun, 01 Jan 2012 13:54:06 GMT)
Message #15 received at 644289@bugs.debian.org:
Hi
There seems to be a pointer to a patch in the RedHat tracker [1].
Cheers
Luk
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3596
Reply sent to Moritz Muehlenhoff <jmm@debian.org>: You have taken responsibility. (Sun, 03 Jun 2012 19:06:11 GMT)
Notification sent to "Thijs Kinkhorst" <thijs@debian.org>: Bug acknowledged by developer. (Sun, 03 Jun 2012 19:06:11 GMT)
Message #20 received at 644289-close@bugs.debian.org:
Source: polipo
Source-Version: 1.0.4.1-1.2
We believe that the bug you reported is fixed in the latest version of
polipo, which is due to be installed in the Debian FTP archive:
polipo_1.0.4.1-1.2.diff.gz to main/p/polipo/polipo_1.0.4.1-1.2.diff.gz
polipo_1.0.4.1-1.2.dsc to main/p/polipo/polipo_1.0.4.1-1.2.dsc
polipo_1.0.4.1-1.2_amd64.deb to main/p/polipo/polipo_1.0.4.1-1.2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 644289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated polipo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 01 Jun 2012 16:46:13 +0200
Source: polipo
Binary: polipo
Architecture: source amd64
Version: 1.0.4.1-1.2
Distribution: unstable
Urgency: low
Maintainer: Erinn Clark <erinn@torproject.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
polipo - a small, caching web proxy
Closes: 644289 666451
Changes:
polipo (1.0.4.1-1.2) unstable; urgency=low
.
* Non-maintainer upload.
* Enable hardened build flags, patch by Steven Chamberlain (Closes: #666451)
* Fix CVE-2011-3596 (Closes: #644289)
Checksums-Sha1:
edac3489295c35d07b166d7fc20221858ea0a0eb 1081 polipo_1.0.4.1-1.2.dsc
72b7c2ecc2c9d76e4b3d25c4f04974388805452c 13441 polipo_1.0.4.1-1.2.diff.gz
f9a6df3d955a704ca5bc61d74ae6d5bf9b31f090 209584 polipo_1.0.4.1-1.2_amd64.deb
Checksums-Sha256:
aed8479da78fdfe616eb2b023ed953842bf24acf839abec0f5d19119ef14d9ea 1081 polipo_1.0.4.1-1.2.dsc
6978c188d26f1467aa6d50a38e42fb6a0f0a360ca11ab965f6aa4476452f63e1 13441 polipo_1.0.4.1-1.2.diff.gz
7110fab50cd67adfa61aa45eaa685d349ff6ea0edc39152cb234cfef9da7a29a 209584 polipo_1.0.4.1-1.2_amd64.deb
Files:
3918c18c8f175cdfe218684067004e3c 1081 web optional polipo_1.0.4.1-1.2.dsc
4da8976665b18aa54421dcb6881100bf 13441 web optional polipo_1.0.4.1-1.2.diff.gz
63b1a1fc6f8ea7f86a7f21eb50dd32bc 209584 web optional polipo_1.0.4.1-1.2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAk/I1scACgkQXm3vHE4uylpO8gCfafR4DVpyEACvc9Zucl2+7K/1
7p8An0lDGVQDuQzvQW53Mmn+W3bOP1Jw
=93lF
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Erinn Clark <erinn@torproject.org>: Bug#644289; Package polipo. (Sun, 08 Jul 2012 23:42:03 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Erinn Clark <erinn@torproject.org>. (Sun, 08 Jul 2012 23:42:03 GMT)
Message #25 received at 644289@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/644289/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded to debian-bugs-dist@lists.debian.org, Erinn Clark <erinn@torproject.org>: Bug#644289; Package polipo. (Sun, 08 Jul 2012 23:42:05 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Erinn Clark <erinn@torproject.org>. (Sun, 08 Jul 2012 23:42:05 GMT)
Message #30 received at 644289@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/644289/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 06 Aug 2012 07:35:39 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:07:32 2019.