Your message dated Sat, 01 Oct 2022 02:36:02 +0000
with message-id <e1oesme-007fnm...@fasolo.debian.org>
and subject line Bug#1021015: fixed in tinyproxy 1.11.1-2
has caused the Debian Bug report #1021015,
regarding tinyproxy: CVE-2022-40468
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1021015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tinyproxy.

CVE-2022-40468[0]:
| Tinyproxy commit 84f203f and earlier does not process HTTP request
| lines in the process_request() function and is using uninitialized
| buffers. This vulnerability allows attackers to access sensitive
| information at system runtime.

https://github.com/tinyproxy/tinyproxy/issues/457
https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40468
    https://www.cve.org/CVERecord?id=CVE-2022-40468

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.11.1-2
Done: Unit 193 <unit...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1021...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit...@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Fri, 30 Sep 2022 22:08:37 -0400
Source: tinyproxy
Architecture: source
Version: 1.11.1-2
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Unit 193 <unit...@debian.org>
Closes: 1021015
Changes:
 tinyproxy (1.11.1-2) unstable; urgency=medium
 .
   * d/tinyproxy.service: Change reload signal from SIGHUP to SIGUSR1.
   * d/p/0001-prevent-junk-from-showing-up-in-error-page-in-invali.patch:
     - Grab upstream commit to fix a potential leak of left-over heap data if
       custom error page templates are used. (Closes: #1021015, CVE-2022-40468)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
