Source: tinyproxy X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for tinyproxy. CVE-2023-40533[0]: | An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 | while parsing HTTP requests. In certain configurations, a specially | crafted HTTP request can result in disclosure of data allocated on | the heap, which could contain sensitive information. An attacker can | make an unauthenticated HTTP request to trigger this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902 CVE-2023-49606[1]: | A use-after-free vulnerability exists in the HTTP Connection Headers | parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially | crafted HTTP header can trigger reuse of previously freed memory, | which leads to memory corruption and could lead to remote code | execution. An attacker needs to make an unauthenticated HTTP request | to trigger this vulnerability. https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-40533 https://www.cve.org/CVERecord?id=CVE-2023-40533 [1] https://security-tracker.debian.org/tracker/CVE-2023-49606 https://www.cve.org/CVERecord?id=CVE-2023-49606 Please adjust the affected versions in the BTS as needed.
