Your message dated Sat, 27 Oct 2012 15:47:05 +0000
with message-id <e1ts8bj-0004ys...@franck.debian.org>
and subject line Bug#685281: fixed in tinyproxy 1.8.2-1squeeze3
has caused the Debian Bug report #685281,
regarding denial of service via many headers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
685281: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tinyproxy
Severity: serious
Tags: security patch

Hi Jordi,

A Denial of Service attack has been reported against tinyproxy:
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
https://banu.com/bugzilla/show_bug.cgi?id=110#c2

Can you please see to it that this gets addressed in unstable
(and by extension wheezy)?

Please use CVE-2012-3505 to refer to this issue.


Thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.8.2-1squeeze3

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 24 Sep 2012 21:05:41 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-1squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Ed Boraas <e...@debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing http proxy
Closes: 685281
Changes: 
 tinyproxy (1.8.2-1squeeze3) stable-security; urgency=high
 .
   * Add patches for CVE-2012-3505 (closes: #685281):
     - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
       headers to prevent DoS attacks.
     - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
       in order to avoid fake headers getting included in the same bucket,
       allowing for DoS attacks.
     Bug reported and patches contributed by gpernot.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBqFaUACgkQJYSUupF6Il7LzQCfSdkuQGIwtOAVqxBPSLkiFjUW
zsgAoPRUDR/HGOSbYFlfw4COJzRe7vzj
=lf60
-----END PGP SIGNATURE-----

--- End Message ---
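The changelog above names two mitigations: a cap on the number of headers and a per-map hash seed. The following C sketch is an added example, not tinyproxy's code or its patches; it counts chain comparisons in a chained hash map when every header name shares one bucket, with and without a cap, and for a seeded hash. The table size, pool size, cap of 100, the seeded FNV-1a hash and the `x-hdr-<i>` names are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBUCKETS 256            /* assumed table size */
#define POOL 1024               /* assumed upper bound on stored entries */
struct entry { char name[32]; struct entry *next; };
struct hmap {
    struct entry *bucket[NBUCKETS], pool[POOL];
    uint32_t seed;              /* per-map value, secret in a real server */
    int worst_case;             /* 1 = model names that all share a bucket */
    size_t count, compares;
};

/* Seeded FNV-1a (assumed hash for this sketch, not tinyproxy's). */
static uint32_t bucket_of(const struct hmap *m, const char *s) {
    uint32_t h = 2166136261u ^ m->seed;
    for (; *s; s++) h = (h ^ (unsigned char)*s) * 16777619u;
    return m->worst_case ? 0 : h % NBUCKETS;
}

/* Add one header name. Returns 0 if stored, -1 if refused by the cap. */
static int hmap_add(struct hmap *m, const char *name, size_t cap) {
    if ((cap && m->count >= cap) || m->count >= POOL) return -1;
    uint32_t b = bucket_of(m, name);
    for (struct entry *e = m->bucket[b]; e; e = e->next) {
        m->compares++;                       /* cost of walking the chain */
        if (strcmp(e->name, name) == 0) return 0;
    }
    struct entry *e = &m->pool[m->count++];
    snprintf(e->name, sizeof e->name, "%s", name);
    e->next = m->bucket[b];
    m->bucket[b] = e;
    return 0;
}

/* Feed n constructed names "x-hdr-<i>"; return total chain comparisons. */
size_t simulate(size_t n, size_t cap, int worst_case, uint32_t seed) {
    struct hmap m = { .seed = seed, .worst_case = worst_case };
    char name[32];
    for (size_t i = 0; i < n; i++) {
        snprintf(name, sizeof name, "x-hdr-%zu", i);
        hmap_add(&m, name, cap);
    }
    return m.compares;
}

int main(void) {
    printf("%zu %zu %zu\n", simulate(1000, 0, 1, 0), simulate(1000, 100, 1, 0), simulate(1000, 0, 0, 12345u));
    return 0;
}
```

With 1000 names in a single bucket the uncapped map performs n(n-1)/2 comparisons, while the cap bounds the work at cap(cap-1)/2 regardless of how many headers are sent.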