Your message dated Sat, 27 Oct 2012 15:47:05 +0000
with message-id <e1ts8bj-0004ys...@franck.debian.org>
and subject line Bug#685281: fixed in tinyproxy 1.8.2-1squeeze3
has caused the Debian Bug report #685281,
regarding denial of service via many headers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
685281: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tinyproxy
Severity: serious
Tags: security patch
Hi Jordi,
A Denial of Service attack has been reported against tinyproxy:
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
https://banu.com/bugzilla/show_bug.cgi?id=110#c2
Can you please see to it that this gets addressed in unstable
(and by extension wheezy)?
Please use CVE-2012-3505 to refer to this issue.
Thanks,
Thijs
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.8.2-1squeeze3
We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated tinyproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 24 Sep 2012 21:05:41 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-1squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Ed Boraas <e...@debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Description:
tinyproxy - A lightweight, non-caching, optionally anonymizing http proxy
Closes: 685281
Changes:
tinyproxy (1.8.2-1squeeze3) stable-security; urgency=high
.
  * Add patches for CVE-2012-3505 (closes: #685281):
    - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
      headers to prevent DoS attacks.
    - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
      in order to avoid fake headers getting included in the same bucket,
      allowing for DoS attacks.
Bug reported and patches contributed by gpernot.
--- End Message ---
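The two mitigations named in the changelog above (a cap on the number of request headers and a randomized hash for the header table), shown together in an added C example that is not tinyproxy's own code; the table layout, the names `hdr_table_add`/`demo_accept_headers`, the FNV-1a hash and the `MAX_HEADERS` value are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADERS 64  /* assumed cap; the package's actual limit is not on the page */
#define NBUCKETS 32
struct hdr { struct hdr *next; char name[]; };
struct hdr_table { uint32_t seed; unsigned count; struct hdr *bucket[NBUCKETS]; };

/* FNV-1a keyed with a seed the client cannot know. With a fixed, public hash a
 * client can precompute names that all share one bucket and every lookup becomes
 * a linear scan; a per-process seed makes that precomputation useless. */
uint32_t hash_name(uint32_t seed, const char *s) {
    uint32_t h = 2166136261u ^ seed;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Returns 0 on success, -1 once the request exceeds MAX_HEADERS: the cap
 * bounds the work any single request can cause, whatever the hash does. */
int hdr_table_add(struct hdr_table *t, const char *name) {
    if (t->count >= MAX_HEADERS) return -1;
    size_t len = strlen(name) + 1;
    struct hdr *h = malloc(sizeof *h + len);
    if (!h) return -1;
    memcpy(h->name, name, len);
    unsigned b = hash_name(t->seed, name) % NBUCKETS;
    h->next = t->bucket[b];
    t->bucket[b] = h;
    t->count++;
    return 0;
}
void hdr_table_free(struct hdr_table *t) {
    for (unsigned i = 0; i < NBUCKETS; i++)
        for (struct hdr *h = t->bucket[i], *n; h; h = n) { n = h->next; free(h); }
}
/* Feed one request of n constructed header names into a fresh table seeded with
 * `seed` (production: from getrandom/arc4random at startup); return the count accepted. */
unsigned demo_accept_headers(unsigned n, uint32_t seed) {
    struct hdr_table t = { .seed = seed };
    char name[32];
    unsigned accepted = 0;
    for (unsigned i = 0; i < n; i++) {
        snprintf(name, sizeof name, "X-Constructed-%u", i);
        if (hdr_table_add(&t, name) == 0) accepted++;
    }
    hdr_table_free(&t);
    return accepted;
}
```

A request within the cap is accepted in full, an oversized one is cut off at `MAX_HEADERS`, and the same header name hashes differently under different seeds, which is what stops a precomputed set of colliding names from working across processes.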