[Bug 1036985] Re: denial of service of too many headers in response
Launchpad has imported 7 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=849368. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2012-08-18T21:54:05+00:00 Kurt wrote:

gpernot reports:

Bug 110 - algorithmic complexity denial of service

randomized hashmaps to prevent DOS attacks

hashmaps are not randomized, so that it is possible to forge fake headers that will always go into the same bucket. try 'curl http://78.230.4.96/hashes.asis' via tinyproxy and without it to convince you (~8 MB of headers). I'll remove this url as soon as bug is accepted...

attached patch should solve this. it's certainly perfectible, though (autoconf for time() and rand() are missing...).

even with this patch, it takes ages. maybe headers should be sanitized before hitting the buckets...

Created attachment 60
limit number of headers to prevent DoS attacks

External references:
https://banu.com/bugzilla/show_bug.cgi?id=110#c2
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/8

On 2012-08-18T21:55:06+00:00 Kurt wrote:

Created tinyproxy tracking bugs for this issue

Affects: fedora-all [bug 849369]

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/9

On 2012-08-18T21:56:32+00:00 Kurt wrote:

Created tinyproxy tracking bugs for this issue

Affects: epel-all [bug 849370]

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/10

On 2012-08-18T21:56:51+00:00 Kurt wrote:

Created attachment 605402
CVE-2012-3505-tinyproxy-limit-headers.patch

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/11

On 2012-08-18T21:57:11+00:00 Kurt wrote:

Created attachment 605403
CVE-2012-3505-tinyproxy-randomized-hashmaps.patch

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/12

On 2014-12-13T01:10:29+00:00 Michael wrote:

Believe it or not: Fixes pushed to upstream and will be released soon with Tinyproxy 1.8.4.

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/21

On 2016-01-02T00:09:15+00:00 Michael wrote:

Upstream release including fix available at https://github.com/tinyproxy/tinyproxy/releases/tag/1.8.4
(Note: upstream hosting is currently changing.)

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/23

** Changed in: tinyproxy (Fedora)
   Status: Unknown => Confirmed

** Changed in: tinyproxy (Fedora)
   Importance: Unknown => Low

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1036985

Title:
  denial of service of too many headers in response

To manage notifications about this bug go to:
https://bugs.launchpad.net/tinyproxy/+bug/1036985/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1036985] Re: denial of service of too many headers in response
This was fixed in precise in:

tinyproxy (1.8.3-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Fix for denial of service vulnerability where remote
    attackers send crafted request headers. (LP: #1154502)
    - debian/patches/001-CVE-2012-3505.patch: Limit the number of headers to
      prevent DoS attacks. Randomize hashmaps in order to avoid fake headers
      getting included in the same bucket, allowing for DoS attacks.
    - CVE-2012-3505

 -- Christian Kuersteiner  Wed, 13 Mar 2013 16:42:14 +0700

Closing the precise task.

** Changed in: tinyproxy (Ubuntu Precise)
   Status: New => Fix Released
[Bug 1036985] Re: denial of service of too many headers in response
Fix pushed to upstream and will be released very soon in tinyproxy 1.8.4.
[Bug 1036985] Re: denial of service of too many headers in response
Launchpad has imported 3 comments from the remote bug at https://banu.com/bugzilla/show_bug.cgi?id=110. If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2012-08-14T21:54:31+00:00 gpernot wrote:

Created attachment 59
randomized hashmaps to prevent DOS attacks

hashmaps are not randomized, so that it is possible to forge fake headers that will always go into the same bucket. try 'curl http://78.230.4.96/hashes.asis' via tinyproxy and without it to convince you (~8 MB of headers). I'll remove this url as soon as bug is accepted...

attached patch should solve this. it's certainly perfectible, though (autoconf for time() and rand() are missing...).

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/0

On 2012-08-14T22:24:55+00:00 gpernot wrote:

even with this patch, it takes ages. maybe headers should be sanitized before hitting the buckets...

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/1

On 2012-08-15T07:24:49+00:00 gpernot wrote:

Created attachment 60
limit number of headers to prevent DoS attacks

Reply at: https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985/comments/2

** Changed in: tinyproxy
   Status: Unknown => Confirmed

** Changed in: tinyproxy
   Importance: Unknown => High
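The weakness gpernot describes above (an unkeyed header hashmap, so every forged header name can be made to land in one bucket and lookups degrade to a linear scan) and the two mitigations the attached patches apply (seeding the hash with a per-process random value, and refusing a response once it carries too many headers) can be shown together in a small self-contained header table. This is an added example written for this page, not tinyproxy's code or either patch: the table layout, the names hdr_table_*, hdr_hash, HDR_BUCKETS and HDR_MAX_HEADERS, and the limit value are assumptions.

```c
/* Added example, not tinyproxy's code. Keyed header table with a header
 * count cap, illustrating the two fixes for CVE-2012-3505. All names and
 * constants below are assumptions chosen for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define HDR_BUCKETS     256   /* assumed bucket count */
#define HDR_MAX_HEADERS 1000  /* assumed cap; the real patch value is not on the page */

struct hdr_entry {
    char *name;
    char *value;
    struct hdr_entry *next;
};

struct hdr_table {
    uint32_t seed;                        /* per-process random key */
    size_t count;                         /* headers accepted so far */
    struct hdr_entry *buckets[HDR_BUCKETS];
};

/* Seeded FNV-1a over the case-folded name. Every step (xor, multiply by an
 * odd constant) is a bijection on 32-bit values, so two different seeds
 * always map the same name to different hashes: the bucket a crafted header
 * lands in depends on a key the sender cannot observe. */
uint32_t hdr_hash(const char *name, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= (unsigned char)tolower(*p);  /* header names are case-insensitive */
        h *= 16777619u;
    }
    return h;
}

/* Draw the seed once per process. /dev/urandom is preferred; the fallback
 * mirrors the time()/rand() approach mentioned in the original report. */
uint32_t hdr_random_seed(void)
{
    uint32_t seed = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) {
        size_t got = fread(&seed, sizeof seed, 1, f);
        fclose(f);
        if (got == 1)
            return seed;
    }
    srand((unsigned)time(NULL));
    return (uint32_t)time(NULL) ^ (uint32_t)rand();
}

static char *hdr_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

static int hdr_name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

void hdr_table_init(struct hdr_table *t, uint32_t seed)
{
    memset(t, 0, sizeof *t);
    t->seed = seed;
}

/* Returns 0 on success, -1 when the cap is reached (caller should abort the
 * response) or on allocation failure. */
int hdr_table_add(struct hdr_table *t, const char *name, const char *value)
{
    if (t->count >= HDR_MAX_HEADERS)
        return -1;
    struct hdr_entry *e = malloc(sizeof *e);
    if (!e)
        return -1;
    e->name = hdr_strdup(name);
    e->value = hdr_strdup(value);
    if (!e->name || !e->value) {
        free(e->name); free(e->value); free(e);
        return -1;
    }
    uint32_t b = hdr_hash(name, t->seed) % HDR_BUCKETS;
    e->next = t->buckets[b];
    t->buckets[b] = e;
    t->count++;
    return 0;
}

const char *hdr_table_get(const struct hdr_table *t, const char *name)
{
    uint32_t b = hdr_hash(name, t->seed) % HDR_BUCKETS;
    for (const struct hdr_entry *e = t->buckets[b]; e; e = e->next)
        if (hdr_name_eq(e->name, name))
            return e->value;
    return NULL;
}

void hdr_table_free(struct hdr_table *t)
{
    for (size_t i = 0; i < HDR_BUCKETS; i++) {
        struct hdr_entry *e = t->buckets[i];
        while (e) {
            struct hdr_entry *n = e->next;
            free(e->name); free(e->value); free(e);
            e = n;
        }
        t->buckets[i] = NULL;
    }
    t->count = 0;
}

/* Simulates a response carrying n constructed headers (X-Fake-0, X-Fake-1,
 * ...) and returns how many were accepted before the cap refused the rest. */
size_t hdr_fill_to_limit(struct hdr_table *t, size_t n)
{
    char name[32];
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(name, sizeof name, "X-Fake-%zu", i);
        if (hdr_table_add(t, name, "x") != 0)
            break;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    struct hdr_table t;
    hdr_table_init(&t, hdr_random_seed());
    size_t accepted = hdr_fill_to_limit(&t, HDR_MAX_HEADERS * 2);
    printf("seed 0x%08x: accepted %zu headers, refused the rest\n", t.seed, accepted);
    hdr_table_free(&t);
    return 0;
}
```

The two defences are independent: the seed stops a sender from choosing names that collide in a known bucket, while the cap bounds the total work (and memory) one response can cost even if the hash were somehow predictable, which is why the Debian and Ubuntu updates shipped both patches.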
[Bug 1036985] Re: denial of service of too many headers in response
** Changed in: tinyproxy (Debian)
   Status: Unknown => Fix Released
[Bug 1036985] Re: denial of service of too many headers in response
** Also affects: tinyproxy (Ubuntu Precise)
   Importance: Undecided
   Status: New
[Bug 1036985] Re: denial of service of too many headers in response
I have filed a sync request from Debian in Bug 1059887.

** Bug watch added: Banu Bugzilla #110
   https://banu.com/bugzilla/show_bug.cgi?id=110

** Also affects: tinyproxy via
   https://banu.com/bugzilla/show_bug.cgi?id=110
   Importance: Unknown
   Status: Unknown
[Bug 1036985] Re: denial of service of too many headers in response
This bug was fixed in the package tinyproxy - 1.8.3-3

---
tinyproxy (1.8.3-3) unstable; urgency=high

  * Add patches for CVE-2012-3505 (closes: #685281):
    - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
      headers to prevent DoS attacks.
    - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
      in order to avoid fake headers getting included in the same bucket,
      allowing for DoS attacks.
    Bug reported and patches contributed by gpernot.

 -- Jordi Mallach jo...@debian.org  Mon, 24 Sep 2012 21:05:41 +0200

** Changed in: tinyproxy (Ubuntu)
   Status: Confirmed => Fix Released
[Bug 1036985] Re: denial of service of too many headers in response
** Bug watch added: Debian Bug tracker #685281
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281

** Also affects: tinyproxy (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281
   Importance: Unknown
   Status: Unknown
[Bug 1036985] Re: denial of service of too many headers in response
** Changed in: tinyproxy (Ubuntu)
   Status: Incomplete => Confirmed
[Bug 1036985] Re: denial of service of too many headers in response
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3505

** Bug watch added: Red Hat Bugzilla #849368
   https://bugzilla.redhat.com/show_bug.cgi?id=849368

** Also affects: tinyproxy (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=849368
   Importance: Unknown
   Status: Unknown
[Bug 1036985] Re: denial of service of too many headers in response
Thanks for taking the time to report this bug and helping to make Ubuntu better.

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

** Visibility changed to: Public

** Changed in: tinyproxy (Ubuntu)
   Status: New => Confirmed

** Changed in: tinyproxy (Ubuntu)
   Status: Confirmed => Incomplete
[Bug 1036985] Re: denial of service of too many headers in response
I have requested a CVE for this on oss-security:
http://www.openwall.com/lists/oss-security/2012/08/17/3
[Bug 1036985] Re: denial of service of too many headers in response
The attachment "limit number of headers to prevent DoS attacks" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

** Tags added: patch