Your message dated Wed, 05 Jun 2024 21:47:14 +0000
with message-id <e1seyts-00anrz...@fasolo.debian.org>
and subject line Bug#1070395: fixed in tinyproxy 1.11.1-2.1+deb12u1
has caused the Debian Bug report #1070395,
regarding tinyproxy: CVE-2023-49606
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1070395: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070395
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tinyproxy.

CVE-2023-40533[0]:
| An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1
| while parsing HTTP requests. In certain configurations, a specially
| crafted HTTP request can result in disclosure of data allocated on
| the heap, which could contain sensitive information. An attacker can
| make an unauthenticated HTTP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902

CVE-2023-49606[1]:
| A use-after-free vulnerability exists in the HTTP Connection Headers
| parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially
| crafted HTTP header can trigger reuse of previously freed memory,
| which leads to memory corruption and could lead to remote code
| execution. An attacker needs to make an unauthenticated HTTP request
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40533
    https://www.cve.org/CVERecord?id=CVE-2023-40533
[1] https://security-tracker.debian.org/tracker/CVE-2023-49606
    https://www.cve.org/CVERecord?id=CVE-2023-49606

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.11.1-2.1+deb12u1
Done: Moritz Mühlenhoff <j...@debian.org>

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1070...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <j...@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 May 2024 20:05:05 +0200
Source: tinyproxy
Architecture: source
Version: 1.11.1-2.1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Closes: 1070395
Changes:
 tinyproxy (1.11.1-2.1+deb12u1) bookworm-security; urgency=medium
 .
   * CVE-2023-49606 (Closes: #1070395)
Checksums-Sha1:
 81a3e2e1111667e84880b81f0d2cdc798bc5ed1e 2057 tinyproxy_1.11.1-2.1+deb12u1.dsc
 215fc3011d16506e26c8f34cb51a34e8378ce391 182080 tinyproxy_1.11.1.orig.tar.xz
 18f3addbfb1a8365cdc19a946103f99d208a6d77 24292 tinyproxy_1.11.1-2.1+deb12u1.debian.tar.xz
 636840598a1153e734dab0c537d876d634d1577f 7340 tinyproxy_1.11.1-2.1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 8741be861e85204fa49be56fe782c9b5a57c4d5843d1937dc9c75d4c47b902d9 2057 tinyproxy_1.11.1-2.1+deb12u1.dsc
 d66388448215d0aeb90d0afdd58ed00386fb81abc23ebac9d80e194fceb40f7c 182080 tinyproxy_1.11.1.orig.tar.xz
 42f01e0d126e9f80e5adfc04482df018b988c5f30447e267387906f887deb059 24292 tinyproxy_1.11.1-2.1+deb12u1.debian.tar.xz
 54afe4708ff8099834784b2efbf5e20b8f38833679f596107486c4ed0d31202f 7340 tinyproxy_1.11.1-2.1+deb12u1_amd64.buildinfo
Files:
 e2afde3d3cdd92716007f8ff61696af4 2057 web optional tinyproxy_1.11.1-2.1+deb12u1.dsc
 19cad9f7c3d45f477a7333f2d8babb62 182080 web optional tinyproxy_1.11.1.orig.tar.xz
 17fae3203a607c287ea622e6f1cec279 24292 web optional tinyproxy_1.11.1-2.1+deb12u1.debian.tar.xz
 9533ed46b794a541a64fda1b99fb45da 7340 web optional tinyproxy_1.11.1-2.1+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---