Package: tinyproxy / 1.11.1-2.1+deb12u1

Metadata

Package: tinyproxy
Version: 1.11.1-2.1+deb12u1
Patches format: 3.0 (quilt)

Patch series

Patch 0001: prevent junk from showing up in error page in invali.patch

src/reqs.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] prevent junk from showing up in error page in invalid requests

fixes #457

Patch 0002: CVE 2023 49606.patch

src/reqs.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [patch] fix potential UAF in header handling (CVE-2023-49606)

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

this bug was brought to my attention today by the debian tinyproxy
package maintainer. the above link states that the issue was known
since last year and that maintainers have been contacted, but if
that is even true then it probably was done via a private email
to a potentially outdated email address of one of the maintainers,
not through the channels described clearly on the tinyproxy homepage:

> Feel free to report a new bug or suggest features via github issues.
> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.

no github issue was filed, and nobody mentioned a vulnerability on
the mentioned IRC chat. if the issue had been reported on github or
IRC, the bug would have been fixed within a day.