severity 521051 grave
thanks

On Tue, Mar 24, 2009 at 08:25:06AM -0600, Raphael Geissert wrote:
> Package: ziproxy
> Version: 2.5.2-2
> Severity: important
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for ziproxy.
>
> CVE-2009-0804[0]:
> | Ziproxy 2.6.0, when transparent interception mode is enabled, uses the
> | HTTP Host header to determine the remote endpoint, which allows remote
> | attackers to bypass access controls for Flash, Java, Silverlight, and
> | probably other technologies, and possibly communicate with restricted
> | intranet sites, via a crafted web page that causes a client to send
> | HTTP requests with a modified Host header.

This is fixed upstream in 2.7.0. However, since this package has hardly
any users and appears unmaintained, we should probably just remove it?

Cheers,
Moritz
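
The Host-header issue described in the quoted CVE text, as an added example that is not part of this message or of ziproxy's code: it contrasts choosing the upstream from the Host header with forwarding to the connection's original destination. The function names, the sample name table and the addresses are constructed, and this does not describe the 2.7.0 fix.

```python
import ipaddress

# Constructed name table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "www.example.com": {"203.0.113.10"},
    "intranet.example": {"10.0.0.5"},
}

def host_of(raw_request):
    """Return the Host header's hostname (port stripped), or None if it is
    missing or appears more than once."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = [line.split(":", 1)[1].strip()
              for line in head.split("\r\n")[1:]
              if line.lower().startswith("host:")]
    if len(values) != 1 or not values[0]:
        return None
    value = values[0]
    if value.startswith("["):                 # bracketed IPv6 literal
        return value[1:value.find("]")]
    return value.split(":", 1)[0].lower()

def resolve(name):
    """IP literals resolve to themselves; other names use the sample table."""
    try:
        return {str(ipaddress.ip_address(name))}
    except ValueError:
        return SAMPLE_DNS.get(name, set())

def upstream_from_host(raw_request, port=80):
    """Behaviour the CVE describes: the endpoint comes from the Host header."""
    addrs = sorted(resolve(host_of(raw_request) or ""))
    return (addrs[0], port) if addrs else None

def upstream_from_socket(orig_dst, raw_request):
    """Hardened: always forward to the address the client really connected to
    (orig_dst, e.g. read with SO_ORIGINAL_DST on Linux) and report whether the
    Host header agrees with it, so mismatches can be logged or rejected."""
    host = host_of(raw_request)
    if host is None:
        return orig_dst, "no-host"
    agrees = orig_dst[0] in resolve(host)
    return orig_dst, "match" if agrees else "mismatch"

# Constructed request: the TCP connection went to 203.0.113.10, but the Host
# header names an internal site.
REQUEST = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
ORIG_DST = ("203.0.113.10", 80)
```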