Your message dated Wed, 30 Dec 2009 15:40:39 +0000
with message-id <e1nq0f9-0007ck...@ries.debian.org>
and subject line Bug#521051: fixed in ziproxy 2.7.2-1
has caused the Debian Bug report #521051,
regarding CVE-2009-0804: HTTP Host Header Incorrect Relay Behavior Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
521051: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521051
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ziproxy
Version: 2.5.2-2
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ziproxy.

CVE-2009-0804[0]:
| Ziproxy 2.6.0, when transparent interception mode is enabled, uses the
| HTTP Host header to determine the remote endpoint, which allows remote
| attackers to bypass access controls for Flash, Java, Silverlight, and
| probably other technologies, and possibly communicate with restricted
| intranet sites, via a crafted web page that causes a client to send
| HTTP requests with a modified Host header.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0804
    http://security-tracker.debian.net/tracker/CVE-2009-0804

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net



--- End Message ---
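The CVE text in the report above describes a transparent proxy that picks its upstream from the client-supplied Host header. The sketch below is an added example, not ziproxy's code and not the upstream fix: on a Linux interception proxy it takes the destination from the diverted connection itself and uses Host only for comparison and logging. The names `original_dst`, `check_host` and `demo` and the sample addresses are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* value from <linux/netfilter_ipv4.h> */
#endif
enum host_check { HOST_MATCH, HOST_MISMATCH, HOST_IS_NAME, HOST_MISSING };

/* Pre-REDIRECT destination of an intercepted connection (Linux netfilter). */
int original_dst(int fd, struct sockaddr_in *out) {
    socklen_t len = sizeof *out;
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, out, &len);
}

/* Copy the Host header value, port stripped, into out (IPv4 and names only). */
static int host_header(const char *req, char *out, size_t outlen) {
    for (const char *p = strstr(req, "\r\n"); p; p = strstr(p, "\r\n")) {
        p += 2;
        if (*p == '\r') return -1;            /* blank line: headers are over */
        if (strncasecmp(p, "Host:", 5) != 0) continue;
        p += 5 + strspn(p + 5, " \t");
        size_t n = strcspn(p, ":\r\n");
        if (n == 0 || n >= outlen) return -1;
        memcpy(out, p, n);
        out[n] = '\0';
        return 0;
    }
    return -1;
}

/* Host vs. real destination; the upstream connection always goes to orig. */
enum host_check check_host(const char *req, const struct sockaddr_in *orig) {
    char h[256];
    struct in_addr a;
    if (host_header(req, h, sizeof h) != 0) return HOST_MISSING;
    if (inet_pton(AF_INET, h, &a) != 1) return HOST_IS_NAME; /* unresolved name */
    return a.s_addr == orig->sin_addr.s_addr ? HOST_MATCH : HOST_MISMATCH;
}

/* Constructed sample: orig_ip stands in for the result of original_dst(). */
enum host_check demo(const char *req, const char *orig_ip) {
    struct sockaddr_in orig = { .sin_family = AF_INET };
    inet_pton(AF_INET, orig_ip, &orig.sin_addr);
    return check_host(req, &orig);
}
int main(void) { return demo("GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n", "203.0.113.10") == HOST_MISMATCH ? 0 : 1; }
```

A `HOST_MISMATCH` or `HOST_IS_NAME` result is worth logging; a hostname cannot be compared here without resolving it, which is why the connection target never depends on it.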
--- Begin Message ---
Source: ziproxy
Source-Version: 2.7.2-1

We believe that the bug you reported is fixed in the latest version of
ziproxy, which is due to be installed in the Debian FTP archive:

ziproxy_2.7.2-1.debian.tar.gz
  to main/z/ziproxy/ziproxy_2.7.2-1.debian.tar.gz
ziproxy_2.7.2-1.dsc
  to main/z/ziproxy/ziproxy_2.7.2-1.dsc
ziproxy_2.7.2-1_i386.deb
  to main/z/ziproxy/ziproxy_2.7.2-1_i386.deb
ziproxy_2.7.2.orig.tar.bz2
  to main/z/ziproxy/ziproxy_2.7.2.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 521...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcos Talau <marcosta...@gmail.com> (supplier of updated ziproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Dec 2009 23:03:54 -0200
Source: ziproxy
Binary: ziproxy
Architecture: source i386
Version: 2.7.2-1
Distribution: unstable
Urgency: low
Maintainer: Marcos Talau <marcosta...@gmail.com>
Changed-By: Marcos Talau <marcosta...@gmail.com>
Description: 
 ziproxy    - compressing HTTP proxy server
Closes: 521051 543471 543494
Changes: 
 ziproxy (2.7.2-1) unstable; urgency=low
 .
   * Run as a system user (Closes: #543471, #543494)
     - Thanks to Kandalintsev Alexandre.
   * Small fixes in init
   * New upstream release (Closes: #521051)
   * Update to DebSrc3.0
   * Use of DEP-3 compliant headers
   * Updated debian/copyright
   * Small fixes in maintainer scripts




--- End Message ---