Your message dated Mon, 18 Apr 2011 21:21:01 +0000
with message-id <e1qbvst-0006f0...@franck.debian.org>
and subject line Bug#621493: fixed in tinyproxy 1.8.2-2
has caused the Debian Bug report #621493,
regarding tinyproxy: allows everyone if using network addresses in Allow rule
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
621493: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tinyproxy
Version: 1.8.2-1
Severity: grave
Tags: upstream security squeeze patch
Justification: user security hole
When including a line like
Allow 192.168.0.0/16
to allow a network of IP addresses instead of only one IP
address per line, access to tinyproxy
is actually allowed for all IP addresses.
This makes tinyproxy usable as an open proxy from everywhere
on the Internet.
This bug was reported upstream nearly a year ago:
https://banu.com/bugzilla/show_bug.cgi?id=90
and includes a fix there.
Christoph Martin
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (900, 'stable'), (90, 'oldstable'), (70, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages tinyproxy depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii logrotate 3.7.8-6 Log rotation utility
tinyproxy recommends no packages.
tinyproxy suggests no packages.
-- Configuration Files:
/etc/tinyproxy.conf changed:
User nobody
Group nogroup
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
-- no debconf information
--- End Message ---
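As an added illustration, not tinyproxy's own code nor the upstream patch referenced in this thread: a minimal Allow-rule matcher in C showing what a correct network-rule check has to get right. Function names and the handling of /0 and /32 are my own assumptions about how such a check is shaped; a shift by 32 is undefined in C, and a mask that silently comes out as zero is exactly how a network rule turns into "allow everyone", which is the symptom the report describes.

```c
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Host-order mask for a prefix length. Shifting a 32-bit value by 32 is
 * undefined in C, so /0 and /32 are handled explicitly: a mask that comes
 * out as 0 is exactly how an Allow rule silently turns into "allow everyone". */
static uint32_t prefix_to_mask(int bits)
{
    if (bits <= 0)
        return 0;
    return bits >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - bits);
}

/* Parse "a.b.c.d" or "a.b.c.d/n" into a host-order network and mask.
 * Returns 0 on success, -1 on malformed input. (Hypothetical helper.) */
int parse_allow_rule(const char *rule, uint32_t *net, uint32_t *mask)
{
    char buf[32], *slash, *end;
    struct in_addr addr;
    int bits = 32;
    if (strlen(rule) >= sizeof(buf))
        return -1;
    strcpy(buf, rule);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = (int)strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    *mask = prefix_to_mask(bits);
    *net = ntohl(addr.s_addr) & *mask;
    return 0;
}

/* 1 if the client address is covered by the rule, 0 if not,
 * -1 if either string is malformed (a bad rule must never match). */
int allow_rule_matches(const char *rule, const char *client)
{
    uint32_t net, mask;
    struct in_addr c;
    if (parse_allow_rule(rule, &net, &mask) != 0 ||
        inet_pton(AF_INET, client, &c) != 1)
        return -1;
    return (ntohl(c.s_addr) & mask) == net;
}
```

A malformed rule is reported rather than treated as a match, so a typo in the configuration fails closed instead of opening the proxy.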
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.8.2-2
We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive:
tinyproxy_1.8.2-2.debian.tar.bz2
to main/t/tinyproxy/tinyproxy_1.8.2-2.debian.tar.bz2
tinyproxy_1.8.2-2.dsc
to main/t/tinyproxy/tinyproxy_1.8.2-2.dsc
tinyproxy_1.8.2-2_amd64.deb
to main/t/tinyproxy/tinyproxy_1.8.2-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 621...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated tinyproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 18 Apr 2011 23:03:16 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-2
Distribution: unstable
Urgency: high
Maintainer: Ed Boraas <e...@debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Description:
tinyproxy - A lightweight, non-caching, optionally anonymizing HTTP proxy
Closes: 588193 621493
Changes:
tinyproxy (1.8.2-2) unstable; urgency=high
.
* Upper case "HTTP" in package descriptions (closes: #588193).
* Add validate_port_number.patch: exit if an invalid port is declared in
the Port directive.
* Add netmask_generation.patch: fix bug in ACL netmask generation, which
could allow Tinyproxy to be used as an open proxy very easily
[CVE-2011-1499] (closes: #621493).
* Bump Standards-Version to 3.9.2, with no changes required.
--- End Message ---