Your message dated Sun, 30 Sep 2012 17:17:41 +0000
with message-id <e1tin9b-0004zf...@franck.debian.org>
and subject line Bug#685281: fixed in tinyproxy 1.8.3-3
has caused the Debian Bug report #685281,
regarding denial of service via many headers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
685281: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tinyproxy
Severity: serious
Tags: security patch

Hi Jordi,

A Denial of Service attack has been reported against tinyproxy:
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
https://banu.com/bugzilla/show_bug.cgi?id=110#c2

Can you please see to it that this gets addressed in unstable
(and by extension wheezy)?

Please use CVE-2012-3505 to refer to this issue.


Thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--- End Message ---
--- Begin Message ---
Source: tinyproxy
Source-Version: 1.8.3-3

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jo...@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Mon, 24 Sep 2012 21:05:41 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.3-3
Distribution: unstable
Urgency: high
Maintainer: Ed Boraas <e...@debian.org>
Changed-By: Jordi Mallach <jo...@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing HTTP proxy
Closes: 685281
Changes: 
 tinyproxy (1.8.3-3) unstable; urgency=high
 .
   * Add patches for CVE-2012-3505 (closes: #685281):
     - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
       headers to prevent DoS attacks.
     - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
       in order to avoid fake headers getting included in the same bucket,
       allowing for DoS attacks.
     Bug reported and patches contributed by gpernot.

--- End Message ---
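The two mitigations named in the changelog above (a cap on the number of request headers, and a header hash randomized per process so that names crafted to share a bucket no longer chain together) can be illustrated as follows. This is an added example, not tinyproxy's code or the patches themselves; the MAX_HEADERS value, the bucket count, and the use of seeded FNV-1a are assumptions, since the page does not show the patch contents.

```c
#include <stdint.h>
#include <string.h>

#define MAX_HEADERS 32   /* hypothetical cap; the page does not state the patch's value */
#define NBUCKETS    64

/* FNV-1a keyed with a per-process random seed. Multiplying by an odd prime is a bijection
 * mod 2^32, so a name never hashes alike under two different seeds: names chained into one
 * bucket under one seed spread out under another. */
uint32_t header_hash(const char *name, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *name; name++) {
        h ^= (uint8_t)*name;
        h *= 16777619u;
    }
    return h;
}
typedef struct {
    uint32_t seed;              /* draw once per process from a CSPRNG */
    int count;                  /* headers accepted so far */
    int bucket_len[NBUCKETS];   /* chain length per bucket */
} header_map;                   /* initialise with: header_map m = { .seed = s }; */

/* Returns -1 once the cap is reached so the caller rejects the request instead of
 * letting the map (and its collision chains) grow without bound. */
int header_map_add(header_map *m, const char *name)
{
    if (m->count >= MAX_HEADERS) return -1;
    m->bucket_len[header_hash(name, m->seed) % NBUCKETS]++;
    m->count++;
    return 0;
}

/* Walks the header block of a raw request (CRLF lines up to the empty line) and
 * returns the number of headers accepted, or -1 on a malformed line or once the cap is hit. */
int load_request_headers(header_map *m, const char *raw)
{
    char name[256];
    while (*raw && strncmp(raw, "\r\n", 2) != 0) {
        const char *eol = strstr(raw, "\r\n");
        const char *colon = eol ? memchr(raw, ':', (size_t)(eol - raw)) : NULL;
        size_t n = colon ? (size_t)(colon - raw) : sizeof name;  /* no colon -> malformed */
        if (n == 0 || n >= sizeof name) return -1;
        memcpy(name, raw, n); name[n] = '\0';
        if (header_map_add(m, name) < 0) return -1;
        raw = eol + 2;
    }
    return m->count;
}
```

A request that exceeds the cap is rejected as a whole, and because the seed is unknown to the client, a fixed set of header names cannot be relied upon to land in one bucket across processes.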
