[Secure-testing-team] Bug#621493: tinyproxy: allows everyone if using network addresses in Allow rule
Christoph Martin
martin at uni-mainz.de
Thu Apr 7 11:58:28 UTC 2011
Package: tinyproxy
Version: 1.8.2-1
Severity: grave
Tags: upstream security squeeze patch
Justification: user security hole
When including a line like

Allow 192.168.0.0/16

to allow a network of IP addresses instead of only one IP address per line, access to tinyproxy is actually allowed for all IP addresses. This makes tinyproxy usable as an open proxy from everywhere on the internet.

This bug was reported upstream nearly a year ago, and the upstream report includes a fix:
https://banu.com/bugzilla/show_bug.cgi?id=90
Christoph Martin
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (900, 'stable'), (90, 'oldstable'), (70, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages tinyproxy depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii logrotate 3.7.8-6 Log rotation utility
tinyproxy recommends no packages.
tinyproxy suggests no packages.
-- Configuration Files:
/etc/tinyproxy.conf changed:
User nobody
Group nogroup
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563
-- no debconf information
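For reference, this is the check an Allow rule with a network address is expected to perform: a client is admitted only when its address, masked by the rule's prefix length, equals the rule's network. This is an added illustration in C and not tinyproxy's own code; the function names and the treatment of a bare address as a /32 are assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse an Allow/Deny argument such as "192.168.0.0/16" or "127.0.0.1".
 * A bare address is treated as a /32 (assumption).  Returns 1 on success,
 * 0 on a malformed rule, so a bad rule never widens access. */
static int parse_allow_rule(const char *rule, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    char *slash;
    struct in_addr addr;
    long prefix = 32;

    if (strlen(rule) >= sizeof(buf))
        return 0;
    strcpy(buf, rule);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        char *end;
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (slash[1] == '\0' || *end != '\0' || prefix < 0 || prefix > 32)
            return 0;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return 0;

    /* Build the mask in network byte order; avoid the undefined 32-bit shift for /0. */
    *mask = (prefix == 0) ? 0 : htonl(0xFFFFFFFFu << (32 - prefix));
    *net = addr.s_addr & *mask;
    return 1;
}

/* Does the client address fall inside the rule's network?  1 = match, 0 = no match. */
static int client_matches_rule(const char *client_ip, const char *rule)
{
    uint32_t net, mask;
    struct in_addr client;

    if (!parse_allow_rule(rule, &net, &mask))
        return 0;
    if (inet_pton(AF_INET, client_ip, &client) != 1)
        return 0;
    return (client.s_addr & mask) == net;
}
```

With this logic, a client at 10.0.0.1 is rejected by "Allow 192.168.0.0/16" while 192.168.5.7 is admitted; the report above describes the affected version admitting both.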