Debian Bug report logs - #685281
denial of service via many headers


Package: tinyproxy; Maintainer for tinyproxy is Ed Boraas <ed@debian.org>; Source for tinyproxy is src:tinyproxy.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 19 Aug 2012 09:45:04 UTC

Severity: serious

Tags: patch, security

Fixed in versions tinyproxy/1.8.3-3, tinyproxy/1.8.2-1squeeze3

Done: Jordi Mallach <jordi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ed Boraas <ed@debian.org>:
Bug#685281; Package tinyproxy. (Sun, 19 Aug 2012 09:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ed Boraas <ed@debian.org>. (Sun, 19 Aug 2012 09:45:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: denial of service via many headers
Date: Sun, 19 Aug 2012 11:42:57 +0200
Package: tinyproxy
Severity: serious
Tags: security patch

Hi Jordi,

A Denial of Service attack has been reported against tinyproxy:
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
https://banu.com/bugzilla/show_bug.cgi?id=110#c2

Can you please see to it that this gets addressed in unstable
(and by extension wheezy)?

Please use CVE-2012-3505 to refer to this issue.


Thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



Information forwarded to debian-bugs-dist@lists.debian.org, Ed Boraas <ed@debian.org>:
Bug#685281; Package tinyproxy. (Sun, 19 Aug 2012 11:36:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jordi Mallach <jordi@debian.org>:
Extra info received and forwarded to list. Copy sent to Ed Boraas <ed@debian.org>. (Sun, 19 Aug 2012 11:36:08 GMT) Full text and rfc822 format available.

Message #10 received at 685281@bugs.debian.org (full text, mbox):

From: Jordi Mallach <jordi@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 685281@bugs.debian.org
Subject: Re: Bug#685281: denial of service via many headers
Date: Sun, 19 Aug 2012 13:23:38 +0200
[Message part 1 (text/plain, inline)]
On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
> A Denial of Service attack has been reported against tinyproxy:
> https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
> https://banu.com/bugzilla/show_bug.cgi?id=110#c2
> 
> Can you please see to it that this gets addressed in unstable
> (and by extension wheezy)?
> 
> Please use CVE-2012-3505 to refer to this issue.

Will try to get something done ASAP.

Should I do something about stable too? The codebase should be really
similar.

-- 
Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ed Boraas <ed@debian.org>:
Bug#685281; Package tinyproxy. (Sat, 29 Sep 2012 17:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ed Boraas <ed@debian.org>. (Sat, 29 Sep 2012 17:18:03 GMT) Full text and rfc822 format available.

Message #15 received at 685281@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jordi Mallach <jordi@debian.org>, 685281@bugs.debian.org
Cc: Thijs Kinkhorst <thijs@debian.org>, team@security.debian.org
Subject: Re: Bug#685281: denial of service via many headers
Date: Sat, 29 Sep 2012 19:15:46 +0200
[Message part 1 (text/plain, inline)]
Hi Thijs and Jordi

On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote:
> On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
> > A Denial of Service attack has been reported against tinyproxy:
> > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
> > https://banu.com/bugzilla/show_bug.cgi?id=110#c2
> > 
> > Can you please see to it that this gets addressed in unstable
> > (and by extension wheezy)?
> > 
> > Please use CVE-2012-3505 to refer to this issue.
> 
> Will try to get something done ASAP.
> 
> Should I do something about stable too? The codebase should be really
> similar.

I looked at the current prepared version for unstable in the tinyproxy
subversion repository, attached is the debdiff to the current version
in unstable.

Are you fine if I upload this as it is to unstable?

@SecurityTeam: I'm not the maintainer of the package, but tinyproxy
appeared on the radar for RC bugs for wheezy, so I noticed this one.

Regards,
Salvatore
[debdiff-tinyproxy_1.8.3-3.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ed Boraas <ed@debian.org>:
Bug#685281; Package tinyproxy. (Sun, 30 Sep 2012 07:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Ed Boraas <ed@debian.org>. (Sun, 30 Sep 2012 07:42:03 GMT) Full text and rfc822 format available.

Message #20 received at 685281@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>
Cc: "Jordi Mallach" <jordi@debian.org>, 685281@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#685281: denial of service via many headers
Date: Sun, 30 Sep 2012 09:33:46 +0200
Hi Salvatore,

On Sat, September 29, 2012 19:15, Salvatore Bonaccorso wrote:
> On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote:
>> On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
>> > A Denial of Service attack has been reported against tinyproxy:
>> > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
>> > https://banu.com/bugzilla/show_bug.cgi?id=110#c2
>> >
>> > Can you please see to it that this gets addressed in unstable
>> > (and by extension wheezy)?
>> >
>> > Please use CVE-2012-3505 to refer to this issue.
>>
>> Will try to get something done ASAP.
>>
>> Should I do something about stable too? The codebase should be really
>> similar.
>
> I looked at the current prepared version for unstable in the tinyproxy
> subversion repository, attached is the debdiff to the current version
> in unstable.
>
> Are you fine if I upload this as it is to unstable?
>
> @SecurityTeam: I'm not Maintainer of the package but tinyproxy
> appeared on the radar for RC bugs for wheezy, so noticed this one.

Thanks for your work. It looks good. The changelog does have some quirks:
your version number is not NMU-style but maintainer-style, you're not
Jordi Mallach and you added a dot in an unrelated stanza. If you fix these
small items up, please upload this.


Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Ed Boraas <ed@debian.org>:
Bug#685281; Package tinyproxy. (Sun, 30 Sep 2012 08:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ed Boraas <ed@debian.org>. (Sun, 30 Sep 2012 08:12:03 GMT) Full text and rfc822 format available.

Message #25 received at 685281@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: Jordi Mallach <jordi@debian.org>, 685281@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#685281: denial of service via many headers
Date: Sun, 30 Sep 2012 10:07:51 +0200
[Message part 1 (text/plain, inline)]
Hi Thijs

On Sun, Sep 30, 2012 at 09:33:46AM +0200, Thijs Kinkhorst wrote:
> Hi Salvatore,
> 
> On Sat, September 29, 2012 19:15, Salvatore Bonaccorso wrote:
> > On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote:
> >> On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
> >> > A Denial of Service attack has been reported against tinyproxy:
> >> > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
> >> > https://banu.com/bugzilla/show_bug.cgi?id=110#c2
> >> >
> >> > Can you please see to it that this gets addressed in unstable
> >> > (and by extension wheezy)?
> >> >
> >> > Please use CVE-2012-3505 to refer to this issue.
> >>
> >> Will try to get something done ASAP.
> >>
> >> Should I do something about stable too? The codebase should be really
> >> similar.
> >
> > I looked at the current prepared version for unstable in the tinyproxy
> > subversion repository, attached is the debdiff to the current version
> > in unstable.
> >
> > Are you fine if I upload this as it is to unstable?
> >
> > @SecurityTeam: I'm not Maintainer of the package but tinyproxy
> > appeared on the radar for RC bugs for wheezy, so noticed this one.
> 
> Thanks for your work. It looks good. The changelog does have some quirks:
> your version number is not NMU-style but maintainer-style, you're not
> Jordi Mallach and you added a dot in an unrelated stanza. If you fix these
> small items up, please upload this.

I actually haven't done the 'real' work. All the real work was already
prepared by Jordi Mallach, who pushed his work to the svn repository. I
knew he would not be able to upload the package himself in the next month,
so I had a look at what he did and built his version. He asked if
someone could upload this for him.

I'm sorry if I was not clear about this.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Reply sent to Jordi Mallach <jordi@debian.org>:
You have taken responsibility. (Sun, 30 Sep 2012 17:21:09 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 30 Sep 2012 17:21:09 GMT) Full text and rfc822 format available.

Message #30 received at 685281-close@bugs.debian.org (full text, mbox):

From: Jordi Mallach <jordi@debian.org>
To: 685281-close@bugs.debian.org
Subject: Bug#685281: fixed in tinyproxy 1.8.3-3
Date: Sun, 30 Sep 2012 17:17:41 +0000
Source: tinyproxy
Source-Version: 1.8.3-3

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685281@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 24 Sep 2012 21:05:41 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.3-3
Distribution: unstable
Urgency: high
Maintainer: Ed Boraas <ed@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing HTTP proxy
Closes: 685281
Changes: 
 tinyproxy (1.8.3-3) unstable; urgency=high
 .
   * Add patches for CVE-2012-3505 (closes: #685281):
     - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
       headers to prevent DoS attacks.
     - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
       in order to avoid fake headers getting included in the same bucket,
       allowing for DoS attacks.
     Bug reported and patches contributed by gpernot.
Checksums-Sha1: 
 3964dea8cffcd19439af9011420be6cd288aa526 1324 tinyproxy_1.8.3-3.dsc
 d726db4d109a91df55d4384d8ba9c91eb5630195 13381 tinyproxy_1.8.3-3.debian.tar.bz2
 605c1010fccea946a845dfd631eaf1a3ce4f8236 89094 tinyproxy_1.8.3-3_amd64.deb
Checksums-Sha256: 
 99cc8435faf07ca64f64d6482747d6c252c964e195de1c687b3b1b71db0b8a8c 1324 tinyproxy_1.8.3-3.dsc
 56a2361ec88d497ff00284ad06936d2ce3b757ef1c4e965e96ea9e4869da2ceb 13381 tinyproxy_1.8.3-3.debian.tar.bz2
 618ec4296f806116c906be0351ec921a9ff6d6fff3079ba69f257567f6a22132 89094 tinyproxy_1.8.3-3_amd64.deb
Files: 
 b9f394ce49a952a04c11883c7225858f 1324 web optional tinyproxy_1.8.3-3.dsc
 f3d31a993d88ec9de54a1893df15f708 13381 web optional tinyproxy_1.8.3-3.debian.tar.bz2
 ca0ca97ce87fafd976bb68e1184f276e 89094 web optional tinyproxy_1.8.3-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBoeucACgkQJYSUupF6Il5l/QCdHcMv0aCreMqB4l0NjKRyaXLx
F1kAnRhnnfEk5v+MFus65TrqVL3dG3f0
=oqJC
-----END PGP SIGNATURE-----



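The changelog above names two mitigations for CVE-2012-3505: a cap on the number of request headers, and a randomized hashmap so that header names cannot be steered into one bucket. The following is an added, self-contained illustration of both techniques from a defender's point of view; it is not tinyproxy's code, and the cap (`MAX_HEADERS`), bucket count, FNV-based hash, seed source and all function names are assumptions made for this example.

```c
/* Added example (not tinyproxy's code): a request-header store that applies
 * the two mitigations named in the changelog. MAX_HEADERS, NBUCKETS, the
 * hash function and the seed source are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

#define MAX_HEADERS 64   /* assumed cap; tinyproxy's own limit is not given on this page */
#define NBUCKETS    64

struct hnode { char *key; char *val; struct hnode *next; };
struct hmap  { uint32_t seed; size_t count; struct hnode *bucket[NBUCKETS]; };

static char *dupstr(const char *s, size_t n) {
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* FNV-1a over the case-folded name, mixed with a per-process seed so the
 * bucket a header name lands in is not predictable from the name alone. */
static uint32_t seeded_hash(uint32_t seed, const char *s) {
    uint32_t h = 2166136261u ^ seed;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        h ^= c;
        h *= 16777619u;
    }
    return h;
}

/* Seed drawn once per process from /dev/urandom (time-based fallback). */
static uint32_t random_seed(void) {
    uint32_t s = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) { if (fread(&s, sizeof s, 1, f) != 1) s = 0; fclose(f); }
    if (s == 0) s = (uint32_t)time(NULL) | 1u;
    return s;
}

static void hmap_init(struct hmap *m, uint32_t seed) { memset(m, 0, sizeof *m); m->seed = seed; }

static void hmap_free(struct hmap *m) {
    for (size_t i = 0; i < NBUCKETS; i++) {
        struct hnode *n = m->bucket[i];
        while (n) { struct hnode *nx = n->next; free(n->key); free(n->val); free(n); n = nx; }
        m->bucket[i] = NULL;
    }
    m->count = 0;
}

/* Returns 0 on success, -1 when the header cap would be exceeded. */
static int hmap_add(struct hmap *m, const char *k, size_t klen, const char *v, size_t vlen) {
    if (m->count >= MAX_HEADERS) return -1;
    struct hnode *n = malloc(sizeof *n);
    if (!n) return -1;
    n->key = dupstr(k, klen);
    n->val = dupstr(v, vlen);
    if (!n->key || !n->val) { free(n->key); free(n->val); free(n); return -1; }
    uint32_t i = seeded_hash(m->seed, n->key) % NBUCKETS;
    n->next = m->bucket[i];
    m->bucket[i] = n;
    m->count++;
    return 0;
}

/* Parse "Name: value" lines (CRLF or LF) up to the blank line ending the block.
 * Returns the number of headers stored, or -1 if the cap was hit or a line was
 * malformed; the caller should then reject the request instead of serving it. */
static int parse_headers(struct hmap *m, const char *block) {
    const char *p = block;
    while (*p && *p != '\r' && *p != '\n') {
        const char *eol = strchr(p, '\n');
        size_t raw = eol ? (size_t)(eol - p) : strlen(p);
        size_t len = raw;
        if (len && p[len - 1] == '\r') len--;
        const char *colon = memchr(p, ':', len);
        if (!colon || colon == p) return -1;
        const char *v = colon + 1;
        while (v < p + len && (*v == ' ' || *v == '\t')) v++;
        if (hmap_add(m, p, (size_t)(colon - p), v, (size_t)(p + len - v)) < 0) return -1;
        p += raw + (eol ? 1 : 0);
    }
    return (int)m->count;
}

/* Constructed sample: a normal three-header request block. */
static int demo_normal(void) {
    const char *req = "Host: example.invalid\r\nUser-Agent: constructed/1.0\r\nAccept: */*\r\n\r\n";
    struct hmap m; hmap_init(&m, random_seed());
    int n = parse_headers(&m, req);
    hmap_free(&m);
    return n;
}

/* Constructed sample: a block with more headers than the cap allows. */
static int demo_over_limit(void) {
    char buf[8192]; size_t off = 0;
    for (int i = 0; i < MAX_HEADERS + 10; i++)
        off += (size_t)snprintf(buf + off, sizeof buf - off, "X-H%d: v\r\n", i);
    snprintf(buf + off, sizeof buf - off, "\r\n");
    struct hmap m; hmap_init(&m, random_seed());
    int n = parse_headers(&m, buf);
    hmap_free(&m);
    return n;
}

int main(void) {
    printf("normal request: %d headers stored\n", demo_normal());
    printf("oversized request: %d (rejected at the cap)\n", demo_over_limit());
    return 0;
}
```

The cap bounds the work and memory a single request can consume; the seed means that the placement of names in buckets differs from process to process, so a set of names that collide under one seed does not collide under another. A practitioner checking a deployment would confirm both: that an over-limit request is rejected rather than processed, and that the seed is drawn from a proper entropy source at startup rather than being a compile-time constant.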

Reply sent to Jordi Mallach <jordi@debian.org>:
You have taken responsibility. (Sat, 27 Oct 2012 15:51:16 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sat, 27 Oct 2012 15:51:16 GMT) Full text and rfc822 format available.

Message #35 received at 685281-close@bugs.debian.org (full text, mbox):

From: Jordi Mallach <jordi@debian.org>
To: 685281-close@bugs.debian.org
Subject: Bug#685281: fixed in tinyproxy 1.8.2-1squeeze3
Date: Sat, 27 Oct 2012 15:47:05 +0000
Source: tinyproxy
Source-Version: 1.8.2-1squeeze3

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685281@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 24 Sep 2012 21:05:41 +0200
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-1squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Ed Boraas <ed@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing http proxy
Closes: 685281
Changes: 
 tinyproxy (1.8.2-1squeeze3) stable-security; urgency=high
 .
   * Add patches for CVE-2012-3505 (closes: #685281):
     - CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of
       headers to prevent DoS attacks.
     - CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps
       in order to avoid fake headers getting included in the same bucket,
       allowing for DoS attacks.
     Bug reported and patches contributed by gpernot.
Checksums-Sha1: 
 8bd439d4b90b54e76da6190c911418711a6af258 1295 tinyproxy_1.8.2-1squeeze3.dsc
 0d99220e277d71e89c285cc6b28a0d26fd505316 14264 tinyproxy_1.8.2-1squeeze3.debian.tar.bz2
 31164865b8290f8dab68c52689776c5351b42a52 87550 tinyproxy_1.8.2-1squeeze3_amd64.deb
Checksums-Sha256: 
 a74f9f7cda2fdd4a98708a6f737f935a15948a11a1e521de273b1134f5546d25 1295 tinyproxy_1.8.2-1squeeze3.dsc
 8285a7bcfc674e5e00f0013e0cf14deba476368ca46ed9a72b6801848f163731 14264 tinyproxy_1.8.2-1squeeze3.debian.tar.bz2
 5f550c8778e1ed11ccf6484fa6a90e64acde2c1b7a0673b3333d52c1d87fb1a9 87550 tinyproxy_1.8.2-1squeeze3_amd64.deb
Files: 
 95136d26f2d3319b1a3cebb329fa1710 1295 web optional tinyproxy_1.8.2-1squeeze3.dsc
 9f1cb3dac6372aa328c9f0c675307dec 14264 web optional tinyproxy_1.8.2-1squeeze3.debian.tar.bz2
 2f2952c740e4d1c9b5dfafe414e7d2f1 87550 web optional tinyproxy_1.8.2-1squeeze3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBqFaUACgkQJYSUupF6Il7LzQCfSdkuQGIwtOAVqxBPSLkiFjUW
zsgAoPRUDR/HGOSbYFlfw4COJzRe7vzj
=lf60
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Feb 2013 07:29:50 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:09:16 2014; Machine Name: buxtehude.debian.org
