Christoph Martin
2011-Apr-07 11:58 UTC
[Secure-testing-team] Bug#621493: tinyproxy: allows everyone if using network addresses in Allow rule
Package: tinyproxy
Version: 1.8.2-1
Severity: grave
Tags: upstream security squeeze patch
Justification: user security hole

When including a line like

Allow 192.168.0.0/16

to allow a network of IP addresses instead of only one IP address per line, access to tinyproxy is actually allowed for all IP addresses. This makes tinyproxy usable as an open proxy from everywhere on the internet.

This bug was reported upstream nearly a year ago: https://banu.com/bugzilla/show_bug.cgi?id=90 and includes a fix there.

Christoph Martin

-- System Information:
Debian Release: 6.0.1
  APT prefers stable
  APT policy: (900, 'stable'), (90, 'oldstable'), (70, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages tinyproxy depends on:
ii  libc6      2.11.2-10  Embedded GNU C Library: Shared lib
ii  logrotate  3.7.8-6    Log rotation utility

tinyproxy recommends no packages.

tinyproxy suggests no packages.

-- Configuration Files:
/etc/tinyproxy.conf changed:
User nobody
Group nogroup
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
ConnectPort 443
ConnectPort 563

-- no debconf information
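The check that an Allow rule with a network prefix must perform, as an added example in C that is not tinyproxy's own code (the function names, the IPv4-only scope and the sample rule list are assumptions): a rule of the form a.b.c.d/N becomes a network address plus mask, a client is allowed only when its address falls under some rule, and a malformed rule or an unmatched client is denied rather than let through.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d" (treated as /32) or "a.b.c.d/N" into a network address
 * and mask in host byte order. Returns 0 on success, -1 on a malformed rule. */
static int parse_rule(const char *rule, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    char *slash, *end;
    struct in_addr addr;
    long bits = 32;

    if (strlen(rule) >= sizeof(buf))
        return -1;
    strcpy(buf, rule);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    /* Shifting a 32-bit value by 32 is undefined in C, so /0 is special-cased. */
    *mask = (bits == 0) ? 0 : 0xFFFFFFFFu << (32 - bits);
    *net = ntohl(addr.s_addr) & *mask;
    return 0;
}

/* 1 if the client address is covered by the rule, 0 otherwise.
 * Malformed rules and unparsable clients never match (fail closed). */
int rule_matches(const char *rule, const char *client)
{
    uint32_t net, mask;
    struct in_addr addr;

    if (parse_rule(rule, &net, &mask) != 0)
        return 0;
    if (inet_pton(AF_INET, client, &addr) != 1)
        return 0;
    return (ntohl(addr.s_addr) & mask) == net;
}

/* Default-deny check over a constructed rule list mirroring the report's
 * scenario: loopback plus one /16. Anything not listed is refused. */
int is_allowed(const char *client)
{
    static const char *const allow[] = { "127.0.0.1", "192.168.0.0/16" };
    for (size_t i = 0; i < sizeof(allow) / sizeof(allow[0]); i++)
        if (rule_matches(allow[i], client))
            return 1;
    return 0;
}
```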