oss-security - Re: CVE request: tinyproxy runs as an open proxy when attempting to restrict allowable IP ranges

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <909072608.466818.1302293821374.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Fri, 8 Apr 2011 16:17:01 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: tinyproxy runs as an open proxy
 when attempting to restrict allowable IP ranges

Please use CVE-2011-1499

Thanks.

-- 
    JB

----- Original Message -----
> A bug in tinyproxy prior to 1.8.3 would turn it into an open proxy if
> it
> were defined with an "Allow" statement including an IP address range
> (i.e. 192.168.0.0/24).
> 
> Could a CVE be assigned to this?
> 
> References:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493
> https://banu.com/bugzilla/show_bug.cgi?id=90
> https://banu.com/cgit/tinyproxy/commit/?id=e8426f6662dc467bd1d827100481b95d9a4a23e4
> https://bugzilla.redhat.com/show_bug.cgi?id=694658
> 
> --
> Vincent Danen / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.