oss-sec mailing list archives

Re: CVE request: tinyproxy runs as an open proxy when attempting to restrict allowable IP ranges


From: Josh Bressers <bressers () redhat com>
Date: Fri, 8 Apr 2011 16:17:01 -0400 (EDT)

Please use CVE-2011-1499

Thanks.

-- 
    JB

----- Original Message -----
A bug in tinyproxy prior to 1.8.3 would turn it into an open proxy if it
were defined with an "Allow" statement including an IP address range
(i.e. 192.168.0.0/24).

Could a CVE be assigned to this?

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493
https://banu.com/bugzilla/show_bug.cgi?id=90
https://banu.com/cgit/tinyproxy/commit/?id=e8426f6662dc467bd1d827100481b95d9a4a23e4
https://bugzilla.redhat.com/show_bug.cgi?id=694658

--
Vincent Danen / Red Hat Security Response Team

