oss-sec mailing list archives
Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests
From: Juliusz Chroboczek <jch () pps jussieu fr>
Date: Thu, 06 Oct 2011 18:37:01 +0200
a denial of service flaw was found in the way Polipo, a lightweight caching web proxy, processed certain HTTP POST / PUT requests. If polipo was configured to allow remote client connections and particular host was allowed to connect to polipo server instance, a remote attacker could use this flaw to cause denial of service (polipo daemon abort due to assertion failure) via specially-crafted HTTP POST / PUT request.
Yes, this is a known bug with Polipo 1.0.4 and 1.0.4.1. I believe that it is fixed in the Git trunk, which is unfortunately not ready to be released (and might never be unless a maintainer is found). At any rate, I do not recommend running Polipo as a publicly accessible proxy. While I have made reasonable efforts to ensure that this is safe, Polipo was not designed for that. Regards, -- Juliusz
Current thread:
- CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Jan Lieskovsky (Oct 03)
- Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Josh Bressers (Oct 04)
- Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Juliusz Chroboczek (Oct 06)
- Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Vincent Danen (Oct 07)
- Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Julien Cristau (Oct 07)
- Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Julien Cristau (Oct 07)
- Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Vincent Danen (Oct 07)