Multiple open vulnerabilities in tinyproxy

Bug #1154502 reported by Christian Kuersteiner
Affects               Status         Importance   Assigned to   Milestone
tinyproxy (Ubuntu)    Fix Released   High         Unassigned
  Precise             Fix Released   High         Unassigned

Bug Description

There are multiple open vulnerabilities (security bypass, DoS) in tinyproxy affecting lucid up to raring.

information type: Private Security → Public Security
Revision history for this message
Christian Kuersteiner (ckuerste) wrote :

Note that CVE-2011-1499 and CVE-2011-1843 don't affect precise (higher version than the vulnerable one). Hence just added patch for CVE-2012-3505.

Revision history for this message
Christian Kuersteiner (ckuerste) wrote :

quantal and raring are not affected by any of these vulnerabilities. Both already include all the needed fixes.

Changed in tinyproxy (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in tinyproxy (Ubuntu Precise):
importance: Undecided → High
status: New → Triaged
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Christian,

I had to make a slight change to the patch to build without warnings -- both <stdlib.h> and <time.h> were already included via a "common.h" header file.

Revision history for this message
Michael Adam (obnox) wrote :

Indeed.
I have added updated patches to the upstream bug report:
https://banu.com/bugzilla/show_bug.cgi?id=110
Those adhere to coding guidelines and also add a configure check for
the newly used functions (time, rand, srand).

These could go upstream.
I need to really understand the problem though
(i.e. I am not certain that I understand the phenomenon.
The bug report does not contain a precise description,
or I am not able to reproduce.)

Thanks for any details!

Michael

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tinyproxy - 1.8.3-1ubuntu0.1

---------------
tinyproxy (1.8.3-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Fix for denial of service vulnerability where remote
    attackers send crafted request headers. (LP: #1154502)
    - debian/patches/001-CVE-2012-3505.patch: Limit the number of headers to
      prevent DoS attacks. Randomize hashmaps in order to avoid fake headers
      getting included in the same bucket, allowing for DoS attacks.
    - CVE-2012-3505
 -- Christian Kuersteiner <email address hidden> Wed, 13 Mar 2013 16:42:14 +0700

Changed in tinyproxy (Ubuntu Precise):
status: Triaged → Fix Released
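The changelog entry above names the two mitigations for CVE-2012-3505 but, as Michael notes, neither this report nor the upstream one spells out the mechanism. The following is an added illustration, not tinyproxy's own code: a toy header hash map with a predictable bucket index, an attacker routine that precomputes header names landing in one bucket (turning per-request work quadratic), and the two fixes the changelog describes, a per-process random seed folded into the hash and a cap on the header count. The hash function, bucket count (64), cap (100) and all names are assumptions for the demonstration, not tinyproxy's real values.

```c
/* Added example, not tinyproxy's code: hash-collision DoS against a header
 * map, and the seed + header-cap mitigations. All constants are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define BUCKETS     64
#define MAX_HEADERS 100   /* assumed cap; the real limit is not quoted on this page */
#define NAME_LEN    32

struct hnode { char name[NAME_LEN]; struct hnode *next; };

struct hmap {
    struct hnode *bucket[BUCKETS];
    unsigned      seed;         /* 0 = unseeded, the predictable (vulnerable) setup */
    int           count;
    long          comparisons;  /* chain-walk work: what the attacker inflates */
};

/* djb2 over the name, then a 32-bit avalanche finaliser over (h ^ seed).
 * With seed == 0 the bucket is a pure function of the name, so an attacker
 * who knows the function can precompute names that share one bucket. */
static unsigned header_bucket(const char *name, unsigned seed)
{
    uint32_t h = 5381u;
    for (; *name; name++)
        h = h * 33u + (unsigned char)*name;
    h ^= seed;
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h % BUCKETS;
}

static void hmap_init(struct hmap *m, unsigned seed)
{
    memset(m, 0, sizeof *m);
    m->seed = seed;
}

static void hmap_free(struct hmap *m)
{
    for (int i = 0; i < BUCKETS; i++) {
        struct hnode *p = m->bucket[i];
        while (p) { struct hnode *next = p->next; free(p); p = next; }
        m->bucket[i] = NULL;
    }
}

/* Like a real header map, walk the chain to detect a duplicate before
 * inserting, so a chain of length k costs k comparisons.
 * Returns 0 on success (or duplicate), -1 when the header cap is hit. */
static int hmap_add(struct hmap *m, const char *name)
{
    if (m->count >= MAX_HEADERS)
        return -1;                           /* mitigation 2: bounded header count */
    unsigned b = header_bucket(name, m->seed); /* mitigation 1: seeded bucket index */
    for (struct hnode *p = m->bucket[b]; p; p = p->next) {
        m->comparisons++;
        if (strcmp(p->name, name) == 0)
            return 0;
    }
    struct hnode *n = malloc(sizeof *n);
    if (!n)
        return -1;
    snprintf(n->name, NAME_LEN, "%s", name);
    n->next = m->bucket[b];
    m->bucket[b] = n;
    m->count++;
    return 0;
}

static int hmap_max_chain(const struct hmap *m)
{
    int best = 0;
    for (int i = 0; i < BUCKETS; i++) {
        int len = 0;
        for (struct hnode *p = m->bucket[i]; p; p = p->next) len++;
        if (len > best) best = len;
    }
    return best;
}

/* Attacker side: seed assumed known (0); enumerate candidates and keep the
 * ones hashing to bucket 0 until n crafted names are collected. */
static void craft_colliding_headers(char (*out)[NAME_LEN], int n)
{
    int found = 0;
    for (unsigned i = 0; found < n; i++) {
        snprintf(out[found], NAME_LEN, "X-Crafted-%u", i);
        if (header_bucket(out[found], 0) == 0)
            found++;
    }
}

/* Replay the crafted request against a map using `seed`. */
static void run_attack(int n, unsigned seed, int *worst, long *work)
{
    char (*names)[NAME_LEN] = malloc((size_t)n * sizeof *names);
    struct hmap m;
    if (!names) { *worst = -1; *work = -1; return; }
    craft_colliding_headers(names, n);
    hmap_init(&m, seed);
    for (int i = 0; i < n; i++)
        hmap_add(&m, names[i]);
    *worst = hmap_max_chain(&m);
    *work = m.comparisons;
    hmap_free(&m);
    free(names);
}

static int attack_longest_chain(int n, unsigned seed)
{ int worst; long work; run_attack(n, seed, &worst, &work); return worst; }

static long attack_comparisons(int n, unsigned seed)
{ int worst; long work; run_attack(n, seed, &worst, &work); return work; }

/* Offer n distinct, benign headers; return how many the cap let through. */
static int headers_accepted(int n)
{
    struct hmap m;
    char name[NAME_LEN];
    hmap_init(&m, 0);
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "X-Legit-%d", i);
        hmap_add(&m, name);
    }
    int accepted = m.count;
    hmap_free(&m);
    return accepted;
}

int main(void)
{
    printf("unseeded: longest chain %d, %ld comparisons\n",
           attack_longest_chain(64, 0), attack_comparisons(64, 0));
    srand((unsigned)time(NULL));        /* the time/rand/srand the patch introduces */
    unsigned seed = (unsigned)rand() | 1u;
    printf("seed %#x: longest chain %d, %ld comparisons\n", seed,
           attack_longest_chain(64, seed), attack_comparisons(64, seed));
    printf("headers accepted of %d offered: %d\n",
           MAX_HEADERS + 50, headers_accepted(MAX_HEADERS + 50));
    return 0;
}
```

With the seed at 0, the 64 crafted names all land in bucket 0 and inserting them costs 0+1+...+63 = 2016 string comparisons, growing quadratically with the header count; the same names against a seeded map scatter across buckets. Note that the seed only helps when it is unknown to the client, which is why the patch draws it from rand() after srand() at startup rather than using a fixed constant, and the header cap bounds the damage even if the seed were guessed.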