Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Tinyproxy: Memory Disclosure — GLSA 202305-27

A vulnerability has been discovered in Tinyproxy which could be used to achieve memory disclosure.

Affected packages

Package net-proxy/tinyproxy on all architectures
Affected versions < 1.11.1_p20220908
Unaffected versions >= 1.11.1_p20220908

Background

Tinyproxy is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems.

Description

Tinyproxy's request processing does not sufficiently null-initialize variables used in error pages.

Impact

Contents of the Tinyproxy server's memory could be disclosed via generated error pages.

Workaround

There is no known workaround at this time.

Resolution

All Tinyproxy users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-proxy/tinyproxy-1.11.1_p20220908"

References

Release date
May 21, 2023

Latest revision
May 21, 2023: 1

Severity
low

Exploitable
remote

Bugzilla entries