
Mageia 9: MGASA-2025-0003 critical: tinyproxy remote execution risk

Mageia, January 10, 2025
The Mageia team has released updates for tinyproxy to fix the severe security issues described in advisory MGASA-2025-0003.

Summary

Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used: Tinyproxy commit 84f203f and earlier use uninitialized buffers in the process_request() function. (CVE-2022-40468)

A use-after-free vulnerability exists in the HTTP Connection header parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability. (CVE-2023-49606)

References

- https://bugs.mageia.org/show_bug.cgi?id=33206
- https://www.openwall.com/lists/oss-security/2024/05/07/1
- https://ubuntu.com/security/notices/USN-7140-1
- https://ubuntu.com/security/notices/USN-7190-1
- https://www.cve.org/CVERecord?id=CVE-2022-40468
- https://www.cve.org/CVERecord?id=CVE-2023-49606

Resolution

SRPMS

- 9/core/tinyproxy-1.10.0-3.1.mga9

Severity: critical

Publication date: 10 Jan 2025
URL: https://advisories.mageia.org/MGASA-2025-0003.html
Type: security
CVE: CVE-2022-40468, CVE-2023-49606
