openSUSE: 2024:0119-1 important: tinyproxy Advisory Security Update
Description
This update for tinyproxy fixes the following issues:

- Update to release 1.11.2
  * Fix potential use-after-free in header handling [CVE-2023-49606, boo#1223746]
  * Prevent junk from showing up in error page in invalid requests [CVE-2022-40468, CVE-2023-40533, boo#1223743]
- Move tinyproxy program to /usr/bin.
- Update to release 1.11.1
  * New fnmatch based filtertype
- Update to release 1.11
  * Support for multiple bind directives.
- Update to 1.10.0:
  * Configuration file has moved from /etc/tinyproxy.conf to /etc/tinyproxy/tinyproxy.conf.
  * Add support for basic HTTP authentication
  * Add socks upstream support
  * Log to stdout if no logfile is specified
  * Activate reverse proxy by default
  * Support bind with transparent mode
  * Allow multiple listen statements in the configuration
  * Fix CVE-2017-11747: Create PID file before dropping privileges.
  * Fix CVE-2012-3505: algorithmic complexity DoS in hashmap
  * Bugfixes
    - BB#110: fix algorithmic complexity DoS in hashmap
    - BB#106: fix CONNECT requests with IPv6 literal addresses as host
    - BB#116: fix invalid free for GET requests to ipv6 literal address
    - BB#115: Drop supplementary groups
    - BB#109: Fix crash (infinite loop) when writing to log file fails
    - BB#74: Create log and pid files after we drop privs
    - BB#83: Use output of id instead of $USER
Patch
Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:
  zypper in -t patch openSUSE-2024-119=1
Package List
- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): tinyproxy-1.11.2-bp155.3.3.1
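The following script is an added example, not part of the openSUSE advisory or the tinyproxy project: it checks whether an installed tinyproxy is older than the fixed release 1.11.2 listed above, and warns when only the pre-1.10.0 configuration path /etc/tinyproxy.conf exists (that file is no longer read, so hardening settings left there would silently have no effect). It assumes an RPM-based host; the version-comparison function itself handles only numeric dotted versions and needs nothing but a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the advisory): does this host still need openSUSE-2024-119?
# Assumption: upstream version of the fixed package is 1.11.2 (tinyproxy-1.11.2-bp155.3.3.1).
FIXED_VERSION="1.11.2"

# vercmp A B: prints -1, 0 or 1 for numeric dotted versions (1.11 is treated as 1.11.0).
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; a="${a#*.}"
        bx="${b%%.*}"; b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"          # missing component counts as 0
        if [ "$ax" -lt "$bx" ]; then printf '%s\n' -1; return; fi
        if [ "$ax" -gt "$bx" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# needs_patch INSTALLED: succeeds (exit 0) when INSTALLED is older than FIXED_VERSION.
needs_patch() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Upstream version of the installed package; empty if rpm is missing or tinyproxy is not installed.
installed_tinyproxy_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}\n' tinyproxy 2>/dev/null | grep -v 'not installed'
}

# Since 1.10.0 the config lives in /etc/tinyproxy/tinyproxy.conf; an orphaned old file is a red flag.
config_path_check() {
    if [ -f /etc/tinyproxy.conf ] && [ ! -f /etc/tinyproxy/tinyproxy.conf ]; then
        echo "WARN: /etc/tinyproxy.conf exists but /etc/tinyproxy/tinyproxy.conf does not; the old file is ignored"
        return 1
    fi
    return 0
}

main() {
    v="$(installed_tinyproxy_version)"
    [ -n "$v" ] || { echo "tinyproxy not installed (or rpm unavailable)"; return 0; }
    if needs_patch "$v"; then
        echo "tinyproxy $v is older than $FIXED_VERSION: run 'zypper in -t patch openSUSE-2024-119=1'"
    else
        echo "tinyproxy $v already includes the fix"
    fi
    config_path_check
}

main "$@"
```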
References
https://www.suse.com/security/cve/CVE-2012-3505.html
https://www.suse.com/security/cve/CVE-2017-11747.html
https://www.suse.com/security/cve/CVE-2022-40468.html
https://www.suse.com/security/cve/CVE-2023-40533.html
https://www.suse.com/security/cve/CVE-2023-49606.html
https://bugzilla.suse.com/1200028
https://bugzilla.suse.com/1203553
https://bugzilla.suse.com/1223743
https://bugzilla.suse.com/1223746