openSUSE Security Update: Security update for tinyproxy
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0119-1
Rating:             important
References:         #1200028 #1203553 #1223743 #1223746
Cross-References:   CVE-2012-3505 CVE-2017-11747 CVE-2022-40468 CVE-2023-40533
                    CVE-2023-49606
CVSS scores:
                    CVE-2017-11747 (NVD) : 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-40468 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-40468 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2023-40533 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for tinyproxy fixes the following issues:

- Update to release 1.11.2
  * Fix potential use-after-free in header handling
    [CVE-2023-49606, boo#1223746]
  * Prevent junk from showing up in error page in invalid requests
    [CVE-2022-40468, CVE-2023-40533, boo#1223743]
- Move tinyproxy program to /usr/bin.
- Update to release 1.11.1
  * New fnmatch based filtertype
- Update to release 1.11
  * Support for multiple bind directives.
- Update to 1.10.0:
  * Configuration file has moved from /etc/tinyproxy.conf to
    /etc/tinyproxy/tinyproxy.conf.
  * Add support for basic HTTP authentication
  * Add socks upstream support
  * Log to stdout if no logfile is specified
  * Activate reverse proxy by default
  * Support bind with transparent mode
  * Allow multiple listen statements in the configuration
  * Fix CVE-2017-11747: Create PID file before dropping privileges.
  * Fix CVE-2012-3505: algorithmic complexity DoS in hashmap
  * Bugfixes
  * BB#110: fix algorithmic complexity DoS in hashmap
  * BB#106: fix CONNECT requests with IPv6 literal addresses as host
  * BB#116: fix invalid free for GET requests to ipv6 literal address
  * BB#115: Drop supplementary groups
  * BB#109: Fix crash (infinite loop) when writing to log file fails
  * BB#74: Create log and pid files after we drop privs
  * BB#83: Use output of id instead of $USER

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

  zypper in -t patch openSUSE-2024-119=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

  tinyproxy-1.11.2-bp155.3.3.1

References:

https://www.suse.com/security/cve/CVE-2012-3505.html
https://www.suse.com/security/cve/CVE-2017-11747.html
https://www.suse.com/security/cve/CVE-2022-40468.html
https://www.suse.com/security/cve/CVE-2023-40533.html
https://www.suse.com/security/cve/CVE-2023-49606.html
https://bugzilla.suse.com/1200028
https://bugzilla.suse.com/1203553
https://bugzilla.suse.com/1223743
https://bugzilla.suse.com/1223746
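An added post-patch check, not part of the advisory and not SUSE tooling: it reads the installed tinyproxy version-release from the RPM database and compares it against the fixed package listed above. The comparison is a simplified numeric one written for this example (it is not rpm's own rpmvercmp), and `check_local_tinyproxy` assumes the `rpm` command is available on the host.

```sh
#!/bin/sh
# Fixed version-release for openSUSE Backports SLE-15-SP5, from the advisory's package list.
FIXED_VR="1.11.2-bp155.3.3.1"

# Compare two dot-separated version strings numerically; prints -1, 0 or 1.
# Non-digit characters in a segment are dropped ("bp155" -> 155), missing segments count as 0.
# Simplified comparison for this example only; not a replacement for rpmvercmp.
vercmp() (
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { echo -1; return; }
        [ "$x" -gt "$y" ] && { echo 1; return; }
    done
    echo 0
)

# True (exit 0) when the installed "version-release" in $1 is at or above FIXED_VR.
# Upstream version decides first; the distribution release only matters when versions match.
tinyproxy_is_patched() {
    iv="${1%%-*}"; ir="${1#*-}"; [ "$ir" = "$1" ] && ir=0
    fv="${FIXED_VR%%-*}"; fr="${FIXED_VR#*-}"
    r=$(vercmp "$iv" "$fv")
    [ "$r" -eq 1 ] && return 0
    [ "$r" -eq -1 ] && return 1
    [ "$(vercmp "$ir" "$fr")" -ne -1 ]
}

# Query the local RPM database and report; exit 1 when the fixed package is not yet installed.
check_local_tinyproxy() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' tinyproxy 2>/dev/null) || {
        echo "tinyproxy is not installed on this host"; return 0; }
    if tinyproxy_is_patched "$installed"; then
        echo "tinyproxy $installed: fixed package present (>= $FIXED_VR)"
    else
        echo "tinyproxy $installed: missing openSUSE-SU-2024:0119-1, run: zypper in -t patch openSUSE-2024-119=1"
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then check_local_tinyproxy; fi
```

Run it as `sh check-tinyproxy.sh --check` on an openSUSE Backports SLE-15-SP5 host; the functions can also be sourced and fed version strings collected from other systems.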