{"id": "OPENVAS:1361412562310121096", "type": "openvas", "bulletinFamily": "scanner", "title": "Gentoo Security Advisory GLSA 201312-15", "description": "Gentoo Linux Local Security Checks GLSA 201312-15", "published": "2015-09-29T00:00:00", "modified": "2018-10-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121096", "reporter": "Eero Volotinen", "references": ["https://security.gentoo.org/glsa/201312-15"], "cvelist": ["CVE-2012-3505"], "lastseen": "2019-05-29T18:36:54", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-201501-11"]}, {"type": "cve", "idList": ["CVE-2012-3505"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2564-1:C8ECA"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2012-3505"]}, {"type": "gentoo", "idList": ["GLSA-201312-15"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-2564.NASL", "GENTOO_GLSA-201312-15.NASL", "OPENSUSE-2013-587.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310111081", "OPENVAS:136141256231072536", "OPENVAS:72536"]}, {"type": "osv", "idList": ["OSV:DSA-2564-1"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28682", "SECURITYVULNS:VULN:12668"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-3505"]}]}, "score": {"value": -0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-201501-11"]}, {"type": "cve", "idList": ["CVE-2012-3505"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2564-1:C8ECA"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-2564.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:72536"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12668"]}]}, "exploitation": null, "vulnersScore": -0.3}, "pluginID": "1361412562310121096", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201312-15.nasl 12128 2018-10-26 13:35:25Z 
cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121096\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:26:29 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201312-15\");\n script_tag(name:\"insight\", value:\"A vulnerability has been discovered in the way how Tinyproxy works with headers.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201312-15\");\n script_cve_id(\"CVE-2012-3505\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", 
\"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201312-15\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"net-proxy/tinyproxy\", unaffected: make_list(\"ge 1.8.3-r3\"), vulnerable: make_list(\"lt 1.8.3-r3\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "naslFamily": "Gentoo Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659908672}, "_internal": {"score_hash": "0924c603f56acfff3ddc9f0ed31294d4"}}
{"nessus": [{"lastseen": "2023-01-11T15:02:30", "description": "The remote host is affected by the vulnerability described in GLSA-201312-15 (Tinyproxy: Denial of Service)\n\n A vulnerability has been discovered in the way how Tinyproxy works with headers.\n Impact :\n\n A remote attacker could send a specially crafted request with too many headers, possibly resulting in a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2013-12-24T00:00:00", "type": "nessus", "title": "GLSA-201312-15 : Tinyproxy: Denial of Service", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:tinyproxy", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201312-15.NASL", "href": "https://www.tenable.com/plugins/nessus/71628", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201312-15.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(71628);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-3505\");\n script_bugtraq_id(55099);\n script_xref(name:\"GLSA\", value:\"201312-15\");\n\n script_name(english:\"GLSA-201312-15 : Tinyproxy: Denial of Service\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201312-15\n(Tinyproxy: Denial of Service)\n\n A vulnerability has been discovered in the way how Tinyproxy works with\n headers.\n \nImpact :\n\n A remote attacker could send a specially crafted request with too many\n headers, possibly resulting in a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201312-15\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Tinyproxy users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-proxy/tinyproxy-1.8.3-r3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tinyproxy\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-proxy/tinyproxy\", unaffected:make_list(\"ge 1.8.3-r3\"), vulnerable:make_list(\"lt 1.8.3-r3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Tinyproxy\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-11T14:32:14", "description": "gpernot discovered that Tinyproxy, a HTTP proxy, is vulnerable to a denial of service by remote attackers by sending crafted request headers.", "cvss3": {}, "published": "2012-10-24T00:00:00", "type": "nessus", "title": "Debian DSA-2564-1 : tinyproxy - denial of service", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:tinyproxy", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DSA-2564.NASL", "href": "https://www.tenable.com/plugins/nessus/62666", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2564. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62666);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-3505\");\n script_bugtraq_id(55099);\n script_xref(name:\"DSA\", value:\"2564\");\n\n script_name(english:\"Debian DSA-2564-1 : tinyproxy - denial of service\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"gpernot discovered that Tinyproxy, a HTTP proxy, is vulnerable to a\ndenial of service by remote attackers by sending crafted request\nheaders.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/tinyproxy\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.debian.org/security/2012/dsa-2564\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tinyproxy packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.8.2-1squeeze3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tinyproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"tinyproxy\", reference:\"1.8.2-1squeeze3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-01-18T14:31:40", "description": "Tinyproxy allowed remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger hash collisions predictably. 
bucket.\n\nThis update fixes this by limiting headers and improving the hash keying.", "cvss3": {}, "published": "2014-06-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tinyproxy (openSUSE-SU-2013:1201-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tinyproxy", "p-cpe:/a:novell:opensuse:tinyproxy-debuginfo", "p-cpe:/a:novell:opensuse:tinyproxy-debugsource", "cpe:/o:novell:opensuse:12.2", "cpe:/o:novell:opensuse:12.3"], "id": "OPENSUSE-2013-587.NASL", "href": "https://www.tenable.com/plugins/nessus/75087", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-587.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75087);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-3505\");\n\n script_name(english:\"openSUSE Security Update : tinyproxy (openSUSE-SU-2013:1201-1)\");\n script_summary(english:\"Check for the openSUSE-2013-587 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tinyproxy allowed remote 
attackers to cause a denial of service (CPU\nand memory consumption) via (1) a large number of headers or (2) a\nlarge number of forged headers that trigger hash collisions\npredictably. bucket.\n\nThis update fixes this by limiting headers and improving the hash\nkeying.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=776506\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-07/msg00056.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected tinyproxy packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tinyproxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tinyproxy-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tinyproxy-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.2|SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.2 / 12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.2\", reference:\"tinyproxy-1.8.3-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"tinyproxy-debuginfo-1.8.3-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"tinyproxy-debugsource-1.8.3-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"tinyproxy-1.8.3-4.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"tinyproxy-debuginfo-1.8.3-4.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"tinyproxy-debugsource-1.8.3-4.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tinyproxy\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2021-10-21T23:45:46", "description": "- 
-------------------------------------------------------------------------\nDebian Security Advisory DSA-2564-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nOctober 23, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : tinyproxy\nVulnerability : denial of service\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-3505\nDebian Bug : 685281\n\ngpernot discovered that Tinyproxy, a HTTP proxy, is vulnerable to a\ndenial of service by remote attackers by sending crafted request\nheaders.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.8.2-1squeeze3.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1.8.3-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.3-3.\n\nWe recommend that you upgrade your tinyproxy packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2012-10-23T17:17:55", "type": "debian", "title": "[SECURITY] [DSA 2564-1] tinyproxy security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2012-10-23T17:17:55", "id": "DEBIAN:DSA-2564-1:C8ECA", "href": "https://lists.debian.org/debian-security-announce/2012/msg00208.html", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2017-07-24T12:51:19", "description": "The remote host is missing an update to tinyproxy\nannounced via advisory DSA 2564-1.", "cvss3": {}, "published": "2012-10-29T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2564-1 (tinyproxy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-3505"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:72536", "href": "http://plugins.openvas.org/nasl.php?oid=72536", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2564_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2564-1 (tinyproxy)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"gpernot discovered that Tinyproxy, a HTTP proxy, is vulnerable to a\ndenial of service by remote attackers by sending crafted request\nheaders.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.8.2-1squeeze3.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1.8.3-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.3-3.\n\nWe recommend that you upgrade your tinyproxy packages.\";\ntag_summary = \"The remote host is missing an update to tinyproxy\nannounced via advisory DSA 2564-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202564-1\";\n\nif(description)\n{\n script_id(72536);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2012-3505\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-29 10:20:07 -0400 (Mon, 29 Oct 2012)\");\n script_name(\"Debian Security Advisory DSA 2564-1 (tinyproxy)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"tinyproxy\", ver:\"1.8.2-1squeeze3\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tinyproxy\", ver:\"1.8.3-3\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:04", "description": "The remote host is missing an update to tinyproxy\nannounced via advisory DSA 2564-1.", "cvss3": {}, "published": "2012-10-29T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2564-1 (tinyproxy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-3505"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:136141256231072536", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231072536", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2564_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2564-1 (tinyproxy)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.72536\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2012-3505\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-29 10:20:07 -0400 (Mon, 29 Oct 2012)\");\n script_name(\"Debian Security Advisory DSA 2564-1 (tinyproxy)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202564-1\");\n script_tag(name:\"insight\", value:\"gpernot discovered that Tinyproxy, a HTTP proxy, is vulnerable to a\ndenial of service by remote attackers by sending crafted request\nheaders.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.8.2-1squeeze3.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1.8.3-3.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.3-3.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your tinyproxy packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to tinyproxy\nannounced via advisory DSA 2564-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"tinyproxy\", ver:\"1.8.2-1squeeze3\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"tinyproxy\", ver:\"1.8.3-3\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:16", "description": "Tinyproxy is prone to multiple remote denial-of-service\n vulnerabilities that affect the ", "cvss3": {}, "published": "2016-02-01T00:00:00", "type": "openvas", "title": "Tinyproxy < 1.8.4 Header Multiple Denial of Service Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, 
"cvelist": ["CVE-2012-3505"], "modified": "2018-11-12T00:00:00", "id": "OPENVAS:1361412562310111081", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310111081", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: sw_tinyproxy_55099.nasl 12313 2018-11-12 08:53:51Z asteins $\n#\n# Tinyproxy < 1.8.4 Header Multiple Denial of Service Vulnerabilities\n#\n# Authors:\n# Christian Fischer <info@schutzwerk.com>\n#\n# Copyright:\n# Copyright (c) 2016 SCHUTZWERK GmbH, http://www.schutzwerk.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:banu:tinyproxy\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.111081\");\n script_version(\"$Revision: 12313 $\");\n script_cve_id(\"CVE-2012-3505\");\n script_bugtraq_id(55099);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-12 09:53:51 +0100 (Mon, 12 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-01 11:00:00 +0100 (Mon, 01 Feb 2016)\");\n script_name(\"Tinyproxy < 1.8.4 Header Multiple Denial of Service Vulnerabilities\");\n\n script_tag(name:\"summary\", 
value:\"Tinyproxy is prone to multiple remote denial-of-service\n vulnerabilities that affect the 'OpenSSL' extension.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"impact\", value:\"Successful attacks will cause the application to consume\n excessive memory, creating a denial-of-service condition.\");\n script_tag(name:\"affected\", value:\"Tinyproxy versions before 1.8.4\");\n script_tag(name:\"solution\", value:\"Upgrade to Tinyproxy 1.8.4.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/55099\");\n script_xref(name:\"URL\", value:\"https://tinyproxy.github.io/\");\n\n script_copyright(\"This script is Copyright (C) 2016 SCHUTZWERK GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Denial of Service\");\n script_dependencies(\"sw_tinyproxy_detect.nasl\");\n script_mandatory_keys(\"tinyproxy/installed\");\n script_require_ports(\"Services/http_proxy\", 8888);\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! 
vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"1.8.4\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"1.8.4\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:49", "description": "Crash on request headers parsing.", "edition": 1, "cvss3": {}, "published": "2012-10-28T00:00:00", "type": "securityvulns", "title": "tinyproxy proxy server DoS", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2012-10-28T00:00:00", "id": "SECURITYVULNS:VULN:12668", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12668", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:46", "description": "\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2564-1 security@debian.org\r\nhttp://www.debian.org/security/ Thijs Kinkhorst\r\nOctober 23, 2012 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : tinyproxy\r\nVulnerability : denial of service\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2012-3505\r\nDebian Bug : 685281\r\n\r\ngpernot discovered that 
Tinyproxy, a HTTP proxy, is vulnerable to a\r\ndenial of service by remote attackers by sending crafted request\r\nheaders.\r\n\r\nFor the stable distribution (squeeze), this problem has been fixed in\r\nversion 1.8.2-1squeeze3.\r\n\r\nFor the testing distribution (wheezy), this problem has been fixed in\r\nversion 1.8.3-3.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1.8.3-3.\r\n\r\nWe recommend that you upgrade your tinyproxy packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n", "edition": 1, "cvss3": {}, "published": "2012-10-28T00:00:00", "title": "[SECURITY] [DSA 2564-1] tinyproxy security update", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2012-10-28T00:00:00", "id": 
"SECURITYVULNS:DOC:28682", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28682", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debiancve": [{"lastseen": "2022-10-20T06:08:32", "description": "Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger hash collisions predictably. bucket.", "cvss3": {}, "published": "2012-10-09T23:55:00", "type": "debiancve", "title": "CVE-2012-3505", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2012-10-09T23:55:00", "id": "DEBIANCVE:CVE-2012-3505", "href": "https://security-tracker.debian.org/tracker/CVE-2012-3505", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T14:28:00", "description": "Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of\nservice (CPU and memory consumption) via (1) a large number of headers or\n(2) a large number of forged headers that trigger hash collisions\npredictably. 
bucket.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985>\n * <https://banu.com/bugzilla/show_bug.cgi?id=110#c2>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685281>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=849368>\n", "cvss3": {}, "published": "2012-10-09T00:00:00", "type": "ubuntucve", "title": "CVE-2012-3505", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2012-10-09T00:00:00", "id": "UB:CVE-2012-3505", "href": "https://ubuntu.com/security/CVE-2012-3505", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:36", "description": "It was discovered that a remote attacker is able to cause a denial of\nservice (CPU and memory consumption) via (1) a large number of headers\nor (2) a large number of forged headers that predictably trigger hash\ncollisions.", "edition": 2, "cvss3": {}, "published": "2015-01-19T00:00:00", "type": "archlinux", "title": "tinyproxy: denial of service", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2012-3505"], "modified": "2015-01-19T00:00:00", "id": "ASA-201501-11", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000207.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "osv": [{"lastseen": "2022-08-10T07:09:34", "description": "\ngpernot discovered that Tinyproxy, a HTTP proxy, is vulnerable to a\ndenial of service by remote attackers by sending crafted request\nheaders.\n\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.8.2-1squeeze3.\n\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1.8.3-3.\n\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.8.3-3.\n\n\nWe recommend that you upgrade your tinyproxy packages.\n\n\n", "edition": 1, "cvss3": {}, "published": "2012-10-23T00:00:00", "type": "osv", "title": "tinyproxy - denial of service", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2022-08-10T07:08:58", "id": "OSV:DSA-2564-1", "href": "https://osv.dev/vulnerability/DSA-2564-1", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2022-03-23T12:37:18", "description": "Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger hash collisions predictably. 
bucket.", "cvss3": {}, "published": "2012-10-09T23:55:00", "type": "cve", "title": "CVE-2012-3505", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2013-10-10T19:25:00", "cpe": ["cpe:/a:banu:tinyproxy:1.6.1", "cpe:/a:banu:tinyproxy:1.8.2", "cpe:/a:banu:tinyproxy:1.6.0", "cpe:/a:banu:tinyproxy:1.6.2", "cpe:/a:banu:tinyproxy:1.6.4", "cpe:/a:banu:tinyproxy:1.5.0", "cpe:/a:banu:tinyproxy:1.8.3", "cpe:/a:banu:tinyproxy:1.6.5", "cpe:/a:banu:tinyproxy:1.7.0", "cpe:/a:banu:tinyproxy:1.5.3", "cpe:/a:banu:tinyproxy:1.5.2", "cpe:/a:banu:tinyproxy:1.6.3", "cpe:/a:banu:tinyproxy:1.7.1", "cpe:/a:banu:tinyproxy:1.8.1", "cpe:/a:banu:tinyproxy:1.8.0", "cpe:/a:banu:tinyproxy:1.5.1"], "id": "CVE-2012-3505", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3505", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:banu:tinyproxy:1.5.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:pre5:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:pre3:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:a:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:pre3:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:pre4:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.8.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:banu:tinyproxy:1.5.0:pre2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:pre1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:pre5:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:rc3:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:pre1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc7:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:pre3:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc6:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:pre4:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc10:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:pre6:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.2:rc2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:pre2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:pre2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc9:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:pre4:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.0:pre1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc8:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:pre6:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.5.1:rc4:*:*:*:*:*:*", "cpe:2.3:a:banu:tinyproxy:1.6.4:*:*:*:*:*:*:*"]}], 
"gentoo": [{"lastseen": "2022-01-17T19:09:36", "description": "### Background\n\nTinyproxy is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems. \n\n### Description\n\nA vulnerability has been discovered in the way how Tinyproxy works with headers. \n\n### Impact\n\nA remote attacker could send a specially crafted request with too many headers, possibly resulting in a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Tinyproxy users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-proxy/tinyproxy-1.8.3-r3\"", "cvss3": {}, "published": "2013-12-23T00:00:00", "type": "gentoo", "title": "Tinyproxy: Denial of service", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-3505"], "modified": "2013-12-23T00:00:00", "id": "GLSA-201312-15", "href": "https://security.gentoo.org/glsa/201312-15", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}