acl.c in Tinyproxy before 1.8.3, when an Allow configuration setting specifies a CIDR block, permits TCP connections from all IP addresses, which makes it easier for remote attackers to hide the origin of web traffic by leveraging the open HTTP proxy server.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tinyproxy | Banu | * | 1.8.2 (including) |
| Tinyproxy | Banu | 1.5.0 (including) | 1.5.0 (including) |
| Tinyproxy | Banu | 1.5.0-pre1 (including) | 1.5.0-pre1 (including) |
| Tinyproxy | Banu | 1.5.0-pre2 (including) | 1.5.0-pre2 (including) |
| Tinyproxy | Banu | 1.5.0-pre3 (including) | 1.5.0-pre3 (including) |
| Tinyproxy | Banu | 1.5.0-pre4 (including) | 1.5.0-pre4 (including) |
| Tinyproxy | Banu | 1.5.0-pre5 (including) | 1.5.0-pre5 (including) |
| Tinyproxy | Banu | 1.5.0-pre6 (including) | 1.5.0-pre6 (including) |
| Tinyproxy | Banu | 1.5.0-rc1 (including) | 1.5.0-rc1 (including) |
| Tinyproxy | Banu | 1.5.0-rc10 (including) | 1.5.0-rc10 (including) |
| Tinyproxy | Banu | 1.5.0-rc2 (including) | 1.5.0-rc2 (including) |
| Tinyproxy | Banu | 1.5.0-rc4 (including) | 1.5.0-rc4 (including) |
| Tinyproxy | Banu | 1.5.0-rc5 (including) | 1.5.0-rc5 (including) |
| Tinyproxy | Banu | 1.5.0-rc6 (including) | 1.5.0-rc6 (including) |
| Tinyproxy | Banu | 1.5.0-rc7 (including) | 1.5.0-rc7 (including) |
| Tinyproxy | Banu | 1.5.0-rc8 (including) | 1.5.0-rc8 (including) |
| Tinyproxy | Banu | 1.5.0-rc9 (including) | 1.5.0-rc9 (including) |
| Tinyproxy | Banu | 1.5.1 (including) | 1.5.1 (including) |
| Tinyproxy | Banu | 1.5.1-pre1 (including) | 1.5.1-pre1 (including) |
| Tinyproxy | Banu | 1.5.1-pre2 (including) | 1.5.1-pre2 (including) |
| Tinyproxy | Banu | 1.5.1-pre3 (including) | 1.5.1-pre3 (including) |
| Tinyproxy | Banu | 1.5.1-pre4 (including) | 1.5.1-pre4 (including) |
| Tinyproxy | Banu | 1.5.1-pre5 (including) | 1.5.1-pre5 (including) |
| Tinyproxy | Banu | 1.5.1-pre6 (including) | 1.5.1-pre6 (including) |
| Tinyproxy | Banu | 1.5.1-rc1 (including) | 1.5.1-rc1 (including) |
| Tinyproxy | Banu | 1.5.1-rc2 (including) | 1.5.1-rc2 (including) |
| Tinyproxy | Banu | 1.5.1-rc3 (including) | 1.5.1-rc3 (including) |
| Tinyproxy | Banu | 1.5.1-rc4 (including) | 1.5.1-rc4 (including) |
| Tinyproxy | Banu | 1.5.2 (including) | 1.5.2 (including) |
| Tinyproxy | Banu | 1.5.2-rc1 (including) | 1.5.2-rc1 (including) |
| Tinyproxy | Banu | 1.5.2-rc2 (including) | 1.5.2-rc2 (including) |
| Tinyproxy | Banu | 1.5.3 (including) | 1.5.3 (including) |
| Tinyproxy | Banu | 1.5.3-rc1 (including) | 1.5.3-rc1 (including) |
| Tinyproxy | Banu | 1.6.0 (including) | 1.6.0 (including) |
| Tinyproxy | Banu | 1.6.0-a (including) | 1.6.0-a (including) |
| Tinyproxy | Banu | 1.6.0-pre1 (including) | 1.6.0-pre1 (including) |
| Tinyproxy | Banu | 1.6.0-pre2 (including) | 1.6.0-pre2 (including) |
| Tinyproxy | Banu | 1.6.0-pre3 (including) | 1.6.0-pre3 (including) |
| Tinyproxy | Banu | 1.6.0-pre4 (including) | 1.6.0-pre4 (including) |
| Tinyproxy | Banu | 1.6.0-rc1 (including) | 1.6.0-rc1 (including) |
| Tinyproxy | Banu | 1.6.0-rc2 (including) | 1.6.0-rc2 (including) |
| Tinyproxy | Banu | 1.6.0-rc3 (including) | 1.6.0-rc3 (including) |
| Tinyproxy | Banu | 1.6.1 (including) | 1.6.1 (including) |
| Tinyproxy | Banu | 1.6.2 (including) | 1.6.2 (including) |
| Tinyproxy | Banu | 1.6.3 (including) | 1.6.3 (including) |
| Tinyproxy | Banu | 1.6.4 (including) | 1.6.4 (including) |
| Tinyproxy | Banu | 1.6.5 (including) | 1.6.5 (including) |
| Tinyproxy | Banu | 1.7.0 (including) | 1.7.0 (including) |
| Tinyproxy | Banu | 1.7.1 (including) | 1.7.1 (including) |
| Tinyproxy | Banu | 1.8.0 (including) | 1.8.0 (including) |
| Tinyproxy | Banu | 1.8.1 (including) | 1.8.1 (including) |
| Tinyproxy | Ubuntu | dapper | * |
| Tinyproxy | Ubuntu | hardy | * |
| Tinyproxy | Ubuntu | lucid | * |
| Tinyproxy | Ubuntu | maverick | * |
| Tinyproxy | Ubuntu | natty | * |
| Tinyproxy | Ubuntu | upstream | * |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493
- http://openwall.com/lists/oss-security/2011/04/07/9
- http://openwall.com/lists/oss-security/2011/04/08/3
- http://secunia.com/advisories/44274
- http://www.debian.org/security/2011/dsa-2222
- https://banu.com/bugzilla/show_bug.cgi?id=90
- https://banu.com/cgit/tinyproxy/diff/?id=e8426f6662dc467bd1d827100481b95d9a4a23e4
- https://bugzilla.redhat.com/show_bug.cgi?id=694658
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67256
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493
- http://openwall.com/lists/oss-security/2011/04/07/9
- http://openwall.com/lists/oss-security/2011/04/08/3
- http://secunia.com/advisories/44274
- http://www.debian.org/security/2011/dsa-2222
- https://banu.com/bugzilla/show_bug.cgi?id=90
- https://banu.com/cgit/tinyproxy/diff/?id=e8426f6662dc467bd1d827100481b95d9a4a23e4
- https://bugzilla.redhat.com/show_bug.cgi?id=694658
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67256