SB2012120603 - Input validation error in tinyproxy (Alpine package)
Published: December 6, 2012
Security Bulletin ID
SB2012120603
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2012-3505)
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger hash collisions predictably.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=bb68f414c363d434f63d836ea89ca949dcd2f3be
- https://git.alpinelinux.org/aports/commit/?id=b9015f355a56e1ae6e7996ddbf4c09b78e5072eb
- https://git.alpinelinux.org/aports/commit/?id=d7c55cd683734666163de29824806a7096e998b3
- https://git.alpinelinux.org/aports/commit/?id=e6d0c480e639ebd423330b10f8ff0df492aedfab