
[SECURITY] [DLA 2163-1] tinyproxy security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : tinyproxy
Version        : 1.8.3-3+deb8u1
CVE ID         : CVE-2017-11747
Debian Bug     : 870307 948283


A minor security issue and a severe packaging bug have been fixed in
tinyproxy, a lightweight HTTP proxy daemon.

CVE-2017-11747

  main.c in Tinyproxy created a /var/run/tinyproxy/tinyproxy.pid file
  after dropping privileges to a non-root account, which might have
  allowed local users to kill arbitrary processes by leveraging access
  to this non-root account for tinyproxy.pid modification before a root
  script executed a "kill `cat /run/tinyproxy/tinyproxy.pid`" command.

OTHER

  Furthermore, a severe flaw was discovered by Tim Duesterhus in
  Debian's init script for tinyproxy. If the PidFile option had been
  removed from the tiny.conf configuration file, the next run of
  logrotate (if installed) would have changed the owner of the system's
  root directory ("/") to tinyproxy:tinyproxy.
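
Both issues above come down to a privileged script trusting a pid file
and a configuration value without checking them. The following is an
added example, not tinyproxy's code and not Debian's init script, of the
checks such a script can make before it kills or chowns anything. The
function names, variable names and messages are this example's own; it
is Linux-specific because it reads /proc/PID/comm. The first function
only signals a pid whose file is owned by the invoking user (so a pid
file written after privileges were dropped, as in CVE-2017-11747, is
rejected, while one created before the privilege drop passes), whose
content is a plain pid, and whose command name is the expected daemon.
The second derives the pid-file directory from the configuration and
fails closed when the PidFile option is missing, so an empty variable
can never turn into a chown of "/".

```sh
#!/bin/sh
# Added example, not tinyproxy's code or Debian's init script: defensive pid-file
# handling for a privileged stop/rotate script. Linux-specific (uses /proc).
# Function names, variable names and the error messages are this example's own.

# safe_kill_from_pidfile PIDFILE EXPECTED_COMM [SIGNAL]
#
# Signals the pid recorded in PIDFILE only if every check passes; returns 1 and
# signals nothing otherwise. Checks, in order:
#   1. PIDFILE is a regular file owned by the invoking user. A daemon that writes
#      its pid file only after dropping privileges leaves a file owned by the
#      service account, which this check rejects; the fixed ordering (create the
#      pid file as root, then drop privileges) passes.
#   2. The content is a single integer greater than 1, so nothing else ever
#      reaches kill.
#   3. The process still exists and its command name (/proc/PID/comm) is the
#      expected daemon, which narrows the window for pid reuse.
safe_kill_from_pidfile() {
    pidfile=$1
    expected=$2
    sig=${3:-TERM}
    pid=""

    if [ ! -f "$pidfile" ] || [ ! -O "$pidfile" ]; then
        echo "refusing: $pidfile is missing, not a regular file, or not owned by us" >&2
        return 1
    fi

    # read returns non-zero when the file lacks a trailing newline but still assigns pid
    read -r pid < "$pidfile" || :
    case $pid in
        ''|*[!0-9]*)
            echo "refusing: pid file content is not a pid" >&2
            return 1 ;;
    esac
    if [ "$pid" -le 1 ]; then
        echo "refusing: pid $pid is not a plausible daemon pid" >&2
        return 1
    fi

    if [ ! -r "/proc/$pid/comm" ]; then
        echo "refusing: no running process with pid $pid" >&2
        return 1
    fi
    read -r comm < "/proc/$pid/comm"
    if [ "$comm" != "$expected" ]; then
        echo "refusing: pid $pid is '$comm', not '$expected'" >&2
        return 1
    fi

    kill -s "$sig" "$pid"
}

# pidfile_dir_from_config CONFIGFILE
#
# Prints the directory that holds the PidFile named in CONFIGFILE, for use in a
# mkdir/chown step. Returns 1 and prints nothing when the option is absent or is
# not an absolute path with a directory component, so a caller can never run
# "chown tinyproxy:tinyproxy" on "/" or "." because a variable expanded to nothing.
pidfile_dir_from_config() {
    conf=$1
    # first uncommented "PidFile <value>" line; surrounding quotes are stripped
    pf=$(awk '$1 == "PidFile" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    case $pf in
        /*/*) ;;
        *)
            echo "refusing: PidFile not set or not an absolute path in $conf" >&2
            return 1 ;;
    esac
    dir=${pf%/*}
    case $dir in
        ''|/)
            echo "refusing: PidFile directory resolves to the root directory" >&2
            return 1 ;;
    esac
    printf '%s\n' "$dir"
}
```

A stop target would call `safe_kill_from_pidfile "$(pidfile_dir_from_config /etc/tinyproxy/tinyproxy.conf)/tinyproxy.pid" tinyproxy` and treat a non-zero return as an error rather than falling back to an unguarded kill.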


For Debian 8 "Jessie", these problems have been fixed in version
1.8.3-3+deb8u1. The fixes were prepared by Mike Gabriel.

We recommend that you upgrade your tinyproxy packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh