Updated tinyproxy packages are available for SUSE Linux Enterprise 15 SP5:

openSUSE-SU-2024:0119-1: important: Security update for tinyproxy

openSUSE-SU-2024:0119-1: important: Security update for tinyproxy

openSUSE Security Update: Security update for tinyproxy
_______________________________

Announcement ID: openSUSE-SU-2024:0119-1
Rating: important
References: #1200028 #1203553 #1223743 #1223746
Cross-References: CVE-2012-3505 CVE-2017-11747 CVE-2022-40468
CVE-2023-40533 CVE-2023-49606
CVSS scores:
CVE-2017-11747 (NVD) : 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-40468 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2022-40468 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2023-40533 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for tinyproxy fixes the following issues:

- Update to release 1.11.2
* Fix potential use-after-free in header handling [CVE-2023-49606,
boo#1223746]
* Prevent junk from showing up in error page in invalid requests
[CVE-2022-40468, CVE-2023-40533, boo#1223743]

- Move tinyproxy program to /usr/bin.

- Update to release 1.11.1
* New fnmatch based filtertype

- Update to release 1.11
* Support for multiple bind directives.

- update to 1.10.0:
* Configuration file has moved from /etc/tinyproxy.conf to
/etc/tinyproxy/tinyproxy.conf.
* Add support for basic HTTP authentication
* Add socks upstream support
* Log to stdout if no logfile is specified
* Activate reverse proxy by default
* Support bind with transparent mode
* Allow multiple listen statements in the configuration
* Fix CVE-2017-11747: Create PID file before dropping privileges.
* Fix CVE-2012-3505: algorithmic complexity DoS in hashmap
* Bugfixes
* BB#110: fix algorithmic complexity DoS in hashmap
* BB#106: fix CONNECT requests with IPv6 literal addresses as host
* BB#116: fix invalid free for GET requests to ipv6 literal address
* BB#115: Drop supplementary groups
* BB#109: Fix crash (infinite loop) when writing to log file fails
* BB#74: Create log and pid files after we drop privs
* BB#83: Use output of id instead of $USER

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-119=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

tinyproxy-1.11.2-bp155.3.3.1

References:

https://www.suse.com/security/cve/CVE-2012-3505.html
https://www.suse.com/security/cve/CVE-2017-11747.html
https://www.suse.com/security/cve/CVE-2022-40468.html
https://www.suse.com/security/cve/CVE-2023-40533.html
https://www.suse.com/security/cve/CVE-2023-49606.html
https://bugzilla.suse.com/1200028
https://bugzilla.suse.com/1203553
https://bugzilla.suse.com/1223743
https://bugzilla.suse.com/1223746