A denial of service flaw was found in the way Polipo, a lightweight caching web proxy, processed certain HTTP POST / PUT requests. If polipo was configured to allow remote client connections and a particular host was allowed to connect to the polipo server instance, a remote attacker could use this flaw to cause a denial of service (polipo daemon abort due to assertion failure) via a specially-crafted HTTP POST / PUT request.

References:
[1] http://seclists.org/fulldisclosure/2011/Oct/10
[2] https://bugs.gentoo.org/show_bug.cgi?id=385307
Created attachment 526009
Local copy of the reproducer / PoC file from [1]
This issue affects the versions of the polipo package, as shipped with Fedora releases 14 and 15. Please schedule an update once the final upstream patch is ready.
--
This issue affects the versions of the polipo package, as present within the EPEL-5 and EPEL-6 repositories. Please schedule an update once the final upstream patch is ready.
CVE Request: [3] http://www.openwall.com/lists/oss-security/2011/10/03/1
Created polipo tracking bugs for this issue
Affects: fedora-all [bug 742897]
Affects: epel-all [bug 742898]
This issue has been assigned the name CVE-2011-3596: http://www.openwall.com/lists/oss-security/2011/10/04/8
According to a post on oss-security [1], this is the fix for this flaw:
https://gitweb.torproject.org/chrisd/polipo.git/commitdiff/0e2b44af619e46e365971ea52b97457bc0778cd3
But it is not yet on the github master.

[1] http://www.openwall.com/lists/oss-security/2011/10/07/8