{"id":"MGASA-2025-0003","summary":"Updated tinyproxy packages fix security vulnerabilities","details":"Potential leak of left-over heap data if custom error page templates\ncontaining special non-standard variables are used. Tinyproxy commit\n84f203f and earlier use uninitialized buffers in process_request()\nfunction.. (CVE-2022-40468)\nA use-after-free vulnerability exists in the HTTP Connection Headers\nparsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted\nHTTP header can trigger reuse of previously freed memory, which leads to\nmemory corruption and could lead to remote code execution. An attacker\nneeds to make an unauthenticated HTTP request to trigger this\nvulnerability. (CVE-2023-49606)\n","modified":"2026-02-04T04:24:25.224644Z","published":"2025-01-10T19:54:34Z","related":["CVE-2022-40468","CVE-2023-49606"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0003.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33206"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2024/05/07/1"},{"type":"REPORT","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OM62U7F2OTTTTR4PTM6RV3UAOCUHRC75/"},{"type":"REPORT","url":"https://lwn.net/Articles/990818/"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-7140-1"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-7190-1"}],"affected":[{"package":{"name":"tinyproxy","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/tinyproxy?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10.0-3.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0003.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}