openSUSE 15 Security Update : tinyproxy (openSUSE-SU-2024:0119-1)

high Nessus Plugin ID 195342

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2024:0119-1 advisory.

- Update to release 1.11.2
* Fix potential use-after-free in header handling [CVE-2023-49606, boo#1223746]
* Prevent junk from showing up in error page in invalid requests [CVE-2022-40468, CVE-2023-40533, boo#1223743]

- Move tinyproxy program to /usr/bin.

- Update to release 1.11.1
* New fnmatch based filtertype

- Update to release 1.11
* Support for multiple bind directives.

- Update to release 1.10.0
* Configuration file has moved from /etc/tinyproxy.conf to /etc/tinyproxy/tinyproxy.conf.
* Add support for basic HTTP authentication
* Add socks upstream support
* Log to stdout if no logfile is specified
* Activate reverse proxy by default
* Support bind with transparent mode
* Allow multiple listen statements in the configuration
* Fix CVE-2017-11747: Create PID file before dropping privileges.
* Fix CVE-2012-3505: algorithmic complexity DoS in hashmap
* Bugfixes
* BB#110: fix algorithmic complexity DoS in hashmap
* BB#106: fix CONNECT requests with IPv6 literal addresses as host
* BB#116: fix invalid free for GET requests to ipv6 literal address
* BB#115: Drop supplementary groups
* BB#109: Fix crash (infinite loop) when writing to log file fails
* BB#74: Create log and pid files after we drop privs
* BB#83: Use output of id instead of $USER

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
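Because the plugin decides purely from the installed package version, the same check can be reproduced from an `rpm -qa` listing without running Nessus. The script below is an added example and is not Tenable's plugin code: it reimplements RPM's version ordering (rpmvercmp, including the `~` pre-release separator) so that comparisons behave like the package manager's, parses name-version-release.arch strings, and flags any tinyproxy build whose upstream version is below 1.11.2, the release the advisory names as carrying the fixes. The rpm-list lines and their `bp155.*` release tags are constructed sample input; the openSUSE package release string of the fixed build is not given on this page, so only the upstream version is compared, which would miss a distribution backport that kept an older version number.

```python
"""Flag tinyproxy builds older than the fixed upstream release in an rpm listing.

Added example; not the Nessus plugin's code. Mirrors the plugin's approach:
compare the installed version string against the advisory's fixed release.
"""

PACKAGE = "tinyproxy"
FIXED_VERSION = "1.11.2"  # upstream release the advisory says carries the fixes

# Constructed sample of `rpm -qa` output; release tags are illustrative only.
SAMPLE_RPM_LIST = """\
tinyproxy-1.11.1-bp155.2.3.1.x86_64
tinyproxy-1.11.2-bp155.2.6.1.x86_64
tinyproxy-1.10.0-bp155.1.9.x86_64
openssl-3-3.1.4-150600.5.1.x86_64
"""


def _run(s: str, start: int, pred) -> str:
    """Return the maximal run of characters from `start` satisfying `pred`."""
    end = start
    while end < len(s) and pred(s[end]):
        end += 1
    return s[start:end]


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version strings like rpm's rpmvercmp: -1, 0 or 1.

    Segments are runs of digits or letters; separators are ignored; numeric
    segments compare as integers and beat alphabetic ones; a '~' sorts before
    anything, including end of string (so 1.11.2~rc1 < 1.11.2).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters (anything not alnum or '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        sa, sb = _run(a, i, pred), _run(b, j, pred)
        if not sb:
            # Segment types differ: the numeric side is the newer version.
            return 1 if numeric else -1
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nevra(line: str):
    """Split 'name-version-release.arch' into (name, version, release, arch).

    Package names may contain '-', so split from the right.
    """
    name, version, rel_arch = line.strip().rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def vulnerable_tinyproxy(rpm_list: str) -> list:
    """Return the rpm-list entries for tinyproxy builds below FIXED_VERSION."""
    hits = []
    for line in rpm_list.splitlines():
        if not line.strip():
            continue
        name, version, _release, _arch = parse_nevra(line)
        if name == PACKAGE and rpmvercmp(version, FIXED_VERSION) < 0:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for entry in vulnerable_tinyproxy(SAMPLE_RPM_LIST):
        print("affected:", entry)
```

On a real host, feed it the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`. As the Tenable note says, a version comparison proves only that the package predates the fix, not that the proxy is reachable or exploitable on this host.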

Solution

Update the affected tinyproxy package.

See Also

https://bugzilla.suse.com/1200028

https://bugzilla.suse.com/1203553

https://bugzilla.suse.com/1223743

https://bugzilla.suse.com/1223746

http://www.nessus.org/u?6a400329

https://www.suse.com/security/cve/CVE-2012-3505

https://www.suse.com/security/cve/CVE-2017-11747

https://www.suse.com/security/cve/CVE-2022-40468

https://www.suse.com/security/cve/CVE-2023-49606

Plugin Details

Severity: High

ID: 195342

File Name: openSUSE-2024-0119-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 5/11/2024

Updated: 9/23/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2012-3505

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-40468

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:tinyproxy, cpe:/o:novell:opensuse:15.5

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/10/2024

Vulnerability Publication Date: 8/20/2012

Reference Information

CVE: CVE-2012-3505, CVE-2017-11747, CVE-2022-40468, CVE-2023-49606