FreeBSD Bugzilla – Attachment 234809 Details for
Bug 264782
security/vuxml: add CVE entries related to www/mitmproxy
[patch]
add CVE entries related to www/mitmproxy
vuxml.patch (text/plain), 2.06 KB, created by
Hung-Yi Chen
on 2022-06-20 08:27:20 UTC
Description:
add CVE entries related to www/mitmproxy
>diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml >index 37fbce5754b7..e271df42746b 100644 >--- a/security/vuxml/vuln-2022.xml >+++ b/security/vuxml/vuln-2022.xml >@@ -1,3 +1,42 @@ >+ <vuln vid="ad37a349-ebb7-11ec-b9f7-21427354249d"> >+ <topic>mitmproxy -- Insufficient Protection against HTTP Request Smuggling</topic> >+ <affects> >+ <package> >+ <name>mitmproxy</name> >+ <range><lt>8.0.0</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Zeyu Zhang reports:</p> >+ <blockquote cite="https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b"> >+ <p> >+ In mitmproxy 7.0.4 and below, a malicious client or server is able to >+ perform HTTP request smuggling attacks through mitmproxy. This means >+ that a malicious client/server could smuggle a request/response through >+ mitmproxy as part of another request/response's HTTP message body. While >+ mitmproxy would only see one request, the target server would see >+ multiple requests. A smuggled request is still captured as part of >+ another request's body, but it does not appear in the request list and >+ does not go through the usual mitmproxy event hooks, where users may >+ have implemented custom access control checks or input sanitization. >+ </p> >+ <p> >+ Unless you use mitmproxy to protect an HTTP/1 service, no action is required. >+ </p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2022-24766</cvename> >+ <url>https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b</url> >+ </references> >+ <dates> >+ <discovery>2022-03-21</discovery> >+ <entry>2022-06-14</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="55cff5d2-e95c-11ec-ae20-001999f8d30b"> > <topic>XFCE -- Allows executing malicious .desktop files pointing to remote code</topic> > <affects>
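Review bot: the `<entry>` date in the new `<dates>` block is 2022-06-14, which is already earlier than this attachment's creation date (2022-06-20), so it cannot be the date the entry lands in the tree; set `<entry>` to the actual commit date when this is committed. In the `<affects>` block, the range is `<lt>8.0.0</lt>` while the quoted text only says "7.0.4 and below"; that is consistent only if 8.0.0 is the first fixed release, so please confirm that against the referenced commit and make sure `<name>mitmproxy</name>` matches the package name the port actually installs, otherwise the entry will never match an installed package. The `<blockquote cite=...>` and the sole `<url>` both point at the fix commit; if the quoted paragraphs come from a separate advisory, cite and reference that document as well so the quotation can be verified.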