Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tinyproxy for openSUSE:Factory checked in at 2026-06-18 18:44:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tinyproxy (Old) and /work/SRC/openSUSE:Factory/.tinyproxy.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tinyproxy" Thu Jun 18 18:44:27 2026 rev:24 rq:1360242 version:1.11.3 Changes: -------- --- /work/SRC/openSUSE:Factory/tinyproxy/tinyproxy.changes 2026-03-31 16:28:26.642313062 +0200 +++ /work/SRC/openSUSE:Factory/.tinyproxy.new.1981/tinyproxy.changes 2026-06-18 18:45:14.416600096 +0200 @@ -1,0 +2,10 @@ +Thu Jun 18 07:03:13 UTC 2026 - Jan Engelhardt <[email protected]> + +- Add 0001-reqs-prevent-request-smuggling-via-both-content-leng.patch + 0001-reqs-prevent-multiple-content-lengths-getting-emitte.patch + [boo#1268474, CVE-2026-54387] + [boo#1268475, CVE-2026-54388] +- Add 0001-reqs-improve-stathost-detection-606.patch + [boo#1268476, CVE-2026-55202] + +------------------------------------------------------------------- New: ---- 0001-reqs-improve-stathost-detection-606.patch 0001-reqs-prevent-multiple-content-lengths-getting-emitte.patch 0001-reqs-prevent-request-smuggling-via-both-content-leng.patch ----------(New B)---------- New: [boo#1268475, CVE-2026-54388] - Add 0001-reqs-improve-stathost-detection-606.patch [boo#1268476, CVE-2026-55202] New:- Add 0001-reqs-prevent-request-smuggling-via-both-content-leng.patch 0001-reqs-prevent-multiple-content-lengths-getting-emitte.patch [boo#1268474, CVE-2026-54387] New: - Add 0001-reqs-prevent-request-smuggling-via-both-content-leng.patch 0001-reqs-prevent-multiple-content-lengths-getting-emitte.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tinyproxy.spec ++++++ --- /var/tmp/diff_new_pack.4XLrOm/_old 2026-06-18 18:45:16.364681496 +0200 +++ /var/tmp/diff_new_pack.4XLrOm/_new 2026-06-18 18:45:16.372681830 +0200 
@@ -26,6 +26,9 @@
 Source: https://github.com/tinyproxy/tinyproxy/releases/download/%version/%name-%version.tar.xz
 Source1: %name.logrotate
 Patch1: 0001-reqs-prevent-potential-int-overflow-when-parsing-chu.patch
+Patch2: 0001-reqs-prevent-request-smuggling-via-both-content-leng.patch
+Patch3: 0001-reqs-prevent-multiple-content-lengths-getting-emitte.patch
+Patch4: 0001-reqs-improve-stathost-detection-606.patch
 BuildRequires: systemd-rpm-macros
 BuildRequires: sysuser-tools
 BuildRequires: xz
++++++ 0001-reqs-improve-stathost-detection-606.patch ++++++
>From 09312a185ae25cc486b4ff5987638a7917a48bce Mon Sep 17 00:00:00 2001
From: rofl0r <[email protected]>
Date: Sat, 18 Apr 2026 00:03:15 +0200
Subject: [PATCH] reqs: improve stathost detection (#606)
until now, only the basicauth code checked the host header, regular connections didn't. - add a new helper function to compare a hostname with optional trailingcolon/port against the stathost. - add stathost check via host header before transparent proxy check, else stathost might be misdetected as a trans host request. - refactor existing stathost checks to use the new helper this should make it easier to access the stathost, for example by injecting a host header into a curl command line with -H: $ curl -H "Host: tinyproxy.stats" 127.0.0.1:8080 the stathost can also be specified as an ip address, e.g. Stathost "127.0.0.10" + a separate Listen statement for that ip. in such a case e.g. $ curl http://127.0.0.10:8080 would work too, even if curl didn't add a Host header (but it does anyway).
---
 src/reqs.c | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/src/reqs.c b/src/reqs.c
index a0fdd87..2e7542c 100644
--- a/src/reqs.c
+++ b/src/reqs.c
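Review bot: Patch2–Patch4 are declared here, but whether they are applied depends on the %prep section, which is outside this hunk; if %prep applies patches individually (`%patch1` / `%patch -P 1`) rather than via `%autosetup -p1` or `%autopatch -p1`, the three new files would ship in the source RPM without ever reaching the build, and the CVE entries in the changelog would describe a fix the binary does not contain. Worth confirming from the %prep log that all four patches apply. Note also that the declared order differs from upstream's commit order: the `index` lines chain stathost (`a0fdd87..2e7542c`) → smuggling (`2e7542c..ac30967`) → multiple content-lengths (`ac30967..0998324`), while the spec applies the smuggling patch first, so its `@@ -917` hunk lands with an offset; that is tolerated by patch fuzz today but is worth reordering (`Patch2` = stathost) to keep the series applying cleanly.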
@@ -316,6 +316,17 @@ static int send_connect_method_response (struct conn_s *connptr)
 connptr->protocol.minor);
 }
 
+/* determine whether a hostname with optional trailing colon/port is the
+ stathost */
+static int is_stathost (const char* host)
+{
+ const char *p = config->stathost;
+ const char *q = host;
+ if (!p || !q) return 0;
+ while (*p && *(p++) == *(q++));
+ return *p == 0 && (*q == 0 || *q == ':');
+}
+
 /*
 * Break the request line apart and figure out where to connect and
 * build a new request line. Finally connect to the remote server.
@@ -384,6 +395,16 @@ BAD_REQUEST_ERROR:
 goto fail;
 }
 
+ /*
+ * Check to see if they're requesting the stat host
+ */
+ if (is_stathost (pseudomap_find (hashofheaders, "host"))) {
+got_stathost:
+ log_message (LOG_NOTICE, "Request for the stathost.");
+ connptr->show_stats = TRUE;
+ goto fail;
+ }
+
 #ifdef REVERSE_SUPPORT
 if (config->reversepath_list != NULL) {
 /*
@@ -497,19 +518,11 @@ BAD_REQUEST_ERROR:
 }
 }
 #endif
-
-
- /*
- * Check to see if they're requesting the stat host
- */
- if (config->stathost && strcmp (config->stathost, request->host) == 0) {
- log_message (LOG_NOTICE, "Request for the stathost.");
- connptr->show_stats = TRUE;
- goto fail;
- }
+ /* check whether hostname from url is the stathost */
+ if (is_stathost (request->host))
+ goto got_stathost;
 
 safefree (url);
-
 return request;
 
fail:
@@ -1630,7 +1643,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 
 if (!authstring && config->stathost) {
 authstring = pseudomap_find (hashofheaders, "host");
- if (authstring && !strncmp(authstring, config->stathost, strlen(config->stathost))) {
+ if (authstring && is_stathost(authstring)) {
 authstring = pseudomap_find (hashofheaders, "authorization");
 stathost_connect = 1;
 } else authstring = 0;
-- 
2.54.0
++++++ 0001-reqs-prevent-multiple-content-lengths-getting-emitte.patch ++++++
>From 364cdb67e0ea00a8e4a7037e2693e0711e816adb Mon Sep 17 00:00:00 2001
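Review bot: `is_stathost` accepts a host that differs from `config->stathost` only in its final character: `while (*p && *(p++) == *(q++));` post-increments both pointers even on the mismatching byte, so after a last-character mismatch `*p` is already the terminator and `*p == 0 && (*q == 0 || *q == ':')` holds (with `Stathost tinyproxy.stats`, a Host of `tinyproxy.statz` or `tinyproxy.statz:8080` is treated as the stats host, and with a one-character stathost every one-character host matches). Since the second and third hunks route both the Host-header value and the request-URL host through this helper, and the last hunk uses it to choose the basicauth path in handle_connection, the loop should advance only on equal bytes: `while (*p && *p == *q) { p++; q++; }`. The helper's comment should also state the matching rule now that three callers depend on one definition, e.g. `/* true when host equals config->stathost exactly (case-sensitive), optionally followed by ":port" */`, since host names are conventionally compared case-insensitively and the stricter-than-before suffix check (no more prefix match as with the old strncmp) is deliberate. handle_connection and the function carrying the BAD_REQUEST_ERROR label start and end outside these hunks.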
From: rofl0r <[email protected]>
Date: Thu, 7 May 2026 16:39:48 +0000
Subject: [PATCH] reqs: prevent multiple content-lengths getting emitted
addressing point 2 of #609
---
 src/reqs.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/reqs.c b/src/reqs.c
index ac30967..0998324 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -643,6 +643,11 @@ add_header_to_connection (pseudomap *hashofheaders, char *header, size_t len)
 /* Calculate the new length of just the data */
 len -= sep - header - 1;
 
+ /* prevent multiple content-length headers from being inserted */
+ if (!strcasecmp(header, "content-length") &&
+ pseudomap_find (hashofheaders, "content-length"))
+ return 0;
+
 return pseudomap_append (hashofheaders, header, sep);
 }
 
-- 
2.54.0
++++++ 0001-reqs-prevent-request-smuggling-via-both-content-leng.patch ++++++
>From 623bfc093df009296f0b85d40bc677ef9d5c09bb Mon Sep 17 00:00:00 2001
From: rofl0r <[email protected]>
Date: Thu, 7 May 2026 16:33:11 +0000
Subject: [PATCH] reqs: prevent request smuggling via both content-length and chunked
addressing point 1 of #609
---
 src/reqs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/reqs.c b/src/reqs.c
index 2e7542c..ac30967 100644
--- a/src/reqs.c
+++ b/src/reqs.c
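Review bot: The guard keeps whichever Content-Length value arrived first and silently drops every later one, so a request carrying two Content-Length headers with different values is forwarded as a well-formed request using the first value, whereas RFC 7230 §3.3.3 has a recipient reject a message whose Content-Length values disagree; at minimum the drop should be visible to the operator, e.g. `log_message (LOG_WARNING, "Duplicate Content-Length header dropped");` before the `return 0;`, so such requests can be spotted in the logs. Treating the duplicate as `return 0` presumably mirrors the success value of `pseudomap_append`; if a non-zero return is that function's error signal, the comment should say the duplicate is deliberately not an error, e.g. `/* duplicate content-length: keep the first value, drop this one (not an error) */`. The `strcasecmp` on `header` assumes the name is NUL-terminated at the separator by code above this hunk; add_header_to_connection's body starts outside the hunk, so that could not be confirmed here.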
@@ -917,8 +917,13 @@ process_client_headers (struct conn_s *connptr, pseudomap *hashofheaders)
 connptr->content_length.client = get_content_length (hashofheaders);
 
 /* Check whether client sends chunked data. */
- if (connptr->content_length.client == -1 && is_chunked_transfer (hashofheaders))
+ if (is_chunked_transfer (hashofheaders)) {
+ if (connptr->content_length.client != -1)
+ /* request smuggling, see GH issue #609 */
+ pseudomap_remove (hashofheaders, "content-length");
+
 connptr->content_length.client = -2;
+ }
 
 /*
 * See if there is a "Connection" header. If so, we need to do a bit
-- 
2.54.0
++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.4XLrOm/_old 2026-06-18 18:45:16.556689519 +0200
+++ /var/tmp/diff_new_pack.4XLrOm/_new 2026-06-18 18:45:16.568690020 +0200
@@ -1,5 +1,5 @@
-mtime: 1774963273
-commit: 9486bb27c1f76e47c21d3b8e4b5d0664505f417c5533d131ea2fe2548f84c124
+mtime: 1781767182
+commit: 2858face4ed4ae03a364df4692193f6d1d7e6edf31ed0158b93ef92656a4b4f0
 url: https://src.opensuse.org/jengelh/tinyproxy
 revision: master
++++++ build.specials.obscpio ++++++
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-06-18 09:19:42.000000000 +0200
@@ -0,0 +1 @@
+.osc
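Review bot: The body of `if (connptr->content_length.client != -1)` is a single unbraced statement separated from its condition by a comment line, which is exactly the shape where a later-added statement silently falls outside the condition; brace it, `if (connptr->content_length.client != -1) { /* … */ pseudomap_remove (hashofheaders, "content-length"); }`. The comment should name the rule rather than only the issue number, e.g. `/* RFC 7230 §3.3.3: chunked Transfer-Encoding overrides Content-Length; drop Content-Length before forwarding so upstream delimits the body the same way we do */`. Stripping the header is the RFC-sanctioned option (rejecting the request is the other), but a `log_message (LOG_WARNING, "Request with both Content-Length and chunked Transfer-Encoding; dropping Content-Length");` on this path would let operators notice such requests, and whether `is_chunked_transfer` also requires chunked to be the final transfer coding is not visible from this hunk. process_client_headers starts and ends outside the hunk.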
