Source: tinyproxy
Version: 1.11.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for tinyproxy.

CVE-2026-54387[0]:
| Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to
| reconcile conflicting Content-Length and Transfer-Encoding: chunked
| headers, forwarding both verbatim to the backend while using
| Content-Length to determine how many request body bytes to consume.
| Remote attackers can desynchronize the proxy and backend parser
| state, allowing injection of arbitrary HTTP requests to the backend
| to enable cache poisoning, access control bypass, and request
| hijacking.

CVE-2026-54388[1]:
| Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject
| requests containing multiple Content-Length headers with differing
| values, forwarding all duplicate headers to the backend while using
| the first value to determine how many request body bytes to consume.
| Remote attackers can desynchronize the proxy and backend parser
| state, allowing injection of arbitrary HTTP requests to the backend
| to enable cache poisoning, access control bypass, and request
| hijacking.

CVE-2026-55202[2]:
| Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly
| validate the Host header during stathost detection, allowing
| unauthenticated attackers to access the stats page by injecting a
| matching Host header or bypass detection via port manipulation.
| Remote attackers can trigger unauthorized access to internal proxy
| statistics or misroute requests as transparent proxy connections to
| circumvent access controls.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54387
    https://www.cve.org/CVERecord?id=CVE-2026-54387
[1] https://security-tracker.debian.org/tracker/CVE-2026-54388
    https://www.cve.org/CVERecord?id=CVE-2026-54388
[2] https://security-tracker.debian.org/tracker/CVE-2026-55202
    https://www.cve.org/CVERecord?id=CVE-2026-55202

Regards,
Salvatore
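As an added example (not tinyproxy's code and not part of this report), the header reconciliation step that CVE-2026-54387 and CVE-2026-54388 describe as missing: a C check that rejects a request when Content-Length and Transfer-Encoding are both present, or when duplicate Content-Length headers disagree, before any header is forwarded to the backend. It assumes header lines are already split with CRLF stripped, treats any Transfer-Encoding as chunked framing, and rejects list-form or non-numeric Content-Length values as malformed; the function and result names are my own.

```c
#include <ctype.h>
#include <stdlib.h>

/* Outcome of reconciling a request's body-framing headers. */
enum framing_result {
    FRAMING_LENGTH = 0,          /* body length is *body_len (0 if no Content-Length) */
    FRAMING_CHUNKED = 1,         /* Transfer-Encoding present, no Content-Length */
    FRAMING_CL_MISMATCH = -1,    /* multiple Content-Length headers that disagree */
    FRAMING_CL_TE_CONFLICT = -2, /* Content-Length and Transfer-Encoding both present */
    FRAMING_CL_INVALID = -3      /* Content-Length value is not a non-negative integer */
};

/* Case-insensitive field-name match; returns the value with leading
 * whitespace skipped, or NULL if this line carries a different field. */
static const char *field_value(const char *line, const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return NULL;
    if (line[i] != ':') return NULL;
    for (i++; line[i] == ' ' || line[i] == '\t'; i++) {}
    return line + i;
}

/* Reconcile framing headers before anything is forwarded. `lines` are header
 * lines with CRLF stripped. On success *body_len is the byte count to consume
 * (-1 for chunked). A negative result means: reject the request instead of
 * forwarding conflicting headers to the backend. */
enum framing_result validate_framing(const char *const *lines, size_t count, long *body_len)
{
    int have_cl = 0, have_te = 0; long cl = 0;
    for (size_t i = 0; i < count; i++) {
        const char *v = field_value(lines[i], "Content-Length");
        if (v != NULL) {
            char *end;
            long n = strtol(v, &end, 10);
            if (end == v || n < 0 || (*end != '\0' && !isspace((unsigned char)*end)))
                return FRAMING_CL_INVALID;
            if (have_cl && n != cl) return FRAMING_CL_MISMATCH; /* CVE-2026-54388 case */
            have_cl = 1; cl = n;
        } else if (field_value(lines[i], "Transfer-Encoding") != NULL) {
            have_te = 1;
        }
    }
    if (have_cl && have_te) return FRAMING_CL_TE_CONFLICT; /* CVE-2026-54387 case */
    if (body_len != NULL) *body_len = have_te ? -1 : cl;
    return have_te ? FRAMING_CHUNKED : FRAMING_LENGTH;
}
```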

