Date: Mon, 20 Jun 2022 14:10:13 GMT From: Li-Wen Hsu <lwhsu@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e6fdd8b6c34b - main - security/vuxml: Add CVE-2022-24766 for www/mitmproxy Message-ID: <202206201410.25KEADGN013684@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by lwhsu: URL: https://cgit.FreeBSD.org/ports/commit/?id=e6fdd8b6c34ba8a5b747cbbf35b252d934b75785 commit e6fdd8b6c34ba8a5b747cbbf35b252d934b75785 Author: Hung-Yi Chen <gaod@hychen.org> AuthorDate: 2022-06-20 14:07:06 +0000 Commit: Li-Wen Hsu <lwhsu@FreeBSD.org> CommitDate: 2022-06-20 14:09:26 +0000 security/vuxml: Add CVE-2022-24766 for www/mitmproxy PR: 264782 --- security/vuxml/vuln-2022.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 7d2f678350eb..869f4468d15b 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,42 @@ + <vuln vid="ad37a349-ebb7-11ec-b9f7-21427354249d"> + <topic>mitmproxy -- Insufficient Protection against HTTP Request Smuggling</topic> + <affects> + <package> + <name>mitmproxy</name> + <range><lt>8.0.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Zeyu Zhang reports:</p> + <blockquote cite="https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b">; + <p> + In mitmproxy 7.0.4 and below, a malicious client or server is able to + perform HTTP request smuggling attacks through mitmproxy. This means + that a malicious client/server could smuggle a request/response through + mitmproxy as part of another request/response's HTTP message body. While + mitmproxy would only see one request, the target server would see + multiple requests. A smuggled request is still captured as part of + another request's body, but it does not appear in the request list and + does not go through the usual mitmproxy event hooks, where users may + have implemented custom access control checks or input sanitization. + </p> + <p> + Unless you use mitmproxy to protect an HTTP/1 service, no action is required. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-24766</cvename> + <url>https://github.com/mitmproxy/mitmproxy/commit/b06fb6d157087d526bd02e7aadbe37c56865c71b</url>; + </references> + <dates> + <discovery>2022-03-21</discovery> + <entry>2022-06-20</entry> + </dates> + </vuln> + <vuln vid="5d1e4f6a-ee4f-11ec-86c2-485b3931c969"> <topic>Tor - Unspecified high severity vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202206201410.25KEADGN013684>