Overview
A format string vulnerability in the simpleproxy TCP proxy may allow a remote attacker to execute arbitrary code on a vulnerable system.
Description
simpleproxy, a basic open source TCP proxy, contains a format string vulnerability in an unspecified HTTP proxy request handling routine. If a remote attacker sends simpleproxy a specially crafted HTTP request, they may be able to execute arbitrary code on a vulnerable system. |
Impact
A remote attacker may be able to execute arbitrary code with the privileges of the simpleproxy process. |
Solution
Upgrade Upgrading to simpleproxy version 3.4 corrects this problem. |
Vendor Information
Debian Linux
Notified: September 02, 2005 Updated: September 02, 2005
Status
Vulnerable
Vendor Statement
The old stable distribution (woody) is not affected.
For the stable distribution (sarge) this problem has been fixed in version 3.2-3sarge1.
For the unstable distribution (sid) this problem has been fixed in version 3.2-4.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
simpleproxy
Updated: September 01, 2005
Status
Vulnerable
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
From simpleproxy version 3.4 ChangeLog:
2005-08-22 Vadim Zaliva <lord@zembla.local>
* simpleproxy.c (log): Patch from Ulf Harnhammar
<metaur@telia.com> to avoid security vulnerability which could
have been exploited through replies from remote HTTP proxies.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer, Inc.
Notified: September 02, 2005 Updated: October 10, 2005
Status
Not Vulnerable
Vendor Statement
Mac OS X does not ship with simpleproxy.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenWall Linux
Notified: September 02, 2005 Updated: September 06, 2005
Status
Not Vulnerable
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We do not package simpleproxy.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems, Inc.
Notified: September 02, 2005 Updated: September 06, 2005
Status
Not Vulnerable
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
EMC, Inc. (formerly Data General Corporation)
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Engarde Secure Linux
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Limited
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Internetworking
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Corporation
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Corporation (zseries)
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM eServer
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Immunix Communications, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Ingrian, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MontaVista Software
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Novell
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
QNX, Software Systems, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat Software, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Computer Systems, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Silicon Graphics, Inc.
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSe
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO Linux)
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO UnixWare)
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Turbolinux
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
UNISYS
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems
Notified: September 02, 2005 Updated: September 02, 2005
Status
Unknown
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A |
References
Credit
This vulnerability was reported by Ulf Harnhammar
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2005-1857 |
| Severity Metric: | 5.84 |
| Date Public: | 2005-08-26 |
| Date First Published: | 2005-09-02 |
| Date Last Updated: | 2005-10-10 17:31 UTC |
| Document Revision: | 19 |