Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 06 Oct 2011 18:37:01 +0200
From: Juliusz Chroboczek <>
Cc: "Steven M. Christey" <>
Subject: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests

>   a denial of service flaw was found in the way Polipo, a lightweight
> caching web proxy, processed certain HTTP POST / PUT requests. If
> polipo was configured to allow remote client connections and particular
> host was allowed to connect to polipo server instance, a remote
> attacker could use this flaw to cause denial of service (polipo daemon
> abort due to assertion failure) via specially-crafted HTTP POST / PUT
> request.

Yes, this is a known bug with Polipo 1.0.4 and  I believe that
it is fixed in the Git trunk, which is unfortunately not ready to be
released (and might never be unless a maintainer is found).

At any rate, I do not recommend running Polipo as a publicly accessible
proxy.  While I have made reasonable efforts to ensure that this is
safe, Polipo was not designed for that.


-- Juliusz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.