mailing list archives
Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests
From: Juliusz Chroboczek <jch () pps jussieu fr>
Date: Thu, 06 Oct 2011 18:37:01 +0200
a denial of service flaw was found in the way Polipo, a lightweight
caching web proxy, processed certain HTTP POST / PUT requests. If
polipo was configured to allow remote client connections and particular
host was allowed to connect to polipo server instance, a remote
attacker could use this flaw to cause denial of service (polipo daemon
abort due to assertion failure) via specially-crafted HTTP POST / PUT
Yes, this is a known bug with Polipo 1.0.4 and 220.127.116.11. I believe that
it is fixed in the Git trunk, which is unfortunately not ready to be
released (and might never be unless a maintainer is found).
At any rate, I do not recommend running Polipo as a publicly accessible
proxy. While I have made reasonable efforts to ensure that this is
safe, Polipo was not designed for that.