CVE-2020-25219

CVE-2020-25219

Name

CVE-2020-25219

Description

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Exploit	https://github.com/libproxy/libproxy/issues/134
Third Party Advisory	https://lists.debian.org/debian-lts-announce/2020/09/msg00012.html
UBUNTU	https://usn.ubuntu.com/4514-1/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNID6EZVOVH7EZB7KFU2EON54CFDIVUR/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JF5JSONJNO64ARWRVOS6K6HSIPHEF3H2/
FEDORA	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSVZAAVHBJR3Z4MZNR55QW3OQFAS2STH/
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00030.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00033.html
DEBIAN	https://www.debian.org/security/2020/dsa-4800

Type

URI

Exploit

https://github.com/libproxy/libproxy/issues/134

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2020/09/msg00012.html

UBUNTU

https://usn.ubuntu.com/4514-1/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNID6EZVOVH7EZB7KFU2EON54CFDIVUR/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JF5JSONJNO64ARWRVOS6K6HSIPHEF3H2/

FEDORA

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSVZAAVHBJR3Z4MZNR55QW3OQFAS2STH/

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00030.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00033.html

DEBIAN

https://www.debian.org/security/2020/dsa-4800

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:libproxy_project:libproxy::::::::`	libproxy	>= 0.4.0	<= 0.4.15

CPE URI

Source package

Min version

Max version

cpe:2.3:a:libproxy_project:libproxy:*:*:*:*:*:*:*:*

libproxy

>= 0.4.0

<= 0.4.15

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
libproxy	3.11-main	0.4.15-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
libproxy	3.10-main	0.4.15-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

libproxy

3.11-main

0.4.15-r4

Natanael Copa <ncopa@alpinelinux.org>

possibly vulnerable

libproxy

3.10-main

0.4.15-r2

Natanael Copa <ncopa@alpinelinux.org>

possibly vulnerable

References

Match rules

Vulnerable and fixed packages