[00:14] <Unit193> Debian confirmed/concluded that the one of the recent CVEs filed against tinyproxy is a duplicate of one already fixed in stable and in Ubuntu's LTS, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070395#12.  It'd be good if Ubuntu could mark CVE-2023-40533 as a duplicate of CVE-2022-40468 too.
[00:14] -ubottu:#ubuntu-security- Debian bug 1070395 in src:tinyproxy "tinyproxy: CVE-2023-49606" [Grave, Fixed]
[00:14] -ubottu:#ubuntu-security- ** REJECT ** This CVE ID is a duplicate of CVE-2022-40468 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40533>
[00:14] -ubottu:#ubuntu-security- Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in process_request() function. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40468>
[00:14] <Unit193> Oh, hah.
[00:16] <Unit193> That still leaves CVE-2023-49606 open anyway, which is far more critical.
[00:16] -ubottu:#ubuntu-security- A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49606>
[00:16] <Unit193> (https://launchpad.net/ubuntu/+source/tinyproxy/1.11.1-4)
[05:26] <sudhackar> hey mcphail: did you get a reply to your ask earlier?
[05:46] <mcphail> sudhackar: no
[06:42] <ebarretto> amurray, fyi ^ 
[07:40] <amurray> mcphail: apologies for the delay on this - I am just now trying to get confirmation from the associated dev team - will let you know ASAP but I hope it shouldn't be more than 1 or 2 weeks at most
[08:16] <mcphail> Cheers amurray :)