<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Multiple DoS issues fixed in Privoxy 3.0.32 stable
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Sat, 6 Mar 2021 10:08:56 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2021-02-28:
Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.
[...]
- ssplit(): Remove an assertion that could be triggered with a
crafted CGI request.
Commit 2256d7b4d67. OVE-20210203-0001.
Reported by: Joshua Rogers (Opera)
CVE-2021-20272.
- cgi_send_banner(): Overrule invalid image types. Prevents a
crash with a crafted CGI request if Privoxy is toggled off.
Commit e711c505c48. OVE-20210206-0001.
Reported by: Joshua Rogers (Opera)
CVE-2021-20273.
- socks5_connect(): Don't try to send credentials when none are
configured. Fixes a crash due to a NULL-pointer dereference
when the socks server misbehaves.
Commit 85817cc55b9. OVE-20210207-0001.
Reported by: Joshua Rogers (Opera)
CVE-2021-20274.
- chunked_body_is_complete(): Prevent an invalid read of size two.
Commit a912ba7bc9c. OVE-20210205-0001.
Reported by: Joshua Rogers (Opera)
CVE-2021-20275.
- Obsolete pcre: Prevent invalid memory accesses with an invalid
pattern passed to pcre_compile(). Note that the obsolete pcre code
is scheduled to be removed before the 3.0.33 release. There has been
a warning since 2008 already.
Commit 28512e5b624. OVE-20210222-0001.
Reported by: Joshua Rogers (Opera)
CVE-2021-20276.
Fabian
Attachment:
_bin
Description: OpenPGP digital signature
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Multiple DoS issues fixed in Privoxy 3.0.32 stable Fabian Keil (Feb 28)
Re: Multiple DoS issues fixed in Privoxy 3.0.32 stable Fabian Keil (Mar 06)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->