privoxy: CVE-2015-1030 CVE-2015-1031

Related Vulnerabilities: CVE-2015-1030   CVE-2015-1031  

Debian Bug report logs - #775167


Package: privoxy; Maintainer for privoxy is Roland Rosenfeld <roland@debian.org>; Source for privoxy is src:privoxy (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 12 Jan 2015 06:03:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version privoxy/3.0.16-1

Fixed in versions privoxy/3.0.21-5, privoxy/3.0.19-2+deb7u1

Done: Roland Rosenfeld <roland@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Rosenfeld <roland@debian.org>:
Bug#775167; Package privoxy. (Mon, 12 Jan 2015 06:03:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roland Rosenfeld <roland@debian.org>. (Mon, 12 Jan 2015 06:03:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: privoxy: CVE-2015-1030 CVE-2015-1031
Date: Mon, 12 Jan 2015 06:54:36 +0100
Package: privoxy
Severity: grave
Tags: security

Hi Roland,
privoxy 3.0.22 fixes security issues:

http://www.privoxy.org/announce.txt

Fixed a memory leak when rejecting client connections due to
the socket limit being reached (CID 66382). This affected
Privoxy 3.0.21 when compiled with IPv6 support (on most
platforms this is the default).

-> This is CVE-2015-1030

Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by
Coverity scan (CID 66391, CID 66376).

-> This is CVE-2015-1031

Since jessie is in freeze, please make a targeted upload 
instead of moving to the full 3.0.22 release.

Cheers,
        Moritz



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 12 Jan 2015 06:30:05 GMT)


Reply sent to Roland Rosenfeld <roland@debian.org>:
You have taken responsibility. (Wed, 14 Jan 2015 18:36:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 14 Jan 2015 18:36:05 GMT)


Message #12 received at 775167-close@bugs.debian.org:

From: Roland Rosenfeld <roland@debian.org>
To: 775167-close@bugs.debian.org
Subject: Bug#775167: fixed in privoxy 3.0.21-5
Date: Wed, 14 Jan 2015 18:33:24 +0000
Source: privoxy
Source-Version: 3.0.21-5

We believe that the bug you reported is fixed in the latest version of
privoxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated privoxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 12 Jan 2015 08:44:23 +0100
Source: privoxy
Binary: privoxy
Architecture: source amd64
Version: 3.0.21-5
Distribution: unstable
Urgency: low
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Description:
 privoxy    - Privacy enhancing HTTP Proxy
Closes: 775167
Changes:
 privoxy (3.0.21-5) unstable; urgency=low
 .
   * 34_CVE-2015-1030: Fix memory leak in rfc2553_connect_to().  CID 66382
   * 35_CVE-2015-1031-CID66394: unmap(): Prevent use-after-free if the map
     only consists of one item.  CID 66394.
   * 36_CVE-2015-1031-CID66376: pcrs_execute(): Consistently set *result to
     NULL in case of errors.  Should make use-after-free in the caller less
     likely.  CID 66391, CID 66376.
   * These 3 patches Closes: #775167.





Marked as found in versions privoxy/3.0.16-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Jan 2015 19:15:05 GMT)


Reply sent to Roland Rosenfeld <roland@debian.org>:
You have taken responsibility. (Tue, 20 Jan 2015 21:22:34 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 20 Jan 2015 21:22:34 GMT)


Message #19 received at 775167-close@bugs.debian.org:

From: Roland Rosenfeld <roland@debian.org>
To: 775167-close@bugs.debian.org
Subject: Bug#775167: fixed in privoxy 3.0.19-2+deb7u1
Date: Tue, 20 Jan 2015 21:17:07 +0000
Source: privoxy
Source-Version: 3.0.19-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
privoxy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated privoxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Jan 2015 17:20:15 +0100
Source: privoxy
Binary: privoxy
Architecture: source amd64
Version: 3.0.19-2+deb7u1
Distribution: stable-security
Urgency: medium
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Description: 
 privoxy    - Privacy enhancing HTTP Proxy
Closes: 775167
Changes: 
 privoxy (3.0.19-2+deb7u1) stable-security; urgency=medium
 .
   * 35_CVE-2015-1031-CID66394: unmap(): Prevent use-after-free if the map
     only consists of one item.  CID 66394.
   * 36_CVE-2015-1031-CID66376: pcrs_execute(): Consistently set *result to
     NULL in case of errors.  Should make use-after-free in the caller less
     likely.  CID 66391, CID 66376.
   * These 2 patches Closes: #775167.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:48:09 GMT)
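The 36_CVE-2015-1031-CID66376 entry in both changelogs above describes making pcrs_execute() set *result to NULL on every error path so that a caller's stale pointer cannot be freed or read again. The following is an added, constructed illustration of that defensive pattern; it is not Privoxy's code, and the names transform_unsafe, transform_safe, dup_string and caller_keeps_stale_pointer are hypothetical:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example, not Privoxy code: a routine that hands back a
 * freshly allocated string through an out-parameter and can fail. */
enum { OK = 0, ERR_EMPTY = -1, ERR_ALLOC = -2 };

static char *dup_string(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* "Before": the error path returns without touching *result, so whatever
 * the caller's pointer held (possibly an already freed buffer) survives. */
static int transform_unsafe(const char *in, char **result)
{
    if (*in == '\0')
        return ERR_EMPTY;            /* *result left as it was */
    *result = dup_string(in);
    return *result ? OK : ERR_ALLOC;
}

/* "After": every path defines *result, so the caller's cleanup is either
 * free() of the new buffer or a harmless free(NULL). */
static int transform_safe(const char *in, char **result)
{
    *result = NULL;                  /* define the out-parameter up front */
    if (*in == '\0')
        return ERR_EMPTY;
    *result = dup_string(in);
    return *result ? OK : ERR_ALLOC;
}

/* Caller pattern exposing the difference: one pointer variable is reused
 * across a successful call and a failing one. Returns 1 if the failing
 * call left the stale (freed) address in place, 0 if cleared, -1 on setup error. */
static int caller_keeps_stale_pointer(int (*fn)(const char *, char **))
{
    char *out = NULL;
    uintptr_t stale;
    if (fn("hello", &out) != OK)
        return -1;
    stale = (uintptr_t)out;
    free(out);                       /* out now dangles; it is not NULL */
    if (fn("", &out) == OK)          /* take the error path */
        return -1;
    /* Unsafe callee: out still equals stale; free(out) here would be a double free. */
    return (uintptr_t)out == stale;
}
```

The address is compared as an integer rather than dereferenced, so the check itself never touches freed memory; only the unsafe variant leaves the dangling value in the caller's variable.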




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:26:00 2019; Machine Name: beach
