oss-sec mailing list archives
Multiple DoS issues fixed in Privoxy 3.0.32 stable
From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Sun, 28 Feb 2021 10:23:46 +0100
Announcing Privoxy 3.0.32 stable
--------------------------------------------------------------------

Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.32
--------------------------------------------------------------------

- Security/Reliability:
  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request. Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre
    code is scheduled to be removed before the 3.0.33 release.
    There has been a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)

[...]

-----------------------------------------------------------------
About Privoxy:
-----------------------------------------------------------------

Privoxy is a non-caching web proxy with advanced filtering capabilities
for enhancing privacy, modifying web page data and HTTP headers,
controlling access, and removing ads and other obnoxious Internet junk.
Privoxy has a flexible configuration and can be customized to suit
individual needs and tastes. It has application for both stand-alone
systems and multi-user networks.

Privoxy is Free Software and licensed under the GNU GPLv2.

[...]

Home Page: https://www.privoxy.org/

Complete announcement:
https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html