oss-sec mailing list archives
Re: Multiple DoS issues fixed in Privoxy 3.0.32 stable
From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Sat, 6 Mar 2021 10:08:56 +0100
Fabian Keil <freebsd-listen () fabiankeil de> wrote on 2021-02-28:
Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs. The issues also affect earlier Privoxy releases.
[...]
- ssplit(): Remove an assertion that could be triggered with a crafted CGI request. Commit 2256d7b4d67. OVE-20210203-0001. Reported by: Joshua Rogers (Opera)
CVE-2021-20272.
- cgi_send_banner(): Overrule invalid image types. Prevents a crash with a crafted CGI request if Privoxy is toggled off. Commit e711c505c48. OVE-20210206-0001. Reported by: Joshua Rogers (Opera)
CVE-2021-20273.
- socks5_connect(): Don't try to send credentials when none are configured. Fixes a crash due to a NULL-pointer dereference when the socks server misbehaves. Commit 85817cc55b9. OVE-20210207-0001. Reported by: Joshua Rogers (Opera)
CVE-2021-20274.
- chunked_body_is_complete(): Prevent an invalid read of size two. Commit a912ba7bc9c. OVE-20210205-0001. Reported by: Joshua Rogers (Opera)
CVE-2021-20275.
- Obsolete pcre: Prevent invalid memory accesses with an invalid pattern passed to pcre_compile(). Note that the obsolete pcre code is scheduled to be removed before the 3.0.33 release. There has been a warning since 2008 already. Commit 28512e5b624. OVE-20210222-0001. Reported by: Joshua Rogers (Opera)
CVE-2021-20276. Fabian
Attachment:
_bin
Description: OpenPGP digital signature
Current thread:
- Multiple DoS issues fixed in Privoxy 3.0.32 stable Fabian Keil (Feb 28)
- Re: Multiple DoS issues fixed in Privoxy 3.0.32 stable Fabian Keil (Mar 06)