Re: Multiple memory leaks fixed in Privoxy 3.0.29 stable

[Fabian Keil <freebsd-listen () fabiankeil de>]

Alan Coopersmith <alan.coopersmith () oracle com> wrote on 2021-03-23:

> It looks like Red Hat has assigned CVE ids for these issues now, but
> not yet told Mitre to publish them:

I ran into issues getting CVE ids for Privoxy 3.0.29 as described in:
https://seclists.org/oss-sec/2020/q4/234 and
https://seclists.org/oss-sec/2021/q1/90

I've sent CVE ids to this list in February after I finally got them all:
https://seclists.org/oss-sec/2021/q1/101

CVE ids for Privoxy 3.0.31 and 3.0.32 were assigned within days, though.

In related news Canonical seems to have published an advisory for
multiple Privoxy releases including 3.0.29 on 2021-03-22 which claims
that "An attacker could possibly use this issue to cause a denial of
service or obtain sensitive information.":
https://ubuntu.com/security/notices/USN-4886-1

Obviously the memory leaks can be used for denial of service attacks
but I'm not sure what the "obtain sensitive information" part is all
about ...

Fabian

Attachment: _bin
Description: OpenPGP digital signature