Bug 1935974 - privoxy: Multiple security issues fixed in privoxy 3.0.32
Summary: privoxy: Multiple security issues fixed in privoxy 3.0.32
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2021-20272 CVE-2021-20273 CVE-2021-20274 CVE-2021-20275 CVE-2021-20276 (view as bug list)
Depends On: 1935975 1935976
Blocks: 1936034
TreeView+ depends on / blocked
 
Reported: 2021-03-05 20:30 UTC by Pedro Sampaio
Modified: 2021-03-08 21:22 UTC (History)
3 users (show)

Fixed In Version: privoxy 3.0.32
Doc Type: If docs needed, set a value
Doc Text:
Multiple vulnerabilities fixed in privoxy 3.0.32.
Clone Of:
Environment:
Last Closed: 2021-03-06 01:03:09 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2021-03-05 20:30:12 UTC
From release notes:

  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request.
    Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre code
    is scheduled to be removed before the 3.0.33 release. There has been
    a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)


Respectively: CVE-2021-20272, CVE-2021-20273, CVE-2021-20274, CVE-2021-20275, CVE-2021-20276.

References:

https://www.privoxy.org/announce.txt

Comment 1 Pedro Sampaio 2021-03-05 20:30:50 UTC
Created privoxy tracking bugs for this issue:

Affects: epel-all [bug 1935976]
Affects: fedora-all [bug 1935975]

Comment 2 Product Security DevOps Team 2021-03-06 01:03:09 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 3 Pedro Sampaio 2021-03-06 01:59:22 UTC
External References:

https://www.privoxy.org/announce.txt

Comment 4 Pedro Sampaio 2021-03-08 21:04:01 UTC
*** Bug 1936651 has been marked as a duplicate of this bug. ***

Comment 5 Pedro Sampaio 2021-03-08 21:11:00 UTC
*** Bug 1936658 has been marked as a duplicate of this bug. ***

Comment 6 Pedro Sampaio 2021-03-08 21:14:46 UTC
*** Bug 1936662 has been marked as a duplicate of this bug. ***

Comment 7 Pedro Sampaio 2021-03-08 21:19:25 UTC
*** Bug 1936666 has been marked as a duplicate of this bug. ***

Comment 8 Pedro Sampaio 2021-03-08 21:22:49 UTC
*** Bug 1936668 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.