From release notes: - ssplit(): Remove an assertion that could be triggered with a crafted CGI request. Commit 2256d7b4d67. OVE-20210203-0001. Reported by: Joshua Rogers (Opera) - cgi_send_banner(): Overrule invalid image types. Prevents a crash with a crafted CGI request if Privoxy is toggled off. Commit e711c505c48. OVE-20210206-0001. Reported by: Joshua Rogers (Opera) - socks5_connect(): Don't try to send credentials when none are configured. Fixes a crash due to a NULL-pointer dereference when the socks server misbehaves. Commit 85817cc55b9. OVE-20210207-0001. Reported by: Joshua Rogers (Opera) - chunked_body_is_complete(): Prevent an invalid read of size two. Commit a912ba7bc9c. OVE-20210205-0001. Reported by: Joshua Rogers (Opera) - Obsolete pcre: Prevent invalid memory accesses with an invalid pattern passed to pcre_compile(). Note that the obsolete pcre code is scheduled to be removed before the 3.0.33 release. There has been a warning since 2008 already. Commit 28512e5b624. OVE-20210222-0001. Reported by: Joshua Rogers (Opera) Respectively: CVE-2021-20272, CVE-2021-20273, CVE-2021-20274, CVE-2021-20275, CVE-2021-20276. References: https://www.privoxy.org/announce.txt
Created privoxy tracking bugs for this issue: Affects: epel-all [bug 1935976] Affects: fedora-all [bug 1935975]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
External References: https://www.privoxy.org/announce.txt
*** Bug 1936651 has been marked as a duplicate of this bug. ***
*** Bug 1936658 has been marked as a duplicate of this bug. ***
*** Bug 1936662 has been marked as a duplicate of this bug. ***
*** Bug 1936666 has been marked as a duplicate of this bug. ***
*** Bug 1936668 has been marked as a duplicate of this bug. ***