Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 23 Mar 2021 10:13:48 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple memory leaks fixed in Privoxy 3.0.29
 stable

It looks like Red Hat has assigned CVE ids for these issues now, but
not yet told Mitre to publish them:

CVE-2020-35502 privoxy: memory leaks when a response is buffered
https://bugzilla.redhat.com/show_bug.cgi?id=1928749

CVE-2021-20209 privoxy: memory leak in the show-status CGI handler when no
action files are configured
https://bugzilla.redhat.com/show_bug.cgi?id=1928726

CVE-2021-20210 privoxy: memory leak in the show-status CGI handler when no
filter files are configured
https://bugzilla.redhat.com/show_bug.cgi?id=1928729

CVE-2021-20211 privoxy: memory leak when client tags are active
https://bugzilla.redhat.com/show_bug.cgi?id=1928733

CVE-2021-20212 privoxy: memory leak if multiple filters are executed and the
last one is skipped due to a pcre error
https://bugzilla.redhat.com/show_bug.cgi?id=1928736

CVE-2021-20213 privoxy: dereference of a NULL-pointer that could result in a
crash if accept-intercepted-requests was enabled
https://bugzilla.redhat.com/show_bug.cgi?id=1928740

CVE-2021-20214 privoxy: memory leak in the client-tags CGI handler when
client tags are configured
https://bugzilla.redhat.com/show_bug.cgi?id=1928743

CVE-2021-20215 privoxy: memory leaks in the show-status CGI handler when
memory allocations fail
https://bugzilla.redhat.com/show_bug.cgi?id=1928747

	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc



On 11/29/20 7:53 AM, Fabian Keil wrote:
>                 Announcing Privoxy 3.0.29 stable
> --------------------------------------------------------------------
> 
> Privoxy 3.0.29 stable fixes a couple of memory leaks and introduces
> https inspection which allows to filter encrypted requests and
> responses.
> 
> --------------------------------------------------------------------
> ChangeLog for Privoxy 3.0.29
> --------------------------------------------------------------------
> 
> - Security/Reliability:
>    - Fixed memory leaks when a response is buffered and the buffer
>      limit is reached or Privoxy is running out of memory.
>      Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
>      Sponsored by: Robert Klemme
>    - Fixed a memory leak in the show-status CGI handler when
>      no action files are configured. Commit c62254a686.
>      OVE-20201118-0002.
>      Sponsored by: Robert Klemme
>    - Fixed a memory leak in the show-status CGI handler when
>      no filter files are configured. Commit 1b1370f7a8a.
>      OVE-20201118-0003.
>      Sponsored by: Robert Klemme
>    - Fixes a memory leak when client tags are active.
>      Commit 245e1cf32. OVE-20201118-0004.
>      Sponsored by: Robert Klemme
>    - Fixed a memory leak if multiple filters are executed
>      and the last one is skipped due to a pcre error.
>      Commit 5cfb7bc8fe. OVE-20201118-0005.
>    - Prevent an unlikely dereference of a NULL-pointer that
>      could result in a crash if accept-intercepted-requests
>      was enabled, Privoxy failed to get the request destination
>      from the Host header and a memory allocation failed.
>      Commit 7530132349. CID 267165. OVE-20201118-0006.
>    - Fixed memory leaks in the client-tags CGI handler when
>      client tags are configured and memory allocations fail.
>      Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
>    - Fixed memory leaks in the show-status CGI handler when memory
>      allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
>      CID 305233. OVE-20201118-0008.
> 
> - General improvements:
> [...]
> 
> -----------------------------------------------------------------
> About Privoxy:
> -----------------------------------------------------------------
> 
> Privoxy is a non-caching web proxy with advanced filtering capabilities for
> enhancing privacy, modifying web page data and HTTP headers, controlling
> access, and removing ads and other obnoxious Internet junk. Privoxy has a
> flexible configuration and can be customized to suit individual needs and
> tastes. It has application for both stand-alone systems and multi-user
> networks.
> 
> Privoxy is Free Software and licensed under the GNU GPLv2.
> 
> [...]
> 
> Home Page:
>     https://www.privoxy.org/
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.