Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210324063110.6af05039@fabiankeil.de>
Date: Wed, 24 Mar 2021 06:31:10 +0100
From: Fabian Keil <freebsd-listen@...iankeil.de>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple memory leaks fixed in Privoxy 3.0.29
 stable

Alan Coopersmith <alan.coopersmith@...cle.com> wrote on 2021-03-23:

> It looks like Red Hat has assigned CVE ids for these issues now, but
> not yet told Mitre to publish them:

I ran into issues getting CVE ids for Privoxy 3.0.29 as described in:
https://seclists.org/oss-sec/2020/q4/234 and
https://seclists.org/oss-sec/2021/q1/90

I've sent CVE ids to this list in February after I finally got them all:
https://seclists.org/oss-sec/2021/q1/101

CVE ids for Privoxy 3.0.31 and 3.0.32 were assigned within days, though.

In related news Canonical seems to have published an advisory for
multiple Privoxy releases including 3.0.29 on 2021-03-22 which claims
that "An attacker could possibly use this issue to cause a denial of
service or obtain sensitive information.":
https://ubuntu.com/security/notices/USN-4886-1

Obviously the memory leaks can be used for denial of service attacks
but I'm not sure what the "obtain sensitive information" part is all
about ...

Fabian

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.