Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20211209130218.6d96ea6c@fabiankeil.de>
Date: Thu, 9 Dec 2021 13:02:18 +0100
From: Fabian Keil <freebsd-listen@...iankeil.de>
To: oss-security@...ts.openwall.com
Subject: Multiple issues fixed in Privoxy 3.0.33 stable

               Announcing Privoxy 3.0.33 stable
--------------------------------------------------------------------

Privoxy 3.0.33 fixes an XSS issue, multiple DoS issues and a
couple of other bugs. The issues also affect earlier Privoxy releases.
Privoxy 3.0.33 also comes with a couple of general improvements and
new features.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.33
--------------------------------------------------------------------
- Security/Reliability:
  - cgi_error_no_template(): Encode the template name to prevent
    XSS (cross-site scripting) when Privoxy is configured to servce
    the user-manual itself.
    Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
    Reported by: Artem Ivanov
  - get_url_spec_param(): Free memory of compiled pattern spec
    before bailing.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
  - process_encrypted_request_headers(): Free header memory when
    failing to get the request destination.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
  - send_http_request(): Prevent memory leaks when handling errors
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.

[...]

-----------------------------------------------------------------
About Privoxy:
-----------------------------------------------------------------

Privoxy is a non-caching web proxy with advanced filtering capabilities for
enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. Privoxy has a
flexible configuration and can be customized to suit individual needs and
tastes. It has application for both stand-alone systems and multi-user
networks.

Privoxy is Free Software and licensed under the GNU GPLv2.

[...]

Home Page: 
   https://www.privoxy.org/

Complete announcement:
   https://lists.privoxy.org/pipermail/privoxy-announce/2021-December/000009.html

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.