'[oss-security] Multiple DoS issues fixed in Privoxy 3.0.32 stable'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Multiple DoS issues fixed in Privoxy 3.0.32 stable
From:       Fabian Keil <freebsd-listen () fabiankeil ! de>
Date:       2021-02-28 9:23:46
Message-ID: 20210228102346.65e49420 () fabiankeil ! de
[Download RAW message or body]


               Announcing Privoxy 3.0.32 stable
--------------------------------------------------------------------

Privoxy 3.0.32 fixes multiple DoS issues and a couple of other bugs.
The issues also affect earlier Privoxy releases.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.32
--------------------------------------------------------------------
- Security/Reliability:
  - ssplit(): Remove an assertion that could be triggered with a
    crafted CGI request.
    Commit 2256d7b4d67. OVE-20210203-0001.
    Reported by: Joshua Rogers (Opera)
  - cgi_send_banner(): Overrule invalid image types. Prevents a
    crash with a crafted CGI request if Privoxy is toggled off.
    Commit e711c505c48. OVE-20210206-0001.
    Reported by: Joshua Rogers (Opera)
  - socks5_connect(): Don't try to send credentials when none are
    configured. Fixes a crash due to a NULL-pointer dereference
    when the socks server misbehaves.
    Commit 85817cc55b9. OVE-20210207-0001.
    Reported by: Joshua Rogers (Opera)
  - chunked_body_is_complete(): Prevent an invalid read of size two.
    Commit a912ba7bc9c. OVE-20210205-0001.
    Reported by: Joshua Rogers (Opera)
  - Obsolete pcre: Prevent invalid memory accesses with an invalid
    pattern passed to pcre_compile(). Note that the obsolete pcre code
    is scheduled to be removed before the 3.0.33 release. There has been
    a warning since 2008 already.
    Commit 28512e5b624. OVE-20210222-0001.
    Reported by: Joshua Rogers (Opera)

[...]

-----------------------------------------------------------------
About Privoxy:
-----------------------------------------------------------------

Privoxy is a non-caching web proxy with advanced filtering capabilities for
enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. Privoxy has a
flexible configuration and can be customized to suit individual needs and
tastes. It has application for both stand-alone systems and multi-user
networks.

Privoxy is Free Software and licensed under the GNU GPLv2.

[...]

Home Page: 
   https://www.privoxy.org/

Complete announcement:
   https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic