List:       oss-security
Subject:    Re: [oss-security] Multiple memory leaks fixed in Privoxy 3.0.29 stable
From:       Fabian Keil <freebsd-listen () fabiankeil ! de>
Date:       2021-03-24 5:31:10
Message-ID: 20210324063110.6af05039 () fabiankeil ! de


Alan Coopersmith <alan.coopersmith@oracle.com> wrote on 2021-03-23:

> It looks like Red Hat has assigned CVE ids for these issues now, but
> not yet told Mitre to publish them:

I ran into issues getting CVE ids for Privoxy 3.0.29 as described in:
https://seclists.org/oss-sec/2020/q4/234 and
https://seclists.org/oss-sec/2021/q1/90

I've sent CVE ids to this list in February after I finally got them all:
https://seclists.org/oss-sec/2021/q1/101

CVE ids for Privoxy 3.0.31 and 3.0.32 were assigned within days, though.

In related news Canonical seems to have published an advisory for
multiple Privoxy releases including 3.0.29 on 2021-03-22 which claims
that "An attacker could possibly use this issue to cause a denial of
service or obtain sensitive information.":
https://ubuntu.com/security/notices/USN-4886-1

Obviously the memory leaks can be used for denial of service attacks
but I'm not sure what the "obtain sensitive information" part is all
about ...

Fabian
