List: oss-security
Subject: [oss-security] Multiple issues fixed in Privoxy 3.0.33 stable
From: Fabian Keil <freebsd-listen () fabiankeil ! de>
Date: 2021-12-09 12:02:18
Message-ID: 20211209130218.6d96ea6c () fabiankeil ! de
Announcing Privoxy 3.0.33 stable
--------------------------------------------------------------------
Privoxy 3.0.33 fixes an XSS issue, multiple DoS issues and a
couple of other bugs. The issues also affect earlier Privoxy releases.
Privoxy 3.0.33 also comes with a couple of general improvements and
new features.
--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.33
--------------------------------------------------------------------
- Security/Reliability:
  - cgi_error_no_template(): Encode the template name to prevent
    XSS (cross-site scripting) when Privoxy is configured to serve
    the user-manual itself.
    Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
    Reported by: Artem Ivanov
  - get_url_spec_param(): Free memory of compiled pattern spec
    before bailing.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
  - process_encrypted_request_headers(): Free header memory when
    failing to get the request destination.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
  - send_http_request(): Prevent memory leaks when handling errors
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.
[...]
-----------------------------------------------------------------
About Privoxy:
-----------------------------------------------------------------
Privoxy is a non-caching web proxy with advanced filtering capabilities for
enhancing privacy, modifying web page data and HTTP headers, controlling
access, and removing ads and other obnoxious Internet junk. Privoxy has a
flexible configuration and can be customized to suit individual needs and
tastes. It has application for both stand-alone systems and multi-user
networks.
Privoxy is Free Software and licensed under the GNU GPLv2.
[...]
Home Page:
https://www.privoxy.org/
Complete announcement:
https://lists.privoxy.org/pipermail/privoxy-announce/2021-December/000009.html
[Attachment #3 (application/pgp-signature)]
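
An illustration of the kind of fix the cgi_error_no_template() entry describes, added here as an example and not taken from the announcement or from Privoxy's source: a name reflected into an error page is HTML-encoded first, and the temporary buffer is freed on every path. The names html_escape() and build_missing_template_page(), the page markup and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Privoxy's code): returns a malloc'd copy of s
 * with the five HTML-significant characters replaced by entities. */
char *html_escape(const char *s)
{
    /* Worst case is "&quot;" (6 bytes) for every input byte. */
    char *out = malloc(strlen(s) * 6 + 1);
    char *q = out;
    if (out == NULL) return NULL;
    for (; *s != '\0'; s++) {
        const char *rep = NULL;
        switch (*s) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   break;
        }
        if (rep != NULL) { memcpy(q, rep, strlen(rep)); q += strlen(rep); }
        else { *q++ = *s; }
    }
    *q = '\0';
    return out;
}

/* Hypothetical error-page builder: the template name comes from the
 * request, so it is escaped before it is placed in the HTML body. */
char *build_missing_template_page(const char *template_name)
{
    static const char fmt[] =
        "<html><body><p>Unable to load template <code>%s</code>.</p></body></html>";
    char *safe = html_escape(template_name);
    char *page = NULL;
    if (safe != NULL) {
        size_t need = sizeof(fmt) + strlen(safe); /* %s is replaced, so this is enough */
        page = malloc(need);
        if (page != NULL) snprintf(page, need, fmt, safe);
        free(safe); /* released whether or not the page was built */
    }
    return page;
}

int main(void)
{
    char *page = build_missing_template_page("<b>constructed-name</b>");
    if (page != NULL) { puts(page); free(page); }
    return 0;
}
```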