ALT-BU-2024-14074-1
Branch c9f2 update bulletin.
Closed vulnerabilities
BDU:2021-04648
Уязвимость функционала show-status обработчика CGI прокси HTTP Privoxy, связанная с неправильным освобождением памяти перед удалением последний ссылки, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2020-35502
A flaw was found in Privoxy in versions before 3.0.29. Memory leaks when a response is buffered and the buffer limit is reached or Privoxy is running out of memory can lead to a system crash.
Modified: 2024-11-21
CVE-2021-20209
A memory leak vulnerability was found in Privoxy before 3.0.29 in the show-status CGI handler when no action files are configured.
- https://bugzilla.redhat.com/show_bug.cgi?id=1928726
- https://bugzilla.redhat.com/show_bug.cgi?id=1928726
- GLSA-202107-16
- GLSA-202107-16
- https://www.privoxy.org/3.0.29/user-manual/whatsnew.html
- https://www.privoxy.org/3.0.29/user-manual/whatsnew.html
- https://www.privoxy.org/gitweb/?p=privoxy.git%3Ba=commit%3Bh=c62254a686
- https://www.privoxy.org/gitweb/?p=privoxy.git%3Ba=commit%3Bh=c62254a686
Modified: 2024-11-21
CVE-2021-20210
A flaw was found in Privoxy in versions before 3.0.29. Memory leak in the show-status CGI handler when no filter files are configured can lead to a system crash.
Modified: 2024-11-21
CVE-2021-20211
A flaw was found in Privoxy in versions before 3.0.29. Memory leak when client tags are active can cause a system crash.
Modified: 2024-11-21
CVE-2021-20212
A flaw was found in Privoxy in versions before 3.0.29. Memory leak if multiple filters are executed and the last one is skipped due to a pcre error leading to a system crash.
Modified: 2024-11-21
CVE-2021-20213
A flaw was found in Privoxy in versions before 3.0.29. Dereference of a NULL-pointer that could result in a crash if accept-intercepted-requests was enabled, Privoxy failed to get the request destination from the Host header and a memory allocation failed.
Modified: 2024-11-21
CVE-2021-20214
A flaw was found in Privoxy in versions before 3.0.29. Memory leaks in the client-tags CGI handler when client tags are configured and memory allocations fail can lead to a system crash.
Modified: 2024-11-21
CVE-2021-20215
A flaw was found in Privoxy in versions before 3.0.29. Memory leaks in the show-status CGI handler when memory allocations fail can lead to a system crash.
Modified: 2024-11-21
CVE-2021-20216
A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is to system availability.
- https://bugzilla.redhat.com/show_bug.cgi?id=1923256
- https://bugzilla.redhat.com/show_bug.cgi?id=1923256
- GLSA-202107-16
- GLSA-202107-16
- https://www.openwall.com/lists/oss-security/2021/01/31/2
- https://www.openwall.com/lists/oss-security/2021/01/31/2
- https://www.privoxy.org/3.0.31/user-manual/whatsnew.html
- https://www.privoxy.org/3.0.31/user-manual/whatsnew.html
Modified: 2024-11-21
CVE-2021-20217
A flaw was found in Privoxy in versions before 3.0.31. An assertion failure triggered by a crafted CGI request may lead to denial of service. The highest threat from this vulnerability is to system availability.
Modified: 2024-11-21
CVE-2021-20272
A flaw was found in privoxy before 3.0.32. An assertion failure could be triggered with a crafted CGI request leading to server crash.
- https://bugzilla.redhat.com/show_bug.cgi?id=1936651
- https://bugzilla.redhat.com/show_bug.cgi?id=1936651
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- GLSA-202107-16
- GLSA-202107-16
- https://www.privoxy.org/announce.txt
- https://www.privoxy.org/announce.txt
Modified: 2024-11-21
CVE-2021-20273
A flaw was found in privoxy before 3.0.32. A crash can occur via a crafted CGI request if Privoxy is toggled off.
- https://bugzilla.redhat.com/show_bug.cgi?id=1936658
- https://bugzilla.redhat.com/show_bug.cgi?id=1936658
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- GLSA-202107-16
- GLSA-202107-16
- https://www.privoxy.org/announce.txt
- https://www.privoxy.org/announce.txt
Modified: 2024-11-21
CVE-2021-20274
A flaw was found in privoxy before 3.0.32. A crash may occur due a NULL-pointer dereference when the socks server misbehaves.
Modified: 2024-11-21
CVE-2021-20275
A flaw was found in privoxy before 3.0.32. A invalid read of size two may occur in chunked_body_is_complete() leading to denial of service.
- https://bugzilla.redhat.com/show_bug.cgi?id=1936666
- https://bugzilla.redhat.com/show_bug.cgi?id=1936666
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- GLSA-202107-16
- GLSA-202107-16
- https://www.privoxy.org/announce.txt
- https://www.privoxy.org/announce.txt
Modified: 2024-11-21
CVE-2021-20276
A flaw was found in privoxy before 3.0.32. Invalid memory access with an invalid pattern passed to pcre_compile() may lead to denial of service.
- https://bugzilla.redhat.com/show_bug.cgi?id=1936668
- https://bugzilla.redhat.com/show_bug.cgi?id=1936668
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- [debian-lts-announce] 20210309 [SECURITY] [DLA 2587-1] privoxy security update
- GLSA-202107-16
- GLSA-202107-16
- https://www.privoxy.org/announce.txt
- https://www.privoxy.org/announce.txt
Modified: 2024-11-21
CVE-2021-44540
A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing.
Modified: 2024-11-21
CVE-2021-44541
A vulnerability was found in Privoxy which was fixed in process_encrypted_request_headers() by freeing header memory when failing to get the request destination.
Modified: 2024-11-21
CVE-2021-44542
A memory leak vulnerability was found in Privoxy when handling errors.
Modified: 2024-11-21
CVE-2021-44543
An XSS vulnerability was found in Privoxy which was fixed in cgi_error_no_template() by encode the template name when Privoxy is configured to servce the user-manual itself.