Bug 1181743 - (CVE-2020-35502) VUL-0: privoxy: CVE-2021-20210,CVE-2021-20212,CVE-2021-20211,CVE-2021-20214,CVE-2021-20213,CVE-2021-20209,CVE-2020-35502,CVE-2021-20215: Multiple vulnerabilities fixed in privoxy 3.0.29
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other Other
Priority: P5 - None, Severity: Normal
Assigned To: Security Team bot
Reported: 2021-02-03 12:37 UTC by Alexandros Toptsoglou
Modified: 2021-02-03 12:38 UTC (History)
Description Alexandros Toptsoglou 2021-02-03 12:37:25 UTC
through oss


Here are the updated ChangeLog entries with CVEs:

- Security/Reliability:
  - Fixed memory leaks when a response is buffered and the buffer
    limit is reached or Privoxy is running out of memory.
    Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
    CVE-2020-35502.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no action files are configured. Commit c62254a686.
    OVE-20201118-0002. CVE-2021-20209.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no filter files are configured. Commit 1b1370f7a8a.
    OVE-20201118-0003. CVE-2021-20210.
    Sponsored by: Robert Klemme
  - Fixes a memory leak when client tags are active.
    Commit 245e1cf32. OVE-20201118-0004. CVE-2021-20211.
    Sponsored by: Robert Klemme
  - Fixed a memory leak if multiple filters are executed
    and the last one is skipped due to a pcre error.
    Commit 5cfb7bc8fe. OVE-20201118-0005. CVE-2021-20212.
  - Prevent an unlikely dereference of a NULL-pointer that
    could result in a crash if accept-intercepted-requests
    was enabled, Privoxy failed to get the request destination
    from the Host header and a memory allocation failed.
    Commit 7530132349. CID 267165. OVE-20201118-0006. CVE-2021-20213.
  - Fixed memory leaks in the client-tags CGI handler when
    client tags are configured and memory allocations fail.
    Commit cf5640eb2a. CID 267168. OVE-20201118-0007. CVE-2021-20214.
  - Fixed memory leaks in the show-status CGI handler when memory
    allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
    CID 305233. OVE-20201118-0008. CVE-2021-20215.
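
Added illustration, not part of the bug report and not Privoxy source: a constructed C model of the bug class behind the CVE-2021-20212 entry above, where a chain of filters loses its intermediate buffer when the last filter is skipped on error. The names `run_filter`, `chain_leaky`, `chain_fixed` and the `live_allocs` counter are hypothetical.

```c
/* Constructed model of the bug class, not Privoxy source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int live_allocs; /* outstanding buffers, so a leak is observable */
static char *xdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p != NULL) { strcpy(p, s); live_allocs++; }
    return p;
}
static void xfree(char *p) { if (p != NULL) { free(p); live_allocs--; } }
/* Hypothetical filter: returns a new buffer, or NULL on a simulated error. */
static char *run_filter(const char *in, int fail) { return fail ? NULL : xdup(in); }

/* Leaky: returns the last filter's result, so when that filter fails the
 * intermediate buffer held in 'cur' is neither returned nor freed. */
static char *chain_leaky(const char *orig, const int *fails, int n) {
    const char *cur = orig;
    char *out = NULL;
    for (int i = 0; i < n; i++) {
        out = run_filter(cur, fails[i]);
        if (out == NULL) continue;            /* filter skipped on error */
        if (cur != orig) xfree((char *)cur);  /* release previous intermediate */
        cur = out;
    }
    return out;
}

/* Fixed: returns the newest successful buffer, whichever filter produced it. */
static char *chain_fixed(const char *orig, const int *fails, int n) {
    const char *cur = orig;
    for (int i = 0; i < n; i++) {
        char *out = run_filter(cur, fails[i]);
        if (out == NULL) continue;
        if (cur != orig) xfree((char *)cur);
        cur = out;
    }
    return cur == orig ? NULL : (char *)cur;
}

int main(void) {
    const int fails[] = {0, 1};               /* last filter errors out */
    xfree(chain_leaky("body", fails, 2));
    printf("leaky: %d buffer(s) outstanding\n", live_allocs);
    live_allocs = 0;
    xfree(chain_fixed("body", fails, 2));
    printf("fixed: %d buffer(s) outstanding\n", live_allocs);
    return 0;
}
```

Running the same error-path input under a leak checker such as Valgrind or AddressSanitizer's LeakSanitizer reports the buffer the first variant loses.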
Comment 1 Alexandros Toptsoglou 2021-02-03 12:38:33 UTC
Leap already ships version 3.0.29 and Factory 3.0.31. We are not affected. Closing.