Bug 1193584 - (CVE-2021-44540) VUL-0: CVE-2021-44540: Multiple issues fixed in Privoxy 3.0.33 stable
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/316954/
Reported: 2021-12-09 16:21 UTC by Alexander Bergmann
Modified: 2022-11-02 17:54 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2021-12-09 16:21:13 UTC
CVE-2021-44540 via oss-sec mailing list

https://seclists.org/oss-sec/2021/q4/148

Multiple issues fixed in Privoxy 3.0.33 stable

- CVE-2021-44540: get_url_spec_param(): Free memory of compiled pattern spec before bailing.
- CVE-2021-44541: process_encrypted_request_headers(): Free header memory when failing to get the request destination.
- CVE-2021-44542: send_http_request(): Prevent memory leaks when handling errors
- CVE-2021-44543: cgi_error_no_template(): Encode the template name to prevent XSS (cross-site scripting)
Comment 2 Marcus Meissner 2021-12-29 09:55:36 UTC
You used the wrong bugnr, Andreas (s/8/9/). I adjusted it in the patchinfo, so no need to resubmit.
Comment 3 Swamp Workflow Management 2021-12-31 02:18:58 UTC
openSUSE-SU-2021:1646-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1193584
CVE References: CVE-2021-44540,CVE-2021-44541,CVE-2021-44542,CVE-2021-44543
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    privoxy-3.0.33-lp152.3.12.1
openSUSE Backports SLE-15-SP3 (src):    privoxy-3.0.33-bp153.2.3.1
Comment 4 Carsten Ziepke 2022-10-30 06:06:17 UTC
Just updated to openSUSE Leap 15.4, and privoxy is still on 3.0.32 here.
openSUSE Leap 15.4 is missing the backport package that exists for openSUSE Leap 15.3 (openSUSE Backports SLE-15-SP3).
Comment 5 Andreas Stieger 2022-10-30 07:50:53 UTC
submitted
Comment 6 OBSbugzilla Bot 2022-10-30 08:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1193584) was mentioned in
https://build.opensuse.org/request/show/1032292 Backports:SLE-15-SP4 / privoxy
Comment 7 Carsten Ziepke 2022-10-30 08:48:42 UTC
Thank you very much.
Comment 8 Swamp Workflow Management 2022-11-02 17:25:05 UTC
openSUSE-SU-2022:10186-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1193584
CVE References: CVE-2021-44540,CVE-2021-44541,CVE-2021-44542,CVE-2021-44543
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    privoxy-3.0.33-bp154.3.3.1
Comment 9 Andreas Stieger 2022-11-02 17:54:35 UTC
Done