"Privoxy 3.0.33 fixes an XSS issue, multiple DoS issues and a couple of other bugs. The issues also affect earlier Privoxy releases. Privoxy 3.0.33 also comes with a couple of general improvements and new features.

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.33
--------------------------------------------------------------------
- Security/Reliability:
  - cgi_error_no_template(): Encode the template name to prevent
    XSS (cross-site scripting) when Privoxy is configured to serve
    the user-manual itself.
    Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
    Reported by: Artem Ivanov
  - get_url_spec_param(): Free memory of compiled pattern spec
    before bailing.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
  - process_encrypted_request_headers(): Free header memory when
    failing to get the request destination.
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
  - send_http_request(): Prevent memory leaks when handling errors
    Reported by Joshua Rogers (Opera) who also provided the fix.
    Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eccdbb6b0a53e812fcac7766898d31b756d96e2

commit 6eccdbb6b0a53e812fcac7766898d31b756d96e2
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-12-13 16:57:54 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-12-13 16:58:57 +0000

    net-proxy/privoxy: update to 3.0.33

    - Version bump to 3.0.33
      Fixes: CVE-2021-44540, CVE-2021-44541, CVE-2021-44542, CVE-2021-44543
    - Add new USE flags: jit (for PCRE), sanitize
    - REQUIRED_USE: extended-statistics depends on threads

    Bug: https://bugs.gentoo.org/769557
    Bug: https://bugs.gentoo.org/829051
    Package-Manager: Portage-3.0.29, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest | 1 +
 .../files/privoxy-3.0.33-configure-msan.patch | 13 ++
 net-proxy/privoxy/metadata.xml | 3 +
 net-proxy/privoxy/privoxy-3.0.33.ebuild | 158 +++++++++++++++++++++
 4 files changed, 175 insertions(+)
Ugh, sorry for missing this.
Please clean up, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb8d247de762a6666b86e2302ebd1ee797f5aa58

commit cb8d247de762a6666b86e2302ebd1ee797f5aa58
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-12-26 12:19:48 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-12-26 12:20:39 +0000

    net-proxy/privoxy: remove old

    Affected by multiple CVEs, see bug for details.

    Bug: https://bugs.gentoo.org/829051
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest | 1 -
 net-proxy/privoxy/privoxy-3.0.32-r1.ebuild | 148 -----------------------------
 2 files changed, 149 deletions(-)