Arch Linux alert ASA-202102-21 (privoxy)
From: Remi Gacogne via arch-security <arch-security@lists.archlinux.org>
To: arch-security@archlinux.org
Subject: [ASA-202102-21] privoxy: denial of service
Date: Fri, 12 Feb 2021 08:14:25 +0100
Message-ID: <6b01d026-4860-c313-5f4a-8602b3fd0c5e@archlinux.org>
Cc: Remi Gacogne <rgacogne@archlinux.org>

Arch Linux Security Advisory ASA-202102-21
==========================================

Severity: Low
Date    : 2021-02-07
CVE-ID  : CVE-2021-20216 CVE-2021-20217
Package : privoxy
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1524

Summary
=======

The package privoxy before version 3.0.31-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 3.0.31-1.

# pacman -Syu "privoxy>=3.0.31-1"

The problems have been fixed upstream in version 3.0.31.

Workaround
==========

None.

Description
===========

- CVE-2021-20216 (denial of service)

A security issue was found in privoxy before version 3.0.31. A memory
leak when decompression fails unexpectedly may lead to denial of
service.

- CVE-2021-20217 (denial of service)

A security issue was found in privoxy before version 3.0.31. An
assertion failure triggered by a crafted CGI request may lead to denial
of service.

Impact
======

A remote attacker might cause the privoxy server to crash using a
crafted request.

References
==========

https://www.openwall.com/lists/oss-security/2021/01/31/2
https://bugzilla.redhat.com/show_bug.cgi?id=1923256
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;...
https://seclists.org/oss-sec/2021/q1/106
https://bugzilla.redhat.com/show_bug.cgi?id=1923252
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;...
https://security.archlinux.org/CVE-2021-20216
https://security.archlinux.org/CVE-2021-20217
