Security update for privoxy SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10186-1 Final 1 1 2022-11-02T08:52:06Z current 2022-11-02T08:52:06Z 2022-11-02T08:52:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for privoxy This update for privoxy fixes the following issues: privoxy was updated to 3.0.33 (boo#1193584): * CVE-2021-44543: Encode the template name to prevent XSS (cross-side scripting) when Privoxy is configured to servce the user-manual itself * CVE-2021-44540: Free memory of compiled pattern spec before bailing * CVE-2021-44541: Free header memory when failing to get the request destination. * CVE-2021-44542: Prevent memory leaks when handling errors * Disable fast-redirects for a number of domains * Update default block lists * Many bug fixes and minor enhancements The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10186 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2UGN5D6UHVWYBE3WUP7XR2TUJPRGWJ2G/ E-Mail link for openSUSE-SU-2022:10186-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1193584 SUSE Bug 1193584 https://www.suse.com/security/cve/CVE-2021-44540/ SUSE CVE CVE-2021-44540 page https://www.suse.com/security/cve/CVE-2021-44541/ SUSE CVE CVE-2021-44541 page https://www.suse.com/security/cve/CVE-2021-44542/ SUSE CVE CVE-2021-44542 page https://www.suse.com/security/cve/CVE-2021-44543/ SUSE CVE CVE-2021-44543 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 privoxy-3.0.33-bp154.3.3.1 privoxy-doc-3.0.33-bp154.3.3.1 privoxy-3.0.33-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 privoxy-doc-3.0.33-bp154.3.3.1 as a component of SUSE Package Hub 15 SP4 privoxy-3.0.33-bp154.3.3.1 as a component of openSUSE Leap 15.4 privoxy-doc-3.0.33-bp154.3.3.1 as a component of openSUSE Leap 15.4 A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing. CVE-2021-44540 SUSE Package Hub 15 SP4:privoxy-3.0.33-bp154.3.3.1 SUSE Package Hub 15 SP4:privoxy-doc-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-doc-3.0.33-bp154.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2UGN5D6UHVWYBE3WUP7XR2TUJPRGWJ2G/ https://www.suse.com/security/cve/CVE-2021-44540.html CVE-2021-44540 https://bugzilla.suse.com/1193584 SUSE Bug 1193584 A vulnerability was found in Privoxy which was fixed in process_encrypted_request_headers() by freeing header memory when failing to get the request destination. CVE-2021-44541 SUSE Package Hub 15 SP4:privoxy-3.0.33-bp154.3.3.1 SUSE Package Hub 15 SP4:privoxy-doc-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-doc-3.0.33-bp154.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2UGN5D6UHVWYBE3WUP7XR2TUJPRGWJ2G/ https://www.suse.com/security/cve/CVE-2021-44541.html CVE-2021-44541 https://bugzilla.suse.com/1193584 SUSE Bug 1193584 A memory leak vulnerability was found in Privoxy when handling errors. CVE-2021-44542 SUSE Package Hub 15 SP4:privoxy-3.0.33-bp154.3.3.1 SUSE Package Hub 15 SP4:privoxy-doc-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-doc-3.0.33-bp154.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2UGN5D6UHVWYBE3WUP7XR2TUJPRGWJ2G/ https://www.suse.com/security/cve/CVE-2021-44542.html CVE-2021-44542 https://bugzilla.suse.com/1193584 SUSE Bug 1193584 An XSS vulnerability was found in Privoxy which was fixed in cgi_error_no_template() by encode the template name when Privoxy is configured to servce the user-manual itself. CVE-2021-44543 SUSE Package Hub 15 SP4:privoxy-3.0.33-bp154.3.3.1 SUSE Package Hub 15 SP4:privoxy-doc-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-3.0.33-bp154.3.3.1 openSUSE Leap 15.4:privoxy-doc-3.0.33-bp154.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2UGN5D6UHVWYBE3WUP7XR2TUJPRGWJ2G/ https://www.suse.com/security/cve/CVE-2021-44543.html CVE-2021-44543 https://bugzilla.suse.com/1193584 SUSE Bug 1193584