Ubuntu update for privoxy



Published: 2021-03-22
Risk Medium
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2020-35502
CVE-2021-20209
CVE-2021-20210
CVE-2021-20211
CVE-2021-20212
CVE-2021-20213
CVE-2021-20214
CVE-2021-20215
CVE-2021-20216
CVE-2021-20217
CVE-2021-20272
CVE-2021-20273
CVE-2021-20275
CVE-2021-20276
CWE-ID CWE-401
CWE-476
CWE-617
CWE-20
CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Ubuntu
Operating systems & Components / Operating system

privoxy (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Memory leak

EUVDB-ID: #VU49170

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-35502

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when a response is buffered and the buffer limit is reached or Privoxy is running out of memory. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory leak

EUVDB-ID: #VU49171

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20209

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the show-status CGI handler when no action files are configured. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory leak

EUVDB-ID: #VU49172

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20210

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the show-status CGI handler when no filter files are configured. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory leak

EUVDB-ID: #VU49173

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20211

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when client tags are active. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory leak

EUVDB-ID: #VU49174

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20212

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak if multiple filters are executed and the last one is skipped due to a pcre error. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) NULL pointer dereference

EUVDB-ID: #VU49177

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20213

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error, if accept-intercepted-requests is  enabled. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory leak

EUVDB-ID: #VU49175

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20214

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the client-tags CGI handler when client tags are configured and memory allocations fail. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory leak

EUVDB-ID: #VU49176

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20215

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the show-status CGI handler when memory allocations fail. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory leak

EUVDB-ID: #VU50157

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20216

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak during decompression. A remote attacker can send specially crafted request to the web server and perform denial of service attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Reachable Assertion

EUVDB-ID: #VU50155

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20217

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion. A remote attacker can send a specially crafted CGI request to the affected server and perform a denial of service (DoS) attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Reachable Assertion

EUVDB-ID: #VU50973

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20272

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the ssplit() function when processing CGI requests. A remote attacker can send a specially crafted CGI request, trigger an assertion failure and crash the service.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Input validation error

EUVDB-ID: #VU50974

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20273

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the cgi_send_banner() function. A remote attacker can pass specially crafted CGI request with an invalid image type and perform a denial of service (DoS) attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Out-of-bounds read

EUVDB-ID: #VU50976

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20275

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the chunked_body_is_complete() function. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Out-of-bounds read

EUVDB-ID: #VU51245

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20276

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when processing patterns passed to pcre_compile() function. A remote attacker can pass specially crafted data to the application, trigger out-of-bounds read error and perform a denial of service (DoS) attack.

Mitigation

Update the affected package privoxy to the latest version.

Vulnerable software versions

Ubuntu: 14.04 - 20.10

privoxy (Ubuntu package): before 3.0.28-3ubuntu0.1

External links

http://ubuntu.com/security/notices/USN-4886-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###