Re: privoxy CVE-2021-4454[0123] update

[Salvatore Bonaccorso <carnil@debian.org>]

Hi Roland,

On Thu, Dec 09, 2021 at 03:55:44PM +0100, Roland Rosenfeld wrote:
> Hi!
> 
> Here is a little update for CVE-2021-4454[0123]:
> 
> All 4 CVEs are fixed in 3.0.33-1 (sid).

Thanks, already updated earlier.

> CVE-2021-44541 and CVE-2021-44542 both do not affect buster and
> stretch since the vulnerable code was introduced in 3.0.29 or later
> (while buster ships 3.0.28 and stretch ships 3.0.26).

Thanks, updated now the tracker.
> 
> I prepared an update for bullseye (3.0.32-2+deb11u1):
> https://salsa.debian.org/debian/privoxy/-/tree/debian/bullseye
> and will create an request for 11.2 release soon.

Seen that, thank you as well.

> I also prepared an update for buster (3.0.28-2+deb10u2) including only
> CVE-2021-44540 and CVE-2021-44543:
> https://salsa.debian.org/debian/privoxy/-/tree/debian/buster
> and will create an request for the next point release later.

Ack!

> Last but not least I prepared an update for strech (3.0.26-3+deb9u3)
> including only CVE-2021-44540 and CVE-2021-44543:
> https://salsa.debian.org/debian/privoxy/-/tree/debian/stretch
> and will offer this to the LTS team.
> 
> It would great, if you could update the security tracker accordingly.

Regards,
Salvatore