PublicDateAtUSN: 2020-09-30 18:15:00 UTC
Candidate: CVE-2020-26154
PublicDate: 2020-09-30 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26154
 https://ubuntu.com/security/notices/USN-4673-1
Description:
 url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC
 is enabled, as demonstrated by a large PAC file that is delivered without a
 Content-length header.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968366
Priority: medium
Discovered-by: Li Fei
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libproxy:
 upstream: https://github.com/libproxy/libproxy/pull/126
 upstream: https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8
upstream_libproxy: needs-triage
precise/esm_libproxy: DNE
trusty_libproxy: ignored (out of standard support)
trusty/esm_libproxy: DNE
xenial_libproxy: released (0.4.11-5ubuntu1.2)
esm-infra/xenial_libproxy: released (0.4.11-5ubuntu1.2)
bionic_libproxy: released (0.4.15-1ubuntu0.2)
focal_libproxy: released (0.4.15-10ubuntu1.2)
groovy_libproxy: released (0.4.15-13ubuntu1.1)
devel_libproxy: not-affected