CVE-2020-26154

Published: 30 September 2020

url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
libproxy Launchpad, Ubuntu, Debian	Upstream	Needs triage



	Ubuntu 20.04 LTS (Focal Fossa)	Released (0.4.15-10ubuntu1.2)
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (0.4.15-1ubuntu0.2)
	Ubuntu 16.04 ESM (Xenial Xerus)	Released (0.4.11-5ubuntu1.2)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/libproxy/libproxy/pull/126 Upstream: https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26154
https://ubuntu.com/security/notices/USN-4673-1
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968366

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›