Update Info

openSUSE-2021-460


Security update for privoxy


Type: security
Severity: moderate
Issued: 2021-03-22
Description:
This update for privoxy fixes the following issues:

Update to version 3.0.32:

  - Security/Reliability (boo#1183129)

    - ssplit(): Remove an assertion that could be triggered with a
      crafted CGI request.
      Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272
      Reported by: Joshua Rogers (Opera)
    - cgi_send_banner(): Overrule invalid image types. Prevents a
      crash with a crafted CGI request if Privoxy is toggled off.
      Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273
      Reported by: Joshua Rogers (Opera)
    - socks5_connect(): Don't try to send credentials when none are
      configured. Fixes a crash due to a NULL-pointer dereference
      when the socks server misbehaves.
      Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274
      Reported by: Joshua Rogers (Opera)
    - chunked_body_is_complete(): Prevent an invalid read of size
      two.
      Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275
      Reported by: Joshua Rogers (Opera)
    - Obsolete pcre: Prevent invalid memory accesses with an invalid
      pattern passed to pcre_compile(). Note that the obsolete pcre
      code is scheduled to be removed before the 3.0.33 release.
      There has been a warning since 2008 already.
      Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276
      Reported by: Joshua Rogers (Opera)

  - Bug fixes:

    - Properly parse the client-tag-lifetime directive. Previously it was
      not accepted as an obsolete hash value was being used.
      Reported by: Joshua Rogers (Opera)
    - decompress_iob(): Prevent reading of uninitialized data.
      Reported by: Joshua Rogers (Opera).
    - decompress_iob(): Don't advance cur past eod when looking
      for the end of the file name and comment.
    - decompress_iob(): Cast value to unsigned char before shifting.
      Prevents a left-shift of a negative value which is undefined behaviour.
      Reported by: Joshua Rogers (Opera)
    - gif_deanimate(): Confirm that that we have enough data before doing
      any work. Fixes a crash when fuzzing with an empty document.
      Reported by: Joshua Rogers (Opera).
    - buf_copy(): Fail if there's no data to write or nothing to do.
      Prevents undefined behaviour "applying zero offset to null pointer".
      Reported by: Joshua Rogers (Opera)
    - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
      being used while fuzzing.
      Reported by: Joshua Rogers (Opera).
    - Respect DESTDIR when considering whether or not to install
      config files with ".new" extension.
    - OpenSSL ssl_store_cert(): Fix two error messages.
    - Fix a couple of format specifiers.
    - Silence compiler warnings when compiling with NDEBUG.
    - fuzz_server_header(): Fix compiler warning.
    - fuzz_client_header(): Fix compiler warning.
    - cgi_send_user_manual(): Also reject requests if the user-manual
      directive specifies a https:// URL. Previously Privoxy would try and
      fail to open a local file.

  - General improvements:

    - Log the TLS version and the the cipher when debug 2 is enabled.
    - ssl_send_certificate_error(): Respect HEAD requests by not sending a body.
    - ssl_send_certificate_error(): End the body with a single new line.
    - serve(): Increase the chances that the host is logged when closing
      a server socket.
    - handle_established_connection(): Add parentheses to clarify an expression
      Suggested by: David Binderman
    - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE
      if process_encrypted_request() fails. This makes it more obvious that the
      connection will not be reused. Previously serve() relied on
      CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset.
      Inspired by a patch from Joshua Rogers (Opera).
    - decompress_iob(): Add periods to a couple of log messages
    - Terminate the body of the HTTP snipplets with a single new line
      instead of "\r\n".
    - configure: Add --with-assertions option and only enable assertions
      when it is used
    - windows build: Use --with-brotli and --with-mbedtls by default and
      enable dynamic error checking.
    - gif_deanimate(): Confirm we've got an image before trying to write it
      Saves a pointless buf_copy() call.
    - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.

  - Action file improvements:

    - Disable fast-redirects for .golem.de/
    - Unblock requests to adri*.
    - Block requests for trc*.taboola.com/
    - Disable fast-redirects for .linkedin.com/

  - Filter file improvements:

    - Make the second pcrs job of the img-reorder filter greedy again.
      The ungreedy version broke the img tags on:
      https://bulk.fefe.de/scalability/.

  - Privoxy-Log-Parser:

    - Highlight a few more messages.
    - Clarify the --statistics output. The shown "Reused connections"
      are server connections so name them appropriately.
    - Bump version to 0.9.3.

  - Privoxy-Regression-Test:

    - Add the --check-bad-ssl option to the --help output.
    - Bump version to 0.7.3.

  - Documentation:

    - Add pushing the created tag to the release steps in the developer manual.
    - Clarify that 'debug 32768' should be used in addition to the other debug
      directives when reporting problems.
    - Add a 'Third-party licenses and copyrights' section to the user manual.

This update was imported from the openSUSE:Leap:15.2:Update update project.

              

Packages


  • privoxy-3.0.32-bp152.4.9.1