| Summary: | privoxy 3.0.31 fixes security issues (CVE-2021-20216 and CVE-2021-20217) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia, nicolas.salguero, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | privoxy-3.0.29-1.mga7.src.rpm | CVE: | CVE-2021-20216, CVE-2021-20217 |
| Status comment: | |||
|
Description
David Walser
2021-02-02 20:32:31 CET
David Walser
2021-02-02 20:33:51 CET
Whiteboard:
(none) =>
MGA7TOO Various packages for this, so assigning it globally. Assignee:
bugsquad =>
pkg-bugs fixed on cauldron Version:
Cauldron =>
7 (In reply to Nicolas Lécureuil from comment #3) > fixed on cauldron nope https://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20210203114820.tmb.duvel.40052/log/privoxy-3.0.31-1.mga8/build.x86_64.0.20210203114910.log you are right :) thanks this is now fixed privoxy-3.0.31-1.mga8 CVEs have been issued: https://www.openwall.com/lists/oss-security/2021/02/04/4 Status comment:
(none) =>
Fixed upstream in 3.0.31 openSUSE has issued an advisory for this on February 8: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LYXYETZZHYGLBE3WLXSZCYBO5VDRKFDT/ Suggested advisory: ======================== The updated package fixes security vulnerabilities: Fixed a memory leak when decompression fails "unexpectedly". (CVE-2021-20216) Prevent an assertion from getting triggered by a crafted CGI request. (CVE-2021-20217) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20216 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20217 http://www.privoxy.org/announce.txt https://www.openwall.com/lists/oss-security/2021/02/04/4 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LYXYETZZHYGLBE3WLXSZCYBO5VDRKFDT/ ======================== Updated package in core/updates_testing: ======================== privoxy-3.0.31-1.mga7 from SRPM: privoxy-3.0.31-1.mga7.src.rpm Status:
NEW =>
ASSIGNED mga7, x64
Installed privoxy-3.0.29-1
Set the network settings for privoxy to default values in firefox and cleared the cache.
Enabled and started the privoxy daemon. Checked the /etc/privoxy/config file and left it with default settings. Confirmed that there was a /var/log/privoxy directory.
No PoC for the CVEs at this time.
Updated to the candidate package. Restarted the privoxy service.
# systemctl status privoxy
● privoxy.service - Privacy enhancing HTTP Proxy
Loaded: loaded (/usr/lib/systemd/system/privoxy.service; enabled; vendor pre>
Active: active (running) since Sun 2021-02-14 14:04:03 GMT; 9s ago
Process: 15967 ExecStart=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user >
Main PID: 15968 (privoxy)
Tasks: 1 (limit: 4915)
Memory: 1.1M
CGroup: /system.slice/privoxy.service
└─15968 /usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.d>
Feb 14 14:04:02 difda systemd[1]: Starting Privacy enhancing HTTP Proxy...
Feb 14 14:04:03 difda systemd[1]: Started Privacy enhancing HTTP Proxy.
Browsed a bit - Radio Times, Youtube, tried searches (DuckDuckGo), online newspaper.
/var/log/privoxy logfile remained empty.
Unsure if this suffices as a test but the daemon runs and nothing unusual happens in firefox.
Reeserving judgement - awaiting comments.CC:
(none) =>
tarazed25 MGA7-64 MATE on Peaq C1011 No installatioin issues Ref bug 27678 for testing. # systemctl -l status privoxy ● privoxy.service - Privacy enhancing HTTP Proxy Loaded: loaded (/usr/lib/systemd/system/privoxy.service; disabled; vendor preset: disabled) Active: inactive (dead) # systemctl start privoxy # systemctl -l status privoxy ● privoxy.service - Privacy enhancing HTTP Proxy Loaded: loaded (/usr/lib/systemd/system/privoxy.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2021-02-16 14:38:30 CET; 5s ago Process: 18540 ExecStart=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.daemon /etc/privoxy/config (code=exited, status=0/SUCCESS) Main PID: 18541 (privoxy) Tasks: 1 (limit: 2285) Memory: 1.8M CGroup: /system.slice/privoxy.service └─18541 /usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.daemon /etc/privoxy/config Feb 16 14:38:29 mach7.hviaene.thuis systemd[1]: Starting Privacy enhancing HTTP Proxy... Feb 16 14:38:30 mach7.hviaene.thuis systemd[1]: Started Privacy enhancing HTTP Proxy. Opened port 8118/tcp on firewall, changed firefox network settings to proxy localhost port 8118 Refreshed open tabs in Firefox: allk OK Browse to a non-existent host, e.g. http://www.n.zz/ And I see a privoxy page saying "No such domain". OK Browse to http://ad.example.com/ And I see a privoxy page saying "Request for blocked URL" with reason "Host matches generic block pattern". Revert Firefox network to system-wide, stop privoxy, all active tabs in Firefox OK Good to go. Whiteboard:
(none) =>
MGA7-64-OK Thanks again, guys. Herman, good to see you back. Validating. Advisory in Comment 8. CC:
(none) =>
andrewsfarm, sysadmin-bugs Advisory commited to SVN. Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0089.html Status:
ASSIGNED =>
RESOLVED |