Bug 28456

Summary: privoxy 3.0.32 fixes security issues (CVE-2021-2027[2-6])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: privoxy-3.0.31-1.mga8.src.rpm CVE:
Status comment:
Attachments: Privoxy 3.0.32 ChangeLog

Description David Walser 2021-02-26 19:43:15 CET 
Privoxy 3.0.32 has been released on February 25.

The announcement will end up here, but is only on SourceForge for now:
http://www.privoxy.org/announce.txt

It lists 5 security fixes.

Mageia 7 and Mageia 8 are also affected.
Comment 1 David Walser 2021-02-26 19:43:37 CET 
Created attachment 12400 [details]
Privoxy 3.0.32 ChangeLog
David Walser 2021-02-26 19:43:51 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 2 Lewis Smith 2021-02-27 09:57:50 CET 
Various packagers have dealt with this in the past, so having to assign this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 4 Nicolas Lécureuil 2021-02-28 22:16:30 CET 
fixed in cauldron : privoxy-3.0.32-1.mga9

src for mga 7/8:
            - privoxy-3.0.32-1.mga7
            - privoxy-3.0.32-1.mga8

CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2021-03-03 01:55:48 CET 
Advisory:
========================

Updated privoxy package fixes security vulnerabilities:

The privoxy package has been updated to version 3.0.32, fixing five security
issues and several other bugs.

References:
https://lists.privoxy.org/pipermail/privoxy-announce/2021-February/000007.html
Comment 6 David Walser 2021-03-06 17:47:36 CET 
CVEs assigned:
https://www.openwall.com/lists/oss-security/2021/03/06/2

Summary: privoxy 3.0.32 fixes security issues => privoxy 3.0.32 fixes security issues (CVE-2021-2027[2-6])

Comment 7 Herman Viaene 2021-03-23 11:08:49 CET 
MGA7-64 MATE on PeaqC1011
No installation issues. 
Followed tests  as in bug 28281 Comment 10, all worked OK.

Side note: could you provide the exact rpm names, as QARepo is a very usefull tool, but  quite picky on names.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene

Comment 8 David Walser 2021-03-23 11:31:33 CET 
He actually did, there are no subpackages for this one.  Qarepo is overkill for a single package update too.
Comment 9 Herman Viaene 2021-03-23 11:35:17 CET 
Yes, sorry, I overlooked a typo I made myself.
Comment 10 Thomas Andrews 2021-04-02 00:33:49 CEST 
MGA8-64 Plasma on AMD Phenom II. Using qarepo here may be "overkill," but it doesn't require activating the updates_testing repos, so it is simpler.

No installation issues. Tried following the tests in bug 28281 Comment 10. Started the service, checked status, but fumbled configuring the firewall and Firefox. Firefox wouldn't connect to anything. Removed all of the attempted changes, stopped the privoxy service, and Firefox was working again.

Going to OK this for MGA8, based on a clean install and being able to start and stop the service. Since the same version is being used on MGA7, chances are it would also work correctly on MGA8, if someone who knew what he was doing attempted to use it.

Validating. Advisory in Comment 5.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-04-02 10:52:17 CEST

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-04-02 12:17:56 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0166.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 12 David Walser 2021-05-28 00:22:46 CEST 
Debian-LTS has issued an advisory for this on March 9:
https://www.debian.org/lts/security/2021/dla-2587