The release announcement for privoxy 3.0.22 lists two security issues fixed: http://www.privoxy.org/announce.txt We could update it or backport the fixes (if the patches can be located). Mageia 4 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
CC: (none) => cjw
Which are the security issues, CID 66382 and CID 66394 ?
Also 66391 and 66376, yes
I've updated cauldron svn with latest upstream version, 3.0.22. But I have to disable "make dok" to make it build. Would that be a problem? If not, I can commit that also, and ask for a freeze push.
I have 3.0.22 ready for cauldron, but with docs, I'll see if I can merge that fix.
It would also seem that something is playing with me. I thought the IPv4 force patch was merged upstream, as it failed, and when I inspected it, the changes where merged. But now I can't find it. So the IPv4-only patch needs to be rediffed, and I don't thinkl I'm the one to do it.
Yep I re-added it, should be ready for freeze push but I have not done a new local test build (yet). I'll submit the mga4 update to updates_testing.
And I've narrowed down the problem with the patch. I splitted them up into four patches, as opposed to all in one patch. It's the bottom part that patches the file «project.h» that doesn't work. They have removed the «RUNTIME_FEATURE_» lines from the file «project.h».
Your patches works. Now it builds on cauldron.
updated packages are ready for testing: MGA4: Source RPM: privoxy-3.0.21-2.2.mga4.src.rpm Binary RPMs: privoxy-3.0.21-2.2.mga4.i586.rpm privoxy-3.0.21-2.2.mga4.x86_64.rpm Proposed test procedure (updated from https://bugs.mageia.org/show_bug.cgi?id=13785#c6 ): 1. install privoxy 2. start it (apparently not done on package install): systemctl start privoxy.service 3. set your favorite browser to use this proxy host: localhost port: 8118 Some browsers can be configured with an env var when started from the command line: export http_proxy=localhost:8118 4. browse to a non-existent host, e.g. http://www.n.zz/ You should see a privoxy page saying "No such domain". 5. browse to one or two web sites to check that the proxy works properly 6. browse to http://ad.example.com/ You should see a privoxy page saying "Request for blocked URL" with reason "Host matches generic block pattern". 7. After testing, change back the browser settings (and remove the privoxy package). Proposed advisory: Updated privoxy packages fix security issues: A memory leak occurred in privoxy 3.0.21 compiled with IPv6 support when rejecting client connections due to the socket limit being reached. (CID 66382) A use-after-free bug was found in privoxy 3.0.21 and two additional potential use-after-free issues were detected by Coverity scan. (CID 66394, CID 66376, CID 66391) Also fixed is a file descriptor leak in an error path in jbsockets.c. (CID 66368) References: http://www.privoxy.org/announce.txt
Version: Cauldron => 4Assignee: cooker => qa-bugsWhiteboard: MGA4TOO => has_procedure
CC: (none) => cooker
Testing on Mageia4 x 32 real hardware using procedure from Comment 9 From current package : -------------------- privoxy-3.0.21-2.1.mga4 # systemctl start privoxy.service # systemctl status -l privoxy.service privoxy.service - Privacy enhancing HTTP Proxy Loaded: loaded (/usr/lib/systemd/system/privoxy.service; enabled) Active: active (running) After setting firefox to use proxy localhost:8118 Browsed to http://www.n.zz/ 404 This is Privoxy 3.0.21 on localhost (127.0.0.1), port 8118, enabled No such domain Browsed to http://ad.example.com/ BLOCKED This is Privoxy 3.0.21 on localhost (127.0.0.1), port 8118, enabled Request for blocked URL Your request for http://ad.example.com/ was blocked. Block reason: Host matches generic block pattern. # systemctl stop privoxy.service # systemctl disable privoxy.service Updated to testing package : -------------------------- privoxy-3.0.21-2.2.mga4 # systemctl start privoxy.service [root@localhost zitounu]# systemctl status privoxy.service privoxy.service - Privacy enhancing HTTP Proxy Loaded: loaded (/usr/lib/systemd/system/privoxy.service; disabled) Active: active (running) Browsed to previous adresses, gave same messages. All OK here.
CC: (none) => olchalWhiteboard: has_procedure => has_procedure MGA4-32-OK
MGA-4-64 on HP Probook 6555b KDE. No installation issues. Confirm results as per Comment 10 using Firefox. Note: I also tried this with Konqueror as browser. Specifying localhost 8118 as proxy resulted in Time outs. When I changed the proxy setting to 127.0.0.1 8118, then I got the same results as with Firefox above
CC: (none) => herman.viaeneWhiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Are there any relevant CVE's for this update please? David, anything you'd like to add to the advisory? (comment 9)
I'm not aware of any CVEs. The advisory is fine
Thanks. Validating. Advisory uploaded. Please push to 4 updates
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0003.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/628618/
CVE request: http://openwall.com/lists/oss-security/2015/01/08/1
CVE-2015-1030 and CVE-2015-1031 assigned: http://openwall.com/lists/oss-security/2015/01/11/1
Summary: privoxy new security issues fixed upstream in 3.0.22 => privoxy new security issues fixed upstream in 3.0.22 (CVE-2015-103[01])
LWN reference for CVE-2015-1031: http://lwn.net/Vulnerabilities/630217/