CVEs have been requested for a couple of security issues fixed in privoxy: http://openwall.com/lists/oss-security/2016/01/21/4 The issues are fixed in version 3.0.24.
CC: (none) => cooker
Whiteboard: (none) => MGA5TOO
CVEs have been assigned: http://openwall.com/lists/oss-security/2016/01/22/3
Summary: privoxy new security issues fixed upstream in 3.0.24 => privoxy new security issues fixed upstream in 3.0.24 (CVE-2016-1982 and CVE-2016-1983)
Debian-LTS has issued an advisory for this on January 23: http://lwn.net/Vulnerabilities/673455/
URL: (none) => http://lwn.net/Vulnerabilities/673455/
privoxy-3.0.24-1.mga6 uploaded for Cauldron by Christiaan.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Updated packages are ready for testing:
MGA5
SRPM:
privoxy-3.0.23-1.1.mga5.src.rpm
RPMS:
privoxy-3.0.23-1.1.mga5.i586.rpm
privoxy-3.0.23-1.1.mga5.x86_64
A test procedure can be found in https://bugs.mageia.org/show_bug.cgi?id=14892#c9
Proposed advisory:
This update fixes two denial-of-service vulnerabilities that have been discovered in privoxy 3.0.23:
The remove_chunked_transfer_coding function in filters.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via crafted chunk-encoded content. (CVE-2016-1982)
The client_host function in parsers.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via an empty HTTP Host header. (CVE-2016-1983)
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1983
CC: (none) => cjw
Assignee: cjw => qa-bugs
Testing complete mga5 64 using procedure mentioned to get the blocked page. Also viewed proxy settings from the link there.
Whiteboard: (none) => has_procedure mga5-64-ok
Validating. Advisory uploaded. Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0055.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED