Privoxy 3.0.31 has been announced on January 31, fixing two security issues: http://www.privoxy.org/announce.txt Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
freeze push asked
CC: (none) => mageia
Various packages for this, so assigning it globally.
Assignee: bugsquad => pkg-bugs
fixed on cauldron
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
(In reply to Nicolas Lécureuil from comment #3)
> fixed on cauldron

Nope: https://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20210203114820.tmb.duvel.40052/log/privoxy-3.0.31-1.mga8/build.x86_64.0.20210203114910.log
You are right :) Thanks, this is now fixed: privoxy-3.0.31-1.mga8
CVEs have been issued: https://www.openwall.com/lists/oss-security/2021/02/04/4
Status comment: (none) => Fixed upstream in 3.0.31
Summary: privoxy 3.0.31 fixes security issues => privoxy 3.0.31 fixes security issues (CVE-2021-20216 and CVE-2021-20217)
openSUSE has issued an advisory for this on February 8: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LYXYETZZHYGLBE3WLXSZCYBO5VDRKFDT/
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Fixed a memory leak when decompression fails "unexpectedly". (CVE-2021-20216)

Prevent an assertion from getting triggered by a crafted CGI request. (CVE-2021-20217)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20216
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20217
http://www.privoxy.org/announce.txt
https://www.openwall.com/lists/oss-security/2021/02/04/4
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LYXYETZZHYGLBE3WLXSZCYBO5VDRKFDT/
========================

Updated package in core/updates_testing:
========================
privoxy-3.0.31-1.mga7

from SRPM:
privoxy-3.0.31-1.mga7.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 3.0.31 => (none)
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2021-20216, CVE-2021-20217
CC: (none) => nicolas.salguero
mga7, x64

Installed privoxy-3.0.29-1. Set the network settings for privoxy to default values in firefox and cleared the cache. Enabled and started the privoxy daemon. Checked the /etc/privoxy/config file and left it with default settings. Confirmed that there was a /var/log/privoxy directory.

No PoC for the CVEs at this time.

Updated to the candidate package. Restarted the privoxy service.

# systemctl status privoxy
● privoxy.service - Privacy enhancing HTTP Proxy
     Loaded: loaded (/usr/lib/systemd/system/privoxy.service; enabled; vendor pre>
     Active: active (running) since Sun 2021-02-14 14:04:03 GMT; 9s ago
    Process: 15967 ExecStart=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user >
   Main PID: 15968 (privoxy)
      Tasks: 1 (limit: 4915)
     Memory: 1.1M
     CGroup: /system.slice/privoxy.service
             └─15968 /usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.d>

Feb 14 14:04:02 difda systemd[1]: Starting Privacy enhancing HTTP Proxy...
Feb 14 14:04:03 difda systemd[1]: Started Privacy enhancing HTTP Proxy.

Browsed a bit - Radio Times, Youtube, tried searches (DuckDuckGo), online newspaper. /var/log/privoxy logfile remained empty.

Unsure if this suffices as a test but the daemon runs and nothing unusual happens in firefox. Reserving judgement - awaiting comments.
CC: (none) => tarazed25
MGA7-64 MATE on Peaq C1011

No installation issues.

Ref bug 27678 for testing.

# systemctl -l status privoxy
● privoxy.service - Privacy enhancing HTTP Proxy
   Loaded: loaded (/usr/lib/systemd/system/privoxy.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

# systemctl start privoxy
# systemctl -l status privoxy
● privoxy.service - Privacy enhancing HTTP Proxy
   Loaded: loaded (/usr/lib/systemd/system/privoxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-02-16 14:38:30 CET; 5s ago
  Process: 18540 ExecStart=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.daemon /etc/privoxy/config (code=exited, status=0/SUCCESS)
 Main PID: 18541 (privoxy)
    Tasks: 1 (limit: 2285)
   Memory: 1.8M
   CGroup: /system.slice/privoxy.service
           └─18541 /usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.daemon /etc/privoxy/config

Feb 16 14:38:29 mach7.hviaene.thuis systemd[1]: Starting Privacy enhancing HTTP Proxy...
Feb 16 14:38:30 mach7.hviaene.thuis systemd[1]: Started Privacy enhancing HTTP Proxy.

Opened port 8118/tcp on firewall, changed firefox network settings to proxy localhost port 8118.
Refreshed open tabs in Firefox: all OK.
Browse to a non-existent host, e.g. http://www.n.zz/ and I see a privoxy page saying "No such domain". OK.
Browse to http://ad.example.com/ and I see a privoxy page saying "Request for blocked URL" with reason "Host matches generic block pattern".
Revert Firefox network to system-wide, stop privoxy, all active tabs in Firefox OK.

Good to go.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
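The two QA comments above do the same check by hand: confirm the candidate package is installed and that privoxy still answers a request for a blocked host with its own block page rather than forwarding it. Here is that check as a script, added as an example and not part of the bug report or of Mageia's QA tooling. It assumes an rpm-based Mageia 7 host, privoxy listening on its default localhost:8118 as in the comment above, and curl being available; the version comparison is pure POSIX sh so it works without GNU sort.

```sh
#!/bin/sh
# Added example (not from the bug report): verify the privoxy update for
# CVE-2021-20216 / CVE-2021-20217 is in place on a Mageia 7 host.
# Assumptions: rpm is present, privoxy listens on 127.0.0.1:8118 (its default),
# and the default config blocks ad.example.com, as the QA comment observed.

FIXED_VERSION="3.0.31"                    # upstream release that fixes both CVEs
PROXY="${PROXY:-http://127.0.0.1:8118}"   # assumed default privoxy listen address

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Compares numeric components left to right; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# installed_version: print the installed privoxy VERSION (no release tag),
# or nothing if the package is absent.
installed_version() {
    rpm -q --qf '%{VERSION}\n' privoxy 2>/dev/null
}

# check_block_page: request a host the default config blocks through the proxy.
# Returns 0 if privoxy's "Request for blocked URL" page came back, 1 if some
# other body came back (request was forwarded), 2 if the proxy was unreachable.
check_block_page() {
    body=$(curl -s --max-time 5 -x "$PROXY" http://ad.example.com/) || return 2
    case "$body" in
        *"Request for blocked URL"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    v=$(installed_version)
    if [ -z "$v" ]; then
        echo "privoxy is not installed"; return 1
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "privoxy $v: fixed version (>= $FIXED_VERSION)"
    else
        echo "privoxy $v: still vulnerable, update to $FIXED_VERSION or later"; return 1
    fi
    check_block_page
    case $? in
        0) echo "proxy at $PROXY answers blocked URL with its block page" ;;
        1) echo "proxy at $PROXY forwarded a URL the default config should block"; return 1 ;;
        *) echo "proxy at $PROXY not reachable (is the service running?)"; return 1 ;;
    esac
}

# Run the checks only when executed as check_privoxy.sh, so the functions
# can also be sourced from another script.
case "${0##*/}" in
    check_privoxy.sh) main ;;
esac
```

Save it as check_privoxy.sh and run it with `sh check_privoxy.sh` after starting the service; a non-zero exit means either the old package is still installed or the proxy is not filtering as expected. The version check alone is the part worth keeping in a post-update inventory sweep, since the block-page test needs the daemon running and a firewall rule for 8118/tcp.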
Thanks again, guys. Herman, good to see you back. Validating. Advisory in Comment 8.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory committed to SVN.
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0089.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED