Bug 29745 - privoxy 3.0.33 fixes security issues (CVE-2021-4454[0-3])
Summary: privoxy 3.0.33 fixes security issues (CVE-2021-4454[0-3])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-12-08 17:32 CET by David Walser
Modified: 2021-12-19 17:14 CET (History)
4 users (show)

See Also:
Source RPM: privoxy-3.0.32-2.mga9.src.rpm
CVE:
Status comment:

Attachments
Privoxy 3.0.33 ChangeLog (14.02 KB, text/plain)
2021-12-08 17:32 CET, David Walser 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-12-08 17:32:16 CET 
Privoxy 3.0.33 has been released today (December 8).

The announcement will end up here, but is only on SourceForge for now:
http://www.privoxy.org/announce.txt

It lists 4 security fixes.

Mageia 8 is also affected.

I updated it in Cauldron but please review it before pushing to the build system.
Comment 1 David Walser 2021-12-08 17:32:48 CET 
Created attachment 13027 [details]
Privoxy 3.0.33 ChangeLog
David Walser 2021-12-08 17:33:03 CET

Whiteboard: (none) => MGA8TOO

Comment 2 David Walser 2021-12-09 17:04:18 CET 
Announcement/ChangeLog is now posted at the URL in Comment 0.
Comment 3 David Walser 2021-12-11 21:55:06 CET 
Christiaan uploaded the 3.0.33 I committed and patched 3.0.32 for Mageia 8.

privoxy-3.0.32-1.1.mga8

from privoxy-3.0.32-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
CC: (none) => cjw
Assignee: cjw => qa-bugs
Version: Cauldron => 8

Comment 4 Herman Viaene 2021-12-14 15:03:38 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Followed procedure from bug 28281 Comment 10
# systemctl  start privoxy
[root@mach5 ~]#  systemctl -l status privoxy
● privoxy.service - Privacy enhancing HTTP Proxy
     Loaded: loaded (/usr/lib/systemd/system/privoxy.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-12-14 14:51:57 CET; 3s ago
    Process: 5168 ExecStart=/usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.daemon /etc/privoxy/config (code=exited, status=0/SUCCESS)
   Main PID: 5169 (privoxy)
      Tasks: 1 (limit: 9396)
     Memory: 1.1M
        CPU: 9ms
     CGroup: /system.slice/privoxy.service
             └─5169 /usr/sbin/privoxy --pidfile /run/privoxy.pid --user daemon.daemon /etc/privoxy/config

dec 14 14:51:56 mach5.hviaene.thuis systemd[1]: Starting Privacy enhancing HTTP Proxy...
dec 14 14:51:57 mach5.hviaene.thuis systemd[1]: Started Privacy enhancing HTTP Proxy.
Opened port 8118/tcp on firewall, changed firefox network settings to proxy localhost port 8118 and and set "Use this proxy for https" on.
Refreshed open tabs in Firefox: allk OK
Browse to a non-existent host, e.g. http://www.n.zz/
And I see a privoxy page saying "No such domain". OK

Browse to http://ad.example.com/
And I see a privoxy page saying "Request for blocked URL" with reason "Host matches generic block pattern".
Revert Firefox network to system-wide, stop privoxy, all active tabs in Firefox OK
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-12-15 14:21:06 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-12-19 16:15:33 CET

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-12-19 17:14:55 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0570.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.