Description of problem:

Vulnerable Version(s): 3.0.20 (and possibly prior)
Tested Version: 3.0.20-1 (tested using Debian Sid)
Vulnerability Type: Insufficiently Protected Credentials [CWE-522]
CVE Reference: CVE-2013-2503
Risk Level: Medium
https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY

Proof of Concept: http://c22.cc/POC/c22-2013-01.php
CC: (none) => johnny, luigiwalser
Assignee: bugsquad => johnny
Whiteboard: (none) => MGA2TOO
Version 3.0.21 pushed to Cauldron.
Status: NEW => ASSIGNED
(In reply to Johnny A. Solbu from comment #1)
> Version 3.0.21 pushed to Cauldron.

Good news, it seems to be working. Bad news, no signature. :(
I am going to create a new bug report about no signatures.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
Fedora has issued an advisory for this on March 12: http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html
URL: (none) => http://lwn.net/Vulnerabilities/543956/
Summary: 3_b2: privoxy CVE-2013-2503 => privoxy new security issue CVE-2013-2503
I have uploaded an updated package for Mageia 2 in core/updates_testing.

Suggested advisory:
========================

Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. (CVE-2013-2503)

This update fixes this.
========================

Updated packages in core/updates_testing:
========================
privoxy-3.0.21-1.mga2

Source RPM: privoxy-3.0.21-1.mga2
CC: (none) => sysadmin-bugs
Assignee: johnny => qa-bugs
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503
https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html
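As an added illustration of the header handling the advisory describes (example code written for this report, not Privoxy's own implementation): a forwarding proxy should never relay an upstream server's Proxy-Authenticate challenge to the client, nor the client's Proxy-Authorization credentials to the server, and a 407 arriving from an upstream server is the signal worth logging. The sample messages below are constructed.

```python
# Header hygiene for a forwarding HTTP proxy, illustrating the issue class
# behind CVE-2013-2503. Proxy-Authenticate / Proxy-Authorization are
# hop-by-hop headers that belong to the client<->proxy hop only. If the
# proxy relays them unchanged, a remote server can answer 407 and have the
# browser hand over proxy credentials that the proxy then forwards upstream.

PROXY_AUTH_REQUIRED = 407
RESPONSE_DROP = {"proxy-authenticate"}   # must not come from the origin server
REQUEST_DROP = {"proxy-authorization"}   # must not leave the proxy

def sanitize_response(status, headers):
    """Filter an upstream response before relaying it to the client.

    headers is a list of (name, value) tuples, as read off the wire.
    Returns (status, kept_headers, findings); findings is a list of
    strings a defender would log or alert on."""
    findings, kept = [], []
    for name, value in headers:
        if name.lower() in RESPONSE_DROP:
            findings.append(f"dropped {name} from upstream response")
            continue
        kept.append((name, value))
    if status == PROXY_AUTH_REQUIRED:
        # Only the proxy itself should ever emit 407; from a server it is
        # the spoofing pattern described in the advisory.
        findings.append("upstream server sent 407 Proxy Authentication Required")
    return status, kept, findings

def sanitize_request(headers):
    """Strip the client's proxy credentials before forwarding upstream."""
    return [(n, v) for n, v in headers if n.lower() not in REQUEST_DROP]

def demo():
    """Run both filters over constructed messages and return the results."""
    # Constructed: a malicious-looking origin response trying to look like
    # a proxy challenge.
    upstream = (PROXY_AUTH_REQUIRED, [("Content-Type", "text/html"),
                                      ("Proxy-Authenticate", 'Basic realm="proxy"')])
    # Constructed: a client request that (wrongly) carries proxy credentials.
    client = [("Host", "example.invalid"), ("proxy-authorization", "Basic dXNlcjpwYXNz")]
    return sanitize_response(*upstream), sanitize_request(client)

if __name__ == "__main__":
    (status, kept, findings), forwarded = demo()
    print(status, kept, findings, forwarded, sep="\n")
```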
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm privoxy-3.0.21-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. (CVE-2013-2503)

Fixed in 3.0.21-1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503
https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html
https://bugs.mageia.org/show_bug.cgi?id=9335
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0103
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED