Bug 9335 - privoxy new security issue CVE-2013-2503
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/543956/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update

Reported: 2013-03-11 16:36 CET by Bit Twister
Modified: 2013-04-02 22:09 CEST (History)
Source RPM: privoxy-3.0.19-4.mga3.src.rpm
Description Bit Twister 2013-03-11 16:36:08 CET
Description of problem:

Vulnerable Version(s): 3.0.20 (and possibly prior)
Tested Version: 3.0.20-1 (tested using Debian Sid)
Vulnerability Type: Insufficiently Protected Credentials [CWE-522]
CVE Reference: CVE-2013-2503
Risk Level: Medium

https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY
Proof of Concept:
http://c22.cc/POC/c22-2013-01.php
Comment 1 Johnny A. Solbu 2013-03-14 10:41:06 CET
Version 3.0.21 pushed to Cauldron.
Comment 2 Bit Twister 2013-03-14 14:29:45 CET
(In reply to Johnny A. Solbu from comment #1)
> Version 3.0.21 pushed to Cauldron.

Good news: it seems to be working.
Bad news: no signature.  :(
I am going to create a new bug report about no signatures.
Comment 3 David Walser 2013-03-22 17:18:56 CET
Fedora has issued an advisory for this on March 12:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html
Comment 4 Johnny A. Solbu 2013-03-28 19:57:25 CET
I have uploaded an updated package for Mageia 2 in core/updates_testing.

Suggested advisory:
========================
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. (CVE-2013-2503)

This update fixes this.

========================


Updated packages in core/updates_testing:
========================
privoxy-3.0.21-1.mga2

Source RPM:
privoxy-3.0.21-1.mga2
Comment 6 Dave Hodgins 2013-04-01 21:36:51 CEST
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
privoxy-3.0.21-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. (CVE-2013-2503)

Fixed in 3.0.21-1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503
https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html

https://bugs.mageia.org/show_bug.cgi?id=9335
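The advisory text quoted in comments 4 and 6 is terse about what "does not properly handle Proxy-Authenticate and Proxy-Authorization headers" actually means for a user behind the proxy. The following is an added example, not privoxy's code and not part of this bug report: a toy model of the proxy-side header handling. The sample HTTP messages are constructed, the host attacker.example is hypothetical, and the from_parent_proxy / to_parent_proxy flags are an assumption standing in for the proxy's own forwarding decision (modelled on the idea of the 3.0.21 fix: a Proxy-Authenticate header is only legitimate when the response comes from a parent proxy, and Proxy-Authorization must never be relayed to an origin server).

```python
"""Toy model of the CVE-2013-2503 header-handling bug and its fix.

Added example, not privoxy code. Sample messages are constructed,
attacker.example is hypothetical, and the *_parent_proxy flags are an
assumption standing in for the proxy's real forwarding decision.
"""
import base64
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed: an origin server (not a proxy) answers an ordinary proxied GET
# with 407. A browser attributes any 407 to its configured proxy, so it shows
# the *proxy* login dialog for whatever realm the attacker chose.
EVIL_SERVER_RESPONSE = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b'Proxy-Authenticate: Basic realm="corporate-proxy"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed: the retried request, now carrying the proxy credentials the
# user typed. A proxy that relays this header hands them to the origin.
_CRED = base64.b64encode(b"alice:s3cret").decode("ascii")
CLIENT_RETRY_REQUEST = (
    "GET http://attacker.example/ HTTP/1.1\r\n"
    "Host: attacker.example\r\n"
    f"Proxy-Authorization: Basic {_CRED}\r\n"
    "\r\n"
).encode("ascii")


def parse_message(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split an HTTP/1.x message into start line, header list and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def build_message(start_line: str, headers: List[Header], body: bytes) -> bytes:
    """Inverse of parse_message."""
    head = "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def _strip_header(raw: bytes, name: str, keep: bool) -> Tuple[bytes, List[Header]]:
    """Remove every instance of `name` (case-insensitive) unless `keep`."""
    start, headers, body = parse_message(raw)
    kept = [h for h in headers if keep or h[0].lower() != name]
    dropped = [h for h in headers if not keep and h[0].lower() == name]
    return build_message(start, kept, body), dropped


def filter_server_response(raw: bytes, from_parent_proxy: bool) -> Tuple[bytes, List[Header]]:
    """Proxy-Authenticate is only meaningful from a parent proxy we forward to;
    from an origin server it is a spoof, so drop it (the check the advisory
    says 3.0.20 lacked; modelled on the 3.0.21 fix as an assumption)."""
    return _strip_header(raw, "proxy-authenticate", keep=from_parent_proxy)


def filter_client_request(raw: bytes, to_parent_proxy: bool) -> Tuple[bytes, List[Header]]:
    """Proxy credentials belong to the proxy chain, never to the origin:
    drop Proxy-Authorization unless the request goes on to a parent proxy."""
    return _strip_header(raw, "proxy-authorization", keep=to_parent_proxy)


def browser_prompts_for_proxy_login(raw_response: bytes) -> bool:
    """Client-side model: 407 plus Proxy-Authenticate triggers the proxy
    credentials dialog, regardless of who actually sent the response."""
    start, headers, _ = parse_message(raw_response)
    status = start.split(" ", 2)[1]
    return status == "407" and any(n.lower() == "proxy-authenticate" for n, _ in headers)


def credentials_in_request(raw_request: bytes) -> List[str]:
    """What an origin server learns if Proxy-Authorization leaks through."""
    _, headers, _ = parse_message(raw_request)
    found = []
    for name, value in headers:
        if name.lower() == "proxy-authorization" and value.lower().startswith("basic "):
            found.append(base64.b64decode(value.split(" ", 1)[1]).decode("utf-8"))
    return found


if __name__ == "__main__":
    # Vulnerable behaviour: the spoofed 407 reaches the browser untouched and
    # the retried request carries the proxy password to the attacker.
    print("relayed unfiltered, browser prompts:", browser_prompts_for_proxy_login(EVIL_SERVER_RESPONSE))
    print("origin sees:", credentials_in_request(CLIENT_RETRY_REQUEST))
    # Fixed behaviour: both headers are stripped on the non-parent-proxy path.
    fixed, dropped = filter_server_response(EVIL_SERVER_RESPONSE, from_parent_proxy=False)
    print("filtered, browser prompts:", browser_prompts_for_proxy_login(fixed), "dropped:", dropped)
    cleaned, _ = filter_client_request(CLIENT_RETRY_REQUEST, to_parent_proxy=False)
    print("origin sees after filter:", credentials_in_request(cleaned))
```

Run it with the unfiltered path and the browser model prompts for proxy credentials on a response that never came from the proxy; with the filter in place the 407 arrives without Proxy-Authenticate (no dialog) and any Proxy-Authorization header the client sends is dropped before the request reaches the origin. The same filters keep both headers when the flag says the other end really is a parent proxy, which is the case the fix must not break.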
Comment 7 Thomas Backlund 2013-04-02 22:09:47 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0103
