Bug 9335 - privoxy new security issue CVE-2013-2503
Summary: privoxy new security issue CVE-2013-2503
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/543956/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-03-11 16:36 CET by Bit Twister
Modified: 2013-04-02 22:09 CEST (History)
5 users (show)

See Also:
Source RPM: privoxy-3.0.19-4.mga3.src.rpm
CVE:
Status comment:


Attachments

Description Bit Twister 2013-03-11 16:36:08 CET
Description of problem:

Vulnerable Version(s): 3.0.20 (and possibly prior)
Tested Version: 3.0.20-1 (tested using Debian Sid)
Vulnerability Type: Insufficiently Protected Credentials [CWE-522]
CVE Reference: CVE-2013-2503
Risk Level: Medium

https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

Proof of Concept:
http://c22.cc/POC/c22-2013-01.php


Reproducible: 

Steps to Reproduce:
David Walser 2013-03-11 17:40:03 CET

CC: (none) => johnny, luigiwalser
Assignee: bugsquad => johnny

Johnny A. Solbu 2013-03-12 10:44:47 CET

Whiteboard: (none) => MGA2TOO

Comment 1 Johnny A. Solbu 2013-03-14 10:41:06 CET
Version 3.0.21 pushed to Cauldron.

Status: NEW => ASSIGNED

Comment 2 Bit Twister 2013-03-14 14:29:45 CET
(In reply to Johnny A. Solbu from comment #1)
> Version 3.0.21 pushed to Cauldron.

Good news, It seems to be working.
Bad news, no signature.  :(
I am going to create a new bug report about no signatures.
David Walser 2013-03-14 16:33:52 CET

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 3 David Walser 2013-03-22 17:18:56 CET
Fedora has issued an advisory for this on March 12:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html

URL: (none) => http://lwn.net/Vulnerabilities/543956/

David Walser 2013-03-22 17:19:09 CET

Summary: 3_b2: privoxy CVE-2013-2503 => privoxy new security issue CVE-2013-2503

Comment 4 Johnny A. Solbu 2013-03-28 19:57:25 CET
I have uploaded a updated package for Mageia 2 in core/updates_testing.

Suggested advisory:
========================
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. (CVE-2013-2503)

This update fixes this.

========================


Updated packages in core/updates_testing:
========================
privoxy-3.0.21-1.mga2

Source RPM:
privoxy-3.0.21-1.mga2

CC: (none) => sysadmin-bugs
Assignee: johnny => qa-bugs

Comment 6 Dave Hodgins 2013-04-01 21:36:51 CEST
Testing complete on Mageia 2 i586 and x86_64.

Could someone from the sysadmin team push the srpm
privoxy-3.0.21-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. (CVE-2013-2503)

Fixed in i 3.0.21-1.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503
https://groups.google.com/forum/?hl=en&fromgroups=#!topic/mailing.unix.bugtraq/C4AJAi3CxgY
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100822.html

https://bugs.mageia.org/show_bug.cgi?id=9335

Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 7 Thomas Backlund 2013-04-02 22:09:47 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0103

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.