Summary: | <net-proxy/privoxy-3.0.21: Proxy-Authentication response spoofing (CVE-2013-2503) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | net-proxy+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=920643 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-03-12 14:29:29 UTC
net-proxy, is =net-proxy/privoxy-3.0.21 ready for stabilization? This was just added yesterday so this has not been tested thoroughly yet. We might want to wait a minimal amount of days to see if no bugs arise, let's wait until the start of next week at least before stabilizing this version. (In reply to comment #2) > This was just added yesterday so this has not been tested thoroughly yet. We > might want to wait a minimal amount of days to see if no bugs arise, let's > wait until the start of next week at least before stabilizing this version. Thanks, Tom. We will follow-up the beginning of next week then. With the ok from the maintainer on irc: Arches, please test and mark stable: =net-proxy/privoxy-3.0.21 Target keywords : "alpha amd64 arm ppc ppc64 sparc x86" amd64 stable x86 stable ppc stable ppc64 stable arm stable alpha stable sparc stable Old version has been removed, please vote. GLSA vote: no CVE-2013-2503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2503): Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. NO too, closing. |