| Summary: | <net-proxy/privoxy-3.0.31: Multiple vulnerabilities (CVE-2021-{20216,20217}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | bircoph |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.privoxy.org/announce.txt | | |
| Whiteboard: | B3 [glsa+ cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 758428 | | |

Description
John Helmert III
(In reply to John Helmert III (ajak) from comment #0)
> Please bump to 3.0.31.

???
3.0.31 is already in the tree. Please fix your scripts.

(In reply to Andrew Savchenko from comment #1)
> (In reply to John Helmert III (ajak) from comment #0)
> > Please bump to 3.0.31.
>
> ???
> 3.0.31 is already in the tree. Please fix your scripts.

Obviously it was a mistake. I've updated the bug accordingly already.

Could you please remember to file security bugs if you notice an issue in your package (or other's)?

(In reply to Sam James from comment #2)
> (In reply to Andrew Savchenko from comment #1)
> > (In reply to John Helmert III (ajak) from comment #0)
> > > Please bump to 3.0.31.
> >
> > ???
> > 3.0.31 is already in the tree. Please fix your scripts.
>
> Obviously it was a mistake. I've updated the bug accordingly already.

Yep, sorry about that, I filed the bug before doing my morning sync and skim of #gentoo-commits, so I missed that it was already added.

(In reply to Sam James from comment #2)
> Could you please remember to file security bugs if you notice an issue in
> your package (or other's)?

I thought this should be done only if problem is not yet fixed. Looks like I misunderstood current policy.

Just to avoid misunderstanding: should bugs be filed about any security-related issue (e.g. invalid memory access) or only about those with CVE / OVE assigned to them?

(In reply to Andrew Savchenko from comment #4)
> (In reply to Sam James from comment #2)
> > Could you please remember to file security bugs if you notice an issue in
> > your package (or other's)?
>
> I thought this should be done only if problem is not yet fixed. Looks like I
> misunderstood current policy.
>
> Just to avoid misunderstanding: should bugs be filed about any
> security-related issue (e.g. invalid memory access) or only about those with
> CVE / OVE assigned to them?

If there are security issues in a package in tree, it can't hurt to file a bug for it.

If a problem is not fixed upstream it is still good for us to keep track of it so we can remember to check for a fix. Or we can decide the package needs to be treecleaned, if it is vulnerable and no one is fixing it.

Arch teams, please proceed with net-proxy/privoxy-3.0.31 stabilization.

sparc stable.

Build errors will be reported separately.

amd64 done

x86 done

ppc done

ppc64 stable

arm looks good

USE tests started on Sat Feb 13 02:57:20 -00 2021

FEATURES=' test' USE='' succeeded for =net-proxy/privoxy-3.0.31

USE='acl -brotli client-tags -compression editor -extended-host-patterns -extended-statistics -external-filters fast-redirects -force -fuzz -graceful-termination image-blocking ipv6 lfs mbedtls -openssl png-images -ssl stats threads -toggle -tools whitelists -zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='-acl brotli -client-tags -compression -editor -extended-host-patterns -extended-statistics -external-filters -fast-redirects force -fuzz -graceful-termination image-blocking -ipv6 lfs -mbedtls openssl png-images -ssl -stats threads -toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='acl -brotli client-tags -compression -editor extended-host-patterns -extended-statistics -external-filters fast-redirects force -fuzz graceful-termination image-blocking ipv6 lfs -mbedtls openssl png-images -ssl stats threads -toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='acl -brotli -client-tags -compression editor extended-host-patterns -extended-statistics external-filters fast-redirects force fuzz graceful-termination -image-blocking -ipv6 -lfs -mbedtls openssl -png-images -ssl -stats threads toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='acl brotli -client-tags -compression editor extended-host-patterns extended-statistics -external-filters -fast-redirects -force -fuzz -graceful-termination image-blocking ipv6 lfs -mbedtls openssl png-images ssl -stats threads toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='acl -brotli client-tags compression editor -extended-host-patterns -extended-statistics external-filters -fast-redirects force fuzz graceful-termination image-blocking ipv6 lfs -mbedtls -openssl -png-images -ssl stats threads toggle -tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='-acl brotli -client-tags compression editor -extended-host-patterns extended-statistics external-filters -fast-redirects force fuzz -graceful-termination image-blocking ipv6 lfs mbedtls -openssl -png-images -ssl stats threads -toggle tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='-acl brotli -client-tags compression editor -extended-host-patterns -extended-statistics -external-filters fast-redirects force fuzz graceful-termination image-blocking ipv6 lfs -mbedtls openssl -png-images ssl -stats threads toggle tools -whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='acl -brotli -client-tags -compression editor extended-host-patterns extended-statistics external-filters fast-redirects -force -fuzz graceful-termination -image-blocking -ipv6 lfs mbedtls -openssl png-images ssl stats threads -toggle -tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='-acl -brotli -client-tags -compression editor extended-host-patterns extended-statistics external-filters fast-redirects force -fuzz graceful-termination -image-blocking -ipv6 lfs mbedtls -openssl png-images ssl stats threads toggle -tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='-acl -brotli -client-tags compression -editor extended-host-patterns extended-statistics -external-filters fast-redirects force fuzz -graceful-termination image-blocking ipv6 lfs mbedtls -openssl png-images -ssl -stats threads -toggle tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

USE='acl brotli client-tags compression editor -extended-host-patterns -extended-statistics external-filters fast-redirects -force fuzz -graceful-termination -image-blocking ipv6 -lfs -mbedtls -openssl -png-images -ssl stats threads toggle tools whitelists zlib' succeeded for =net-proxy/privoxy-3.0.31

arm done

all arches done

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0a1cca8d26af615e8554e6da1582cc082c038

commit 8bd0a1cca8d26af615e8554e6da1582cc082c038
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 14:16:25 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:22 +0000

    net-proxy/privoxy: remove old and vulnerable versions

    Bug: https://bugs.gentoo.org/768096
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   2 -
 .../privoxy/files/privoxy-3.0.19-gentoo.patch      | 114 ----------------
 net-proxy/privoxy/files/privoxy-3.0.28-chdir.patch |  15 ---
 .../files/privoxy-3.0.28-null-termination.patch    |  13 --
 .../privoxy/files/privoxy-3.0.29-pthread.patch     |  21 ---
 net-proxy/privoxy/privoxy-3.0.28-r1.ebuild         | 133 ------------------
 net-proxy/privoxy/privoxy-3.0.29.ebuild            | 150 ---------------------
 7 files changed, 448 deletions(-)

Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 202107-16 at https://security.gentoo.org/glsa/202107-16 by GLSA coordinator John Helmert III (ajak).