
Bug 771960 (CVE-2021-20272, CVE-2021-20273, CVE-2021-20274, CVE-2021-20275, CVE-2021-20276)

Summary: <net-proxy/privoxy-3.0.32: multiple DoS (CVE-2021-{20272,20273,20274,20275,20276})
Product: Gentoo Security
Reporter: Andrew Savchenko <bircoph>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Andrew Savchenko gentoo-dev 2021-02-21 17:32:42 UTC
Several DoS will be fixed in the upcoming privoxy 3.0.32 release:
https://lists.privoxy.org/pipermail/privoxy-devel/2021-February/000475.html

Patches are not yet published, release is planned on Thursday:
https://lists.privoxy.org/pipermail/privoxy-devel/2021-February/000480.html

I plan to update privoxy next weekend or in a fortnight.
Comment 1 John Helmert III gentoo-dev Security 2021-02-21 22:34:18 UTC
Thank you for the report! We typically don't add a version until a fix is in-tree, though.
Comment 2 Larry the Git Cow gentoo-dev 2021-02-27 16:21:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e03f00b6df257facc1c17b38b84a87f23d22aae

commit 3e03f00b6df257facc1c17b38b84a87f23d22aae
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-27 16:14:53 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-27 16:21:17 +0000

    net-proxy/privoxy: version bump
    
    Update to version 3.0.32
    
    Fixes: OVE-20210203-0001, OVE-20210205-0001, OVE-20210206-0001,
           OVE-20210207-0001, OVE-20210222-0001.
    
    Bug: https://bugs.gentoo.org/771960
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   1 +
 .../privoxy/files/privoxy-3.0.32-gentoo.patch      | 121 +++++++++++++++++
 net-proxy/privoxy/privoxy-3.0.32.ebuild            | 148 +++++++++++++++++++++
 3 files changed, 270 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2021-02-27 20:08:48 UTC
Thank you! Please stabilize when ready.
Comment 4 John Helmert III gentoo-dev Security 2021-03-06 15:20:05 UTC
(In reply to John Helmert III from comment #3)
> Thank you! Please stabilize when ready.

Ping. Ready?
Comment 5 Andrew Savchenko gentoo-dev 2021-03-07 09:07:49 UTC
(In reply to John Helmert III from comment #4)
> (In reply to John Helmert III from comment #3)
> > Thank you! Please stabilize when ready.
> 
> Ping. Ready?

Yes. Arch teams, please proceed with stabilization.
Comment 6 Rolf Eike Beer archtester 2021-03-07 19:50:28 UTC
sparc stable
Comment 7 Sam James archtester gentoo-dev Security 2021-03-07 23:05:21 UTC
ppc done
Comment 8 Sam James archtester gentoo-dev Security 2021-03-07 23:06:52 UTC
ppc64 done
Comment 9 John Helmert III gentoo-dev Security 2021-03-08 02:54:48 UTC
arm done
Comment 10 Sam James archtester gentoo-dev Security 2021-03-08 10:25:36 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-03-08 10:27:02 UTC
x86 done

all arches done
Comment 12 John Helmert III gentoo-dev Security 2021-03-08 13:36:37 UTC
Please clean up.
Comment 13 Larry the Git Cow gentoo-dev 2021-04-03 15:36:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=321320060479e4a9d76ff5a79ce56ba860972c67

commit 321320060479e4a9d76ff5a79ce56ba860972c67
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-04-03 15:31:00 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-04-03 15:31:00 +0000

    net-proxy/privoxy: remove old version
    
    Bug: https://bugs.gentoo.org/771960
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   1 -
 .../privoxy/files/privoxy-3.0.29-gentoo.patch      | 118 -----------------
 net-proxy/privoxy/privoxy-3.0.31.ebuild            | 147 ---------------------
 3 files changed, 266 deletions(-)
Comment 14 John Helmert III gentoo-dev Security 2021-04-04 22:48:51 UTC
Thanks!
Comment 15 Thomas Deutschmann gentoo-dev Security 2021-05-31 21:50:36 UTC
Added to an existing GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2021-07-08 03:38:23 UTC
This issue was resolved and addressed in
 GLSA 202107-16 at https://security.gentoo.org/glsa/202107-16
by GLSA coordinator John Helmert III (ajak).