From URL:

--------------------------------------------------------------------
ChangeLog for Privoxy 3.0.31
--------------------------------------------------------------------
- Security/Reliability:
  - Prevent an assertion from getting triggered by a crafted CGI request.
    Commit 5bba5b89193fa. OVE-20210130-0001.
    Reported by: Joshua Rogers (Opera)
  - Fixed a memory leak when decompression fails "unexpectedly".
    Commit f431d61740cc0. OVE-20210128-0001.

Please bump to 3.0.31.
(In reply to John Helmert III (ajak) from comment #0)
> Please bump to 3.0.31.

???
3.0.31 is already in the tree. Please fix your scripts.
(In reply to Andrew Savchenko from comment #1)
> (In reply to John Helmert III (ajak) from comment #0)
> > Please bump to 3.0.31.
>
> ???
> 3.0.31 is already in the tree. Please fix your scripts.

Obviously it was a mistake. I've updated the bug accordingly already.

Could you please remember to file security bugs if you notice an issue in your package (or other's)?
(In reply to Sam James from comment #2)
> (In reply to Andrew Savchenko from comment #1)
> > (In reply to John Helmert III (ajak) from comment #0)
> > > Please bump to 3.0.31.
> >
> > ???
> > 3.0.31 is already in the tree. Please fix your scripts.
>
> Obviously it was a mistake. I've updated the bug accordingly already.

Yep, sorry about that, I filed the bug before doing my morning sync and skim of #gentoo-commits, so I missed that it was already added.
(In reply to Sam James from comment #2)
> Could you please remember to file security bugs if you notice an issue in
> your package (or other's)?

I thought this should be done only if problem is not yet fixed. Looks like I misunderstood current policy.

Just to avoid misunderstanding: should bugs be filed about any security-related issue (e.g. invalid memory access) or only about those with CVE / OVE assigned to them?
(In reply to Andrew Savchenko from comment #4)
> (In reply to Sam James from comment #2)
> > Could you please remember to file security bugs if you notice an issue in
> > your package (or other's)?
>
> I thought this should be done only if problem is not yet fixed. Looks like I
> misunderstood current policy.
>
> Just to avoid misunderstanding: should bugs be filed about any
> security-related issue (e.g. invalid memory access) or only about those with
> CVE / OVE assigned to them?

If there are security issues in a package in tree, it can't hurt to file a bug for it. If a problem is not fixed upstream it is still good for us to keep track of it so we can remember to check for a fix. Or we can decide the package needs to be treecleaned, if it is vulnerable and no one is fixing it.
Arch teams, please proceed with net-proxy/privoxy-3.0.31 stabilization.
sparc stable. Build errors will be reported separately.
amd64 done
x86 done
ppc done
ppc64 stable
arm looks good
arm done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bd0a1cca8d26af615e8554e6da1582cc082c038

commit 8bd0a1cca8d26af615e8554e6da1582cc082c038
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 14:16:25 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:22 +0000

    net-proxy/privoxy: remove old and vulnerable versions

    Bug: https://bugs.gentoo.org/768096
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 net-proxy/privoxy/Manifest                         |   2 -
 .../privoxy/files/privoxy-3.0.19-gentoo.patch      | 114 ----------------
 net-proxy/privoxy/files/privoxy-3.0.28-chdir.patch |  15 ---
 .../files/privoxy-3.0.28-null-termination.patch    |  13 --
 .../privoxy/files/privoxy-3.0.29-pthread.patch     |  21 ---
 net-proxy/privoxy/privoxy-3.0.28-r1.ebuild         | 133 ------------------
 net-proxy/privoxy/privoxy-3.0.29.ebuild            | 150 ---------------------
 7 files changed, 448 deletions(-)
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 202107-16 at https://security.gentoo.org/glsa/202107-16 by GLSA coordinator John Helmert III (ajak).