From ${URL} : Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2503 to the following vulnerability: Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503 [2] http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/ [3] http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup
net-proxy, is =net-proxy/privoxy-3.0.21 ready for stabilization?
This was just added yesterday so this has not been tested thoroughly yet. We might want to wait a minimal amount of days to see if no bugs arise, let's wait until the start of next week at least before stabilizing this version.
(In reply to comment #2) > This was just added yesterday so this has not been tested thoroughly yet. We > might want to wait a minimal amount of days to see if no bugs arise, let's > wait until the start of next week at least before stabilizing this version. Thanks, Tom. We will follow-up the beginning of next week then.
With the ok from the maintainer on irc: Arches, please test and mark stable: =net-proxy/privoxy-3.0.21 Target keywords : "alpha amd64 arm ppc ppc64 sparc x86"
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable
alpha stable
sparc stable
Old version has been removed, please vote.
GLSA vote: no
CVE-2013-2503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2503): Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.
NO too, closing.