From ${URL} :

The 3.0.22 release of Privoxy fixes the following potential flaws:

"Fixed a memory leak when rejecting client connections due to the socket limit being reached (CID 66382). This affected Privoxy 3.0.21 when compiled with IPv6 support (on most platforms this is the default). Fixed an immediate-use-after-free bug (CID 66394) and two additional unconfirmed use-after-free complaints made by Coverity scan (CID 66391, CID 66376)."

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Copying over "privoxy-3.0.21-r2.ebuild" to "privoxy-3.0.22.ebuild" already seems to allow building new v3.0.22.
In contact with upstream about CVE, if not requested will request one.
Privoxy-3.0.22 is in tree now.
(In reply to Andrew Savchenko from comment #3)
> Privoxy-3.0.22 is in tree now.

Does this mean version 3.0.22 fixes the issue?
If so, are all vulnerable unstable ebuilds dropped? Do we need to stabilize any version?
(In reply to Justin Lecher from comment #4)
> (In reply to Andrew Savchenko from comment #3)
> > Privoxy-3.0.22 is in tree now.
>
> Does this mean version 3.0.22 fixes the issue?
> If so, are all vulnerable unstable ebuilds dropped? Do we need to stabilize
> any version?

We should mark 3.0.22 stable and then drop all ebuilds prior to 3.0.22.
(In reply to Justin Lecher from comment #4)
> (In reply to Andrew Savchenko from comment #3)
> > Privoxy-3.0.22 is in tree now.
>
> Does this mean version 3.0.22 fixes the issue?

Yes, it does. See comment 1 (a snippet from the 3.0.22 changelog).

> If so, are all vulnerable unstable ebuilds dropped?

Yes.

(In reply to Mikle Kolyada from comment #5)
> we should mark 3.0.22 stable and then drop all ebuilds prior 3.0.22.

Ok.
 * Applying privoxy-3.0.19-gentoo.patch ...                                [ ok ]
 * Applying privoxy-3.0.22-force.patch ...
 * Failed Patch: privoxy-3.0.22-force.patch !
 *  ( /portage/net-proxy/privoxy/files/privoxy-3.0.22-force.patch )
 *
 * Include in your bugreport the contents of:
 *
 *   /var/tmp/portage/net-proxy/privoxy-3.0.22/temp/privoxy-3.0.22-force.patch.out
 * ERROR: net-proxy/privoxy-3.0.22::gentoo failed (prepare phase):
 *   Failed Patch: privoxy-3.0.22-force.patch!

x4 ~ # cat /var/tmp/portage/net-proxy/privoxy-3.0.22/temp/privoxy-3.0.22-force.patch.out
***** privoxy-3.0.22-force.patch *****
PWD: /var/tmp/portage/net-proxy/privoxy-3.0.22/work/privoxy-3.0.22-stable
======================================
PATCH COMMAND:  patch -p0 -g0 -E --no-backup-if-mismatch < '/portage/net-proxy/privoxy/files/privoxy-3.0.22-force.patch'
======================================
checking file project.h
Hunk #1 FAILED at 1.
1 out of 2 hunks FAILED
...
Patch failed! The version string should be the source file (project.h), not the patch file name (privoxy-3.0.22-force.patch). You diffed on the patch...
(In reply to vintniv from comment #8)
> you diffed on the patch...

No, this issue was more delicate: CVS mangled the patch, because it contained a CVS header. Here is the original upstream patch:
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/project.h?r1=1.208&r2=1.209&view=patch

The first chunk is removed now, as it is unneeded to fix the --disable-force issue.
x86 done.
amd64 stable
sparc stable
ppc64 stable
ppc stable
alpha stable
CVE-2015-1201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1201):
  Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVE-2015-1031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1031):
  Multiple use-after-free vulnerabilities in Privoxy before 3.0.22 allow remote attackers to have unspecified impact via vectors related to (1) the unmap function in list.c or (2) "two additional unconfirmed use-after-free complaints made by Coverity scan." NOTE: some of these details are obtained from third party information.

CVE-2015-1030 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1030):
  Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached.
arm still pending stabilization. New security bug is being stabilized as part of Bug 537884, setting dependency.
arm stable, all arches done.
All vulnerable versions are removed from tree, including 3.0.22 (see bug 537884).
Arches, thank you for your work. GLSA Vote: No
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No