Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package privoxy for openSUSE:Factory checked in at 2021-03-10 08:56:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/privoxy (Old) and /work/SRC/openSUSE:Factory/.privoxy.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "privoxy" Wed Mar 10 08:56:46 2021 rev:51 rq:877778 version:3.0.32 Changes: -------- --- /work/SRC/openSUSE:Factory/privoxy/privoxy.changes 2021-02-03 19:55:38.061668203 +0100 +++ /work/SRC/openSUSE:Factory/.privoxy.new.2378/privoxy.changes 2021-03-10 08:58:22.834958674 +0100 @@ -1,0 +2,104 @@ +Sat Mar 6 18:33:24 UTC 2021 - Carsten Ziepke <kiel...@gmail.com> + +- Update to version 3.0.32: + - Security/Reliability (boo#1183129) + - ssplit(): Remove an assertion that could be triggered with a + crafted CGI request. + Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272 + Reported by: Joshua Rogers (Opera) + - cgi_send_banner(): Overrule invalid image types. Prevents a + crash with a crafted CGI request if Privoxy is toggled off. + Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273 + Reported by: Joshua Rogers (Opera) + - socks5_connect(): Don't try to send credentials when none are + configured. Fixes a crash due to a NULL-pointer dereference + when the socks server misbehaves. + Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274 + Reported by: Joshua Rogers (Opera) + - chunked_body_is_complete(): Prevent an invalid read of size + two. + Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275 + Reported by: Joshua Rogers (Opera) + - Obsolete pcre: Prevent invalid memory accesses with an invalid + pattern passed to pcre_compile(). Note that the obsolete pcre + code is scheduled to be removed before the 3.0.33 release. + There has been a warning since 2008 already. + Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276 + Reported by: Joshua Rogers (Opera) + - Bug fixes: + - Properly parse the client-tag-lifetime directive. Previously it was + not accepted as an obsolete hash value was being used. + Reported by: Joshua Rogers (Opera) + - decompress_iob(): Prevent reading of uninitialized data. + Reported by: Joshua Rogers (Opera). + - decompress_iob(): Don't advance cur past eod when looking + for the end of the file name and comment. + - decompress_iob(): Cast value to unsigned char before shifting. + Prevents a left-shift of a negative value which is undefined behaviour. + Reported by: Joshua Rogers (Opera) + - gif_deanimate(): Confirm that that we have enough data before doing + any work. Fixes a crash when fuzzing with an empty document. + Reported by: Joshua Rogers (Opera). + - buf_copy(): Fail if there's no data to write or nothing to do. + Prevents undefined behaviour "applying zero offset to null pointer". + Reported by: Joshua Rogers (Opera) + - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is + being used while fuzzing. + Reported by: Joshua Rogers (Opera). + - Respect DESTDIR when considering whether or not to install + config files with ".new" extension. + - OpenSSL ssl_store_cert(): Fix two error messages. + - Fix a couple of format specifiers. + - Silence compiler warnings when compiling with NDEBUG. + - fuzz_server_header(): Fix compiler warning. + - fuzz_client_header(): Fix compiler warning. + - cgi_send_user_manual(): Also reject requests if the user-manual + directive specifies a https:// URL. Previously Privoxy would try and + fail to open a local file. + - General improvements: + - Log the TLS version and the the cipher when debug 2 is enabled. + - ssl_send_certificate_error(): Respect HEAD requests by not sending a body. + - ssl_send_certificate_error(): End the body with a single new line. + - serve(): Increase the chances that the host is logged when closing + a server socket. + - handle_established_connection(): Add parentheses to clarify an expression + Suggested by: David Binderman + - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE + if process_encrypted_request() fails. This makes it more obvious that the + connection will not be reused. Previously serve() relied on + CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset. + Inspired by a patch from Joshua Rogers (Opera). + - decompress_iob(): Add periods to a couple of log messages + - Terminate the body of the HTTP snipplets with a single new line + instead of "\r\n". + - configure: Add --with-assertions option and only enable assertions + when it is used + - windows build: Use --with-brotli and --with-mbedtls by default and + enable dynamic error checking. + - gif_deanimate(): Confirm we've got an image before trying to write it + Saves a pointless buf_copy() call. + - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number. + - Action file improvements: + - Disable fast-redirects for .golem.de/ + - Unblock requests to adri*. + - Block requests for trc*.taboola.com/ + - Disable fast-redirects for .linkedin.com/ + - Filter file improvements: + - Make the second pcrs job of the img-reorder filter greedy again. + The ungreedy version broke the img tags on: + https://bulk.fefe.de/scalability/. + - Privoxy-Log-Parser: + - Highlight a few more messages. + - Clarify the --statistics output. The shown "Reused connections" + are server connections so name them appropriately. + - Bump version to 0.9.3. + - Privoxy-Regression-Test: + - Add the --check-bad-ssl option to the --help output. + - Bump version to 0.7.3. + - Documentation: + - Add pushing the created tag to the release steps in the developer manual. + - Clarify that 'debug 32768' should be used in addition to the other debug + directives when reporting problems. + - Add a 'Third-party licenses and copyrights' section to the user manual. + +------------------------------------------------------------------- Old: ---- privoxy-3.0.31-stable-src.tar.gz privoxy-3.0.31-stable-src.tar.gz.asc New: ---- privoxy-3.0.32-stable-src.tar.gz privoxy-3.0.32-stable-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ privoxy.spec ++++++ --- /var/tmp/diff_new_pack.LFdvZc/_old 2021-03-10 08:58:23.406959264 +0100 +++ /var/tmp/diff_new_pack.LFdvZc/_new 2021-03-10 08:58:23.410959268 +0100 @@ -18,7 +18,7 @@ %define chroot %{_localstatedir}/lib/privoxy Name: privoxy -Version: 3.0.31 +Version: 3.0.32 Release: 0 Summary: The Internet Junkbuster - HTTP Proxy Server License: GPL-3.0-or-later ++++++ privoxy-3.0.31-stable-src.tar.gz -> privoxy-3.0.32-stable-src.tar.gz ++++++ ++++ 4614 lines of diff (skipped)
