Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-09 Thread Abhijith PA
On 09/03/21 10:47 AM, Roland Rosenfeld wrote:
> Hi Abhijith!
> 
> On Tue, 09 Mar 2021, Abhijith PA wrote:
> 
> > Roland, thanks again for the patch. I can see that the last LTS update
> > (3.0.26-3+deb9u1) was done by you. Hope you can upload this time as
> > well. If not, let me know. I am happy to help. Once uploaded to the
> > archive, I will take care of the DLA and announcements.
> 
> Thanks for your support.
> 
> I just uploaded privoxy_3.0.26-3+deb9u2_source.changes to
> security-master.
> 
> Once it is installed, it would be great if you could do DLA etc.

DLA 2587-1. This is done. Thanks.

--abhijith



Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-09 Thread Roland Rosenfeld
Hi Abhijith!

On Tue, 09 Mar 2021, Abhijith PA wrote:

> Roland, thanks again for the patch. I can see that the last LTS update
> (3.0.26-3+deb9u1) was done by you. Hope you can upload this time as
> well. If not, let me know. I am happy to help. Once uploaded to the
> archive, I will take care of the DLA and announcements.

Thanks for your support.

I just uploaded privoxy_3.0.26-3+deb9u2_source.changes to
security-master.

Once it is installed, it would be great if you could do DLA etc.

Greetings
Roland




Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Abhijith PA
Hello

On 08/03/21 05:16 PM, Sylvain Beucler wrote:
> Hi!
> 
> Thanks for preparing an LTS fix for privoxy.
> 
> For reference, our full procedure is documented at:
> https://wiki.debian.org/LTS/Development
> 
> To answer your points:
> 
> - The debdiff looks good to me
> 
> - Salvatore updated the CVE-2021-20274 status accordingly
> 
> - 'minor issue' means there is no immediate urgency, so the buster/stable
> fixes may be delayed to a point release.
> LTS does not have a point release system, so an LTS upload sounds good.
> 
> - Abhijith (in Cc:) announced his intention to work on the package yesterday
> [1], you probably can coordinate with him for the next steps, in particular
> who will take care of sending the e-mail and website announcements.
> [1] 
> https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

Roland, thanks again for the patch. I can see that the last LTS update
(3.0.26-3+deb9u1) was done by you. Hope you can upload this time as well.
If not, let me know. I am happy to help. Once uploaded to the archive, I
will take care of the DLA and announcements.

--abhijith 



Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Sylvain Beucler

Hi!

Thanks for preparing an LTS fix for privoxy.

For reference, our full procedure is documented at:
https://wiki.debian.org/LTS/Development

To answer your points:

- The debdiff looks good to me

- Salvatore updated the CVE-2021-20274 status accordingly

- 'minor issue' means there is no immediate urgency, so the
buster/stable fixes may be delayed to a point release.

LTS does not have a point release system, so an LTS upload sounds good.

- Abhijith (in Cc:) announced his intention to work on the package 
yesterday [1], you probably can coordinate with him for the next steps, 
in particular who will take care of sending the e-mail and website 
announcements.
[1] 
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt


- If you plan to work on future LTS updates of privoxy and would like to 
be contacted before the LTS team starts working on an update, let us 
know and we'll add you in [2]
[2] 
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me


Cheers!
Sylvain

On 08/03/2021 14:38, Roland Rosenfeld wrote:

> Hi!
> 
> (please Cc: me in reply, since I'm not subscribed to debian-lts)
> 
> Privoxy upstream just released version 3.0.32, which fixes five new
> CVEs that are also reported at security-tracker.
> 
> I prepared a package that fixes CVE-2021-20272, CVE-2021-20273,
> CVE-2021-20275, and CVE-2021-20276.
> 
> CVE-2021-20274 is missing, since it affects code that was introduced
> in 3.0.29, so the stretch package is not affected, since we shipped
> 3.0.26 in stretch.  I requested on IRC #debian-security to tag
> stretch and buster as not affected for this CVE.
> 
> Since all other CVEs are tagged "minor issue" on security-tracker, I'm
> not sure whether it's worth doing an LTS upload for this.
> 
> If you think so, feel free to use it or tell me what I have to do to
> upload it...
> 
> A patch against 3.0.26-3+deb9u1 is attached.
> 
> The Salsa pipeline was successful with this, including the testsuite:
> https://salsa.debian.org/debian/privoxy/-/pipelines/237014
> 
> Greetings
> Roland





privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Roland Rosenfeld
Hi!

(please Cc: me in reply, since I'm not subscribed to debian-lts)

Privoxy upstream just released version 3.0.32, which fixes five new
CVEs that are also reported at security-tracker.

I prepared a package that fixes CVE-2021-20272, CVE-2021-20273,
CVE-2021-20275, and CVE-2021-20276.

CVE-2021-20274 is missing, since it affects code that was introduced
in 3.0.29, so the stretch package is not affected, since we shipped
3.0.26 in stretch.  I requested on IRC #debian-security to tag
stretch and buster as not affected for this CVE.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm
not sure whether it's worth doing an LTS upload for this.

If you think so, feel free to use it or tell me what I have to do to
upload it...

A patch against 3.0.26-3+deb9u1 is attached.

The Salsa pipeline was successful with this, including the testsuite:
https://salsa.debian.org/debian/privoxy/-/pipelines/237014

Greetings
Roland
diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog
--- privoxy-3.0.26/debian/changelog	2021-02-06 21:42:01.0 +0100
+++ privoxy-3.0.26/debian/changelog	2021-03-08 14:11:04.0 +0100
@@ -1,3 +1,17 @@
+privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium
+
+  * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be
+triggered with a crafted CGI request (CVE-2021-20272).
+  * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types.
+Prevents a crash with a crafted CGI request if Privoxy is toggled off
+(CVE-2021-20273).
+  * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of
+size two (CVE-2021-20275).
+  * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses
+(CVE-2021-20276).
+
+ -- Roland Rosenfeld   Mon, 08 Mar 2021 14:11:04 +0100
+
 privoxy (3.0.26-3+deb9u1) stretch-security; urgency=medium
 
   * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request
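Review bot: the 52_CVE-2021-20276 entry says only "Obsolete pcre: Prevent invalid memory accesses", which leaves a DLA reader unable to tell whether the stretch binary package was ever affected; state in that entry whether the stretch build actually compiles the bundled pcre copy the patch touches, or whether the change is source-only hardening on a tree that links the system libpcre. The other three entries are clear about the trigger (a crafted CGI request) and the effect (assertion or crash), so this one should match that level of detail.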
diff -Nru privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch
--- privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch	1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch	2021-03-08 14:11:04.0 +0100
@@ -0,0 +1,32 @@
+commit 2256d7b4d67dd9c364386877d5af59943433458b
+Author: Fabian Keil 
+Date:   Wed Feb 3 19:08:20 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67
+Subject: ssplit(): Remove an assertion that could be triggered with a crafted
+ CGI request (CVE-2021-20272).
+
+This reverts dc4e311bcf.
+
+OVE-20210203-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/ssplit.c
 b/ssplit.c
+@@ -37,7 +37,6 @@ const char ssplit_rcs[] = "$Id: ssplit.c
+ 
+ #include 
+ #include 
+-#include 
+ 
+ #include "ssplit.h"
+ #include "miscutil.h"
+@@ -153,8 +152,6 @@ int ssplit(char *str, const char *delim,
+   }
+}
+/* null terminate the substring */
+-   /* XXX: this shouldn't be necessary, so assert that it isn't. */
+-   assert(*str == '\0');
+*str = '\0';
+ 
+return(vec_count);
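Review bot: the nested patch looks damaged as rendered here: the `+++ b/ssplit.c` header appears as ` b/ssplit.c` with no `+++` (and no leading `+` from the outer debdiff), and the three `#include` lines carry no header name, so the file as shown would not apply cleanly; check the attached .patch from the actual upload rather than this rendering before relying on it. On substance, removing `assert(*str == '\0');` together with the `#include` that precedes it is the right shape for the fix, because the following `*str = '\0';` writes the terminator unconditionally, so a crafted request that previously aborted the process (a denial of service) now simply terminates the substring; dropping the include is only safe if no other assert() remains in ssplit.c, which the successful Salsa pipeline mentioned in the mail should have confirmed.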
diff -Nru privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch
--- privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch	1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch	2021-03-08 14:11:04.0 +0100
@@ -0,0 +1,28 @@
+commit e711c505c4830ab271938d61af90a2075523f058
+Author: Fabian Keil 
+Date:   Sat Feb 6 20:43:06 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48
+Subject: cgi_send_banner(): Overrule invalid image types.  Prevents a crash with
+ a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273).
+
+OVE-20210206-0001.
+
+Reported by: Joshua Rogers (Opera)
+
+--- a/cgisimple.c
 b/cgisimple.c
+@@ -468,6 +468,14 @@ jb_err cgi_send_banner(struct client_sta
+ {
+char imagetype = lookup(parameters, "type")[0];
+ 
++   if (imagetype != 'a' && imagetype != 'b' &&
++   imagetype != 'p' && imagetype != 't')
++   {
++  log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.",
++ imagetype);
++  imagetype = 'p';
++   }
++
+/*
+ * If type is auto, then determine the right thing
+ * to do from the set-image-blocker action
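Review bot: the new guard hard-codes the accepted image types 'a', 'b', 'p' and 't' and rewrites anything else to 'p', but the switch it protects lies outside the hunk, so confirm that switch has exactly those four cases; any additional valid case there would now be silently overruled rather than served. The `log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.", ...)` line is also a useful detection signal for operators: a burst of these entries means the CGI interface is receiving malformed `type` parameters and is worth alerting on, so consider mentioning the new log message in the changelog. Two style points: the Subject has a stray period before "(CVE-2021-20273)", and the `+++ b/cgisimple.c` header is rendered as ` b/cgisimple.c`, the same loss seen in the previous patch file, which suggests the debdiff attachment should be re-checked as a whole.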
diff -Nru privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch
--- privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch	1970-01-01 01:00:00.0 +0100
+++ privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch	2021-03-08 14:11:04.0 +0100
@@ -0,0 +1,26 @@
+commit a912ba7bc9ce5855a810d09332e9d94566ce1521
+Author: Fabian Keil 
+Date:   Fri Feb 5 05:06:56 2021 +0100
+Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c
+Subject: chunked_body_is_complete(): Prevent invalid read of size two
+
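Review bot: this patch file is cut off as shown: the hunk header `@@ -0,0 +1,26 @@` promises 26 added lines but the listing ends right after the Subject, so the chunked_body_is_complete() change cannot be reviewed from this excerpt and needs to be checked from the uploaded source package. Also, unlike the two preceding patch files, the Subject line does not carry the CVE id in parentheses even though the changelog entry does (`(CVE-2021-20275)`); add it so the patch headers stay consistent and greppable.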