commit privoxy.17332 for openSUSE:Leap:15.2:Update
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package privoxy.17332 for openSUSE:Leap:15.2:Update checked in at 2021-12-30 23:33:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/privoxy.17332 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "privoxy.17332" Thu Dec 30 23:33:05 2021 rev:1 rq:943046 version:3.0.33 Changes: -------- New Changes file: --- /dev/null 2021-12-30 11:57:43.217130414 +0100 +++ /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896/privoxy.changes 2021-12-30 23:33:06.429030927 +0100 
@@ -0,0 +1,1870 @@ +------------------------------------------------------------------- +Fri Dec 10 19:50:34 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> + +- privoxy 3.0.33 (boo#1183584): + * CVE-2021-44543: Encode the template name to prevent XSS + (cross-side scripting) when Privoxy is configured to servce + the user-manual itself + * CVE-2021-44540: Free memory of compiled pattern spec + before bailing + * CVE-2021-44541: Free header memory when failing to get the + request destination. + * CVE-2021-44542: Prevent memory leaks when handling errors + * Disable fast-redirects for a number of domains + * Update default block lists + * Many bug fixes and minor enhancements + +------------------------------------------------------------------- +Sat Mar 6 18:33:24 UTC 2021 - Carsten Ziepke <kieltux@gmail.com> + +- Update to version 3.0.32: + - Security/Reliability (boo#1183129) + - ssplit(): Remove an assertion that could be triggered with a + crafted CGI request. + Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272 + Reported by: Joshua Rogers (Opera) + - cgi_send_banner(): Overrule invalid image types. Prevents a + crash with a crafted CGI request if Privoxy is toggled off. + Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273 + Reported by: Joshua Rogers (Opera) + - socks5_connect(): Don't try to send credentials when none are + configured. Fixes a crash due to a NULL-pointer dereference + when the socks server misbehaves. + Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274 + Reported by: Joshua Rogers (Opera) + - chunked_body_is_complete(): Prevent an invalid read of size + two. + Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275 + Reported by: Joshua Rogers (Opera) + - Obsolete pcre: Prevent invalid memory accesses with an invalid + pattern passed to pcre_compile(). Note that the obsolete pcre + code is scheduled to be removed before the 3.0.33 release. + There has been a warning since 2008 already. + Commit 28512e5b624. OVE-20210222-0001. 
CVE-2021-20276 + Reported by: Joshua Rogers (Opera) + - Bug fixes: + - Properly parse the client-tag-lifetime directive. Previously it was + not accepted as an obsolete hash value was being used. + Reported by: Joshua Rogers (Opera) + - decompress_iob(): Prevent reading of uninitialized data. + Reported by: Joshua Rogers (Opera). + - decompress_iob(): Don't advance cur past eod when looking + for the end of the file name and comment. + - decompress_iob(): Cast value to unsigned char before shifting. + Prevents a left-shift of a negative value which is undefined behaviour. + Reported by: Joshua Rogers (Opera) + - gif_deanimate(): Confirm that that we have enough data before doing + any work. Fixes a crash when fuzzing with an empty document. + Reported by: Joshua Rogers (Opera). + - buf_copy(): Fail if there's no data to write or nothing to do. + Prevents undefined behaviour "applying zero offset to null pointer". + Reported by: Joshua Rogers (Opera) + - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is + being used while fuzzing. + Reported by: Joshua Rogers (Opera). + - Respect DESTDIR when considering whether or not to install + config files with ".new" extension. + - OpenSSL ssl_store_cert(): Fix two error messages. + - Fix a couple of format specifiers. + - Silence compiler warnings when compiling with NDEBUG. + - fuzz_server_header(): Fix compiler warning. + - fuzz_client_header(): Fix compiler warning. + - cgi_send_user_manual(): Also reject requests if the user-manual + directive specifies a https:// URL. Previously Privoxy would try and + fail to open a local file. + - General improvements: + - Log the TLS version and the the cipher when debug 2 is enabled. + - ssl_send_certificate_error(): Respect HEAD requests by not sending a body. + - ssl_send_certificate_error(): End the body with a single new line. + - serve(): Increase the chances that the host is logged when closing + a server socket. 
+ - handle_established_connection(): Add parentheses to clarify an expression + Suggested by: David Binderman + - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE + if process_encrypted_request() fails. This makes it more obvious that the + connection will not be reused. Previously serve() relied on + CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset. + Inspired by a patch from Joshua Rogers (Opera). + - decompress_iob(): Add periods to a couple of log messages + - Terminate the body of the HTTP snipplets with a single new line + instead of "\r\n". + - configure: Add --with-assertions option and only enable assertions + when it is used + - windows build: Use --with-brotli and --with-mbedtls by default and + enable dynamic error checking. + - gif_deanimate(): Confirm we've got an image before trying to write it + Saves a pointless buf_copy() call. + - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number. + - Action file improvements: + - Disable fast-redirects for .golem.de/ + - Unblock requests to adri*. + - Block requests for trc*.taboola.com/ + - Disable fast-redirects for .linkedin.com/ + - Filter file improvements: + - Make the second pcrs job of the img-reorder filter greedy again. + The ungreedy version broke the img tags on: + https://bulk.fefe.de/scalability/. + - Privoxy-Log-Parser: + - Highlight a few more messages. + - Clarify the --statistics output. The shown "Reused connections" + are server connections so name them appropriately. + - Bump version to 0.9.3. + - Privoxy-Regression-Test: + - Add the --check-bad-ssl option to the --help output. + - Bump version to 0.7.3. + - Documentation: + - Add pushing the created tag to the release steps in the developer manual. + - Clarify that 'debug 32768' should be used in addition to the other debug + directives when reporting problems. + - Add a 'Third-party licenses and copyrights' section to the user manual. 
+ +------------------------------------------------------------------- +Mon Feb 1 19:51:51 UTC 2021 - Carsten Ziepke <kieltux@gmail.com> + +- Update to version 3.0.31: + - Security/Reliability (boo#1181650) + - Prevent an assertion from getting triggered by a crafted + CGI request. + Commit 5bba5b89193fa. OVE-20210130-0001. CVE-2021-20217 + Reported by: Joshua Rogers (Opera) + - Fixed a memory leak when decompression fails "unexpectedly". + Commit f431d61740cc0. OVE-20210128-0001. CVE-2021-20216 + - Bug fixes: + - Fixed detection of insufficient data for decompression. + Previously Privoxy could try to decompress a partly + uninitialized buffer. +- Update to version 3.0.30: + - Bug fixes: + - Check the actual URL for redirects when https inspecting requests. + Previously Privoxy would only check the path which resulted in + rewrite results being rejected as invalid URLs. + Reported by withoutname in #1736. + - Let the hide-referrer code tolerate Referer headers with https:// URLs. + Previously they would always be treated like a changed host. + - Use the https headers if the show-request handler is reached through + https://. Previously Privoxy would use the http headers which + may be empty on a reused connection. + - Make CGI_PREFIX protocol-relative when building with FEATURE_HTTPS_INSPECTION. + This unbreaks (at least) https://config.privoxy.org/client-tags whose + buttons would previously use a http:// URL resulting in browser warnings. + - Support using https-inspection and client-header-order at the same time. + Previously Privoxy would crash. + Reported by: Kai Raven + - Properly reject rewrites from http to https as they currently + aren't supported. Previously Privoxy would wait for the client + to establish an encrypted connection which obviously would not happen. 
+ - When https inspection is enabled and Privoxy has been compiled with + FEATURE_GRACEFUL_TERMINATION (not recommended for production builds), + the TLS backend resources are free'd later on and only if no active + connections are left. Prevents crashes when exiting "gracefully" at the + wrong time. + - Let the uninstall target remove the config file even if DESTDIR + is set and properly announce the deletion of the configuration files. + - General improvements: + - Allow to rewrite the request destination for https-inspected + requests behind the client's back. The documentation already sort + of claimed that it was supported by not especially mentioning that + it didn't work for https-inspected requests. + Fixes SF bug #923 reported by withoutname. + - Add support for filtering client request bodies by using + CLIENT-BODY-FILTER filters which can be enabled with the + client-body-filter action. + Patch submitted by Maxim Antonov. + Sponsored by: Robert Klemme + - Add the new action suppress-tag{} which can be used to prevent + a tagger from adding a tag. Patch submitted by Maxim Antonov. + Sponsored by: Robert Klemme + - Gracefully handle existing website keys without matching certificates. + This can happen if Privoxy was previously running with an invalid + TLS configuration that didn't allow it to create a certificate. + - Recycle debug bit 4 for Tagging-related messages. + - Improve the message shown when the client-tags CGI page + is requested with no tags configured. + - Shorten the 'donate' and 'participate' links used by templates + using redirects. Currently the redirects lead to the FAQ entries + but in the future we may want to relocate the content and using + redirects makes this more convenient. + - Log an error when a PCRE-HOST-PATTERN is used with + FEATURE_PCRE_HOST_PATTERNS disabled. Don't treat this a + fatal error so the regression tests can be used with and + without FEATURE_PCRE_HOST_PATTERNS. 
+ - The code compiles with older C compilers again. + - The chdir() return code is checked to fix a compiler warning. + - The packages feed has been removed from the source tarball. + It's usually out of date when the source tarball is generated + for the release. + - Fixed harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2. + - windows: Remove obsolete '$(DEST)/doc/images' target. ++++ 1673 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896/privoxy.changes New: ---- privoxy-3.0.16-networkmanager.systemd.patch privoxy-3.0.17-utf8.patch privoxy-3.0.21-config.patch privoxy-3.0.33-stable-src.tar.gz privoxy-3.0.33-stable-src.tar.gz.asc privoxy.changes privoxy.keyring privoxy.logrotate.systemd privoxy.service privoxy.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ privoxy.spec ++++++ # # spec file for package privoxy # # Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define chroot %{_localstatedir}/lib/privoxy Name: privoxy Version: 3.0.33 Release: 0 Summary: The Internet Junkbuster - HTTP Proxy Server License: GPL-3.0-or-later Group: Productivity/Networking/Web/Proxy URL: https://www.privoxy.org/ Source: https://www.privoxy.org/sf-download-mirror/Sources/%{version}%%20%%28stable%%29/%{name}-%{version}-stable-src.tar.gz Source2: https://www.privoxy.org/sf-download-mirror/Sources/%{version}%%20%%28stable%%29/%{name}-%{version}-stable-src.tar.gz.asc Source3: %{name}.service Source4: %{name}.logrotate.systemd Source5: https://www.fabiankeil.de/gpg-keys/fk-8BA2371C.asc#/%{name}.keyring Patch1: %{name}-3.0.21-config.patch Patch2: %{name}-3.0.17-utf8.patch Patch3: %{name}-3.0.16-networkmanager.systemd.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: pkgconfig BuildRequires: w3m BuildRequires: pkgconfig(libbrotlicommon) BuildRequires: pkgconfig(libcrypto) BuildRequires: pkgconfig(libpcre) BuildRequires: pkgconfig(libssl) BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(zlib) Requires: logrotate Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/useradd %{?systemd_ordering} %description The Internet Junkbuster - HTTP Proxy Server: A non-caching HTTP proxy server that runs between a web browser and a web server and filters contents as described in the configuration files. %package doc Summary: The documentation of Privoxy Group: Productivity/Networking/Web/Proxy Requires: %{name} = %{version} BuildArch: noarch %description doc Documentation files for the Privoxy: The Internet Junkbuster - HTTP Proxy Server. A non-caching HTTP proxy server that runs between a web browser and a web server and filters contents as described in the configuration files. 
%prep %setup -q -n privoxy-%{version}-stable %patch1 -p1 %patch2 %patch3 %build autoreconf -fiv %configure \ --enable-compression \ --with-openssl\ --with-brotli \ --enable-extended-statistics \ --enable-pcre-host-patterns %make_build %install mkdir -p %{buildroot}/%{_unitdir} mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d mkdir -p %{buildroot}/%{chroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}/%{chroot}/log mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/log mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/run mkdir -p %{buildroot}/%{chroot}/%{_lib} mkdir -p %{buildroot}%{_mandir}/man8 mkdir -p %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d cp -a templates %{buildroot}/%{chroot}%{_sysconfdir} install -m 644 config *.action *.filter trust %{buildroot}/%{chroot}%{_sysconfdir} sed -e 's/@lib@/%{_lib}/g' %{SOURCE3} > %{buildroot}/%{_unitdir}/%{name}.service ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} install -m 755 privoxy %{buildroot}%{_sbindir} install -m 755 privoxy_nm %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd install -m 644 privoxy.8 %{buildroot}%{_mandir}/man8 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/privoxy ln -s ../../log %{buildroot}/%{chroot}%{_localstatedir}/log/privoxy ln -sf %{chroot}%{_sysconfdir}/ %{buildroot}%{_sysconfdir}/privoxy %pre %service_add_pre %{name}.service %{_sbindir}/groupadd -r privoxy 2> /dev/null ||: %{_sbindir}/useradd -r -g privoxy -s /bin/false -c "Daemon user for privoxy" \ -d %{_localstatedir}/lib/privoxy privoxy 2> /dev/null ||: exit 0 %post %service_add_post %{name}.service %preun %service_del_preun %{name}.service %postun %service_del_postun %{name}.service %files %license LICENSE %doc AUTHORS README ChangeLog %{_sbindir}/privoxy %{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd %dir %{_sysconfdir}/NetworkManager %dir %{_sysconfdir}/NetworkManager/dispatcher.d %{_mandir}/man8/privoxy.8%{?ext_man} %config(noreplace) 
%{_sysconfdir}/logrotate.d/privoxy %dir /%{chroot}%{_sysconfdir} %config(noreplace) /%{chroot}%{_sysconfdir}/config %config(noreplace) /%{chroot}%{_sysconfdir}/trust %config /%{chroot}%{_sysconfdir}/match-all.action %config %attr(640,privoxy,root) /%{chroot}%{_sysconfdir}/default.action %config(noreplace) %attr(640,privoxy,root) /%{chroot}%{_sysconfdir}/user.action %config(noreplace) /%{chroot}%{_sysconfdir}/*.filter %dir %{chroot} %{chroot}%{_sysconfdir}/templates %dir %attr(770,root,privoxy) %{chroot}/log %{chroot}%{_localstatedir} %{chroot}/%{_lib} %{chroot}%{_sysconfdir}/regression-tests.action %{_unitdir}/%{name}.service %{_sbindir}/rcprivoxy %{_sysconfdir}/privoxy %files doc %license LICENSE %doc doc/source %changelog ++++++ privoxy-3.0.16-networkmanager.systemd.patch ++++++ --- privoxy_nm +++ privoxy_nm @@ -0,0 +1,18 @@ +#! /bin/sh +# +# privoxy - rerun privoxy in response to interface change +# +# Wagner Thomas <wagner-thomas@gmx.at> +# Place this script in the /etc/NetworkManager/dispatcher.d/ directory. + +case "$2" in + up) + /usr/bin/systemctl reload privoxy + ;; + down) + /usr/bin/systemctl reload privoxy + ;; + *) + exit 0 + ;; +esac + ++++++ privoxy-3.0.17-utf8.patch ++++++ --- default.filter +++ default.filter @@ -375,7 +375,7 @@ s/\x84/,,/g s/\x85/.../g #s/\x88/^/g -#s-\x89- �/��-g +#s-\x89- ��/����-g s/\x8B/</g s/\x8C/Oe/g s/\x91/`/g ++++++ privoxy-3.0.21-config.patch ++++++ --- config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: privoxy-3.0.22-stable/config =================================================================== --- privoxy-3.0.22-stable.orig/config 2014-11-14 11:31:53.000000000 +0000 +++ privoxy-3.0.22-stable/config 2014-11-28 22:59:49.000000000 +0000 @@ -260,7 +260,7 @@ # # No trailing "/", please. # -confdir . +confdir /etc # # 2.2. templdir # ============== 
@@ -345,7 +345,7 @@ confdir . # # No trailing "/", please. # -logdir . +logdir /log # # 2.5. actionsfile # ================= ++++++ privoxy.logrotate.systemd ++++++ /var/lib/privoxy/log/logfile { compress dateext notifempty create 640 privoxy root su privoxy privoxy rotate 99 size 4M #maxage 365 postrotate /usr/bin/systemctl reload privoxy endscript } /var/lib/privoxy/log/jarfile { compress dateext notifempty create 640 privoxy root su privoxy privoxy rotate 99 size 4M #maxage 365 postrotate /usr/bin/systemctl reload privoxy endscript } ++++++ privoxy.service ++++++ [Unit] Description=Privoxy Web Proxy With Advanced Filtering Capabilities After=network.target [Service] Type=forking PIDFile=/run/privoxy.pid ExecStartPre=-/usr/bin/cp -upf /etc/resolv.conf /etc/host.conf /etc/hosts /etc/localtime /var/lib/privoxy/etc/ ExecStartPre=-/usr/bin/cp -upf /@lib@/libresolv.so.2 /@lib@/libnss_dns.so.2 /var/lib/privoxy/@lib@/ ExecStart=/usr/sbin/privoxy --chroot --pidfile /run/privoxy.pid --user privoxy /etc/config ExecReload=/bin/kill -HUP $MAINPID [Install] WantedBy=multi-user.target
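Review bot: the 3.0.33 entry at the top of privoxy.changes has two typos in the CVE-2021-44543 item: "cross-side scripting" should read "cross-site scripting" and "servce" should read "serve". The entry is the user-visible record of the security fix, so it is worth correcting before the text is copied further.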
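Review bot: in the %files section of privoxy.spec, default.action and user.action are installed with %attr(640,privoxy,root), so the daemon account owns its own filtering rules and can rewrite them. Unless write access from the running proxy is intended, owner root with group privoxy and mode 640 would leave the daemon read-only access. As a style point, `--with-openssl\` in %configure lacks the space before the backslash that the other continuation lines have.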
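Review bot: in privoxy-3.0.16-networkmanager.systemd.patch the `up)` and `down)` branches of privoxy_nm run the identical command, and the reload is issued whether or not privoxy is running, in which case `systemctl reload` returns an error to the dispatcher. Merging the branches into `up|down)` and using `systemctl try-reload-or-restart privoxy` would remove the duplication and skip the unit when it is inactive.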
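Review bot: the only line changed by privoxy-3.0.17-utf8.patch in default.filter is commented out (`#s-\x89-...`), so the patch does not alter what the filter does. If its purpose is only to re-encode the file, a short header comment in the patch saying so would help; otherwise it can be dropped.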
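Review bot: the paths set in privoxy-3.0.21-config.patch, `confdir /etc` and `logdir /log`, are only correct relative to the chroot that privoxy.service enters with --chroot (/var/lib/privoxy per the spec's %define chroot), and nothing in the config says so. A comment next to each directive would prevent someone starting privoxy without --chroot from reading the host's /etc and writing to /log. The patch header also still names privoxy-3.0.22-stable while the package is 3.0.33; refreshing it would confirm the hunks at lines 260 and 345 still match.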
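Review bot: privoxy.logrotate.systemd bounds retention only by size (`rotate 99` with `size 4M`) because `maxage 365` is commented out in both stanzas, so request logs can be kept indefinitely on a lightly used proxy. Consider enabling a maxage value. The two stanzas are also identical apart from the path and could be one block listing both files with `sharedscripts`, so the reload in postrotate runs once per rotation.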
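Review bot: both ExecStartPre lines in privoxy.service carry the "-" prefix, so a failed copy of resolv.conf, hosts, libresolv.so.2 or libnss_dns.so.2 into /var/lib/privoxy is ignored and the daemon starts inside the chroot with stale or missing resolver files. Consider dropping the prefix, at least for the library copy, so the failure is visible. The unit also sets no systemd sandboxing options and relies entirely on privoxy's own --chroot and --user; NoNewPrivileges=yes would be worth testing as a first addition.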
participants (1): Source-Sync