Hello community,
here is the log from the commit of package privoxy.17332 for openSUSE:Leap:15.2:Update checked in at 2021-12-30 23:33:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/privoxy.17332 (Old)
and /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "privoxy.17332"
Thu Dec 30 23:33:05 2021 rev:1 rq:943046 version:3.0.33
Changes:
--------
New Changes file:
--- /dev/null 2021-12-30 11:57:43.217130414 +0100
+++ /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896/privoxy.changes 2021-12-30 23:33:06.429030927 +0100
@@ -0,0 +1,1870 @@
+-------------------------------------------------------------------
+Fri Dec 10 19:50:34 UTC 2021 - Andreas Stieger
+
+- privoxy 3.0.33 (boo#1183584):
+ * CVE-2021-44543: Encode the template name to prevent XSS
+ (cross-side scripting) when Privoxy is configured to servce
+ the user-manual itself
+ * CVE-2021-44540: Free memory of compiled pattern spec
+ before bailing
+ * CVE-2021-44541: Free header memory when failing to get the
+ request destination.
+ * CVE-2021-44542: Prevent memory leaks when handling errors
+ * Disable fast-redirects for a number of domains
+ * Update default block lists
+ * Many bug fixes and minor enhancements
+
+-------------------------------------------------------------------
+Sat Mar 6 18:33:24 UTC 2021 - Carsten Ziepke
+
+- Update to version 3.0.32:
+ - Security/Reliability (boo#1183129)
+ - ssplit(): Remove an assertion that could be triggered with a
+ crafted CGI request.
+ Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272
+ Reported by: Joshua Rogers (Opera)
+ - cgi_send_banner(): Overrule invalid image types. Prevents a
+ crash with a crafted CGI request if Privoxy is toggled off.
+ Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273
+ Reported by: Joshua Rogers (Opera)
+ - socks5_connect(): Don't try to send credentials when none are
+ configured. Fixes a crash due to a NULL-pointer dereference
+ when the socks server misbehaves.
+ Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274
+ Reported by: Joshua Rogers (Opera)
+ - chunked_body_is_complete(): Prevent an invalid read of size
+ two.
+ Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275
+ Reported by: Joshua Rogers (Opera)
+ - Obsolete pcre: Prevent invalid memory accesses with an invalid
+ pattern passed to pcre_compile(). Note that the obsolete pcre
+ code is scheduled to be removed before the 3.0.33 release.
+ There has been a warning since 2008 already.
+ Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276
+ Reported by: Joshua Rogers (Opera)
+ - Bug fixes:
+ - Properly parse the client-tag-lifetime directive. Previously it was
+ not accepted as an obsolete hash value was being used.
+ Reported by: Joshua Rogers (Opera)
+ - decompress_iob(): Prevent reading of uninitialized data.
+ Reported by: Joshua Rogers (Opera).
+ - decompress_iob(): Don't advance cur past eod when looking
+ for the end of the file name and comment.
+ - decompress_iob(): Cast value to unsigned char before shifting.
+ Prevents a left-shift of a negative value which is undefined behaviour.
+ Reported by: Joshua Rogers (Opera)
+ - gif_deanimate(): Confirm that that we have enough data before doing
+ any work. Fixes a crash when fuzzing with an empty document.
+ Reported by: Joshua Rogers (Opera).
+ - buf_copy(): Fail if there's no data to write or nothing to do.
+ Prevents undefined behaviour "applying zero offset to null pointer".
+ Reported by: Joshua Rogers (Opera)
+ - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
+ being used while fuzzing.
+ Reported by: Joshua Rogers (Opera).
+ - Respect DESTDIR when considering whether or not to install
+ config files with ".new" extension.
+ - OpenSSL ssl_store_cert(): Fix two error messages.
+ - Fix a couple of format specifiers.
+ - Silence compiler warnings when compiling with NDEBUG.
+ - fuzz_server_header(): Fix compiler warning.
+ - fuzz_client_header(): Fix compiler warning.
+ - cgi_send_user_manual(): Also reject requests if the user-manual
+ directive specifies a https:// URL. Previously Privoxy would try and
+ fail to open a local file.
+ - General improvements:
+ - Log the TLS version and the the cipher when debug 2 is enabled.
+ - ssl_send_certificate_error(): Respect HEAD requests by not sending a body.
+ - ssl_send_certificate_error(): End the body with a single new line.
+ - serve(): Increase the chances that the host is logged when closing
+ a server socket.
+ - handle_established_connection(): Add parentheses to clarify an expression
+ Suggested by: David Binderman
+ - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE
+ if process_encrypted_request() fails. This makes it more obvious that the
+ connection will not be reused. Previously serve() relied on
+ CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset.
+ Inspired by a patch from Joshua Rogers (Opera).
+ - decompress_iob(): Add periods to a couple of log messages
+ - Terminate the body of the HTTP snipplets with a single new line
+ instead of "\r\n".
+ - configure: Add --with-assertions option and only enable assertions
+ when it is used
+ - windows build: Use --with-brotli and --with-mbedtls by default and
+ enable dynamic error checking.
+ - gif_deanimate(): Confirm we've got an image before trying to write it
+ Saves a pointless buf_copy() call.
+ - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.
+ - Action file improvements:
+ - Disable fast-redirects for .golem.de/
+ - Unblock requests to adri*.
+ - Block requests for trc*.taboola.com/
+ - Disable fast-redirects for .linkedin.com/
+ - Filter file improvements:
+ - Make the second pcrs job of the img-reorder filter greedy again.
+ The ungreedy version broke the img tags on:
+ https://bulk.fefe.de/scalability/.
+ - Privoxy-Log-Parser:
+ - Highlight a few more messages.
+ - Clarify the --statistics output. The shown "Reused connections"
+ are server connections so name them appropriately.
+ - Bump version to 0.9.3.
+ - Privoxy-Regression-Test:
+ - Add the --check-bad-ssl option to the --help output.
+ - Bump version to 0.7.3.
+ - Documentation:
+ - Add pushing the created tag to the release steps in the developer manual.
+ - Clarify that 'debug 32768' should be used in addition to the other debug
+ directives when reporting problems.
+ - Add a 'Third-party licenses and copyrights' section to the user manual.
+
+-------------------------------------------------------------------
+Mon Feb 1 19:51:51 UTC 2021 - Carsten Ziepke
+
+- Update to version 3.0.31:
+ - Security/Reliability (boo#1181650)
+ - Prevent an assertion from getting triggered by a crafted
+ CGI request.
+ Commit 5bba5b89193fa. OVE-20210130-0001. CVE-2021-20217
+ Reported by: Joshua Rogers (Opera)
+ - Fixed a memory leak when decompression fails "unexpectedly".
+ Commit f431d61740cc0. OVE-20210128-0001. CVE-2021-20216
+ - Bug fixes:
+ - Fixed detection of insufficient data for decompression.
+ Previously Privoxy could try to decompress a partly
+ uninitialized buffer.
+- Update to version 3.0.30:
+ - Bug fixes:
+ - Check the actual URL for redirects when https inspecting requests.
+ Previously Privoxy would only check the path which resulted in
+ rewrite results being rejected as invalid URLs.
+ Reported by withoutname in #1736.
+ - Let the hide-referrer code tolerate Referer headers with https:// URLs.
+ Previously they would always be treated like a changed host.
+ - Use the https headers if the show-request handler is reached through
+ https://. Previously Privoxy would use the http headers which
+ may be empty on a reused connection.
+ - Make CGI_PREFIX protocol-relative when building with FEATURE_HTTPS_INSPECTION.
+ This unbreaks (at least) https://config.privoxy.org/client-tags whose
+ buttons would previously use a http:// URL resulting in browser warnings.
+ - Support using https-inspection and client-header-order at the same time.
+ Previously Privoxy would crash.
+ Reported by: Kai Raven
+ - Properly reject rewrites from http to https as they currently
+ aren't supported. Previously Privoxy would wait for the client
+ to establish an encrypted connection which obviously would not happen.
+ - When https inspection is enabled and Privoxy has been compiled with
+ FEATURE_GRACEFUL_TERMINATION (not recommended for production builds),
+ the TLS backend resources are free'd later on and only if no active
+ connections are left. Prevents crashes when exiting "gracefully" at the
+ wrong time.
+ - Let the uninstall target remove the config file even if DESTDIR
+ is set and properly announce the deletion of the configuration files.
+ - General improvements:
+ - Allow to rewrite the request destination for https-inspected
+ requests behind the client's back. The documentation already sort
+ of claimed that it was supported by not especially mentioning that
+ it didn't work for https-inspected requests.
+ Fixes SF bug #923 reported by withoutname.
+ - Add support for filtering client request bodies by using
+ CLIENT-BODY-FILTER filters which can be enabled with the
+ client-body-filter action.
+ Patch submitted by Maxim Antonov.
+ Sponsored by: Robert Klemme
+ - Add the new action suppress-tag{} which can be used to prevent
+ a tagger from adding a tag. Patch submitted by Maxim Antonov.
+ Sponsored by: Robert Klemme
+ - Gracefully handle existing website keys without matching certificates.
+ This can happen if Privoxy was previously running with an invalid
+ TLS configuration that didn't allow it to create a certificate.
+ - Recycle debug bit 4 for Tagging-related messages.
+ - Improve the message shown when the client-tags CGI page
+ is requested with no tags configured.
+ - Shorten the 'donate' and 'participate' links used by templates
+ using redirects. Currently the redirects lead to the FAQ entries
+ but in the future we may want to relocate the content and using
+ redirects makes this more convenient.
+ - Log an error when a PCRE-HOST-PATTERN is used with
+ FEATURE_PCRE_HOST_PATTERNS disabled. Don't treat this a
+ fatal error so the regression tests can be used with and
+ without FEATURE_PCRE_HOST_PATTERNS.
+ - The code compiles with older C compilers again.
+ - The chdir() return code is checked to fix a compiler warning.
+ - The packages feed has been removed from the source tarball.
+ It's usually out of date when the source tarball is generated
+ for the release.
+ - Fixed harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2.
+ - windows: Remove obsolete '$(DEST)/doc/images' target.
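Review bot: In the 3.0.33 entry at the top of privoxy.changes, the CVE-2021-44543 item reads "cross-side scripting" and "servce"; these should be "cross-site scripting" and "serve". This entry is what users read to confirm which CVEs the update fixes, so it is worth correcting before the text is copied into later updates. The four CVE items also end inconsistently: only the CVE-2021-44541 line has a trailing period.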
++++ 1673 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896/privoxy.changes
New:
----
privoxy-3.0.16-networkmanager.systemd.patch
privoxy-3.0.17-utf8.patch
privoxy-3.0.21-config.patch
privoxy-3.0.33-stable-src.tar.gz
privoxy-3.0.33-stable-src.tar.gz.asc
privoxy.changes
privoxy.keyring
privoxy.logrotate.systemd
privoxy.service
privoxy.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ privoxy.spec ++++++
#
# spec file for package privoxy
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define chroot %{_localstatedir}/lib/privoxy
Name: privoxy
Version: 3.0.33
Release: 0
Summary: The Internet Junkbuster - HTTP Proxy Server
License: GPL-3.0-or-later
Group: Productivity/Networking/Web/Proxy
URL: https://www.privoxy.org/
Source: https://www.privoxy.org/sf-download-mirror/Sources/%{version}%%20%%28stable%%29/%{name}-%{version}-stable-src.tar.gz
Source2: https://www.privoxy.org/sf-download-mirror/Sources/%{version}%%20%%28stable%%29/%{name}-%{version}-stable-src.tar.gz.asc
Source3: %{name}.service
Source4: %{name}.logrotate.systemd
Source5: https://www.fabiankeil.de/gpg-keys/fk-8BA2371C.asc#/%{name}.keyring
Patch1: %{name}-3.0.21-config.patch
Patch2: %{name}-3.0.17-utf8.patch
Patch3: %{name}-3.0.16-networkmanager.systemd.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: pkgconfig
BuildRequires: w3m
BuildRequires: pkgconfig(libbrotlicommon)
BuildRequires: pkgconfig(libcrypto)
BuildRequires: pkgconfig(libpcre)
BuildRequires: pkgconfig(libssl)
BuildRequires: pkgconfig(systemd)
BuildRequires: pkgconfig(zlib)
Requires: logrotate
Requires(pre): %{_sbindir}/groupadd
Requires(pre): %{_sbindir}/useradd
%{?systemd_ordering}
%description
The Internet Junkbuster - HTTP Proxy Server: A non-caching HTTP proxy
server that runs between a web browser and a web server and filters
contents as described in the configuration files.
%package doc
Summary: The documentation of Privoxy
Group: Productivity/Networking/Web/Proxy
Requires: %{name} = %{version}
BuildArch: noarch
%description doc
Documentation files for the Privoxy: The Internet Junkbuster - HTTP
Proxy Server. A non-caching HTTP proxy server that runs between a web
browser and a web server and filters contents as described in the
configuration files.
%prep
%setup -q -n privoxy-%{version}-stable
%patch1 -p1
%patch2
%patch3
%build
autoreconf -fiv
%configure \
--enable-compression \
--with-openssl\
--with-brotli \
--enable-extended-statistics \
--enable-pcre-host-patterns
%make_build
%install
mkdir -p %{buildroot}/%{_unitdir}
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
mkdir -p %{buildroot}/%{chroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}/%{chroot}/log
mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/log
mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/run
mkdir -p %{buildroot}/%{chroot}/%{_lib}
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d
cp -a templates %{buildroot}/%{chroot}%{_sysconfdir}
install -m 644 config *.action *.filter trust %{buildroot}/%{chroot}%{_sysconfdir}
sed -e 's/@lib@/%{_lib}/g' %{SOURCE3} > %{buildroot}/%{_unitdir}/%{name}.service
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
install -m 755 privoxy %{buildroot}%{_sbindir}
install -m 755 privoxy_nm %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd
install -m 644 privoxy.8 %{buildroot}%{_mandir}/man8
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/privoxy
ln -s ../../log %{buildroot}/%{chroot}%{_localstatedir}/log/privoxy
ln -sf %{chroot}%{_sysconfdir}/ %{buildroot}%{_sysconfdir}/privoxy
%pre
%service_add_pre %{name}.service
%{_sbindir}/groupadd -r privoxy 2> /dev/null ||:
%{_sbindir}/useradd -r -g privoxy -s /bin/false -c "Daemon user for privoxy" \
-d %{_localstatedir}/lib/privoxy privoxy 2> /dev/null ||:
exit 0
%post
%service_add_post %{name}.service
%preun
%service_del_preun %{name}.service
%postun
%service_del_postun %{name}.service
%files
%license LICENSE
%doc AUTHORS README ChangeLog
%{_sbindir}/privoxy
%{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd
%dir %{_sysconfdir}/NetworkManager
%dir %{_sysconfdir}/NetworkManager/dispatcher.d
%{_mandir}/man8/privoxy.8%{?ext_man}
%config(noreplace) %{_sysconfdir}/logrotate.d/privoxy
%dir /%{chroot}%{_sysconfdir}
%config(noreplace) /%{chroot}%{_sysconfdir}/config
%config(noreplace) /%{chroot}%{_sysconfdir}/trust
%config /%{chroot}%{_sysconfdir}/match-all.action
%config %attr(640,privoxy,root) /%{chroot}%{_sysconfdir}/default.action
%config(noreplace) %attr(640,privoxy,root) /%{chroot}%{_sysconfdir}/user.action
%config(noreplace) /%{chroot}%{_sysconfdir}/*.filter
%dir %{chroot}
%{chroot}%{_sysconfdir}/templates
%dir %attr(770,root,privoxy) %{chroot}/log
%{chroot}%{_localstatedir}
%{chroot}/%{_lib}
%{chroot}%{_sysconfdir}/regression-tests.action
%{_unitdir}/%{name}.service
%{_sbindir}/rcprivoxy
%{_sysconfdir}/privoxy
%files doc
%license LICENSE
%doc doc/source
%changelog
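Review bot: In %files, default.action and user.action are installed with %attr(640,privoxy,root), which makes the daemon account the owner, with write access to its own filtering rules, so a compromised privoxy process could rewrite them. Unless the daemon is meant to modify these files, prefer %attr(640,root,privoxy) so it can read but not change them. Separately, Source2 (the .asc signature) and Source5 (the keyring) are declared, but nothing in %prep checks the tarball against them, so signature verification is not visible in this spec. In %configure, `--with-openssl\` is also missing the space before the backslash that the other continuation lines have.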
++++++ privoxy-3.0.16-networkmanager.systemd.patch ++++++
--- privoxy_nm
+++ privoxy_nm
@@ -0,0 +1,18 @@
+#! /bin/sh
+#
+# privoxy - rerun privoxy in response to interface change
+#
+# Wagner Thomas
+# Place this script in the /etc/NetworkManager/dispatcher.d/ directory.
+
+case "$2" in
+ up)
+ /usr/bin/systemctl reload privoxy
+ ;;
+ down)
+ /usr/bin/systemctl reload privoxy
+ ;;
+ *)
+ exit 0
+ ;;
+esac
+
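Review bot: The up) and down) arms of the case statement in privoxy_nm run the same command, so they can be merged into a single `up|down)` arm. `systemctl reload privoxy` also returns a failure when the unit is not running, and because it is the last command executed, that status is passed back to the dispatcher on every interface change; consider `systemctl try-reload-or-restart privoxy`, which does nothing for a stopped unit, or ignore the result explicitly. The header comment says "rerun privoxy" while the script only reloads it, and it does not mention that the spec installs the script in the dispatcher directory under the name privoxyd.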
++++++ privoxy-3.0.17-utf8.patch ++++++
--- default.filter
+++ default.filter
@@ -375,7 +375,7 @@
s/\x84/,,/g
s/\x85/.../g
#s/\x88/^/g
-#s-\x89- �/��-g
+#s-\x89- ��/����-g
s/\x8B/
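Review bot: The only line this hunk changes in default.filter is the `#s-\x89-` substitution, which is commented out, so the re-encoded bytes have no effect on filtering. If the aim is to make the file valid UTF-8, state that in the patch header; as shown, the patch carries no description and the replacement characters cannot be checked by eye.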