commit privoxy.17332 for openSUSE:Leap:15.2:Update

30 Dec 2021

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package privoxy.17332 for openSUSE:Leap:15.2:Update checked in at 2021-12-30 23:33:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/privoxy.17332 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "privoxy.17332"

Thu Dec 30 23:33:05 2021 rev:1 rq:943046 version:3.0.33

Changes:
--------
New Changes file:

--- /dev/null	2021-12-30 11:57:43.217130414 +0100
+++ /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896/privoxy.changes	2021-12-30 23:33:06.429030927 +0100
@@ -0,0 +1,1870 @@
+-------------------------------------------------------------------
+Fri Dec 10 19:50:34 UTC 2021 - Andreas Stieger 
+
+- privoxy 3.0.33 (boo#1183584):
+  * CVE-2021-44543: Encode the template name to prevent XSS
+    (cross-side scripting) when Privoxy is configured to servce
+    the user-manual itself
+  * CVE-2021-44540: Free memory of compiled pattern spec
+    before bailing
+  * CVE-2021-44541: Free header memory when failing to get the
+    request destination.
+  * CVE-2021-44542: Prevent memory leaks when handling errors
+  * Disable fast-redirects for a number of domains
+  * Update default block lists
+  * Many bug fixes and minor enhancements
+
+-------------------------------------------------------------------
+Sat Mar  6 18:33:24 UTC 2021 - Carsten Ziepke 
+
+- Update to version 3.0.32:
+  - Security/Reliability (boo#1183129)
+    - ssplit(): Remove an assertion that could be triggered with a
+      crafted CGI request.
+      Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272
+      Reported by: Joshua Rogers (Opera)
+    - cgi_send_banner(): Overrule invalid image types. Prevents a
+      crash with a crafted CGI request if Privoxy is toggled off.
+      Commit e711c505c48. OVE-20210206-0001. CVE-2021-20273
+      Reported by: Joshua Rogers (Opera)
+    - socks5_connect(): Don't try to send credentials when none are
+      configured. Fixes a crash due to a NULL-pointer dereference
+      when the socks server misbehaves.
+      Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274
+      Reported by: Joshua Rogers (Opera)
+    - chunked_body_is_complete(): Prevent an invalid read of size
+      two.
+      Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275
+      Reported by: Joshua Rogers (Opera)
+    - Obsolete pcre: Prevent invalid memory accesses with an invalid
+      pattern passed to pcre_compile(). Note that the obsolete pcre
+      code is scheduled to be removed before the 3.0.33 release.
+      There has been a warning since 2008 already.
+      Commit 28512e5b624. OVE-20210222-0001. CVE-2021-20276
+      Reported by: Joshua Rogers (Opera)
+  - Bug fixes:
+    - Properly parse the client-tag-lifetime directive. Previously it was
+      not accepted as an obsolete hash value was being used.
+      Reported by: Joshua Rogers (Opera)
+    - decompress_iob(): Prevent reading of uninitialized data.
+      Reported by: Joshua Rogers (Opera).
+    - decompress_iob(): Don't advance cur past eod when looking
+      for the end of the file name and comment.
+    - decompress_iob(): Cast value to unsigned char before shifting.
+      Prevents a left-shift of a negative value which is undefined behaviour.
+      Reported by: Joshua Rogers (Opera)
+    - gif_deanimate(): Confirm that that we have enough data before doing
+      any work. Fixes a crash when fuzzing with an empty document.
+      Reported by: Joshua Rogers (Opera).
+    - buf_copy(): Fail if there's no data to write or nothing to do.
+      Prevents undefined behaviour "applying zero offset to null pointer".
+      Reported by: Joshua Rogers (Opera)
+    - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
+      being used while fuzzing.
+      Reported by: Joshua Rogers (Opera).
+    - Respect DESTDIR when considering whether or not to install
+      config files with ".new" extension.
+    - OpenSSL ssl_store_cert(): Fix two error messages.
+    - Fix a couple of format specifiers.
+    - Silence compiler warnings when compiling with NDEBUG.
+    - fuzz_server_header(): Fix compiler warning.
+    - fuzz_client_header(): Fix compiler warning.
+    - cgi_send_user_manual(): Also reject requests if the user-manual
+      directive specifies a https:// URL. Previously Privoxy would try and
+      fail to open a local file.
+  - General improvements:
+    - Log the TLS version and the the cipher when debug 2 is enabled.
+    - ssl_send_certificate_error(): Respect HEAD requests by not sending a body.
+    - ssl_send_certificate_error(): End the body with a single new line.
+    - serve(): Increase the chances that the host is logged when closing
+      a server socket.
+    - handle_established_connection(): Add parentheses to clarify an expression
+      Suggested by: David Binderman
+    - continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE
+      if process_encrypted_request() fails. This makes it more obvious that the
+      connection will not be reused. Previously serve() relied on
+      CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset.
+      Inspired by a patch from Joshua Rogers (Opera).
+    - decompress_iob(): Add periods to a couple of log messages
+    - Terminate the body of the HTTP snipplets with a single new line
+      instead of "\r\n".
+    - configure: Add --with-assertions option and only enable assertions
+      when it is used
+    - windows build: Use --with-brotli and --with-mbedtls by default and
+      enable dynamic error checking.
+    - gif_deanimate(): Confirm we've got an image before trying to write it
+      Saves a pointless buf_copy() call.
+    - OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.
+  - Action file improvements:
+    - Disable fast-redirects for .golem.de/
+    - Unblock requests to adri*.
+    - Block requests for trc*.taboola.com/
+    - Disable fast-redirects for .linkedin.com/
+  - Filter file improvements:
+    - Make the second pcrs job of the img-reorder filter greedy again.
+      The ungreedy version broke the img tags on:
+      https://bulk.fefe.de/scalability/.
+  - Privoxy-Log-Parser:
+    - Highlight a few more messages.
+    - Clarify the --statistics output. The shown "Reused connections"
+      are server connections so name them appropriately.
+    - Bump version to 0.9.3.
+  - Privoxy-Regression-Test:
+    - Add the --check-bad-ssl option to the --help output.
+    - Bump version to 0.7.3.
+  - Documentation:
+    - Add pushing the created tag to the release steps in the developer manual.
+    - Clarify that 'debug 32768' should be used in addition to the other debug
+      directives when reporting problems.
+    - Add a 'Third-party licenses and copyrights' section to the user manual.
+
+-------------------------------------------------------------------
+Mon Feb  1 19:51:51 UTC 2021 - Carsten Ziepke 
+
+- Update to version 3.0.31:
+  - Security/Reliability (boo#1181650)
+    - Prevent an assertion from getting triggered by a crafted
+      CGI request.
+      Commit 5bba5b89193fa. OVE-20210130-0001. CVE-2021-20217
+      Reported by: Joshua Rogers (Opera)
+    - Fixed a memory leak when decompression fails "unexpectedly".
+      Commit f431d61740cc0. OVE-20210128-0001. CVE-2021-20216
+  - Bug fixes:
+    - Fixed detection of insufficient data for decompression.
+      Previously Privoxy could try to decompress a partly
+      uninitialized buffer.
+- Update to version 3.0.30:
+  - Bug fixes:
+    - Check the actual URL for redirects when https inspecting requests.
+      Previously Privoxy would only check the path which resulted in
+      rewrite results being rejected as invalid URLs.
+      Reported by withoutname in #1736.
+    - Let the hide-referrer code tolerate Referer headers with https:// URLs.
+      Previously they would always be treated like a changed host.
+    - Use the https headers if the show-request handler is reached through
+      https://. Previously Privoxy would use the http headers which
+      may be empty on a reused connection.
+    - Make CGI_PREFIX protocol-relative when building with FEATURE_HTTPS_INSPECTION.
+      This unbreaks (at least) https://config.privoxy.org/client-tags whose
+      buttons would previously use a http:// URL resulting in browser warnings.
+    - Support using https-inspection and client-header-order at the same time.
+      Previously Privoxy would crash.
+      Reported by: Kai Raven
+    - Properly reject rewrites from http to https as they currently
+      aren't supported. Previously Privoxy would wait for the client
+      to establish an encrypted connection which obviously would not happen.
+    - When https inspection is enabled and Privoxy has been compiled with
+      FEATURE_GRACEFUL_TERMINATION (not recommended for production builds),
+      the TLS backend resources are free'd later on and only if no active
+      connections are left. Prevents crashes when exiting "gracefully" at the
+      wrong time.
+    - Let the uninstall target remove the config file even if DESTDIR
+      is set and properly announce the deletion of the configuration files.
+  - General improvements:
+    - Allow to rewrite the request destination for https-inspected
+      requests behind the client's back. The documentation already sort
+      of claimed that it was supported by not especially mentioning that
+      it didn't work for https-inspected requests.
+      Fixes SF bug #923 reported by withoutname.
+    - Add support for filtering client request bodies by using
+      CLIENT-BODY-FILTER filters which can be enabled with the
+      client-body-filter action.
+      Patch submitted by Maxim Antonov.
+      Sponsored by: Robert Klemme
+    - Add the new action suppress-tag{} which can be used to prevent
+      a tagger from adding a tag. Patch submitted by Maxim Antonov.
+      Sponsored by: Robert Klemme
+    - Gracefully handle existing website keys without matching certificates.
+      This can happen if Privoxy was previously running with an invalid
+      TLS configuration that didn't allow it to create a certificate.
+    - Recycle debug bit 4 for Tagging-related messages.
+    - Improve the message shown when the client-tags CGI page
+      is requested with no tags configured.
+    - Shorten the 'donate' and 'participate' links used by templates
+      using redirects. Currently the redirects lead to the FAQ entries
+      but in the future we may want to relocate the content and using
+      redirects makes this more convenient.
+    - Log an error when a PCRE-HOST-PATTERN is used with
+      FEATURE_PCRE_HOST_PATTERNS disabled. Don't treat this a
+      fatal error so the regression tests can be used with and
+      without FEATURE_PCRE_HOST_PATTERNS.
+    - The code compiles with older C compilers again.
+    - The chdir() return code is checked to fix a compiler warning.
+    - The packages feed has been removed from the source tarball.
+      It's usually out of date when the source tarball is generated
+      for the release.
+    - Fixed harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2.
+    - windows: Remove obsolete '$(DEST)/doc/images' target.
++++ 1673 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.privoxy.17332.new.1896/privoxy.changes

New:
----
  privoxy-3.0.16-networkmanager.systemd.patch
  privoxy-3.0.17-utf8.patch
  privoxy-3.0.21-config.patch
  privoxy-3.0.33-stable-src.tar.gz
  privoxy-3.0.33-stable-src.tar.gz.asc
  privoxy.changes
  privoxy.keyring
  privoxy.logrotate.systemd
  privoxy.service
  privoxy.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ privoxy.spec ++++++
#
# spec file for package privoxy
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


%define chroot %{_localstatedir}/lib/privoxy
Name:           privoxy
Version:        3.0.33
Release:        0
Summary:        The Internet Junkbuster - HTTP Proxy Server
License:        GPL-3.0-or-later
Group:          Productivity/Networking/Web/Proxy
URL:            https://www.privoxy.org/
Source:         https://www.privoxy.org/sf-download-mirror/Sources/%{version}%%20%%28stable%%29/%{name}-%{version}-stable-src.tar.gz
Source2:        https://www.privoxy.org/sf-download-mirror/Sources/%{version}%%20%%28stable%%29/%{name}-%{version}-stable-src.tar.gz.asc
Source3:        %{name}.service
Source4:        %{name}.logrotate.systemd
Source5:        https://www.fabiankeil.de/gpg-keys/fk-8BA2371C.asc#/%{name}.keyring
Patch1:         %{name}-3.0.21-config.patch
Patch2:         %{name}-3.0.17-utf8.patch
Patch3:         %{name}-3.0.16-networkmanager.systemd.patch
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  pkgconfig
BuildRequires:  w3m
BuildRequires:  pkgconfig(libbrotlicommon)
BuildRequires:  pkgconfig(libcrypto)
BuildRequires:  pkgconfig(libpcre)
BuildRequires:  pkgconfig(libssl)
BuildRequires:  pkgconfig(systemd)
BuildRequires:  pkgconfig(zlib)
Requires:       logrotate
Requires(pre):  %{_sbindir}/groupadd
Requires(pre):  %{_sbindir}/useradd
%{?systemd_ordering}

%description
The Internet Junkbuster - HTTP Proxy Server: A non-caching HTTP proxy
server that runs between a web browser and a web server and filters
contents as described in the configuration files.

%package doc
Summary:        The documentation of Privoxy
Group:          Productivity/Networking/Web/Proxy
Requires:       %{name} = %{version}
BuildArch:      noarch

%description doc
Documentation files for the Privoxy: The Internet Junkbuster - HTTP
Proxy Server. A non-caching HTTP proxy server that runs between a web
browser and a web server and filters contents as described in the
configuration files.

%prep
%setup -q -n privoxy-%{version}-stable
%patch1 -p1
%patch2
%patch3

%build
autoreconf -fiv
%configure \
	--enable-compression \
	--with-openssl\
	--with-brotli \
	--enable-extended-statistics \
	--enable-pcre-host-patterns

%make_build

%install
mkdir -p %{buildroot}/%{_unitdir}
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
mkdir -p %{buildroot}/%{chroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}/%{chroot}/log
mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/log
mkdir -p %{buildroot}/%{chroot}%{_localstatedir}/run
mkdir -p %{buildroot}/%{chroot}/%{_lib}
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d
cp -a templates %{buildroot}/%{chroot}%{_sysconfdir}
install -m 644 config *.action *.filter trust %{buildroot}/%{chroot}%{_sysconfdir}
sed -e 's/@lib@/%{_lib}/g' %{SOURCE3} > %{buildroot}/%{_unitdir}/%{name}.service
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
install -m 755 privoxy %{buildroot}%{_sbindir}
install -m 755 privoxy_nm %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd
install -m 644 privoxy.8 %{buildroot}%{_mandir}/man8
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/privoxy
ln -s ../../log %{buildroot}/%{chroot}%{_localstatedir}/log/privoxy
ln -sf %{chroot}%{_sysconfdir}/ %{buildroot}%{_sysconfdir}/privoxy

%pre
%service_add_pre %{name}.service
%{_sbindir}/groupadd -r privoxy 2> /dev/null ||:
%{_sbindir}/useradd -r -g privoxy -s /bin/false -c "Daemon user for privoxy" \
 -d %{_localstatedir}/lib/privoxy privoxy 2> /dev/null ||:
exit 0

%post
%service_add_post %{name}.service

%preun
%service_del_preun %{name}.service

%postun
%service_del_postun %{name}.service

%files
%license LICENSE
%doc AUTHORS README ChangeLog
%{_sbindir}/privoxy
%{_sysconfdir}/NetworkManager/dispatcher.d/privoxyd
%dir %{_sysconfdir}/NetworkManager
%dir %{_sysconfdir}/NetworkManager/dispatcher.d
%{_mandir}/man8/privoxy.8%{?ext_man}
%config(noreplace) %{_sysconfdir}/logrotate.d/privoxy
%dir /%{chroot}%{_sysconfdir}
%config(noreplace) /%{chroot}%{_sysconfdir}/config
%config(noreplace) /%{chroot}%{_sysconfdir}/trust
%config /%{chroot}%{_sysconfdir}/match-all.action
%config %attr(640,privoxy,root) /%{chroot}%{_sysconfdir}/default.action
%config(noreplace) %attr(640,privoxy,root) /%{chroot}%{_sysconfdir}/user.action
%config(noreplace) /%{chroot}%{_sysconfdir}/*.filter
%dir %{chroot}
%{chroot}%{_sysconfdir}/templates
%dir %attr(770,root,privoxy) %{chroot}/log
%{chroot}%{_localstatedir}
%{chroot}/%{_lib}
%{chroot}%{_sysconfdir}/regression-tests.action
%{_unitdir}/%{name}.service
%{_sbindir}/rcprivoxy
%{_sysconfdir}/privoxy

%files doc
%license LICENSE
%doc doc/source

%changelog

++++++ privoxy-3.0.16-networkmanager.systemd.patch ++++++
--- privoxy_nm
+++ privoxy_nm
@@ -0,0 +1,18 @@
+#! /bin/sh
+#
+# privoxy - rerun privoxy in response to interface change
+#
+# Wagner Thomas 
+# Place this script in the /etc/NetworkManager/dispatcher.d/ directory.
+
+case "$2" in
+    up)
+        /usr/bin/systemctl reload privoxy
+        ;;
+    down)
+        /usr/bin/systemctl reload privoxy
+        ;;
+    *)
+        exit 0
+        ;;
+esac
+

++++++ privoxy-3.0.17-utf8.patch ++++++
--- default.filter
+++ default.filter
@@ -375,7 +375,7 @@
 s/\x84/,,/g
 s/\x85/.../g
 #s/\x88/^/g
-#s-\x89- �/��-g
+#s-\x89- ��/����-g
 s/\x8B/

    

Source-Sync

tags

participants (1)