SUSE 5136 Published by

A privoxy security update has been released for openSUSE Leap 15.1 and openSUSE Leap 15.2.



openSUSE-SU-2021:0006-1: moderate: Security update for privoxy


openSUSE Security Update: Security update for privoxy
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0006-1
Rating: moderate
References: #1157449
Affected Products:
openSUSE Leap 15.2
openSUSE Leap 15.1
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for privoxy fixes the following issues:

privoxy was updated to 3.0.29:

* Fixed memory leaks when a response is buffered and the buffer limit is
reached or Privoxy is running out of memory. OVE-20201118-0001
* Fixed a memory leak in the show-status CGI handler when no action files
are configured OVE-20201118-0002
* Fixed a memory leak in the show-status CGI handler when no filter files
are configured OVE-20201118-0003
* Fixes a memory leak when client tags are active OVE-20201118-0004
* Fixed a memory leak if multiple filters are executed and the last one is
skipped due to a pcre error OVE-20201118-0005
* Prevent an unlikely dereference of a NULL-pointer that could result in a
crash if accept-intercepted-requests was enabled, Privoxy failed to get
the request destination from the Host header and a memory allocation
failed. OVE-20201118-0006
* Fixed memory leaks in the client-tags CGI handler when client tags are
configured and memory allocations fail. OVE-20201118-0007
* Fixed memory leaks in the show-status CGI handler when memory
allocations fail OVE-20201118-0008
* Add experimental https inspection support
* Use JIT compilation for static filtering for speedup
* Add support for Brotli decompression, add 'no-brotli-accepted' filter
which prevents the use of Brotli compression
* Add feature to gather exended statistics
* Use IP_FREEBIND socket option to help with failover
* Allow to use extended host patterns and vanilla host patterns at the
same time by prefixing extended host patterns with "PCRE-HOST-PATTERN:"
* Added "Cross-origin resource sharing" (CORS) support
* Add SOCKS5 username/password support
* Bump the maximum number of action and filter files to 100 each
* Fixed handling of filters with "split-large-forms 1" when using the CGI
editor.
* Better detect a mismatch of connection details when figuring out whether
or not a connection can be reused
* Don't send a "Connection failure" message instead of the "DNS failure"
message
* Let LOG_LEVEL_REQUEST log all requests
* Improvements to default Action file

License changed to GPLv3.

- remove packaging vulnerability boo#1157449

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-6=1

- openSUSE Leap 15.1:

zypper in -t patch openSUSE-2021-6=1


Package List:

- openSUSE Leap 15.2 (noarch):

privoxy-doc-3.0.29-lp152.3.3.1

- openSUSE Leap 15.2 (x86_64):

privoxy-3.0.29-lp152.3.3.1
privoxy-debuginfo-3.0.29-lp152.3.3.1
privoxy-debugsource-3.0.29-lp152.3.3.1

- openSUSE Leap 15.1 (noarch):

privoxy-doc-3.0.29-lp151.2.3.1

- openSUSE Leap 15.1 (x86_64):

privoxy-3.0.29-lp151.2.3.1
privoxy-debuginfo-3.0.29-lp151.2.3.1
privoxy-debugsource-3.0.29-lp151.2.3.1

References:

  https://bugzilla.suse.com/1157449