openSUSE Security Update : privoxy (openSUSE-2021-443)

high Nessus Plugin ID 147925

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for privoxy fixes the following issues :

Update to version 3.0.32 :

- Security/Reliability (boo#1183129)

- ssplit(): Remove an assertion that could be triggered with a crafted CGI request. Commit 2256d7b4d67.
OVE-20210203-0001. CVE-2021-20272 Reported by: Joshua Rogers (Opera)

- cgi_send_banner(): Overrule invalid image types.
Prevents a crash with a crafted CGI request if Privoxy is toggled off. Commit e711c505c48. OVE-20210206-0001.
CVE-2021-20273 Reported by: Joshua Rogers (Opera)

- socks5_connect(): Don't try to send credentials when none are configured. Fixes a crash due to a NULL pointer dereference when the socks server misbehaves. Commit 85817cc55b9. OVE-20210207-0001. CVE-2021-20274 Reported by: Joshua Rogers (Opera)

- chunked_body_is_complete(): Prevent an invalid read of size two. Commit a912ba7bc9c. OVE-20210205-0001.
CVE-2021-20275 Reported by: Joshua Rogers (Opera)

- Obsolete pcre: Prevent invalid memory accesses with an invalid pattern passed to pcre_compile(). Note that the obsolete pcre code is scheduled to be removed before the 3.0.33 release. There has been a warning since 2008 already. Commit 28512e5b624. OVE-20210222-0001.
CVE-2021-20276 Reported by: Joshua Rogers (Opera)

- Bug fixes :

- Properly parse the client-tag-lifetime directive.
Previously it was not accepted as an obsolete hash value was being used. Reported by: Joshua Rogers (Opera)

- decompress_iob(): Prevent reading of uninitialized data.
Reported by: Joshua Rogers (Opera).

- decompress_iob(): Don't advance cur past eod when looking for the end of the file name and comment.

- decompress_iob(): Cast value to unsigned char before shifting. Prevents a left-shift of a negative value which is undefined behaviour. Reported by: Joshua Rogers (Opera)

- gif_deanimate(): Confirm that that we have enough data before doing any work. Fixes a crash when fuzzing with an empty document. Reported by: Joshua Rogers (Opera).

- buf_copy(): Fail if there's no data to write or nothing to do. Prevents undefined behaviour 'applying zero offset to NULL pointer'. Reported by: Joshua Rogers (Opera)

- log_error(): Treat LOG_LEVEL_FATAL as fatal even when
--stfu is being used while fuzzing. Reported by: Joshua Rogers (Opera).

- Respect DESTDIR when considering whether or not to install config files with '.new' extension.

- OpenSSL ssl_store_cert(): Fix two error messages.

- Fix a couple of format specifiers.

- Silence compiler warnings when compiling with NDEBUG.

- fuzz_server_header(): Fix compiler warning.

- fuzz_client_header(): Fix compiler warning.

- cgi_send_user_manual(): Also reject requests if the user-manual directive specifies a https:// URL.
Previously Privoxy would try and fail to open a local file.

- General improvements :

- Log the TLS version and the the cipher when debug 2 is enabled.

- ssl_send_certificate_error(): Respect HEAD requests by not sending a body.

- ssl_send_certificate_error(): End the body with a single new line.

- serve(): Increase the chances that the host is logged when closing a server socket.

- handle_established_connection(): Add parentheses to clarify an expression Suggested by: David Binderman

- continue_https_chat(): Explicitly unset CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE if process_encrypted_request() fails. This makes it more obvious that the connection will not be reused.
Previously serve() relied on CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset. Inspired by a patch from Joshua Rogers (Opera).

- decompress_iob(): Add periods to a couple of log messages

- Terminate the body of the HTTP snipplets with a single new line instead of '\r\n'.

- configure: Add --with-assertions option and only enable assertions when it is used

- windows build: Use --with-brotli and --with-mbedtls by default and enable dynamic error checking.

- gif_deanimate(): Confirm we've got an image before trying to write it Saves a pointless buf_copy() call.

- OpenSSL ssl_store_cert(): Remove a superfluous space before the serial number.

- Action file improvements :

- Disable fast-redirects for .golem.de/

- Unblock requests to adri*.

- Block requests for trc*.taboola.com/

- Disable fast-redirects for .linkedin.com/

- Filter file improvements :

- Make the second pcrs job of the img-reorder filter greedy again. The ungreedy version broke the img tags on: https://bulk.fefe.de/scalability/.

- Privoxy-Log-Parser :

- Highlight a few more messages.

- Clarify the --statistics output. The shown 'Reused connections' are server connections so name them appropriately.

- Bump version to 0.9.3.

- Privoxy-Regression-Test :

- Add the --check-bad-ssl option to the --help output.

- Bump version to 0.7.3.

- Documentation :

- Add pushing the created tag to the release steps in the developer manual.

- Clarify that 'debug 32768' should be used in addition to the other debug directives when reporting problems.

- Add a 'Third-party licenses and copyrights' section to the user manual.

Solution

Update the affected privoxy packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1183129

https://bulk.fefe.de/scalability/.

Plugin Details

Severity: High

ID: 147925

File Name: openSUSE-2021-443.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/22/2021

Updated: 1/9/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-20276

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:privoxy, p-cpe:/a:novell:opensuse:privoxy-debuginfo, p-cpe:/a:novell:opensuse:privoxy-debugsource, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2021

Vulnerability Publication Date: 3/9/2021

Reference Information

CVE: CVE-2021-20272, CVE-2021-20273, CVE-2021-20274, CVE-2021-20275, CVE-2021-20276