File _patchinfo of Package patchinfo

<patchinfo>
  <packager>wrosenauer</packager>
  <issue id="809123" tracker="bnc">VUL-0: CVE-2013-2503: privoxy: proxy spoofing by malicious servers</issue>
  <issue id="CVE-2013-2503" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <summary>privoxy: update to 3.0.21 to fix security issues and bugs</summary>
  <description>
privoxy was updated to 3.0.21 stable to fix CVE-2013-2503 (bnc#809123)
- changes in 3.0.21
 * On POSIX-like platforms, network sockets with file descriptor
    values above FD_SETSIZE are properly rejected. Previously they
    could cause memory corruption in configurations that allowed
    the limit to be reached.
 * Proxy authentication headers are removed unless the new directive
    enable-proxy-authentication-forwarding is used. Forwarding the
    headers potentially allows malicious sites to trick the user
    into providing them with login information.
    Reported by Chris John Riley.
 * Compiles on OS/2 again now that unistd.h is only included
    on platforms that have it.
 * The show-status page shows the FEATURE_STRPTIME_SANITY_CHECKS status.
 * A couple of assert()s that could theoretically dereference
    NULL pointers in debug builds have been relocated.
 * Added an LSB info block to the generic start script.
    Based on a patch from Natxo Asenjo.
 * The max-client-connections default has been changed to 128
    which should be more than enough for most setups.
 * Block rover.ebay./ar.*\&amp;adtype= instead of "/.*\&amp;adtype=" which
    caused too many false positives.
    Reported by u302320 in #360284, additional feedback from Adam Piggott.
 * Unblock '.advrider.com/' and '/.*ADVrider'.
    Anonymously reported in #3603636.
 * Stop blocking '/js/slider\.js'.
    Reported by Adam Piggott in #3606635 and _lvm in #2791160.
 * Added an iframes filter.
 * The whole GPLv2 text is included in the user manual now,
    so Privoxy can serve it itself and the user can read it
    without having to wade through GPLv3 ads first.
 * Properly numbered and underlined a couple of section titles
    in the config that were previously overlooked due to a flaw
    in the conversion script. Reported by Ralf Jungblut.
 * Improved the support instruction to hopefully make it harder to
    unintentionally provide insufficient information when requesting
    support. Previously it wasn't obvious that the information we need
    in bug reports is usually also required in support requests.
 * Removed documentation about packages that haven't been provided
    in years.
 * Only log the test number when not running in verbose mode
    The position of the test is rarely relevant and it previously
- for full list of changes see ChangeLog file shipped together with
  this package
</description>

</patchinfo>