openSUSE Security Update : privoxy (openSUSE-2013-242)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

privoxy was updated to 3.0.21 stable to fix CVE-2013-2503 (bnc#809123)

- changes in 3.0.21

- On POSIX-like platforms, network sockets with file
descriptor values above FD_SETSIZE are properly
rejected. Previously they could cause memory corruption
in configurations that allowed the limit to be reached.

- Proxy authentication headers are removed unless the new
directive enable-proxy-authentication-forwarding is
used. Forwarding the headers potentially allows
malicious sites to trick the user into providing them
with login information. Reported by Chris John Riley.

- Compiles on OS/2 again now that unistd.h is only
included on platforms that have it.

- The show-status page shows the
FEATURE_STRPTIME_SANITY_CHECKS status.

- A couple of assert()s that could theoretically
dereference NULL pointers in debug builds have been
relocated.

- Added an LSB info block to the generic start script.
Based on a patch from Natxo Asenjo.

- The max-client-connections default has been changed to
128 which should be more than enough for most setups.

- Block rover.ebay./ar.*\&adtype= instead of
'/.*\&adtype=' which caused too many false positives.
Reported by u302320 in #360284, additional feedback from
Adam Piggott.

- Unblock '.advrider.com/' and '/.*ADVrider'. Anonymously
reported in #3603636.

- Stop blocking '/js/slider\.js'. Reported by Adam Piggott
in #3606635 and _lvm in #2791160.

- Added an iframes filter.

- The whole GPLv2 text is included in the user manual now,
so Privoxy can serve it itself and the user can read it
without having to wade through GPLv3 ads first.

- Properly numbered and underlined a couple of section
titles in the config that were previously overlooked
due to a flaw in the conversion script. Reported by Ralf
Jungblut.

- Improved the support instruction to hopefully make it
harder to unintentionally provide insufficient
information when requesting support. Previously it
wasn't obvious that the information we need in bug
reports is usually also required in support requests.

- Removed documentation about packages that haven't been
provided in years.

- Only log the test number when not running in verbose
mode. The position of the test is rarely relevant and it
previously

- For the full list of changes see the ChangeLog file shipped
with this package.
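The first two items in the list above describe two defensive checks: rejecting a socket whose descriptor number is at or above FD_SETSIZE before it is ever passed to FD_SET()/select(), and stripping proxy credential headers unless forwarding is explicitly enabled. The C program below is an added illustration of both checks written for this page; it is not Privoxy's code. The function names, the list of header names it strips, and the sample request headers are assumptions constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/select.h>

/* Check 1: descriptor range guard. FD_SET() on an fd >= FD_SETSIZE writes
   past the end of the fd_set bitmap, which is the memory corruption the
   changelog entry describes. Returns 1 if fd is usable with select(). */
int fd_is_selectable(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Adds fd to the set only after the range check. Returns 0 on success,
   -1 with errno = EINVAL when the descriptor must be rejected. */
int safe_fd_set(int fd, fd_set *set)
{
    if (!fd_is_selectable(fd)) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Check 2: proxy credential headers. Returns 1 if the header line carries
   proxy authentication data that a proxy should not forward by default.
   Header names are matched case-insensitively (hypothetical list). */
int is_proxy_auth_header(const char *line)
{
    static const char *const names[] = {
        "Proxy-Authorization:",
        "Proxy-Authenticate:",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (strncasecmp(line, names[i], strlen(names[i])) == 0)
            return 1;
    }
    return 0;
}

/* Copies headers from in[] to out[], dropping proxy auth headers unless
   forwarding was explicitly enabled (the safe default is to drop them).
   Returns the number of headers kept. */
size_t filter_headers(const char *const in[], size_t n_in,
                      const char *out[], int forward_proxy_auth)
{
    size_t n_out = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (!forward_proxy_auth && is_proxy_auth_header(in[i]))
            continue;
        out[n_out++] = in[i];
    }
    return n_out;
}

/* Constructed sample request headers (not taken from the page). */
static const char *const sample_headers[] = {
    "Host: example.invalid",
    "Proxy-Authorization: Basic dXNlcjpwYXNz",
    "User-Agent: test",
    "proxy-authenticate: Basic realm=\"proxy\"",
};
#define N_SAMPLE (sizeof sample_headers / sizeof sample_headers[0])

/* Number of sample headers kept with the default (no forwarding). */
size_t sample_kept_by_default(void)
{
    const char *out[N_SAMPLE];
    return filter_headers(sample_headers, N_SAMPLE, out, 0);
}

/* Number of sample headers kept when forwarding is enabled. */
size_t sample_kept_when_forwarding(void)
{
    const char *out[N_SAMPLE];
    return filter_headers(sample_headers, N_SAMPLE, out, 1);
}

int main(void)
{
    fd_set set;
    FD_ZERO(&set);
    printf("FD_SETSIZE=%d, fd %d rejected: %s\n", (int)FD_SETSIZE, (int)FD_SETSIZE,
           safe_fd_set(FD_SETSIZE, &set) == -1 ? "yes" : "no");
    printf("headers kept by default: %zu, with forwarding: %zu\n",
           sample_kept_by_default(), sample_kept_when_forwarding());
    return 0;
}
```

The descriptor check matters because FD_SETSIZE is a compile-time constant (commonly 1024 on glibc) while a busy proxy can hold far more open descriptors; the header check shows why the forwarding directive defaults to off, since credentials meant for the proxy would otherwise reach whatever origin server the client was directed to.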

See also :

https://bugzilla.novell.com/show_bug.cgi?id=809123

Solution :

Update the affected privoxy packages.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Family: SuSE Local Security Checks

Nessus Plugin ID: 74941

Bugtraq ID:

CVE ID: CVE-2013-2503
