[Bug 260290] www/privoxy: Update to 3.0.33 stable

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 09 Dec 2021 12:15:14 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260290

            Bug ID: 260290
           Summary: www/privoxy: Update to 3.0.33 stable
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: fk@fabiankeil.de

Created attachment 229993
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229993&action=edit
www/privoxy: Update to 3.0.33 stable

The attached patch updates www/privoxy to 3.0.33
which fixes multiple security issues.

Quoting the announcement:

        - Security/Reliability:
          - cgi_error_no_template(): Encode the template name to prevent
            XSS (cross-site scripting) when Privoxy is configured to serve
            the user-manual itself.
            Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
            Reported by: Artem Ivanov
          - get_url_spec_param(): Free memory of compiled pattern spec
            before bailing.
            Reported by Joshua Rogers (Opera) who also provided the fix.
            Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
          - process_encrypted_request_headers(): Free header memory when
            failing to get the request destination.
            Reported by Joshua Rogers (Opera) who also provided the fix.
            Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
          - send_http_request(): Prevent memory leaks when handling errors
            Reported by Joshua Rogers (Opera) who also provided the fix.
            Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.

The complete announcement is available at:
https://lists.privoxy.org/pipermail/privoxy-announce/2021-December/000009.html

Tested with "poudriere testport" on 12.3-STABLE.

I'm intentionally not using the "License framework" which
results in a portlint warning.

Additionally portlint warns that
'"BROKEN_STRPTIME_DESC" has to appear earlier.' and that
"BROKEN messages should begin with a lowercase letter and end without a
period."
but both messages seem to be false positives.

The warnings aren't new, either.
