Security update for libproxy SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1676-1 Final 1 1 2020-10-16T18:23:16Z current 2020-10-16T18:23:16Z 2020-10-16T18:23:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libproxy This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1676 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7JDZHUFWENH4VEXEW5NBCIYIE2TGV4R/ E-Mail link for openSUSE-SU-2020:1676-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1176410 SUSE Bug 1176410 https://bugzilla.suse.com/1177143 SUSE Bug 1177143 https://www.suse.com/security/cve/CVE-2020-25219/ SUSE CVE CVE-2020-25219 page https://www.suse.com/security/cve/CVE-2020-26154/ SUSE CVE CVE-2020-26154 page openSUSE Leap 15.1 libproxy-devel-0.4.15-lp151.4.3.1 libproxy-sharp-0.4.15-lp151.4.3.1 libproxy-tools-0.4.15-lp151.4.3.1 libproxy1-0.4.15-lp151.4.3.1 libproxy1-32bit-0.4.15-lp151.4.3.1 libproxy1-config-gnome3-0.4.15-lp151.4.3.1 libproxy1-config-kde-0.4.15-lp151.4.3.1 libproxy1-networkmanager-0.4.15-lp151.4.3.1 libproxy1-pacrunner-webkit-0.4.15-lp151.4.3.1 perl-Net-Libproxy-0.4.15-lp151.4.3.1 python-libproxy-0.4.15-lp151.4.3.1 python3-libproxy-0.4.15-lp151.4.3.1 libproxy-devel-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy-sharp-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy-tools-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy1-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy1-32bit-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy1-config-gnome3-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy1-config-kde-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy1-networkmanager-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 libproxy1-pacrunner-webkit-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 perl-Net-Libproxy-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 python-libproxy-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 python3-libproxy-0.4.15-lp151.4.3.1 as a component of openSUSE Leap 15.1 url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion. CVE-2020-25219 openSUSE Leap 15.1:libproxy-devel-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy-sharp-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy-tools-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-32bit-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-config-gnome3-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-config-kde-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-networkmanager-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-pacrunner-webkit-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:perl-Net-Libproxy-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:python-libproxy-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:python3-libproxy-0.4.15-lp151.4.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7JDZHUFWENH4VEXEW5NBCIYIE2TGV4R/ https://www.suse.com/security/cve/CVE-2020-25219.html CVE-2020-25219 https://bugzilla.suse.com/1176410 SUSE Bug 1176410 url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header. CVE-2020-26154 openSUSE Leap 15.1:libproxy-devel-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy-sharp-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy-tools-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-32bit-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-config-gnome3-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-config-kde-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-networkmanager-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:libproxy1-pacrunner-webkit-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:perl-Net-Libproxy-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:python-libproxy-0.4.15-lp151.4.3.1 openSUSE Leap 15.1:python3-libproxy-0.4.15-lp151.4.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J7JDZHUFWENH4VEXEW5NBCIYIE2TGV4R/ https://www.suse.com/security/cve/CVE-2020-26154.html CVE-2020-26154 https://bugzilla.suse.com/1177143 SUSE Bug 1177143