OPENSUSE-SU-2021:0460-1
Mar 22, 2021 - 12:00 a.m.

Security update for privoxy (moderate)

2021-03-22 00:00:00
lists.opensuse.org

CVSS3: 7.5 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium

  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

An update that fixes 5 vulnerabilities is now available.

Description:

This update for privoxy fixes the following issues:

Update to version 3.0.32:

 - Security/Reliability (boo#1183129)

   - ssplit(): Remove an assertion that could be triggered with a crafted
     CGI request. Commit 2256d7b4d67. OVE-20210203-0001. CVE-2021-20272.
     Reported by: Joshua Rogers (Opera).
   - cgi_send_banner(): Overrule invalid image types. Prevents a crash
     with a crafted CGI request if Privoxy is toggled off. Commit
     e711c505c48. OVE-20210206-0001. CVE-2021-20273. Reported by: Joshua
     Rogers (Opera).
   - socks5_connect(): Don't try to send credentials when none are
     configured. Fixes a crash due to a NULL-pointer dereference when the
     socks server misbehaves. Commit 85817cc55b9. OVE-20210207-0001.
     CVE-2021-20274. Reported by: Joshua Rogers (Opera).
   - chunked_body_is_complete(): Prevent an invalid read of size two.
     Commit a912ba7bc9c. OVE-20210205-0001. CVE-2021-20275. Reported by:
     Joshua Rogers (Opera).
   - Obsolete pcre: Prevent invalid memory accesses with an invalid
     pattern passed to pcre_compile(). Note that the obsolete pcre code
     is scheduled to be removed before the 3.0.33 release. There has been
     a warning since 2008 already. Commit 28512e5b624. OVE-20210222-0001.
     CVE-2021-20276. Reported by: Joshua Rogers (Opera).

 - Bug fixes:

   - Properly parse the client-tag-lifetime directive. Previously it was
     not accepted as an obsolete hash value was being used. Reported by:
     Joshua Rogers (Opera)
   - decompress_iob(): Prevent reading of uninitialized data. Reported
     by: Joshua Rogers (Opera).
   - decompress_iob(): Don't advance cur past eod when looking for the
     end of the file name and comment.
   - decompress_iob(): Cast value to unsigned char before shifting.
     Prevents a left-shift of a negative value which is undefined
     behaviour. Reported by: Joshua Rogers (Opera)
   - gif_deanimate(): Confirm that we have enough data before doing
     any work. Fixes a crash when fuzzing with an empty document.
     Reported by: Joshua Rogers (Opera).
   - buf_copy(): Fail if there's no data to write or nothing to do.
     Prevents undefined behaviour "applying zero offset to null pointer".
     Reported by: Joshua Rogers (Opera)
   - log_error(): Treat LOG_LEVEL_FATAL as fatal even when --stfu is
     being used while fuzzing. Reported by: Joshua Rogers (Opera).
   - Respect DESTDIR when considering whether or not to install config
     files with ".new" extension.
   - OpenSSL ssl_store_cert(): Fix two error messages.
   - Fix a couple of format specifiers.
   - Silence compiler warnings when compiling with NDEBUG.
   - fuzz_server_header(): Fix compiler warning.
   - fuzz_client_header(): Fix compiler warning.
   - cgi_send_user_manual(): Also reject requests if the user-manual
     directive specifies a https:// URL. Previously Privoxy would try and
     fail to open a local file.

 - General improvements:

   - Log the TLS version and the cipher when debug 2 is enabled.
   - ssl_send_certificate_error(): Respect HEAD requests by not sending a
     body.
   - ssl_send_certificate_error(): End the body with a single new line.
   - serve(): Increase the chances that the host is logged when closing a
     server socket.
   - handle_established_connection(): Add parentheses to clarify an
     expression. Suggested by: David Binderman.
   - continue_https_chat(): Explicitly unset
     CSP_FLAG_CLIENT_CONNECTION_KEEP_ALIVE if process_encrypted_request()
     fails. This makes it more obvious that the connection will not be
     reused. Previously serve() relied on
     CSP_FLAG_SERVER_CONTENT_LENGTH_SET and CSP_FLAG_CHUNKED being unset.
     Inspired by a patch from Joshua Rogers (Opera).
   - decompress_iob(): Add periods to a couple of log messages.
   - Terminate the body of the HTTP snippets with a single new line
     instead of "\r\n".
   - configure: Add --with-assertions option and only enable assertions
     when it is used.
   - windows build: Use --with-brotli and --with-mbedtls by default and
     enable dynamic error checking.
   - gif_deanimate(): Confirm we've got an image before trying to write
     it. Saves a pointless buf_copy() call.
   - OpenSSL ssl_store_cert(): Remove a superfluous space before the
     serial number.

 - Action file improvements:

   - Disable fast-redirects for .golem.de/
   - Unblock requests to adri*.
   - Block requests for trc*.taboola.com/
   - Disable fast-redirects for .linkedin.com/

 - Filter file improvements:

   - Make the second pcrs job of the img-reorder filter greedy again. The
     ungreedy version broke the img tags on:
     https://bulk.fefe.de/scalability/.

 - Privoxy-Log-Parser:

   - Highlight a few more messages.
   - Clarify the --statistics output. The shown "Reused connections" are
     server connections so name them appropriately.
   - Bump version to 0.9.3.

 - Privoxy-Regression-Test:

   - Add the --check-bad-ssl option to the --help output.
   - Bump version to 0.7.3.

 - Documentation:

   - Add pushing the created tag to the release steps in the developer
     manual.
   - Clarify that 'debug 32768' should be used in addition to the other
     debug directives when reporting problems.
   - Add a 'Third-party licenses and copyrights' section to the user
     manual.
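
The two decompress_iob() bug fixes listed above (not advancing cur past eod while skipping the file name and comment, and casting to unsigned char before shifting) concern gzip header parsing. The following stand-alone header walker is an added example showing both checks; it is not Privoxy's code, and gzip_payload_offset() is a hypothetical name.

```c
#include <stddef.h>

/* gzip FLG bits as defined in RFC 1952 */
#define GZ_FHCRC    0x02
#define GZ_FEXTRA   0x04
#define GZ_FNAME    0x08
#define GZ_FCOMMENT 0x10

/*
 * Hypothetical helper, not a Privoxy function. Returns the offset of the
 * deflate stream inside buf, or -1 if the header is malformed or would
 * run past the end of the data (eod).
 */
long gzip_payload_offset(const char *buf, size_t len)
{
   const char *cur = buf;
   const char *eod = buf + len;
   unsigned char flags;
   int i;

   if (buf == NULL || len < 10) return -1;      /* fixed header: 10 bytes */
   if ((unsigned char)cur[0] != 0x1f || (unsigned char)cur[1] != 0x8b
      || cur[2] != 8) return -1;                /* magic, CM = deflate */
   flags = (unsigned char)cur[3];
   cur += 10;

   if (flags & GZ_FEXTRA)
   {
      size_t xlen;
      if (eod - cur < 2) return -1;
      /* Cast to unsigned char BEFORE shifting: plain char may be signed
       * and left-shifting a negative value is undefined behaviour. */
      xlen = (size_t)(unsigned char)cur[0]
           | ((size_t)(unsigned char)cur[1] << 8);
      cur += 2;
      if ((size_t)(eod - cur) < xlen) return -1; /* extra field truncated */
      cur += xlen;
   }
   /* File name, then comment: both NUL-terminated. Never step past eod. */
   for (i = 0; i < 2; i++)
   {
      if (!(flags & (i == 0 ? GZ_FNAME : GZ_FCOMMENT))) continue;
      while (cur < eod && *cur != '\0') cur++;
      if (cur == eod) return -1;                /* terminator missing */
      cur++;                                    /* skip the NUL */
   }
   if (flags & GZ_FHCRC)
   {
      if (eod - cur < 2) return -1;
      cur += 2;
   }
   return (long)(cur - buf);
}
```

A return value of -1 means the caller should reject the body instead of handing it to the decompressor.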

This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP2:

    zypper in -t patch openSUSE-2021-460=1
