Bug 920643 - (CVE-2013-2503) CVE-2013-2503 privoxy: Proxy-Authentication response spoofing
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 920645 920647
Blocks: 920654
Reported: 2013-03-12 09:35 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:00 EDT
Doc Type: Bug Fix
Description Jan Lieskovsky 2013-03-12 09:35:16 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-2503 to the following vulnerability:

Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2503
[2] http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/
[3] http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup
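
The header handling that the CVE description above says was missing can be sketched as follows. This is an added example, not Privoxy's code and not part of the original report; it assumes a forwarding proxy that requires no authentication itself and has no authenticating parent proxy, and the function names and the 407-to-502 rewrite are choices made for the example.

```python
# Added illustration, not Privoxy source code.
# Assumption: this proxy never asks for credentials and has no authenticating
# parent proxy, so proxy-auth headers are never legitimate on either side.

PROXY_AUTH_REQUEST = "proxy-authorization"
PROXY_AUTH_RESPONSE = "proxy-authenticate"


def filter_client_request(headers):
    """Return (forwarded_headers, stripped) for a request going to the origin.

    headers is a list of (name, value) pairs. Proxy-Authorization is meant
    for a proxy, so it is never passed on to the origin server.
    """
    kept = [(n, v) for n, v in headers if n.strip().lower() != PROXY_AUTH_REQUEST]
    return kept, len(kept) != len(headers)


def filter_server_response(status, headers):
    """Return (status, headers, flagged) for a response going to the client.

    A 407 or a Proxy-Authenticate header arriving from the origin side cannot
    come from this proxy, so the challenge is removed and a 407 is replaced
    with 502 (a choice made for this example) so the browser is not prompted
    for proxy credentials on behalf of a remote server.
    """
    kept = [(n, v) for n, v in headers if n.strip().lower() != PROXY_AUTH_RESPONSE]
    flagged = status == 407 or len(kept) != len(headers)
    if status == 407:
        status = 502
    return status, kept, flagged


# Constructed sample traffic (not captured from a real system).
SAMPLE_REQUEST = [
    ("Host", "example.test"),
    ("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ6c2FtcGxl"),
    ("Accept", "*/*"),
]
SAMPLE_RESPONSE = (407, [
    ("Proxy-Authenticate", 'Basic realm="constructed sample"'),
    ("Content-Length", "0"),
])

if __name__ == "__main__":
    print(filter_client_request(SAMPLE_REQUEST))
    print(filter_server_response(*SAMPLE_RESPONSE))
```

The `flagged` value is there so a deployment can log origin servers that send proxy-authentication challenges.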
Comment 1 Jan Lieskovsky 2013-03-12 09:37:01 EDT
This issue affects the version of the privoxy package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of the privoxy package, as shipped with Fedora releases 17 and 18, and with Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-03-12 09:38:39 EDT
Created privoxy tracking bugs for this issue

Affects: fedora-all [bug 920645]
Affects: epel-6 [bug 920647]
Comment 3 Jan Lieskovsky 2013-03-12 09:40:51 EDT

Vulnerable. This issue affects the version of privoxy as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this flaw. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
