From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] privoxy: Update to 3.0.24
Date: Tue, 29 Mar 2016 15:04:46 +0100
Message-ID: <1459260286.30749.203.camel@ipfire.org>
In-Reply-To: <56A684BB.40809@ipfire.org>

Hi,

indeed. Never bundle a library. Never. Never. Never.

PCRE had some severe security issues recently and I assume that these are not
fixed in the privoxy release tarball. If we fix the issues in pcre it will
automatically be fixed in privoxy too when dynamically linked.

If pcre is statically linked we usually wouldn't know that a vulnerable version
of pcre is in there, and even if we would, this would create extra work to fix
the same issue there, too.

So just don't do it. They should actually remove the bundled version upstream.

-Michael

On Mon, 2016-01-25 at 21:25 +0100, Matthias Fischer wrote:
> Hi,
>
> I got some short questions about using the feature
> "FEATURE_DYNAMIC_PCRE" in privoxy and would be grateful if someone could
> give me some short hints or explanations.
>
> In the past this feature was always disabled through the
> configure-option "--disable-dynamic-pcre". The only explanation
> 'privoxy' gives is the 'configure --help' text:
>
> "--disable-dynamic-pcre       Use the built-in, static pcre, even if
> libpcre is available".
>
> The 'privoxy' status tells me:
> "FEATURE_DYNAMIC_PCRE => Dynamically link to the PCRE library. This is
> set automatically by ./configure if you do not have libpcre installed.
> Dynamically linking to an external libpcre is recommended as the one
> that is distributed with Privoxy itself is outdated and lacks various
> features and bug-fixes you may be interested in."
>
> So for testing purposes - being curious - I enabled this feature by
> deleting "--disable-dynamic-pcre" from 'privoxy'-lfs-file. Everything
> was built, everything seems to be running fine. But although I searched
> for a better statement what this option really does I didn't find any
> and now I would like to know what are the dis/advantages of this option.
>
> Disable or enable dynamic PCRE - what is better for 'privoxy' and
> IPFire? And what does it do? Some short statements or hints would be
> sufficient!
>
> Sorry, if this seems to be some dumb question, but I want to be sure...
>
> Best,
> Matthias
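
One way to check which of the two cases a given build is in, as an added example that is not part of the original thread or of the IPFire build scripts: it classifies `nm` symbol listings by whether PCRE functions are imported from a shared library or compiled into the binary. The function name `pcre_origin` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `nm` output whether a binary imports PCRE
# from a shared libpcre or carries its own (bundled/static) copy.

# pcre_origin: read `nm` / `nm -D` output on stdin and print
#   bundled - PCRE functions are defined inside the binary itself
#   shared  - PCRE functions are undefined here, resolved from libpcre at load time
#   unknown - no PCRE symbols visible (PCRE unused, or symbols stripped)
pcre_origin() {
    awk '
        NF < 2 { next }                       # skip blank or malformed lines
        { type = $(NF-1); name = $NF }        # nm lines: "[address] TYPE name"
        # Only code symbols (T/t) count as bundled: data symbols can be
        # copied into an executable by the linker even with a shared libpcre.
        name ~ /^pcre_/ && type ~ /^[Tt]$/ { defined = 1 }
        name ~ /^pcre_/ && type == "U"     { imported = 1 }
        END {
            if (defined)       print "bundled"
            else if (imported) print "shared"
            else               print "unknown"
        }'
}

# Constructed sample listings (not taken from a real privoxy build).
SAMPLE_SHARED='                 U pcre_compile
                 U pcre_exec
0000000000404a10 T main'

SAMPLE_BUNDLED='000000000041a2b0 T pcre_compile
000000000041c880 T pcre_exec
0000000000404a10 T main'

# Usage: sh pcre_origin.sh /path/to/binary
# Both the static and the dynamic symbol table are read, since a stripped
# binary keeps only the dynamic one.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    { nm "$1" 2>/dev/null; nm -D "$1" 2>/dev/null; } | pcre_origin
fi
```

A result of `unknown` on a stripped binary does not rule out a bundled copy, so the build's configure options remain the authoritative record.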