Feature #5769: Applications audit
A bunch of anonymity, privacy and security issues in Polipo were fixed in Christopher Davis' branch (git://repo.or.cz/polipo.git) and never merged upstream.
Christopher added the
dontIdentifyToClients option (commits: 80b45940, be116b5, c78beb81) to fix bug #1082 on Tor Project's Trac. When set to true, "Polipo tries to avoid transmitting local host name, port, and time zone".
- hostname and port: Tails sets
proxyName = "localhost"and
proxyPort = 8118just like the Tor Browser Bundle does => nothing critical could be leaked - at worse, leaking this information restricts the practical anonymity set to the best one Tails can try putting its users into => non-issue.
Tails Git devel branch sets UTC timezone for everybody, so the timezone leaking issue becomes much less relevant.
Security issues that were not privacy-related have supposedly already been applied to the 220.127.116.11-1.1 polipo package shipped in Debian Squeeze. This should be double-checked, though => research.