--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: (pre-approval) unblock: apt-cacher-ng/2-2
- From: Eduard Bloch <edi@gmx.de>
- Date: Thu, 13 Apr 2017 20:42:50 +0200
- Message-id: <20170413184250.35wwnz2iklwn4pgn@rotes76.wohnheim.uni-kl.de>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please approve the upload of a new version of apt-cacher-ng. See #860243
for details. A minimum viable patch is included below.
This is made under protest because I still consider the "reasons" for
rejecting #860243 specious and unfair. But anyhow, this changeset should
do the job for a (short) while.
unblock apt-cacher-ng/2-2
diff -Nru apt-cacher-ng-2/debian/changelog apt-cacher-ng-2/debian/changelog
--- apt-cacher-ng-2/debian/changelog 2016-11-22 21:39:43.000000000 +0100
+++ apt-cacher-ng-2/debian/changelog 2017-04-13 18:11:17.000000000 +0200
@@ -1,3 +1,17 @@
+apt-cacher-ng (2-2) testing; urgency=high
+
+ * Special version only for Debian Stretch, solving moderate security issues:
+ + hardening against HTTP header splitting attack (no user input printed in
+ the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+ + hardening against unintended or malicious triggering of hidden space
+ allocation, by disabling the fallocate completely. This is ultima ratio,
+ trading code simplicity for fragmentation avoiding efforts; a smarter
+ solution is found in upstream version 3; closes: #856635)
+ + handle a corner case of bad TLS handshake with invalid certificate
+ (related to #839751)
+
+ -- Eduard Bloch <blade@debian.org> Thu, 13 Apr 2017 18:11:17 +0200
+
apt-cacher-ng (2-1) unstable; urgency=low
* New upstream version
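Review bot: the fallocate bullet in the new changelog entry has an unbalanced parenthesis: `solution is found in upstream version 3; closes: #856635)` closes a paren that was never opened, so either drop the `)` or open one before `closes:`. The other two bullets say only "related to CVE-2017-7443" and "related to #839751", which leaves the tracker unable to tell whether this upload fixes those or merely narrows them; state plainly which it is, and add `Closes:` where a bug is actually resolved.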
diff -Nru apt-cacher-ng-2/debian/patches/debian-changes apt-cacher-ng-2/debian/patches/debian-changes
--- apt-cacher-ng-2/debian/patches/debian-changes 1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-2/debian/patches/debian-changes 2017-04-13 18:11:17.000000000 +0200
@@ -0,0 +1,81 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (2-2) testing; urgency=high
+ .
+ * Special version only for Debian Stretch, solving moderate security issues:
+ + hardening against HTTP header splitting attack (no user input printed in
+ the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+ + hardening against unintended or malicious triggering of hidden space
+ allocation, by disabling the fallocate completely. This is ultima ratio,
+ trading code simplicity for fragmentation avoiding efforts; a smarter
+ solution is found in upstream version 3; closes: #856635)
+ + handle a corner case of bad TLS handshake with invalid certificate
+ (related to #839751)
+Author: Eduard Bloch <blade@debian.org>
+Bug-Debian: https://bugs.debian.org/856635
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2017-04-13
+
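Review bot: the DEP-3 header is still the unfilled template. `Description: <short summary of the patch>`, the `TODO:` paragraph and the field templates after `---` (`Origin: <vendor|upstream|other>, ...`, `Forwarded: <no|not-needed|...>`) all ship in the patch file. Replace the placeholder with a real Description (the three changelog bullets would do), set `Origin` and `Forwarded` to their actual values since this is described as a backport from Sid, and delete the instructional text. `Bug-Debian` lists only 856635 while the changelog also cites CVE-2017-7443 and #839751; reference those here too so the patch is self-describing.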
+--- apt-cacher-ng-2.orig/source/fileio.cc
++++ apt-cacher-ng-2/source/fileio.cc
+@@ -17,7 +17,7 @@ using namespace std;
+ namespace acng
+ {
+
+-#ifdef HAVE_LINUX_FALLOCATE
++#ifdef DISABLED_FOR_NOW
+
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
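Review bot: replacing `HAVE_LINUX_FALLOCATE` with the never-defined `DISABLED_FOR_NOW` dead-codes the fallocate path with no comment and no build-system change, so the next reader of fileio.cc sees an unexplained macro. Prefer deleting the block (or its call sites) outright, or at minimum add a comment naming #856635 so the reason survives; and confirm that the non-fallocate branch which now always compiles (not shown in this hunk) is acceptable for every caller of falloc_helper, since they all get it unconditionally now.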
+--- apt-cacher-ng-2.orig/source/job.cc
++++ apt-cacher-ng-2/source/job.cc
+@@ -712,9 +712,7 @@ report_overload:
+ return ;
+
+ report_notallowed:
+- SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
+- nullptr, "403 Forbidden file type or location");
+-// USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
++ SetErrorResponse("403 Forbidden file type or location");
+ return ;
+
+ report_offlineconf:
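Review bot: dropping `sReqPath` from the 403 status line removes the splitting vector at `report_notallowed`, but this hunk covers only that label; `report_overload` and `report_offlineconf` are visible as context in the same function and should be checked for the same `tSS() << ... << sReqPath` pattern, and SetErrorResponse itself should reject or strip CR/LF so a future caller cannot reintroduce the problem. The old call passed three arguments (`..., nullptr, "403 Forbidden file type or location"`) and the new one passes a single string; confirm the one-argument form emits the same status line rather than a different default.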
+--- apt-cacher-ng-2.orig/source/tcpconnect.cc
++++ apt-cacher-ng-2/source/tcpconnect.cc
+@@ -585,11 +585,19 @@ bool tcpconnect::SSLinit(mstring &sErr,
+ if(!cfg::nsafriendly)
+ {
+ hret=SSL_get_verify_result(ssl);
+- if( hret != X509_V_OK)
++ if(hret != X509_V_OK)
+ {
+ perr=X509_verify_cert_error_string(hret);
+ goto ssl_init_fail;
+ }
++ auto server_cert = SSL_get_peer_certificate(ssl);
++ if(server_cert)
++ X509_free(server_cert);
++ else
++ {
++ perr="Incompatible remote certificate";
++ goto ssl_init_fail;
++ }
+ }
+
+ return true;
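Review bot: the null check on `SSL_get_peer_certificate` is needed because `SSL_get_verify_result` returns `X509_V_OK` when the peer presented no certificate at all, so the preceding `hret != X509_V_OK` test alone would accept a cert-less handshake; but the message `"Incompatible remote certificate"` describes the wrong condition, so say "no peer certificate presented" instead. The `if( hret` to `if(hret` whitespace edit is unrelated noise in a targeted stable update and should be dropped. The whole block is skipped under `cfg::nsafriendly`, which is presumably intended, but a comment saying so would help the next reviewer.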
diff -Nru apt-cacher-ng-2/debian/patches/series apt-cacher-ng-2/debian/patches/series
--- apt-cacher-ng-2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-2/debian/patches/series 2017-04-13 18:11:17.000000000 +0200
@@ -0,0 +1 @@
+debian-changes
--- End Message ---
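The header-splitting hardening the changelog above describes (no user input printed into HTTP headers) is easier to see with a concrete response builder. The following is an added example, not apt-cacher-ng's own code: `buildErrorResponseUnsafe` mirrors the shape of the pre-patch 403 status line that appended the request path, `buildErrorResponseSafe` mirrors the fixed-string form, and a small parser shows what a client sees in each case. The percent-decoder, function names and the sample path are constructed for illustration; the assumption is that the path reaches the error handler already percent-decoded, as it would after URL processing in a proxy.

```cpp
// Added example (not apt-cacher-ng code): reflecting a request path into an
// HTTP status line lets %0d%0a in the path inject whole header fields.
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Illustrative percent-decoder (assumption: the proxy decodes the path
// before the 403 handler runs, so CR/LF can reach the status line).
std::string percentDecode(const std::string& in)
{
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Vulnerable shape: user-controlled path appended to the status line.
std::string buildErrorResponseUnsafe(const std::string& reqPath)
{
    return "HTTP/1.1 403 Forbidden file type or location: " + reqPath +
           "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";
}

// Hardened shape: constant status line, nothing derived from the request.
std::string buildErrorResponseSafe(const std::string& /*reqPath*/)
{
    return "HTTP/1.1 403 Forbidden file type or location"
           "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";
}

using HeaderList = std::vector<std::pair<std::string, std::string>>;

// Minimal parser for a response head: status line plus header fields,
// split on CRLF, terminated by an empty line.
std::pair<std::string, HeaderList> parseHead(const std::string& resp)
{
    HeaderList headers;
    size_t eol = resp.find("\r\n");
    std::string status = resp.substr(0, eol == std::string::npos ? resp.size() : eol);
    if (eol == std::string::npos) return {status, headers};
    size_t pos = eol + 2;
    for (;;) {
        eol = resp.find("\r\n", pos);
        if (eol == std::string::npos) break;
        std::string line = resp.substr(pos, eol - pos);
        pos = eol + 2;
        if (line.empty()) break;               // end of head
        size_t colon = line.find(':');
        if (colon == std::string::npos) { headers.emplace_back(line, ""); continue; }
        std::string name = line.substr(0, colon);
        std::string value = line.substr(colon + 1);
        size_t s = value.find_first_not_of(" \t");
        value = (s == std::string::npos) ? "" : value.substr(s);
        headers.emplace_back(name, value);
    }
    return {status, headers};
}

// True if the parsed head carries a header field the server never set.
bool hasInjectedHeader(const std::string& resp, const std::string& name)
{
    for (const auto& h : parseHead(resp).second)
        if (h.first == name) return true;
    return false;
}

int main()
{
    // Constructed attacker path: CRLF plus a Set-Cookie field, percent-encoded.
    const std::string path = percentDecode("/evil%0d%0aSet-Cookie:%20x=1");
    std::cout << "unsafe injected Set-Cookie: " << hasInjectedHeader(buildErrorResponseUnsafe(path), "Set-Cookie") << "\n";
    std::cout << "safe   injected Set-Cookie: " << hasInjectedHeader(buildErrorResponseSafe(path), "Set-Cookie") << "\n";
    return 0;
}
```

The safe builder does not strip or escape the path; it simply never uses it, which is the same trade the Stretch patch makes (the offending path is still available in the server log for debugging, but it no longer reaches the wire).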
--- Begin Message ---
- To: Eduard Bloch <edi@gmx.de>, 860265-done@bugs.debian.org
- Subject: Re: Bug#860265: (pre-approval) unblock: apt-cacher-ng/2-2
- From: Niels Thykier <niels@thykier.net>
- Date: Fri, 12 May 2017 12:05:00 +0000
- Message-id: <edc38202-ae9f-cec3-38e1-8b41dfe8a1b4@thykier.net>
- In-reply-to: <c29c6cc6-0e51-4fcc-b93b-f80cac1f7e84@thykier.net>
- References: <20170413184250.35wwnz2iklwn4pgn@rotes76.wohnheim.uni-kl.de> <c29c6cc6-0e51-4fcc-b93b-f80cac1f7e84@thykier.net>
Niels Thykier:
> Control: tags -1 confirmed moreinfo
>
> Eduard Bloch:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please approve the upload of new version of apt-cacher-ng. See #860243
>> for details. Here is a minimum viable patch included below.
>>
>> [...]
>>
>> unblock apt-cacher-ng/2-2
>>
>> [...]
>>
>
> Ack, please go ahead and remove the moreinfo tag once the upload has
> been done.
>
> Thanks,
> ~Niels
>
Upload has happened and I have unblocked it.
Thanks,
~Niels
--- End Message ---