
Bug#860265: marked as done ((pre-approval) unblock: apt-cacher-ng/2-2)



Your message dated Fri, 12 May 2017 12:05:00 +0000
with message-id <edc38202-ae9f-cec3-38e1-8b41dfe8a1b4@thykier.net>
and subject line Re: Bug#860265: (pre-approval) unblock: apt-cacher-ng/2-2
has caused the Debian Bug report #860265,
regarding (pre-approval) unblock: apt-cacher-ng/2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860265
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please approve the upload of a new version of apt-cacher-ng. See #860243
for details. Here is a minimum viable patch included below.

This is made under protest because I still consider the "reasons" for
rejecting #860243 specious and unfair. But anyhow, this changeset should
do the job for a (short) while.

unblock apt-cacher-ng/2-2

diff -Nru apt-cacher-ng-2/debian/changelog apt-cacher-ng-2/debian/changelog
--- apt-cacher-ng-2/debian/changelog	2016-11-22 21:39:43.000000000 +0100
+++ apt-cacher-ng-2/debian/changelog	2017-04-13 18:11:17.000000000 +0200
@@ -1,3 +1,17 @@
+apt-cacher-ng (2-2) testing; urgency=high
+
+  * Special version only for Debian Stretch, solving moderate security issues:
+    + hardening against HTTP header splitting attack (no user input printed in
+      the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+    + hardening against unintended or malicious triggering of hidden space
+      allocation, by disabling the fallocate completely. This is ultima ratio,
+      trading code simplicity for fragmentation avoiding efforts; a smarter
+      solution is found in upstream version 3; closes: #856635)
+    + handle a corner case of bad TLS handshake with invalid certificate
+      (related to #839751)
+
+ -- Eduard Bloch <blade@debian.org>  Thu, 13 Apr 2017 18:11:17 +0200
+
 apt-cacher-ng (2-1) unstable; urgency=low
 
   * New upstream version
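Review bot: the changelog entry has an unbalanced parenthesis in the fallocate item ("closes: #856635)" closes a bracket that was never opened); the BTS still parses the closure, so this is cosmetic, but the same text is copied verbatim into the DEP-3 header of debian/patches/debian-changes below, so fix it here before regenerating that header. The CVE-2017-7443 and #839751 items are only described as "related"; if this upload fully addresses either, say so explicitly in the entry so the fix is traceable from the bug and CVE.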
diff -Nru apt-cacher-ng-2/debian/patches/debian-changes apt-cacher-ng-2/debian/patches/debian-changes
--- apt-cacher-ng-2/debian/patches/debian-changes	1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-2/debian/patches/debian-changes	2017-04-13 18:11:17.000000000 +0200
@@ -0,0 +1,81 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (2-2) testing; urgency=high
+ .
+   * Special version only for Debian Stretch, solving moderate security issues:
+     + hardening against HTTP header splitting attack (no user input printed in
+       the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+     + hardening against unintended or malicious triggering of hidden space
+       allocation, by disabling the fallocate completely. This is ultima ratio,
+       trading code simplicity for fragmentation avoiding efforts; a smarter
+       solution is found in upstream version 3; closes: #856635)
+     + handle a corner case of bad TLS handshake with invalid certificate
+       (related to #839751)
+Author: Eduard Bloch <blade@debian.org>
+Bug-Debian: https://bugs.debian.org/856635
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2017-04-13
+
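Review bot: the DEP-3 header of debian/patches/debian-changes is still the unfilled dpkg-source template: the Description reads "<short summary of the patch>", and the TODO paragraph plus the template trailer after "---" (the Origin, Bug, Forwarded and Reviewed-By placeholders) were left in. Replace the Description with a real one-line summary, for example "Stretch-only security hardening: no user input in HTTP headers, fallocate disabled, missing peer certificate rejected", drop the TODO and template text, and list the other referenced issues (CVE-2017-7443, #839751) next to Bug-Debian: https://bugs.debian.org/856635. Since the patch touches three files for three unrelated problems, splitting it into three patches in debian/patches/series would make each change reviewable on its own.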
+--- apt-cacher-ng-2.orig/source/fileio.cc
++++ apt-cacher-ng-2/source/fileio.cc
+@@ -17,7 +17,7 @@ using namespace std;
+ namespace acng
+ {
+ 
+-#ifdef HAVE_LINUX_FALLOCATE
++#ifdef DISABLED_FOR_NOW
+ 
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
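Review bot: renaming the guard from HAVE_LINUX_FALLOCATE to DISABLED_FOR_NOW disables falloc_helper by relying on a macro nobody defines; it reads like a build-system symbol and would be silently re-enabled by a stray -DDISABLED_FOR_NOW. Prefer `#if 0` with a comment pointing at #856635, or remove the block outright, so the intent is visible in the source. The hunk also does not show the matching #else/#endif branch; please confirm a no-op falloc_helper is still defined there so the callers compile and files are written without preallocation, as the changelog states.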
+--- apt-cacher-ng-2.orig/source/job.cc
++++ apt-cacher-ng-2/source/job.cc
+@@ -712,9 +712,7 @@ report_overload:
+     return ;
+ 
+ report_notallowed:
+-	SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
+-			nullptr, "403 Forbidden file type or location");
+-//    USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
++	SetErrorResponse("403 Forbidden file type or location");
+     return ;
+ 
+ report_offlineconf:
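Review bot: the removed SetErrorResponse call interpolated the client-supplied sReqPath into the 403 status line, which is the header-splitting vector the changelog attributes to CVE-2017-7443; the replacement passes only a constant string, which closes that. Two follow-ups: the single-argument SetErrorResponse overload is not visible in this hunk, so confirm it exists (or that the remaining parameters default) in this stretch code base; and since the commented-out USRDBG line goes away as well, the forbidden path is no longer recorded anywhere, so consider logging sReqPath to the server log (never into the response) so operators can still diagnose blocked requests.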
+--- apt-cacher-ng-2.orig/source/tcpconnect.cc
++++ apt-cacher-ng-2/source/tcpconnect.cc
+@@ -585,11 +585,19 @@ bool tcpconnect::SSLinit(mstring &sErr,
+ 	if(!cfg::nsafriendly)
+ 	{
+ 		hret=SSL_get_verify_result(ssl);
+-		if( hret != X509_V_OK)
++		if(hret != X509_V_OK)
+ 		{
+ 			perr=X509_verify_cert_error_string(hret);
+ 			goto ssl_init_fail;
+ 		}
++		auto server_cert = SSL_get_peer_certificate(ssl);
++		if(server_cert)
++			X509_free(server_cert);
++		else
++		{
++			perr="Incompatible remote certificate";
++			goto ssl_init_fail;
++		}
+ 	}
+ 
+ 	return true;
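Review bot: the added SSL_get_peer_certificate check closes a real gap, because SSL_get_verify_result reports X509_V_OK when the peer presented no certificate at all, so the existing hret check alone would accept such a handshake. The error text "Incompatible remote certificate" is misleading for that case; "no peer certificate presented" would match what the code actually detects. Note that the check sits inside `if(!cfg::nsafriendly)`, so with nsafriendly enabled a certificate-less peer is still accepted; that is consistent with skipping verification there but deserves a comment. The `if( hret` whitespace change in the same hunk is noise; drop it to keep the stretch patch minimal.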
diff -Nru apt-cacher-ng-2/debian/patches/series apt-cacher-ng-2/debian/patches/series
--- apt-cacher-ng-2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-2/debian/patches/series	2017-04-13 18:11:17.000000000 +0200
@@ -0,0 +1 @@
+debian-changes

--- End Message ---
--- Begin Message ---
Niels Thykier:
> Control: tags -1 confirmed moreinfo
> 
> Eduard Bloch:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please approve the upload of a new version of apt-cacher-ng. See #860243
>> for details. Here is a minimum viable patch included below.
>>
>> [...]
>>
>> unblock apt-cacher-ng/2-2
>>
>> [...]
>>
> 
> Ack, please go ahead and remove the moreinfo tag once the upload has
> been done.
> 
> Thanks,
> ~Niels
> 

Upload has happened and I have unblocked it.

Thanks,
~Niels

--- End Message ---
