Bug#776325: wheezy-pu: package pound/2.6-2+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team, and pound maintainers (copied via X-Debbugs-Cc).

The wheezy version of pound has a nasty bug that breaks HTTP → HTTPS
redirects for URLs that contain the '=' character, which is arguably
quite common.

I would like to fix this with the attached debdiff.

-- System Information:
Debian Release: 8.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog	2015-01-26 18:29:53.000000000 -0200
+++ pound-2.6/debian/changelog	2012-02-03 07:50:41.000000000 -0200
@@ -1,12 +1,3 @@
-pound (2.6-2+deb7u1) stable; urgency=medium
-
-  * Non-maintainer upload.
-  * Update XSS redirect vulnerability patch to not break with '=' in the URL.
-    Both the original patch and this update have already been applied
-    upstream. Closes: #723731
-
- -- Antonio Terceiro <terceiro@debian.org>  Mon, 26 Jan 2015 18:26:09 -0200
-
 pound (2.6-2) unstable; urgency=low
 
   * Update anti_beast patch
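Review bot: The debdiff is reversed: in this hunk the new 2.6-2+deb7u1 stanza sits on the `-` lines, and the file headers carry the 2015-01-26 timestamp on the `---` side and the 2012-02-03 one on the `+++` side, so as written the diff removes the proposed upload instead of adding it. Regenerating it with the old .dsc as the first argument to debdiff and the new one as the second would let the release team read it in the direction of the change. The stanza itself names the affected character and the bug it closes, which is what a stable update reviewer needs.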
diff -Nru pound-2.6/debian/patches/xss_redirect_fix.patch pound-2.6/debian/patches/xss_redirect_fix.patch
--- pound-2.6/debian/patches/xss_redirect_fix.patch	2015-01-26 18:33:01.000000000 -0200
+++ pound-2.6/debian/patches/xss_redirect_fix.patch	2012-02-03 07:46:07.000000000 -0200
@@ -43,7 +43,7 @@
 +	    (ch>= 'A' && ch <='Z') ||
 +	    (ch>= 'a' && ch <='z') ||
 +	    (ch>= '0' && ch <='9') ||
-+            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';' || ch == '=') {
++            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';') {
 +
 +	    urlbuf[j++] = ch;
 +	    continue;
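Review bot: The allow-list line that gains `ch == '='` (shown on the `-` side here because the debdiff is reversed) has no comment or patch-header note saying why '=' can be copied into urlbuf unescaped in the context the XSS fix protects. Since this condition is the security boundary of the patch, a one-line rationale in the patch header would help, along with a statement of what happens to characters that fail the test, which the hunk does not show; other characters common in query strings, such as '%' and '+', are not among those visible here and may hit the same redirect breakage. The changed line is also indented with spaces while the neighbouring condition lines use a tab, and the condition is long enough that splitting it across lines would make the next addition easier to review.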
