[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#776325: marked as done (wheezy-pu: package pound/2.6-2+deb7u1)

Your message dated Mon, 2 Feb 2015 18:19:38 -0200
with message-id <20150202201938.GA27122@debian.org>
and subject line Re: Bug#776325: wheezy-pu: package pound/2.6-2+deb7u1
has caused the Debian Bug report #776325,
regarding wheezy-pu: package pound/2.6-2+deb7u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
776325: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776325
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team, and pound maintainers (copied via X-Debbugs-Cc).

The wheezy version of pound has a nasty bug that breaks HTTP → HTTPS
redirects for URL's that contain the '=' character , what is arguably
quite common.

I would like to fix this with the attached debdiff.

-- System Information:
Debian Release: 8.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Antonio Terceiro <terceiro@debian.org>

diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog	2015-01-26 18:29:53.000000000 -0200
+++ pound-2.6/debian/changelog	2012-02-03 07:50:41.000000000 -0200
@@ -1,12 +1,3 @@
-pound (2.6-2+deb7u1) stable; urgency=medium
-
-  * Non-maintainer upload.
-  * Update XSS redirect vulnerability patch to not break with '=' in the URL.
-    Both the original patch and this update have already been applied
-    upstream. Closes: #723731
-
- -- Antonio Terceiro <terceiro@debian.org>  Mon, 26 Jan 2015 18:26:09 -0200
-
 pound (2.6-2) unstable; urgency=low
 
   * Update anti_beast patch
diff -Nru pound-2.6/debian/patches/xss_redirect_fix.patch pound-2.6/debian/patches/xss_redirect_fix.patch
--- pound-2.6/debian/patches/xss_redirect_fix.patch	2015-01-26 18:33:01.000000000 -0200
+++ pound-2.6/debian/patches/xss_redirect_fix.patch	2012-02-03 07:46:07.000000000 -0200
@@ -43,7 +43,7 @@
 +	    (ch>= 'A' && ch <='Z') ||
 +	    (ch>= 'a' && ch <='z') ||
 +	    (ch>= '0' && ch <='9') ||
-+            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';' || ch == '=') {
++            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';') {
 +
 +	    urlbuf[j++] = ch;
 +	    continue;

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message --- 
Hello Thijs,

On Mon, Feb 02, 2015 at 04:16:07PM +0100, Thijs Kinkhorst wrote:
> Hi Antonio,
> 
> On Mon, February 2, 2015 15:34, Antonio Terceiro wrote:
> > ping :)
> 
> As a heads up, we're currently preparing a upload for stable-security
> where this patch will most likely be included.

Ah, cool. There is no point in me uploading it, in that case.

Thanks!

-- 
Antonio Terceiro <terceiro@debian.org>

Attachment: signature.asc
Description: Digital signature


--- End Message ---
Reply to: