
Bug#832517: marked as done (jessie-pu: package yaws/1.98-4+deb8u1)



Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #832517,
regarding jessie-pu: package yaws/1.98-4+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
832517: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832517
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi release team!

I'd like to upload a stable update for the YAWS web server which would
fix #832433 (see [1] for details). It's a vulnerability found in quite
a few products: YAWS passes the HTTP_PROXY environment variable to its
CGI scripts and takes the value for it from the Proxy: HTTP header
(see [2]).

The patch for this bug is taken from upstream. The diff is attached.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832433
[2] http://httpoxy.org/

-- System Information:
Debian Release: 8.5
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru yaws-1.98/debian/changelog yaws-1.98/debian/changelog
--- yaws-1.98/debian/changelog	2014-08-18 08:49:39.000000000 +0400
+++ yaws-1.98/debian/changelog	2016-07-26 07:48:48.000000000 +0300
@@ -1,3 +1,10 @@
+yaws (1.98-4+deb8u1) stable; urgency=low
+
+  * Applied a patch from upstream to fix CVE-2016-1000108 (passing HTTP_PROXY
+    to CGI scripts). Closes: #832433.
+
+ -- Sergei Golovan <sgolovan@debian.org>  Tue, 26 Jul 2016 07:47:24 +0300
+
 yaws (1.98-4) unstable; urgency=low
 
   * Switched to the well-known logrotate tool to rotate the YAWS log files
diff -Nru yaws-1.98/debian/patches/CVE-2016-1000108.diff yaws-1.98/debian/patches/CVE-2016-1000108.diff
--- yaws-1.98/debian/patches/CVE-2016-1000108.diff	1970-01-01 03:00:00.000000000 +0300
+++ yaws-1.98/debian/patches/CVE-2016-1000108.diff	2016-07-26 07:46:29.000000000 +0300
@@ -0,0 +1,34 @@
+From: Klacke Wikstrom <cwikstro@cisco.com>
+Date: Mon, 25 Jul 2016 12:46:30 +0200
+Subject: [PATCH] Security flaw http://httpoxy.org/ fixed A security flaw with
+ HTTP_PROXY fixed. When we now construct the cgi env variables, we just skip
+ the Proxy header. Reported by dominic@varspool.com.
+ CVE-2016-1000108
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832433
+
+--- a/src/yaws_cgi.erl
++++ b/src/yaws_cgi.erl
+@@ -368,11 +368,21 @@ build_env(Arg, Scriptfilename, Pathinfo, ExtraEnv, SC) ->
+             {"HTTP_IF_NONE_MATCH", H#headers.if_none_match},
+             {"HTTP_IF_UNMODIFIED_SINCE", H#headers.if_unmodified_since},
+             {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
+-           ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
+-                        H#headers.other)
++           ]++ other_headers(H#headers.other)
+           )) ++
+         Extra_CGI_Vars.
+ 
++other_headers(Headers) ->
++    lists:zf(fun({http_header,_,Var,_,Val}) ->
++                     case tohttp(Var) of
++                         "HTTP_PROXY" ->
++                             %% See http://httpoxy.org/
++                             false;
++                         HTTP ->
++                             {true, {HTTP,Val}}
++                     end
++             end, Headers).
++
+ tohttp(X) ->
+     "HTTP_"++lists:map(fun tohttp_c/1, yaws:to_list(X)).
+ 
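Review bot: in other_headers/1 the match on "HTTP_PROXY" is only as strong as the normalisation done by tohttp/1, and tohttp_c/1 is not in the visible context, so please confirm (ideally with a test case shipped alongside) that proxy, Proxy and PROXY all normalise to "HTTP_PROXY" before the comparison. The filter also covers only H#headers.other, while Extra_CGI_Vars is still appended unfiltered after it; if ExtraEnv can never be derived from request data, a one-line comment saying so would help. Minor: lists:zf/2 is undocumented, and lists:filtermap/2 is the documented equivalent where the supported OTP versions allow it.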
diff -Nru yaws-1.98/debian/patches/series yaws-1.98/debian/patches/series
--- yaws-1.98/debian/patches/series	2013-10-19 17:40:03.000000000 +0400
+++ yaws-1.98/debian/patches/series	2016-07-26 07:46:53.000000000 +0300
@@ -2,3 +2,4 @@
 gnu.diff
 docs.diff
 m32m64.diff
+CVE-2016-1000108.diff

--- End Message ---
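
The header-to-variable collision described in the request above, as an added example that is not part of the original message or of YAWS: a Python model of the RFC 3875 naming rule with the same drop-the-header fix, plus a check over several spellings of the header. The function names, the operator-set proxy value and the sample headers are constructed, and layering request headers over an operator environment is an assumption of the example.

```python
# Added example, not YAWS code. All names and sample values are constructed.

def to_cgi_name(header_name):
    """RFC 3875 section 4.1.18: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, base_env, drop_proxy=True):
    """Build a CGI environment from (name, value) request headers.

    base_env holds variables set by the server operator (assumption of this
    example); request headers are layered on top, which is where a request
    header named Proxy collides with the conventional HTTP_PROXY variable.
    """
    env = dict(base_env)
    for name, value in headers:
        var = to_cgi_name(name)
        # Compare the normalised name so every spelling of the header is caught.
        if drop_proxy and var == "HTTP_PROXY":
            continue
        env[var] = value
    return env


def leaking_spellings(drop_proxy):
    """Return the Proxy header spellings whose value reaches HTTP_PROXY."""
    operator_env = {"HTTP_PROXY": "http://egress.internal.example:3128"}
    leaked = []
    for spelling in ("Proxy", "proxy", "PROXY", "pRoXy"):
        headers = [("User-Agent", "regression-check"),
                   (spelling, "http://untrusted.example:8080")]
        env = build_cgi_env(headers, operator_env, drop_proxy)
        if env["HTTP_PROXY"] != operator_env["HTTP_PROXY"]:
            leaked.append(spelling)
    return leaked


if __name__ == "__main__":
    print("unfiltered:", leaking_spellings(drop_proxy=False))
    print("filtered:  ", leaking_spellings(drop_proxy=True))
```
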
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---