Bug#858846: jessie-pu: package apt-cacher/1.7.10
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to arrange an update of apt-cacher 1.7.10 in Jessie to fix the HTTP
response splitting issue tracked in #858739 (no CVE allocated).
I have prepared 1.7.10+deb8u1 which is available from http://hindley.org.uk/~mark/debian
Alternatively, as this is a native package you may prefer me to package it as
1.7.10.1. Please advise.
debdiff:
Changes from debian/1.7.10 to debian/1.7.10+deb8u1
Modified apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 668b2d8..5bde2e7 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2093,8 +2093,8 @@ sub get_request {
$request->protocol($3||'HTTP/1.0');
clean_uri($request->uri);
- if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
- sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+ if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+ sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
return 1; # next REQUEST
}
return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
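Review bot: the new pattern `%0[ad]` (with `/i`) only rejects percent-encoded CR/LF, and it is evaluated after the `clean_uri($request->uri)` call two lines above; please confirm that `clean_uri` does not percent-decode the URI, since a decoded raw CR or LF would no longer match this check and would still reach the downstream response code. It would also be worth noting in the comment that the 403 body echoes the offending URI (`'Forbidden: Insecure URI ' . $request->uri`), which is safe only because the rejected value still contains the encoded form rather than literal line breaks.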
Modified debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 43310cd..d8946f6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.10+deb8u1) jessie-security; urgency=medium
+
+ * Prevent HTTP response splitting with encoded newlines in
+ request. Backport of fix for #858739.
+
+ -- Mark Hindley <mark@hindley.org.uk> Sun, 26 Mar 2017 18:25:21 +0100
+
apt-cacher (1.7.10) unstable; urgency=low
* Internally store http_proxy as URI object which can include
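Review bot: the changelog entry targets `jessie-security`, but this is a jessie-pu (proposed-updates) request with no CVE allocated, so the distribution in the first line should be the stable suite (`jessie`) rather than the security suite; an upload with `jessie-security` will be rejected from proposed-updates. Consider also referencing the bug with `Closes: #858739` so the BTS is updated when the update is accepted.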
Many thanks.
Mark