Bug#860243: jessie-pu: package apt-cacher-ng/0.8.0-3
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to upgrade the apt-cacher-ng version in Stable ASAP.
See attachment for the overview of the proposed changes. Please note
that it does not fully resolve #839751; only a minor change was included
(extra certificate check for the weakest/obvious attacks).
Adding a complete solution requires either an update of openssl in
Stable or including a local implementation (can be cherry-picked from
Sid) which is likely to be rejected by you (because of "meh meh meeh
SOOOO MANY CHANGES", considering how #857752 was dealt with).
Regards,
Eduard.
--
Yesterday and today differ only by this, here.
diff -Nru apt-cacher-ng-0.8.0/debian/changelog apt-cacher-ng-0.8.0/debian/changelog
--- apt-cacher-ng-0.8.0/debian/changelog 2014-11-28 21:09:34.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/changelog 2017-04-12 22:07:16.000000000 +0200
@@ -1,3 +1,11 @@
+apt-cacher-ng (0.8.0-4) stable; urgency=high
+
+ * Including some security related fixes from upstream version 3 (simplified
+ versions considered appropriate for Stable, related to #856635 and #839751
+ and CVE-2017-7443)
+
+ -- Eduard Bloch <blade@debian.org> Wed, 12 Apr 2017 22:07:16 +0200
+
apt-cacher-ng (0.8.0-3) unstable; urgency=medium
* Restored build-dependency on libsystemd-daemond-dev since upstream source
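Review bot: the changelog entry folds three unrelated changes into one bullet with bare bug numbers, so a reviewer of this pu cannot tell which hunk addresses which report. Suggest one bullet per change, e.g. `* Disable fallocate() preallocation in falloc_helper (#856635)`, `* Stop echoing the request path in the 403 error response (CVE-2017-7443)`, `* Fail the TLS handshake when the server presents no certificate (partial fix for #839751)`; also hyphenate "security-related".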
diff -Nru apt-cacher-ng-0.8.0/debian/patches/debian-changes apt-cacher-ng-0.8.0/debian/patches/debian-changes
--- apt-cacher-ng-0.8.0/debian/patches/debian-changes 1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/patches/debian-changes 2017-04-12 22:07:16.000000000 +0200
@@ -0,0 +1,80 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (0.8.0-4) stable; urgency=high
+ .
+ * Including some security related fixes from upstream version 3 (simplified
+ versions considered appropriate for Stable, related to #856635 and #839751
+ and CVE-2017-7443)
+Author: Eduard Bloch <blade@debian.org>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2017-04-13
+
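Review bot: the DEP-3 header of debian/patches/debian-changes is still the unedited dpkg-source template (`Description: <short summary of the patch>`, the `TODO:` paragraph and the placeholder `Origin:`/`Bug:` lines), and that is what ships to Stable users. Fill in a real Description, `Bug-Debian: https://bugs.debian.org/856635` and `Bug-Debian: https://bugs.debian.org/839751`, an `Origin:` line pointing at the upstream version 3 changes these were simplified from, and delete the template text below the `---` separator.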
+--- apt-cacher-ng-0.8.0.orig/source/fileio.cc
++++ apt-cacher-ng-0.8.0/source/fileio.cc
+@@ -13,7 +13,8 @@
+
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
+- return fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);
++ // disabled due to #856635
++ return 0; // fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);
+ }
+ #else
+ int falloc_helper(int, off_t, off_t)
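Review bot: with `return 0;` the `fd`, `start` and `len` parameters of falloc_helper are now unused, which triggers -Wunused-parameter in a -Wextra build; either add `(void)fd; (void)start; (void)len;` or reduce this branch to the same `int falloc_helper(int, off_t, off_t)` stub as the `#else` branch below. The comment `// disabled due to #856635` should also say in a few words what goes wrong with fallocate, so a reader does not have to consult the bug tracker.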
+--- apt-cacher-ng-0.8.0.orig/source/job.cc
++++ apt-cacher-ng-0.8.0/source/job.cc
+@@ -731,8 +731,9 @@ report_overload:
+ return ;
+
+ report_notallowed:
+- SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
+- NULL, "403 Forbidden file type or location");
++// disabled in Debian Stable, see CVE-2017-7443 for details
++ SetErrorResponse(/* (tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
++ NULL, */ "403 Forbidden file type or location");
+ // USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
+ return ;
+
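Review bot: the change stops echoing `sReqPath` into the 403 response body, which matches the CVE-2017-7443 reference, but leaving the old arguments in a `/* ... */` inside the argument list makes the call hard to read and invites someone to "restore" them later; delete the commented-out code and keep only the single string argument, and indent the `// disabled in Debian Stable` comment like the surrounding code. If the path is still wanted for diagnostics, log it through the USRDBG line that is already commented out just below rather than returning it to the client.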
+--- apt-cacher-ng-0.8.0.orig/source/tcpconnect.cc
++++ apt-cacher-ng-0.8.0/source/tcpconnect.cc
+@@ -522,7 +522,7 @@ bool tcpconnect::SSLinit(mstring &sErr,
+ while(true)
+ {
+ hret=SSL_connect(ssl);
+- if(hret == 1 )
++ if(hret == 1)
+ break;
+ if(hret == 0)
+ goto ssl_init_fail_retcode;
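Review bot: this first tcpconnect.cc hunk only removes a space in `if(hret == 1 )`; a whitespace-only change adds noise to a security-only Stable update and should be dropped from the patch.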
+@@ -583,7 +583,14 @@ bool tcpconnect::SSLinit(mstring &sErr,
+ perr=X509_verify_cert_error_string(hret);
+ goto ssl_init_fail;
+ }
+-
++ {
++ auto server_cert = SSL_get_peer_certificate(ssl);
++ if (server_cert)
++ X509_free(server_cert);
++ else
++ // Although looking successful the server did not provide a valid certificate
++ goto ssl_init_fail;
++ }
+ return true;
+
+ ssl_init_fail_retcode:
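Review bot: the new block is the right guard for the OpenSSL behaviour where SSL_get_verify_result() reports X509_V_OK when the peer sent no certificate at all, so a missing server certificate now fails SSLinit(). Two points: the `goto ssl_init_fail` in the else branch jumps with `perr` unset, unlike the failure path just above that assigns `perr=X509_verify_cert_error_string(hret)`, so set an error string (e.g. "server presented no certificate") before jumping or the failure is undiagnosable from `sErr`; and the check still does not compare the certificate's subject/SAN against the requested host name, which is why the cover mail calls #839751 only partially addressed, so the comment should state that hostname verification remains absent rather than the vague "Although looking successful".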
diff -Nru apt-cacher-ng-0.8.0/debian/patches/series apt-cacher-ng-0.8.0/debian/patches/series
--- apt-cacher-ng-0.8.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/patches/series 2017-04-12 22:07:16.000000000 +0200
@@ -0,0 +1 @@
+debian-changes
diff -Nru apt-cacher-ng-0.8.0/debian/source/options apt-cacher-ng-0.8.0/debian/source/options
--- apt-cacher-ng-0.8.0/debian/source/options 2014-11-28 21:09:34.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/source/options 2017-04-12 22:07:16.000000000 +0200
@@ -1 +1,2 @@
compression=xz
+single-debian-patch
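Review bot: enabling `single-debian-patch` folds all three fixes into one auto-generated `debian-changes` file with a template header. For a Stable update it is easier to review, and if needed revert, each fix when they are kept as separate quilt patches listed in debian/patches/series (one per bug or CVE) rather than relying on dpkg-source to regenerate a single combined patch.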