--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pre-approval: security update of apt-cacher/1.7.13
- From: Mark Hindley <mark@hindley.org.uk>
- Date: Mon, 24 Apr 2017 20:04:30 +0100
- Message-id: <20170424190430.27486.98110.reportbug@apollo>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
As the maintainer of apt-cacher I would like to seek pre-approval for an update
to apt-cacher/1.7.13 in testing to fix a security issue.
CVE-2017-7443 identified an HTTP splitting security issue (#858739) in
apt-cacher. This was fixed in unstable with upload of version 1.7.15 on 25th
March with no regressions reported since. Targeted updates have already been
made to wheezy and approved for jessie (with upload pending).
apt-cacher 1.7.13 in testing is still vulnerable. I have packaged 1.7.13+deb9u1
with a targeted backport of the fix. I would like to seek pre-approval of upload
to testing.
The debdiff against 1.7.13 is:
Changes at debian/1.7.13
Modified apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 7dc1aa2..6100075 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2095,8 +2095,8 @@ sub get_request {
$request->protocol($3||'HTTP/1.0');
clean_uri($request->uri);
- if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
- sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+ if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+ sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
return 1; # next REQUEST
}
return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
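Review bot: the new `%0[ad]` alternative only fires if `$request->uri` still holds the percent-encoded bytes when the match runs, and `clean_uri($request->uri);` executes first on the line just above; if `clean_uri` percent-decodes, the check never sees `%0a`/`%0d` and a test for raw `\r`/`\n` on the decoded value would be needed instead, so it is worth confirming (and stating in the comment) that `clean_uri` leaves the encoding alone. Two smaller points on the same hunk: `HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri)` reflects the offending URI into the reason phrase, which is exactly the line a splitting payload wants to reach, so a fixed reason phrase with the URI logged server-side would be safer given this branch only runs for rejected input; and the check is one encoding layer deep (`%250a` passes), so nothing downstream should decode twice. Grouping the alternation as `m#(?:(?:^|/)\.{2}/|%0[ad])#i` would also make the precedence explicit to the next reader.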
Modified debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 1319f34..c3adcf6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.13+deb9u1) stretch; urgency=medium
+
+ * Backport fix for CVE-2017-7443: Prevent HTTP response splitting with
+ encoded newlines in request. (closes: #858739)
+
+ -- Mark Hindley <mark@hindley.org.uk> Mon, 24 Apr 2017 19:38:26 +0100
+
apt-cacher (1.7.13) unstable; urgency=medium
* Bump Standards Version to 3.9.8 (no changes).
Thanks,
Mark
-- System Information:
Debian Release: 8.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
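Added example, not part of the report above and not apt-cacher's own (Perl) code: a Python restatement of the patched URI check, placed in front of a constructed toy responder that percent-decodes the request-URI and reflects it into a response header. The `X-Requested-Path` header, the helper names and the attacker URI are assumptions made for the illustration; the regular expression is the one from the patch.

```python
import re
from urllib.parse import unquote

# Python re-statement of the Perl check in the apt-cacher patch,
#   m#(?:^|/)\.{2}/|%0[ad]#i
# i.e. reject "../" at the start, "/../" anywhere, or a percent-encoded CR/LF.
# Illustrative example only; apt-cacher itself is Perl.
INSECURE_URI = re.compile(r'(?:^|/)\.{2}/|%0[ad]', re.IGNORECASE)


def is_insecure_uri(uri: str) -> bool:
    """True if the still-encoded request-URI should be rejected with 403."""
    return INSECURE_URI.search(uri) is not None


def build_response_unsafe(uri: str) -> bytes:
    """Toy responder (constructed for this example) that percent-decodes the
    request-URI and reflects it into a header without filtering. A CR/LF that
    arrived as %0d%0a becomes a real line break in the response here."""
    decoded = unquote(uri)
    return ("HTTP/1.0 403 Forbidden\r\n"
            f"X-Requested-Path: {decoded}\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode()


def build_response_safe(uri: str) -> bytes:
    """Same responder with the patch's check in front: the reflected value is
    only ever built from a URI that carries no encoded newline."""
    if is_insecure_uri(uri):
        # Fixed reason phrase; the offending URI is deliberately not reflected.
        return b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    return build_response_unsafe(uri)


def count_status_lines(raw: bytes) -> int:
    """Number of HTTP status lines a line-oriented client would find in the
    byte stream. More than one means the response was split."""
    return len(re.findall(rb'(?m)^HTTP/1\.[01] \d{3}', raw))


# Constructed attacker request-URI: a path, an encoded CRLF CRLF that ends the
# first response, then a complete second, attacker-chosen response.
SPLIT_URI = ("/debian/dists/%0d%0aContent-Length:%200%0d%0a%0d%0a"
             "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
             "Content-Length:%205%0d%0a%0d%0aEVIL!")

if __name__ == "__main__":
    print("unsafe:", count_status_lines(build_response_unsafe(SPLIT_URI)))  # 2
    print("safe:  ", count_status_lines(build_response_safe(SPLIT_URI)))    # 1
```

The check has to run on the URI exactly as it arrived, before any percent-decoding, which is the order the patch uses; once `unquote` has run there is no `%0a` left to match. It is also only one encoding layer deep: `%250a` is accepted, so any component that decodes the path a second time would reintroduce the newline.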