
Bug#864770: jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2+deb8u2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-perl2@packages.debian.org

The changes in apache2_2.4.10-10+deb8u8 related to CVE-2016-8743
caused libapache2-mod-perl2 to start failing its test suite, as
seen in #864316.

The attached debdiff fixes this by amending the test suite.
The changes are identical to those we made in stretch/sid for #849082.

Please let me know if it's OK to upload to jessie.

Thanks for your work,
-- 
Niko Tyni   ntyni@debian.org
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/changelog libapache2-mod-perl2-2.0.9~1624218/debian/changelog
--- libapache2-mod-perl2-2.0.9~1624218/debian/changelog	2015-11-15 20:42:37.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/changelog	2017-06-14 14:39:56.000000000 +0300
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.9~1624218-2+deb8u2) jessie; urgency=medium
+
+  * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility.
+    (Closes: #864316)
+
+ -- Niko Tyni <ntyni@debian.org>  Wed, 14 Jun 2017 14:39:56 +0300
+
 libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium
 
   * Apply upstream 2.0.9 patches fixing crashes in
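Review bot: The new changelog entry ("Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility") does not say which tests are touched or why the newer apache2 breaks them. For a stable update it would help to name 440_http_syntax.patch and 450_inject_header_line_terminators.patch in the entry, and to state that only files under t/ change and that the failures come from the stricter HTTP parsing introduced with the CVE-2016-8743 changes, so the release team can see from the changelog alone that no runtime code is modified.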
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch	1970-01-01 02:00:00.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch	2017-06-14 14:34:26.000000000 +0300
@@ -0,0 +1,33 @@
+From 4a803fdb4c9eae8538293fe31c9222eecb6465be Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Fri, 23 Dec 2016 18:27:23 +0200
+Subject: [PATCH 1/2] Fix t/apache/read.t HTTP syntax for Apache 2.4.24
+ compatibility
+
+HTTP/1.1 RFC 7230, section 2.6. "Protocol Versioning" says the HTTP name
+is case sensitive. Starting with Apache 2.4.24, using lower case will
+make the server issue a 400 Bad request response, causing a test failure.
+
+https://tools.ietf.org/html/rfc7230#section-2.6
+
+Bug-Debian: https://bugs.debian.org/849082
+---
+ t/apache/read.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/apache/read.t b/t/apache/read.t
+index 83670c9..9f7f504 100644
+--- a/t/apache/read.t
++++ b/t/apache/read.t
+@@ -24,7 +24,7 @@ close $fh;
+ 
+ my $size = length $data;
+ 
+-for my $string ("POST $location http/1.0",
++for my $string ("POST $location HTTP/1.0",
+                 "Content-length: $size",
+                 "") {
+     my $line = "$string\r\n";
+-- 
+2.11.0
+
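Review bot: The patch description in 440_http_syntax.patch says "Starting with Apache 2.4.24", but this upload targets jessie, where the behaviour arrives with apache2_2.4.10-10+deb8u8. Consider adding a line to the patch header noting that the jessie security backport triggers the same 400 response, so the header does not read as if the patch were irrelevant to 2.4.10. The header also carries Bug-Debian but no field recording whether the change was forwarded upstream; adding one would make the patch's status clear.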
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch	1970-01-01 02:00:00.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch	2017-06-14 14:34:34.000000000 +0300
@@ -0,0 +1,45 @@
+From d59229cf4f5b91ed58e25e27977e76f59096b72d Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Sat, 24 Dec 2016 23:07:28 +0200
+Subject: [PATCH 2/2] Fix in_bbs_inject_header line terminators for Apache
+ 2.4.24 compatibility
+
+rfc7230 3.5 says:
+
+  Although the line terminator for the start-line and header fields is
+   the sequence CRLF, a recipient MAY recognize a single LF as a line
+   terminator and ignore any preceding CR.
+
+Apache with strict enabled chooses not to implement the MAY.
+
+Author: Stefan Fritsch <sf@sfritsch.de>
+Bug-Debian: https://bugs.debian.org/849082
+---
+ t/filter/TestFilter/in_bbs_inject_header.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/t/filter/TestFilter/in_bbs_inject_header.pm b/t/filter/TestFilter/in_bbs_inject_header.pm
+index b09d6f9..5380c65 100644
+--- a/t/filter/TestFilter/in_bbs_inject_header.pm
++++ b/t/filter/TestFilter/in_bbs_inject_header.pm
+@@ -181,7 +181,7 @@ sub handler : FilterConnectionHandler {
+ 
+         if ($data and $data =~ /^POST/) {
+             # demonstrate how to add a header while processing other headers
+-            my $header = "$header1_key: $header1_val\n";
++            my $header = "$header1_key: $header1_val\r\n";
+             push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
+             debug "queued header [$header]";
+         }
+@@ -199,7 +199,7 @@ sub handler : FilterConnectionHandler {
+             # we hit the headers and body separator, which is a good
+             # time to add extra headers:
+             for my $key (keys %headers) {
+-                my $header = "$key: $headers{$key}\n";
++                my $header = "$key: $headers{$key}\r\n";
+                 push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
+                 debug "queued header [$header]";
+             }
+-- 
+2.11.0
+
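Review bot: Both changed lines in in_bbs_inject_header.pm ("$header1_key: $header1_val\r\n" and "$key: $headers{$key}\r\n") sit under comments that present the filter as a demonstration of how to add headers, yet nothing in the code says why the terminator must be CRLF. A short comment at each site, or once near the first, stating that injected header lines need "\r\n" because Apache with strict parsing rejects a bare LF, would keep readers who copy this example from reintroducing "\n". Separately, the patch header lists Niko Tyni in From: and Stefan Fritsch in Author:, so it is worth clarifying which of the two wrote the change.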
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/series libapache2-mod-perl2-2.0.9~1624218/debian/patches/series
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/series	2015-11-15 20:36:06.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/series	2017-06-14 14:35:04.000000000 +0300
@@ -17,3 +17,5 @@
 430-Don-t-call-modperl_threaded_mpm-et-al.-from-XS-code.patch
 0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch
 0002-Initialize-interp-refcnt-to-1-in-modperl_interp_sele.patch
+440_http_syntax.patch
+450_inject_header_line_terminators.patch
