[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#858846: marked as done (jessie-pu: package apt-cacher/1.7.10)



Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.camel@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #858846,
regarding jessie-pu: package apt-cacher/1.7.10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858846
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the HTTP
splitting issue tracked in #858739 (no CVE allocated).

I have prepared 1.7.10+deb8u1 which is available from http://hindley.org.uk/~mark/debian

Alternatively, as this is a native package you may prefer me to package it as
1.7.10.1. Please advise.

debdiff:

Changes from debian/1.7.10 to debian/1.7.10+deb8u1
	Modified   apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 668b2d8..5bde2e7 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2093,8 +2093,8 @@ sub get_request {
 		    $request->protocol($3||'HTTP/1.0');
 
 		    clean_uri($request->uri);
-		    if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
-			sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+		    if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+			sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
 			return 1; # next REQUEST
 		    }
 		    return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
	Modified   debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 43310cd..d8946f6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.10+deb8u1) jessie-security; urgency=medium
+
+  * Prevent HTTP response splitting with encoded newlines in
+    request. Backport of fix for #858739.
+
+ -- Mark Hindley <mark@hindley.org.uk>  Sun, 26 Mar 2017 18:25:21 +0100
+
 apt-cacher (1.7.10) unstable; urgency=low
 
   * Internally store http_proxy as URI object which can include

Many thanks.

Mark

--- End Message ---
--- Begin Message ---
Version: 8.9

Hi,

These bugs all relate for updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---

Reply to: