
Bug#864770: marked as done (jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2+deb8u2)



Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.camel@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #864770,
regarding jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864770
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-perl2@packages.debian.org

The changes in apache2_2.4.10-10+deb8u8 related to CVE-2016-8743
caused libapache2-mod-perl2 to start failing its test suite, as
seen in #864316.

The attached debdiff fixes this by amending the test suite.
The changes are identical to those we made in stretch/sid for #849082.

Please let me know if it's OK to upload to jessie.

Thanks for your work,
-- 
Niko Tyni   ntyni@debian.org
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/changelog libapache2-mod-perl2-2.0.9~1624218/debian/changelog
--- libapache2-mod-perl2-2.0.9~1624218/debian/changelog	2015-11-15 20:42:37.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/changelog	2017-06-14 14:39:56.000000000 +0300
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.9~1624218-2+deb8u2) jessie; urgency=medium
+
+  * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility.
+    (Closes: #864316)
+
+ -- Niko Tyni <ntyni@debian.org>  Wed, 14 Jun 2017 14:39:56 +0300
+
 libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium
 
   * Apply upstream 2.0.9 patches fixing crashes in
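Review bot: the new entry "Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility." does not say which patches were added or what changed in apache2. Suggest naming 440_http_syntax.patch and 450_inject_header_line_terminators.patch and mentioning that the apache2 change is the CVE-2016-8743 fix, so that a reader of the changelog alone can tell this upload only touches files under t/ and not the module code.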
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch	1970-01-01 02:00:00.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch	2017-06-14 14:34:26.000000000 +0300
@@ -0,0 +1,33 @@
+From 4a803fdb4c9eae8538293fe31c9222eecb6465be Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Fri, 23 Dec 2016 18:27:23 +0200
+Subject: [PATCH 1/2] Fix t/apache/read.t HTTP syntax for Apache 2.4.24
+ compatibility
+
+HTTP/1.1 RFC 7230, section 2.6. "Protocol Versioning" says the HTTP name
+is case sensitive. Starting with Apache 2.4.24, using lower case will
+make the server issue a 400 Bad request response, causing a test failure.
+
+https://tools.ietf.org/html/rfc7230#section-2.6
+
+Bug-Debian: https://bugs.debian.org/849082
+---
+ t/apache/read.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/apache/read.t b/t/apache/read.t
+index 83670c9..9f7f504 100644
+--- a/t/apache/read.t
++++ b/t/apache/read.t
+@@ -24,7 +24,7 @@ close $fh;
+ 
+ my $size = length $data;
+ 
+-for my $string ("POST $location http/1.0",
++for my $string ("POST $location HTTP/1.0",
+                 "Content-length: $size",
+                 "") {
+     my $line = "$string\r\n";
+-- 
+2.11.0
+
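Review bot: the patch header speaks only of Apache 2.4.24, while this upload targets jessie, where the changelog names apache2_2.4.10-10+deb8u8 as the version that made the test fail. A short line in the header saying the stricter parsing also applies to that jessie version would keep the description accurate for this suite. The one-line change to "POST $location HTTP/1.0" itself matches the RFC 7230 section 2.6 text cited.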
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch	1970-01-01 02:00:00.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch	2017-06-14 14:34:34.000000000 +0300
@@ -0,0 +1,45 @@
+From d59229cf4f5b91ed58e25e27977e76f59096b72d Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni@debian.org>
+Date: Sat, 24 Dec 2016 23:07:28 +0200
+Subject: [PATCH 2/2] Fix in_bbs_inject_header line terminators for Apache
+ 2.4.24 compatibility
+
+rfc7230 3.5 says:
+
+  Although the line terminator for the start-line and header fields is
+   the sequence CRLF, a recipient MAY recognize a single LF as a line
+   terminator and ignore any preceding CR.
+
+Apache with strict enabled chooses not to implement the MAY.
+
+Author: Stefan Fritsch <sf@sfritsch.de>
+Bug-Debian: https://bugs.debian.org/849082
+---
+ t/filter/TestFilter/in_bbs_inject_header.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/t/filter/TestFilter/in_bbs_inject_header.pm b/t/filter/TestFilter/in_bbs_inject_header.pm
+index b09d6f9..5380c65 100644
+--- a/t/filter/TestFilter/in_bbs_inject_header.pm
++++ b/t/filter/TestFilter/in_bbs_inject_header.pm
+@@ -181,7 +181,7 @@ sub handler : FilterConnectionHandler {
+ 
+         if ($data and $data =~ /^POST/) {
+             # demonstrate how to add a header while processing other headers
+-            my $header = "$header1_key: $header1_val\n";
++            my $header = "$header1_key: $header1_val\r\n";
+             push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
+             debug "queued header [$header]";
+         }
+@@ -199,7 +199,7 @@ sub handler : FilterConnectionHandler {
+             # we hit the headers and body separator, which is a good
+             # time to add extra headers:
+             for my $key (keys %headers) {
+-                my $header = "$key: $headers{$key}\n";
++                my $header = "$key: $headers{$key}\r\n";
+                 push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header);
+                 debug "queued header [$header]";
+             }
+-- 
+2.11.0
+
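Review bot: only the two "my $header = ..." assignments in handler are switched to "\r\n", and the visible context does not show whether any other string queued by this filter still ends in a bare "\n". Worth checking the rest of in_bbs_inject_header.pm for remaining LF-only terminators on injected header lines, since per the commit message a strict Apache does not accept them. The phrase "Apache with strict enabled" could also name the setting it refers to.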
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/series libapache2-mod-perl2-2.0.9~1624218/debian/patches/series
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/series	2015-11-15 20:36:06.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/series	2017-06-14 14:35:04.000000000 +0300
@@ -17,3 +17,5 @@
 430-Don-t-call-modperl_threaded_mpm-et-al.-from-XS-code.patch
 0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch
 0002-Initialize-interp-refcnt-to-1-in-modperl_interp_sele.patch
+440_http_syntax.patch
+450_inject_header_line_terminators.patch

--- End Message ---
--- Begin Message ---
Version: 8.9

Hi,

These bugs all relate to updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---
