
Bug#860243: marked as done (jessie-pu: package apt-cacher-ng/0.8.0-3)



Your message dated Sun, 17 Jun 2018 19:04:26 +0100
with message-id <20180617180426.nxuwmlbbp3c2qklh@powdarrmonkey.net>
and subject line Re: Bug#860243: jessie-pu: package apt-cacher-ng/0.8.0-3
has caused the Debian Bug report #860243,
regarding jessie-pu: package apt-cacher-ng/0.8.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860243: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860243
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to upgrade the apt-cacher-ng version in Stable ASAP.

See attachment for the overview of the proposed changes.  Please note
that it does not fully resolve #839751; only a minor change was included
(an extra certificate check for the weakest/most obvious attacks).

Adding a complete solution requires either an update of openssl in
Stable or including a local implementation (can be cherry-picked from
Sid) which is likely to be rejected by you (because of "meh meh meeh
SOOOO MANY CHANGES", considering how #857752 was dealt with).

+ apt-cacher-ng (0.8.0-4) stable; urgency=high
+ .
+   * Including some security related fixes from upstream version 3 (simplified
+     versions considered appropriate for Stable, related to #856635 and #839751
+     and CVE-2017-7443)
+Author: Eduard Bloch <blade@debian.org>

Regards,
Eduard.

-- 
Das gestern und das heute unterscheiden sich nur durch das hier.
diff -Nru apt-cacher-ng-0.8.0/debian/changelog apt-cacher-ng-0.8.0/debian/changelog
--- apt-cacher-ng-0.8.0/debian/changelog	2014-11-28 21:09:34.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/changelog	2017-04-12 22:07:16.000000000 +0200
@@ -1,3 +1,11 @@
+apt-cacher-ng (0.8.0-4) stable; urgency=high
+
+  * Including some security related fixes from upstream version 3 (simplified
+    versions considered appropriate for Stable, related to #856635 and #839751
+    and CVE-2017-7443)
+
+ -- Eduard Bloch <blade@debian.org>  Wed, 12 Apr 2017 22:07:16 +0200
+
 apt-cacher-ng (0.8.0-3) unstable; urgency=medium
 
   * Restored build-dependency on libsystemd-daemond-dev since upstream source
diff -Nru apt-cacher-ng-0.8.0/debian/patches/debian-changes apt-cacher-ng-0.8.0/debian/patches/debian-changes
--- apt-cacher-ng-0.8.0/debian/patches/debian-changes	1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/patches/debian-changes	2017-04-12 22:07:16.000000000 +0200
@@ -0,0 +1,80 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (0.8.0-4) stable; urgency=high
+ .
+   * Including some security related fixes from upstream version 3 (simplified
+     versions considered appropriate for Stable, related to #856635 and #839751
+     and CVE-2017-7443)
+Author: Eduard Bloch <blade@debian.org>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2017-04-13
+
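Review bot: the DEP-3 header at the top of debian/patches/debian-changes is still the unedited template ("Description: <short summary of the patch>", the "TODO: Put a short summary on the line above ..." paragraph, and the placeholder fields after "---" such as "Origin: <vendor|upstream|other>, <url of original patch>"). For a stable update this header is the only place a release-team reviewer can see what the patch is for, so replace the Description with one line per change (fallocate disabled for #856635, the request path no longer echoed into the 403 response for CVE-2017-7443, the peer-certificate presence check for #839751), fill in Origin with the upstream version 3 changes the changelog says these were simplified from, add Bug-Debian lines for #856635 and #839751, and delete the placeholder fields that do not apply.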
+--- apt-cacher-ng-0.8.0.orig/source/fileio.cc
++++ apt-cacher-ng-0.8.0/source/fileio.cc
+@@ -13,7 +13,8 @@
+ 
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
+-   return fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);
++	// disabled due to #856635
++   return 0; // fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);
+ }
+ #else
+ int falloc_helper(int, off_t, off_t)
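Review bot: `return 0; // fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);` turns falloc_helper into an unconditional success, so any caller that used its return value to notice a failed preallocation will now never see one; if callers only log the result that is harmless, but it belongs in the comment, and "disabled due to #856635" should say in a few words what the bug was instead of only citing it. Minor: the new comment line is indented with a tab while the surrounding function uses three spaces; keep the file's indentation so the next debdiff stays clean.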
+--- apt-cacher-ng-0.8.0.orig/source/job.cc
++++ apt-cacher-ng-0.8.0/source/job.cc
+@@ -731,8 +731,9 @@ report_overload:
+     return ;
+ 
+ report_notallowed:
+-	SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
+-			NULL, "403 Forbidden file type or location");
++// disabled in Debian Stable, see CVE-2017-7443 for details
++	SetErrorResponse(/* (tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
++			NULL, */ "403 Forbidden file type or location");
+ //    USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
+     return ;
+ 
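Review bot: the 403 path now passes the fixed literal "403 Forbidden file type or location" instead of `(tSS() << "403 Forbidden file type or location: " << sReqPath).c_str()`, which removes the client-controlled request path from the error response; that is the right minimal change for Stable. The removed code should be deleted rather than kept inside a `/* ... */` block spanning two lines, and the comment "disabled in Debian Stable, see CVE-2017-7443 for details" should state what was wrong (the sReqPath echo) rather than only point at the CVE, so that whoever merges the full upstream fix later can see what this simplified version covers.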
+--- apt-cacher-ng-0.8.0.orig/source/tcpconnect.cc
++++ apt-cacher-ng-0.8.0/source/tcpconnect.cc
+@@ -522,7 +522,7 @@ bool tcpconnect::SSLinit(mstring &sErr,
+  	while(true)
+  	{
+  		hret=SSL_connect(ssl);
+- 		if(hret == 1 )
++		if(hret == 1)
+  			break;
+  		if(hret == 0)
+  			goto ssl_init_fail_retcode;
+@@ -583,7 +583,14 @@ bool tcpconnect::SSLinit(mstring &sErr,
+ 		perr=X509_verify_cert_error_string(hret);
+ 		goto ssl_init_fail;
+ 	}
+-
++	{
++		auto server_cert = SSL_get_peer_certificate(ssl);
++		if (server_cert)
++			X509_free(server_cert);
++		else
++			// Although looking successful the server did not provide a valid certificate
++			goto ssl_init_fail;
++	}
+ 	return true;
+ 
+ 	ssl_init_fail_retcode:
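Review bot: the added block correctly frees the certificate returned by SSL_get_peer_certificate when one is present, but the else branch jumps to ssl_init_fail without setting an error string, whereas the verification failure just above it does `perr=X509_verify_cert_error_string(hret);` before its `goto ssl_init_fail;`. Set perr (or sErr) to a message such as "server did not present a certificate" before the goto so the caller's sErr explains why the connection was refused. Also, as the cover mail already says, this only detects a missing peer certificate and does not change what the verification above accepts, so the DEP-3 header should make clear that #839751 stays open.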
diff -Nru apt-cacher-ng-0.8.0/debian/patches/series apt-cacher-ng-0.8.0/debian/patches/series
--- apt-cacher-ng-0.8.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/patches/series	2017-04-12 22:07:16.000000000 +0200
@@ -0,0 +1 @@
+debian-changes
diff -Nru apt-cacher-ng-0.8.0/debian/source/options apt-cacher-ng-0.8.0/debian/source/options
--- apt-cacher-ng-0.8.0/debian/source/options	2014-11-28 21:09:34.000000000 +0100
+++ apt-cacher-ng-0.8.0/debian/source/options	2017-04-12 22:07:16.000000000 +0200
@@ -1 +1,2 @@
 compression=xz
+single-debian-patch

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

Hi,

This request was approved and tagged 'confirmed', but no upload was
subsequently made. With the final point release for Jessie now being
prepared, it's unfortunately too late for this package to be updated.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---