
Bug#934300: buster-pu: package apt/1.8.3~deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

(sorry, no fix for the allow-releaseinfo-change stuff yet!)

I just uploaded 1.8.3 to unstable which includes a fix for HTTPS
proxying - when using the CONNECT method, we were sending the proxy's
host name in the Host header, where we should have sent the destination
host name.

This breaks ACLs on proxies that filter on that field and might thus
prevent access to HTTPS repositories over such proxies.

A test case has been included that can be run with autopkgtest, and is
running on CI.

The 1.8.3 also includes a change to the apport hook to exclude squashfs
file systems in the output (to hide installed snaps) - this only affects
Ubuntu, though. I'd prefer to keep one 1.8.y branch rather than have a
1.8.2.z for buster, if possible, so I'd love if we could get it in like
this (the 1.8.y branch currently covers unstable, stable, and ubuntu
disco, but the ubuntu one will be gone in a few months, so it's likely
a one, two time thing).

The attached diff is the 1.8.3 uploaded to unstable. The stable upload
would have the version and upload target replaced in the changelog to
read "1.8.3~deb10u1) buster" instead of "1.8.3) unstable". I'd expect
buster to eventually take over 1.8.y properly and then we'd get 1.8.4
for buster instead of 1.8.4~deb10u1 for example.

-- System Information:
Debian Release: buster/sid
  APT prefers eoan
  APT policy: (991, 'eoan'), (500, 'eoan'), (500, 'cosmic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-9-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
diff -Nru apt-1.8.2/apt-pkg/deb/dpkgpm.cc apt-1.8.3/apt-pkg/deb/dpkgpm.cc
--- apt-1.8.2/apt-pkg/deb/dpkgpm.cc	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/apt-pkg/deb/dpkgpm.cc	2019-08-09 11:16:15.000000000 +0200
@@ -2475,7 +2475,7 @@
    {
 
       fprintf(report, "Df:\n");
-      FILE *log = popen("/bin/df -l","r");
+      FILE *log = popen("/bin/df -l -x squashfs","r");
       if(log != NULL)
       {
 	 char buf[1024];
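Review bot: The "-x squashfs" argument added to the popen() call has no comment saying why squashfs mounts are dropped from the "Df:" section of the report; the reason is only recorded in the changelog. Add a one-line comment above the call. The command now also depends on /bin/df accepting -x, and the existing "if(log != NULL)" check cannot tell a df that rejected the option from one that ran, since popen() succeeds either way, so the comment should name that requirement too.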
diff -Nru apt-1.8.2/CMakeLists.txt apt-1.8.3/CMakeLists.txt
--- apt-1.8.2/CMakeLists.txt	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/CMakeLists.txt	2019-08-09 11:16:15.000000000 +0200
@@ -193,7 +193,7 @@
 # Configure some variables like package, version and architecture.
 set(PACKAGE ${PROJECT_NAME})
 set(PACKAGE_MAIL "APT Development Team <deity@lists.debian.org>")
-set(PACKAGE_VERSION "1.8.2")
+set(PACKAGE_VERSION "1.8.3")
 
 if (NOT DEFINED DPKG_DATADIR)
   execute_process(COMMAND ${PERL_EXECUTABLE} -MDpkg -e "print $Dpkg::DATADIR;"
diff -Nru apt-1.8.2/debian/changelog apt-1.8.3/debian/changelog
--- apt-1.8.2/debian/changelog	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/debian/changelog	2019-08-09 11:16:15.000000000 +0200
@@ -1,3 +1,13 @@
+apt (1.8.3) unstable; urgency=medium
+
+  [ Simon Körner ]
+  * http: Fix Host header in proxied https connections (LP: #1838771)
+
+  [ Brian Murray ]
+  * Do not include squashfs file systems in df output. (LP: #1756595)
+
+ -- Julian Andres Klode <jak@debian.org>  Fri, 09 Aug 2019 11:16:15 +0200
+
 apt (1.8.2) unstable; urgency=medium
 
   [ Alwin Henseler ]
diff -Nru apt-1.8.2/doc/apt-verbatim.ent apt-1.8.3/doc/apt-verbatim.ent
--- apt-1.8.2/doc/apt-verbatim.ent	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/doc/apt-verbatim.ent	2019-08-09 11:16:15.000000000 +0200
@@ -268,7 +268,7 @@
 ">
 
 <!-- this will be updated by 'prepare-release' -->
-<!ENTITY apt-product-version "1.8.2">
+<!ENTITY apt-product-version "1.8.3">
 
 <!-- (Code)names for various things used all over the place -->
 <!ENTITY debian-oldstable-codename "stretch">
diff -Nru apt-1.8.2/doc/po/apt-doc.pot apt-1.8.3/doc/po/apt-doc.pot
--- apt-1.8.2/doc/po/apt-doc.pot	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/doc/po/apt-doc.pot	2019-08-09 11:16:15.000000000 +0200
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt-doc 1.8.2\n"
+"Project-Id-Version: apt-doc 1.8.3\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-05-28 16:41+0200\n"
+"POT-Creation-Date: 2019-08-09 11:16+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
diff -Nru apt-1.8.2/methods/http.cc apt-1.8.3/methods/http.cc
--- apt-1.8.2/methods/http.cc	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/methods/http.cc	2019-08-09 11:16:15.000000000 +0200
@@ -320,14 +320,14 @@
    std::string ProperHost;
 
    if (Host.find(':') != std::string::npos)
-      ProperHost = '[' + Proxy.Host + ']';
+      ProperHost = '[' + Host + ']';
    else
-      ProperHost = Proxy.Host;
+      ProperHost = Host;
 
    // Build the connect
    Req << "CONNECT " << Host << ":" << std::to_string(Port) << " HTTP/1.1\r\n";
    if (Proxy.Port != 0)
-      Req << "Host: " << ProperHost << ":" << std::to_string(Proxy.Port) << "\r\n";
+      Req << "Host: " << ProperHost << ":" << std::to_string(Port) << "\r\n";
    else
       Req << "Host: " << ProperHost << "\r\n";
 
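Review bot: The condition "if (Proxy.Port != 0)" still tests the proxy's port, while the value appended in that branch is now the destination's Port. When the proxy port is 0 the else branch sends a Host header without the destination port even though the CONNECT line carries it. Suggest appending ":" and Port unconditionally, or testing Port instead of Proxy.Port. Separately, the unchanged CONNECT line writes the unbracketed Host, so an address containing ':' gets brackets in the Host header but not in the request target; using ProperHost there would keep the two consistent.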
diff -Nru apt-1.8.2/po/apt-all.pot apt-1.8.3/po/apt-all.pot
--- apt-1.8.2/po/apt-all.pot	2019-05-28 16:40:29.000000000 +0200
+++ apt-1.8.3/po/apt-all.pot	2019-08-09 11:16:15.000000000 +0200
@@ -5,9 +5,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: apt 1.8.2\n"
+"Project-Id-Version: apt 1.8.3\n"
 "Report-Msgid-Bugs-To: APT Development Team <deity@lists.debian.org>\n"
-"POT-Creation-Date: 2019-05-28 16:41+0200\n"
+"POT-Creation-Date: 2019-08-09 11:16+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
diff -Nru apt-1.8.2/test/integration/test-proxy-connect apt-1.8.3/test/integration/test-proxy-connect
--- apt-1.8.2/test/integration/test-proxy-connect	1970-01-01 01:00:00.000000000 +0100
+++ apt-1.8.3/test/integration/test-proxy-connect	2019-08-09 11:16:15.000000000 +0200
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+buildsimplenativepackage 'unrelated' 'all' '0.5~squeeze1' 'unstable'
+
+setupaptarchive
+changetowebserver --request-absolute='uri'
+
+
+msgmsg 'Check that host header we send for CONNECT is for target, not proxy'
+echo "deb https://example.example/ example example" > rootdir/etc/apt/sources.list
+rm -f rootdir/etc/apt/sources.list.d/*
+echo "Acquire::http::Proxy \"http://localhost:${APTHTTPPORT}\";"; > rootdir/etc/apt/apt.conf.d/99proxy
+
+aptget update >/dev/null 2>&1
+testsuccessequal "CONNECT example.example:443 HTTP/1.1\r
+Host: example.example:443\r" grep -A1 "^CONNECT" aptarchive/webserver.log
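Review bot: In the line that writes 99proxy, the ';' after the closing double quote ends the echo command, so the Acquire::http::Proxy setting goes to stdout and the following "> rootdir/etc/apt/apt.conf.d/99proxy" only creates an empty file. Drop the stray ';' so the redirection applies to the echo. The "aptget update >/dev/null 2>&1" line also discards all output, which makes a failing grep check hard to diagnose; consider redirecting it to a log file instead.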

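The ACL breakage described in the message above, as an added example that is not part of the original mail or of apt: a hypothetical proxy ACL that filters on the Host header, applied to constructed CONNECT requests in the form apt sent before and after the fix. The function names, the proxy address localhost:3128 and the allow list are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <sstream>
#include <string>

static std::string lower(std::string s)
{
   std::transform(s.begin(), s.end(), s.begin(),
                  [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
   return s;
}

// Authority ("host:port") from the request line of a CONNECT request, "" otherwise.
std::string connect_target(const std::string &request)
{
   std::istringstream in(request);
   std::string method, target;
   in >> method >> target;
   return method == "CONNECT" ? lower(target) : "";
}

// Value of the Host header, lower-cased and trimmed, "" if there is none.
std::string host_header(const std::string &request)
{
   std::istringstream in(request);
   std::string line;
   std::getline(in, line); // skip the request line
   while (std::getline(in, line) && line != "\r" && !line.empty())
   {
      auto const colon = line.find(':');
      if (colon == std::string::npos || lower(line.substr(0, colon)) != "host")
         continue;
      auto const first = line.find_first_not_of(" \t", colon + 1);
      auto const last = line.find_last_not_of(" \t\r");
      return first == std::string::npos ? "" : lower(line.substr(first, last - first + 1));
   }
   return "";
}

// Hypothetical proxy ACL that filters on the Host header only.
bool acl_allows(const std::string &request, const std::set<std::string> &allowed)
{
   return allowed.count(host_header(request)) != 0;
}

// Constructed samples: the request before and after the fix (proxy at localhost:3128).
const std::string OLD_REQ = "CONNECT example.example:443 HTTP/1.1\r\nHost: localhost:3128\r\n\r\n";
const std::string NEW_REQ = "CONNECT example.example:443 HTTP/1.1\r\nHost: example.example:443\r\n\r\n";
```

With an allow list containing only example.example:443, the old request is rejected because its Host header names the proxy, while the new one passes and its Host header equals the CONNECT target.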