Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1017502,
regarding bullseye-pu: package http-parser/2.9.4-4+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1017502: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017502
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package http-parser/2.9.4-4+deb11u1
- From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Date: Wed, 17 Aug 2022 08:35:02 +0200
- Message-id: <1660717380@msgid.manchmal.in-ulm.de>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hello stable release team,

for the next upcoming bullseye stable point release, I've just uploaded src:http-parser ("parser for HTTP messages written in C") as version 2.9.4-4+deb11u1. This fixes a "no-dsa" security issue.

* Handle duplicate "Transfer-Encoding" header properly
  Type: upstream bug
  Debian bug: https://bugs.debian.org/1016690
  Security tracker: https://security-tracker.debian.org/tracker/CVE-2020-8287

Fixed in unstable and testing in 2.9.4-5 around ten days ago.

Regards,
Christoph

diff -Nru http-parser-2.9.4/debian/changelog http-parser-2.9.4/debian/changelog --- http-parser-2.9.4/debian/changelog 2021-01-02 17:07:49.000000000 +0100 +++ http-parser-2.9.4/debian/changelog 2022-08-05 20:33:28.000000000 +0200 @@ -1,3 +1,10 @@ +http-parser (2.9.4-4+deb11u1) bullseye; urgency=medium + + * unset F_CHUNKED on new Transfer-Encoding. + Closes: #1016690 [CVE-2020-8287] + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Fri, 05 Aug 2022 20:33:28 +0200 + http-parser (2.9.4-4) unstable; urgency=medium * Packaging cleanup diff -Nru http-parser-2.9.4/debian/patches/CVE-2020-8287.patch http-parser-2.9.4/debian/patches/CVE-2020-8287.patch --- http-parser-2.9.4/debian/patches/CVE-2020-8287.patch 1970-01-01 01:00:00.000000000 +0100 +++ http-parser-2.9.4/debian/patches/CVE-2020-8287.patch 2022-08-05 20:33:28.000000000 +0200 
@@ -0,0 +1,67 @@ +Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` +Origin: Upstream PR (from nodejs) https://github.com/nodejs/http-parser/pull/530 +From: Fedor Indutny <fedor@indutny.com> +Date: Wed, 18 Nov 2020 20:50:21 -0800 +Date: 2022-08-05 + +Duplicate `Transfer-Encoding` header should be a treated as a single, +but with original header values concatenated with a comma separator. In +the light of this, even if the past `Transfer-Encoding` ended with +`chunked`, we should be not let the `F_CHUNKED` to leak into the next +header, because mere presence of another header indicates that `chunked` +is not the last transfer-encoding token. + +CVE-ID: CVE-2020-8287 +PR-URL: https://github.com/nodejs-private/node-private/pull/235 +Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> +--- a/http_parser.c ++++ b/http_parser.c +@@ -1344,6 +1344,13 @@ + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. 
++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +--- a/test.c ++++ b/test.c +@@ -2154,6 +2154,32 @@ + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so diff -Nru http-parser-2.9.4/debian/patches/series http-parser-2.9.4/debian/patches/series --- http-parser-2.9.4/debian/patches/series 2020-12-20 10:29:46.000000000 +0100 +++ http-parser-2.9.4/debian/patches/series 2022-08-05 20:33:28.000000000 +0200 @@ -4,6 +4,7 @@ cherry-pick.v2.9.4-7-g4b99e42.test-content-length-header-parsing.patch cherry-pick.v2.9.4-8-ge13b274.allow-content-length-and-transfer-encoding-chunked.patch cherry-pick.v2.9.4-9-g4f15b7d.fix-sizeof-http-parser-assert.patch +CVE-2020-8287.patch # Debian-specific debian.improve-installation.patchAttachment: signature.asc
Description: PGP signature
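Review bot: the DEP-3 header of CVE-2020-8287.patch carries two `Date:` lines (`Date: Wed, 18 Nov 2020 20:50:21 -0800` from the upstream commit and `Date: 2022-08-05`); the second is evidently the import date and should be `Last-Update: 2022-08-05`, which is the DEP-3 field tools look for. In the http_parser.c hunk, the new comment says "values separate by a comma"; "values separated by a comma" is meant. The placement of `parser->flags &= ~F_CHUNKED;` is right: it runs once the header name has fully matched (`parser->index == sizeof(TRANSFER_ENCODING)-2`), before this field's value is parsed, so only a value that actually ends in `chunked` can set the flag again.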
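Review bot: the new test.c case exercises only `HTTP_RESPONSE`, where a non-final `chunked` means the body is read until EOF (`message_complete_on_eof= TRUE`, `num_chunks_complete= 0`, `should_keep_alive= FALSE`). The request-side case with the same two `Transfer-Encoding` fields, where RFC 7230 section 3.3.3 (cited in the code hunk) requires the message to be rejected rather than its body consumed, is the more security-relevant regression test for this CVE and is not covered; consider adding a matching `HTTP_REQUEST` entry that expects a parse error. Also, `#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30` hard-codes the array index; the hunk context does not show the preceding entry's index, so please confirm it is 29 before this lands.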
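Review bot: the new series entry `CVE-2020-8287.patch` breaks the `cherry-pick.<version>-<n>-g<hash>.<description>.patch` naming used by the three upstream cherry-picks directly above it, although the patch header itself points at an upstream PR; naming it after the upstream commit, or at least adding a descriptive suffix such as `unset-f-chunked-on-new-transfer-encoding`, would keep the series self-describing. Its placement ahead of the `# Debian-specific` block is correct.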
--- End Message ---
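The framing rule the patch enforces, as an added example in C that is not http-parser code and not part of this upload: repeated Transfer-Encoding fields are treated as one comma-joined value (RFC 7230 section 3.2.2), and section 3.3.3 is then applied, so `chunked` frames the body only when it is the final coding, a request with any other final coding is rejected, and a response is read until EOF. The `decide_framing` and `last_token_is_chunked` names, the header tables and the `leak_chunked` switch (which mimics the pre-fix behaviour of F_CHUNKED surviving into the next field) are this example's own assumptions; it works on an already-split header list rather than on raw bytes as http-parser does.

```c
/* Added example, not http-parser's own code: decide HTTP/1.1 body framing
 * from an already-split header list. Repeated Transfer-Encoding fields are
 * treated as one comma-joined value (RFC 7230 s.3.2.2) and s.3.3.3 is
 * applied: "chunked" frames the body only when it is the final coding;
 * otherwise a request is rejected and a response is read until EOF.
 * `leak_chunked` reproduces the pre-fix behaviour, where a trailing
 * "chunked" in an earlier field survived into the next one.
 * All header tables below are constructed sample input. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp/strncasecmp (POSIX) */

enum framing { FRAME_NONE, FRAME_CHUNKED, FRAME_UNTIL_EOF, FRAME_REJECT };

struct header { const char *name; const char *value; };

/* 1 if the last comma-separated token of `value` is "chunked"
 * (case-insensitive, optional blanks around the token). */
static int last_token_is_chunked(const char *value)
{
    const char *tok = strrchr(value, ',');
    tok = tok ? tok + 1 : value;
    while (*tok == ' ' || *tok == '\t')
        tok++;
    size_t len = strlen(tok);
    while (len > 0 && (tok[len - 1] == ' ' || tok[len - 1] == '\t'))
        len--;
    return len == 7 && strncasecmp(tok, "chunked", 7) == 0;
}

enum framing decide_framing(const struct header *h, size_t n,
                            int is_request, int leak_chunked)
{
    int uses_te = 0, chunked = 0;

    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(h[i].name, "Transfer-Encoding") != 0)
            continue;
        uses_te = 1;
        /* The CVE-2020-8287 fix: another Transfer-Encoding field means the
         * previous field's "chunked" is no longer the final coding. */
        if (!leak_chunked)
            chunked = 0;
        if (last_token_is_chunked(h[i].value))
            chunked = 1;
    }

    if (!uses_te)
        return FRAME_NONE;      /* Content-Length or no body; not handled here */
    if (chunked)
        return FRAME_CHUNKED;
    return is_request ? FRAME_REJECT : FRAME_UNTIL_EOF;
}

/* Constructed sample: the header pair from the patch's test case. */
const struct header DUP_TE[] = {
    { "Transfer-Encoding", "chunked"  },
    { "Transfer-Encoding", "identity" },
};
#define DUP_TE_LEN (sizeof(DUP_TE) / sizeof(DUP_TE[0]))

/* Constructed sample: same tokens in one field; must behave identically. */
const struct header JOINED_TE[] = {
    { "Transfer-Encoding", "chunked, identity" },
};
#define JOINED_TE_LEN (sizeof(JOINED_TE) / sizeof(JOINED_TE[0]))

/* Constructed sample: chunked really is last, so the body is chunked. */
const struct header REV_TE[] = {
    { "Transfer-Encoding", "identity" },
    { "Transfer-Encoding", "Chunked"  },
};
#define REV_TE_LEN (sizeof(REV_TE) / sizeof(REV_TE[0]))

static const char *framing_name(enum framing f)
{
    switch (f) {
    case FRAME_CHUNKED:   return "chunked";
    case FRAME_UNTIL_EOF: return "read until EOF";
    case FRAME_REJECT:    return "reject (400)";
    default:              return "no transfer-encoding";
    }
}

int main(void)
{
    printf("duplicate TE, request,  fixed: %s\n",
           framing_name(decide_framing(DUP_TE, DUP_TE_LEN, 1, 0)));
    printf("duplicate TE, request,  leaky: %s\n",
           framing_name(decide_framing(DUP_TE, DUP_TE_LEN, 1, 1)));
    printf("duplicate TE, response, fixed: %s\n",
           framing_name(decide_framing(DUP_TE, DUP_TE_LEN, 0, 0)));
    printf("joined TE,    request,  fixed: %s\n",
           framing_name(decide_framing(JOINED_TE, JOINED_TE_LEN, 1, 0)));
    return 0;
}
```

The request-side difference between the two modes is the security-relevant one: a front end that reads the RFC correctly rejects (or reads to EOF) the same message that the leaky parser frames as chunked, and two hops disagreeing about where one request ends is what HTTP request smuggling exploits.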
--- Begin Message ---
- To: 1013744-done@bugs.debian.org, 1014308-done@bugs.debian.org, 1014315-done@bugs.debian.org, 1014324-done@bugs.debian.org, 1014326-done@bugs.debian.org, 1014327-done@bugs.debian.org, 1014447-done@bugs.debian.org, 1014571-done@bugs.debian.org, 1014705-done@bugs.debian.org, 1014900-done@bugs.debian.org, 1015244-done@bugs.debian.org, 1016037-done@bugs.debian.org, 1016168-done@bugs.debian.org, 1016177-done@bugs.debian.org, 1016199-done@bugs.debian.org, 1016374-done@bugs.debian.org, 1016391-done@bugs.debian.org, 1016413-done@bugs.debian.org, 1016458-done@bugs.debian.org, 1016655-done@bugs.debian.org, 1016672-done@bugs.debian.org, 1016734-done@bugs.debian.org, 1016786-done@bugs.debian.org, 1016837-done@bugs.debian.org, 1017054-done@bugs.debian.org, 1017502-done@bugs.debian.org, 1017777-done@bugs.debian.org, 1017841-done@bugs.debian.org, 1017987-done@bugs.debian.org, 1017999-done@bugs.debian.org, 1018045-done@bugs.debian.org, 1018082-done@bugs.debian.org, 1018098-done@bugs.debian.org, 1018162-done@bugs.debian.org, 1018214-done@bugs.debian.org, 1018226-done@bugs.debian.org, 1018227-done@bugs.debian.org, 1018698-done@bugs.debian.org, 1018699-done@bugs.debian.org, 1018702-done@bugs.debian.org, 1018704-done@bugs.debian.org, 1018705-done@bugs.debian.org, 1018744-done@bugs.debian.org, 1018845-done@bugs.debian.org, 1018857-done@bugs.debian.org, 1018904-done@bugs.debian.org, 1019052-done@bugs.debian.org, 1019243-done@bugs.debian.org
- Subject: Closing requests for updates in 11.5
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 10 Sep 2022 13:36:19 +0100
- Message-id: <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam
--- End Message ---