
Bug#623443: marked as done (Please do not use $http_proxy if its protocol part is nonsense)



Your message dated Thu, 11 Aug 2016 12:33:36 +0000
with message-id <E1bXpB2-0006Bz-Vv@franck.debian.org>
and subject line Bug#623443: fixed in apt 1.3~rc1
has caused the Debian Bug report #623443,
regarding Please do not use $http_proxy if its protocol part is nonsense
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
623443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623443
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.8.13.1
Severity: minor

Hello,

thank you for your work on apt!

I stumbled on a little annoyance with proxy settings. Given this:
  
  # export http_proxy=enrico:password@proxy-cache.localnet:3128
  # aptitude

I see that aptitude tries to resolve "password@proxy-cache.localnet",
which leaks my password in cleartext through the local network. I reckon
this is because "enrico:" is taken as the protocol part.

I accept this is an error in setting up the http_proxy variable; on the
other hand, many programs work without the "http://" part, making the
misconfiguration hard to notice, and the consequences of the error are
quite dire and (in theory) easily prevented.


Ciao,

Enrico

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.11-3         GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.6.0-2        GCC support library
ii  libstdc++6              4.6.0-2          The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                     <none>       (no description available)
ii  aptitude                    0.6.3-4      terminal-based package manager (te
ii  bzip2                       1.0.5-6      high-quality block-sorting file co
ii  dpkg-dev                    1.16.0.2     Debian package development tools
ii  lzma                        4.43-14      Compression method of 7z format in
ii  python-apt                  0.7.100.3+b1 Python interface to libapt-pkg
ii  synaptic                    0.75.1       Graphical package manager

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 1.3~rc1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 623443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Aug 2016 14:10:22 +0200
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.3~rc1
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Description:
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package management related utility programs
 libapt-inst2.0 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg5.0 - package management runtime library
Closes: 623443 626599 744934 832593 833674
Changes:
 apt (1.3~rc1) unstable; urgency=medium
 .
   * Summary: CMake branch merged, socks5h (and tor) support, and fancy
     installation ordering changes.
 .
   [ Julian Andres Klode ]
   * Handle interrupt when running Pre-Install hooks (Closes: #832593)
   * CMake: po: Add mirror method
   * CMake: Translations: Add support for shell scripts
   * debian: make autopkgtest run with CMake build dir
   * CMake: Bump minimum required version to 3.4.0
   * CMake: Check for ptsname_r() again (Closes: #833674)
   * CMake: Rewrite existing Documentation support and add doxygen
   * apt-private: Do not include apti18n.h in headers
   * Get rid of the old buildsystem
   * Fix some indentation issues in README.md
 .
   [ David Kalnischkies ]
   * pass --force-remove-essential to dpkg only if needed
   * use dpkg --unpack --recursive to avoid long cmdlines
   * save and restore selection states before/after calling dpkg
   * select remove/purge packages early on for dpkg
   * call dpkg with --no-triggers by default (Closes: #626599)
   * don't purge directly, but remove and do purge at the end
   * ensure all configures are reported to hook scripts
   * ensure all removes are reported to hook scripts
   * support all socks-proxy known to curl in https method
   * suggest transport-packages based on established namescheme
   * fail on unsupported http/https proxy settings (Closes: #623443)
   * detect redirection loops in acquire instead of workers
   * use the same redirection handling for http and https
   * implement generic config fallback for methods
   * implement socks5h proxy support for http method (Closes: 744934)
   * allow methods to be disabled and redirected via config
   * allow user@host (aka: no password) in URI parsing
   * try to avoid removal of crossgraded packages
   * simulate all package manager actions explicitly
   * disable explicit configuration of all packages at the end
   * block direct connections to .onion domains (RFC7687)
   * http: auto-configure for local Tor proxy if called as 'tor'


--- End Message ---
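One way to implement the check the changelog describes ("fail on unsupported http/https proxy settings"), as an added example that is not apt's own code: it parses the setting with Python's urllib.parse and refuses anything whose scheme is not in a small allowlist, so a bare user:password@host value like the one in the report is rejected before any name lookup can leak the password. The allowlist itself is an assumption (socks5h is included because this release adds it), and the sample values are constructed.

```python
"""Added example (not apt's code): refuse a proxy setting whose scheme is
not a supported proxy protocol, so a bare "user:password@host:port" in
$http_proxy is rejected before any name lookup can leak the password."""
from urllib.parse import urlsplit

# Proxy protocols the client is willing to speak. Assumption: this exact
# set; socks5h is included because apt 1.3~rc1 adds it.
SUPPORTED_PROXY_SCHEMES = frozenset({"http", "https", "socks5h"})


def check_proxy_setting(value):
    """Return (True, details) or (False, reason) for a proxy setting.

    details holds scheme/host/port/username and whether a password is
    present; nothing here resolves a name or opens a connection.
    """
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED_PROXY_SCHEMES:
        hint = ""
        # A generic URI parser takes everything before the first ':' as
        # the scheme, so "enrico:password@host:3128" yields scheme
        # "enrico" and no authority at all. Name that shape explicitly.
        if not parts.netloc and "@" in parts.path:
            hint = " (looks like user:password@host without a leading scheme://)"
        return False, "unsupported proxy scheme %r%s" % (scheme or None, hint)
    if not parts.hostname:
        return False, "proxy setting has no host"
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "proxy setting has an invalid port"
    return True, {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port,  # None means "use the scheme's default port"
        "username": parts.username,
        "has_password": parts.password is not None,
    }


if __name__ == "__main__":
    # Constructed sample values; the first has the shape from the bug report.
    for setting in ("enrico:password@proxy-cache.localnet:3128",
                    "http://enrico:password@proxy-cache.localnet:3128",
                    "socks5h://127.0.0.1:9050",
                    "ftp://proxy-cache.localnet:3128"):
        ok, detail = check_proxy_setting(setting)
        print("%-50s -> %s %s" % (setting, "OK" if ok else "REJECT", detail))
```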
