Bug#623443: marked as done (Please do not use $http_proxy if its protocol part is nonsense)
Your message dated Thu, 11 Aug 2016 12:33:36 +0000
with message-id <E1bXpB2-0006Bz-Vv@franck.debian.org>
and subject line Bug#623443: fixed in apt 1.3~rc1
has caused the Debian Bug report #623443,
regarding Please do not use $http_proxy if its protocol part is nonsense
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
623443: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=623443
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Please do not use $http_proxy if its protocol part is nonsense
- From: Enrico Zini <enrico@debian.org>
- Date: Wed, 20 Apr 2011 11:44:36 +0200
- Message-id: <20110420094436.7645.2000.reportbug@viaza.enricozini.org>
Package: apt
Version: 0.8.13.1
Severity: minor
Hello,
thank you for your work on apt!
I stumbled on a little annoyance with proxy settings. Given this:
# export http_proxy=enrico:password@proxy-cache.localnet:3128
# aptitude
I see that aptitude tries to resolve "password@proxy-cache.localnet",
which leaks my password in cleartext through the local network. I reckon
this is because "enrico:" is taken as the protocol part.
I accept this is an error in setting up the http_proxy variable; on the
other hand, many programs work without the "http://" part, making the
misconfiguration hard to notice, and the consequences of the error are
quite dire and (in theory) easily prevented.
Ciao,
Enrico
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- System Information:
Debian Release: wheezy/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt depends on:
ii debian-archive-keyring 2010.08.28 GnuPG archive keys of the Debian a
ii gnupg 1.4.11-3 GNU privacy guard - a free PGP rep
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.0-2 GCC support library
ii libstdc++6 4.6.0-2 The GNU Standard C++ Library v3
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
apt recommends no packages.
Versions of packages apt suggests:
pn apt-doc <none> (no description available)
ii aptitude 0.6.3-4 terminal-based package manager (te
ii bzip2 1.0.5-6 high-quality block-sorting file co
ii dpkg-dev 1.16.0.2 Debian package development tools
ii lzma 4.43-14 Compression method of 7z format in
ii python-apt 0.7.100.3+b1 Python interface to libapt-pkg
ii synaptic 0.75.1 Graphical package manager
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 1.3~rc1
We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 623443@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Aug 2016 14:10:22 +0200
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.3~rc1
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Description:
apt - commandline package manager
apt-doc - documentation for APT
apt-transport-https - https download transport for APT
apt-utils - package management related utility programs
libapt-inst2.0 - deb package format runtime library
libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
libapt-pkg-doc - documentation for APT development
libapt-pkg5.0 - package management runtime library
Closes: 623443 626599 744934 832593 833674
Changes:
apt (1.3~rc1) unstable; urgency=medium
.
* Summary: CMake branch merged, socks5h (and tor) support, and fancy
installation ordering changes.
.
[ Julian Andres Klode ]
* Handle interrupt when running Pre-Install hooks (Closes: #832593)
* CMake: po: Add mirror method
* CMake: Translations: Add support for shell scripts
* debian: make autopkgtest run with CMake build dir
* CMake: Bump minimum required version to 3.4.0
* CMake: Check for ptsname_r() again (Closes: #833674)
* CMake: Rewrite existing Documentation support and add doxygen
* apt-private: Do not include apti18n.h in headers
* Get rid of the old buildsystem
* Fix some indentation issues in README.md
.
[ David Kalnischkies ]
* pass --force-remove-essential to dpkg only if needed
* use dpkg --unpack --recursive to avoid long cmdlines
* save and restore selection states before/after calling dpkg
* select remove/purge packages early on for dpkg
* call dpkg with --no-triggers by default (Closes: #626599)
* don't purge directly, but remove and do purge at the end
* ensure all configures are reported to hook scripts
* ensure all removes are reported to hook scripts
* support all socks-proxy known to curl in https method
* suggest transport-packages based on established namescheme
* fail on unsupported http/https proxy settings (Closes: #623443)
* detect redirection loops in acquire instead of workers
* use the same redirection handling for http and https
* implement generic config fallback for methods
* implement socks5h proxy support for http method (Closes: 744934)
* allow methods to be disabled and redirected via config
* allow user@host (aka: no password) in URI parsing
* try to avoid removal of crossgraded packages
* simulate all package manager actions explicitly
* disable explicit configuration of all packages at the end
* block direct connections to .onion domains (RFC7687)
* http: auto-configure for local Tor proxy if called as 'tor'
--- End Message ---
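A simplified model of the misparse described in the report, next to a fail-closed check in the spirit of the changelog entry "fail on unsupported http/https proxy settings". This is an added example, not apt's code; `naive_split`, `validate_proxy`, `ProxyConfigError` and the allowed-scheme set are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for this illustration; not taken from apt's source.
SUPPORTED_PROXY_SCHEMES = {"http", "https", "socks5h"}


class ProxyConfigError(ValueError):
    """Raised instead of guessing what a malformed proxy setting means."""


def naive_split(value):
    """Simplified model of the misparse: text before the first ':' becomes
    the scheme, and the remainder is read as host[:port]."""
    scheme, _, rest = value.partition(":")
    rest = rest.lstrip("/")
    host, sep, port = rest.rpartition(":")
    if not sep:                      # no port present
        host, port = rest, ""
    return scheme, host, port


def validate_proxy(value, allowed=SUPPORTED_PROXY_SCHEMES):
    """Fail closed: return (scheme, host, port) or raise ProxyConfigError.
    Error messages never echo the value, since it may hold credentials."""
    if "://" not in value:
        raise ProxyConfigError("proxy setting lacks 'scheme://'; not used")
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in allowed:
        raise ProxyConfigError("unsupported proxy scheme %r" % scheme)
    try:
        port = parts.port            # raises ValueError on a bad port
    except ValueError:
        raise ProxyConfigError("proxy port is not a valid number") from None
    if not parts.hostname:
        raise ProxyConfigError("proxy setting has no host")
    return scheme, parts.hostname, port


if __name__ == "__main__":
    # Constructed sample values, modelled on the one in the report.
    for sample in ("enrico:password@proxy-cache.localnet:3128",
                   "http://enrico:password@proxy-cache.localnet:3128"):
        print("naive host to resolve:", naive_split(sample)[1])
        try:
            print("validated:", validate_proxy(sample))
        except ProxyConfigError as err:
            print("rejected:", err)
```

With the scheme-less value, the naive split yields `password@proxy-cache.localnet` as the name to resolve, while the validator rejects the setting before any lookup happens.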