Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

I would like to arrange an update of apt-cacher 1.7.10 in Jessie to fix the HTTP
splitting issue tracked in #858739 (no CVE allocated).

I have prepared 1.7.10+deb8u1 which is available from 
http://hindley.org.uk/~mark/debian

Alternatively, as this is a native package you may prefer me to package it as
1.7.10.1. Please advise.

debdiff:

Changes from debian/1.7.10 to debian/1.7.10+deb8u1
        Modified   apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 668b2d8..5bde2e7 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2093,8 +2093,8 @@ sub get_request {
                    $request->protocol($3||'HTTP/1.0');
 
                    clean_uri($request->uri);
-                   if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
-                       sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid 
URI ' . $request->uri));
+                   if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject 
../, /../ or encoded new lines
+                       sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure 
URI ' . $request->uri));
                        return 1; # next REQUEST
                    }
                    return $request if $mode && $mode eq 'cgi'; # Not going to 
get anything else
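Review bot: the rejection branch still echoes the offending URI back into the 403 reason phrase (`'Forbidden: Insecure URI ' . $request->uri`), which is the one place where a URI that was rejected precisely because it carries newline sequences should not be reflected verbatim; since the check runs after `clean_uri($request->uri)`, whether the `%0[ad]` pattern can still match depends on `clean_uri` not having percent-decoded the value first, so it would be worth confirming that ordering or moving the check before the cleanup, and in either case using a fixed reason phrase such as `'Forbidden: Insecure URI'` and logging the raw URI separately. A smaller point: the `/i` modifier now also applies to the `(?:^|/)\.{2}/` alternative, which is harmless but worth a comment so the next reader knows it is only needed for `%0A`/`%0D`.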
        Modified   debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 43310cd..d8946f6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.10+deb8u1) jessie-security; urgency=medium
+
+  * Prevent HTTP response splitting with encoded newlines in
+    request. Backport of fix for #858739.
+
+ -- Mark Hindley <m...@hindley.org.uk>  Sun, 26 Mar 2017 18:25:21 +0100
+
 apt-cacher (1.7.10) unstable; urgency=low
 
   * Internally store http_proxy as URI object which can include
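Review bot: the distribution field on the new changelog entry is `jessie-security`, but this upload is being proposed through release.debian.org as a stable proposed update (Usertags: pu, no CVE allocated), so the entry should target `jessie` rather than the security archive's suite. The entry text also only mentions the bug in passing ("Backport of fix for #858739"); adding a `(Closes: #858739)` reference would let the BTS track the fix in the stable version.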

Many thanks.

Mark
