Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-pe...@packages.debian.org

The changes in apache2_2.4.10-10+deb8u8 related to CVE-2016-8743 caused libapache2-mod-perl2 to start failing its test suite, as seen in #864316.

The attached debdiff fixes this by amending the test suite. The changes are identical to those we made in stretch/sid for #849082.

Please let me know if it's OK to upload to jessie.

Thanks for your work,
--
Niko Tyni nt...@debian.org

diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/changelog libapache2-mod-perl2-2.0.9~1624218/debian/changelog --- libapache2-mod-perl2-2.0.9~1624218/debian/changelog 2015-11-15 20:42:37.000000000 +0200 +++ libapache2-mod-perl2-2.0.9~1624218/debian/changelog 2017-06-14 14:39:56.000000000 +0300 @@ -1,3 +1,10 @@ +libapache2-mod-perl2 (2.0.9~1624218-2+deb8u2) jessie; urgency=medium + + * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility. + (Closes: #864316) + + -- Niko Tyni <nt...@debian.org> Wed, 14 Jun 2017 14:39:56 +0300 + libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium * Apply upstream 2.0.9 patches fixing crashes in diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch --- libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch 1970-01-01 02:00:00.000000000 +0200 +++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch 2017-06-14 14:34:26.000000000 +0300 
@@ -0,0 +1,33 @@ +From 4a803fdb4c9eae8538293fe31c9222eecb6465be Mon Sep 17 00:00:00 2001 +From: Niko Tyni <nt...@debian.org> +Date: Fri, 23 Dec 2016 18:27:23 +0200 +Subject: [PATCH 1/2] Fix t/apache/read.t HTTP syntax for Apache 2.4.24 + compatibility + +HTTP/1.1 RFC 7230, section 2.6. "Protocol Versioning" says the HTTP name +is case sensitive. Starting with Apache 2.4.24, using lower case will +make the server issue a 400 Bad request response, causing a test failure. + +https://tools.ietf.org/html/rfc7230#section-2.6 + +Bug-Debian: https://bugs.debian.org/849082 +--- + t/apache/read.t | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/t/apache/read.t b/t/apache/read.t +index 83670c9..9f7f504 100644 +--- a/t/apache/read.t ++++ b/t/apache/read.t +@@ -24,7 +24,7 @@ close $fh; + + my $size = length $data; + +-for my $string ("POST $location http/1.0", ++for my $string ("POST $location HTTP/1.0", + "Content-length: $size", + "") { + my $line = "$string\r\n"; +-- +2.11.0 + diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch --- libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch 1970-01-01 02:00:00.000000000 +0200 +++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch 2017-06-14 14:34:34.000000000 +0300 
@@ -0,0 +1,45 @@ +From d59229cf4f5b91ed58e25e27977e76f59096b72d Mon Sep 17 00:00:00 2001 +From: Niko Tyni <nt...@debian.org> +Date: Sat, 24 Dec 2016 23:07:28 +0200 +Subject: [PATCH 2/2] Fix in_bbs_inject_header line terminators for Apache + 2.4.24 compatibility + +rfc7230 3.5 says: + + Although the line terminator for the start-line and header fields is + the sequence CRLF, a recipient MAY recognize a single LF as a line + terminator and ignore any preceding CR. + +Apache with strict enabled chooses not to implement the MAY. + +Author: Stefan Fritsch <s...@sfritsch.de> +Bug-Debian: https://bugs.debian.org/849082 +--- + t/filter/TestFilter/in_bbs_inject_header.pm | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/t/filter/TestFilter/in_bbs_inject_header.pm b/t/filter/TestFilter/in_bbs_inject_header.pm +index b09d6f9..5380c65 100644 +--- a/t/filter/TestFilter/in_bbs_inject_header.pm ++++ b/t/filter/TestFilter/in_bbs_inject_header.pm +@@ -181,7 +181,7 @@ sub handler : FilterConnectionHandler { + + if ($data and $data =~ /^POST/) { + # demonstrate how to add a header while processing other headers +- my $header = "$header1_key: $header1_val\n"; ++ my $header = "$header1_key: $header1_val\r\n"; + push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header); + debug "queued header [$header]"; + } +@@ -199,7 +199,7 @@ sub handler : FilterConnectionHandler { + # we hit the headers and body separator, which is a good + # time to add extra headers: + for my $key (keys %headers) { +- my $header = "$key: $headers{$key}\n"; ++ my $header = "$key: $headers{$key}\r\n"; + push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, $header); + debug "queued header [$header]"; + } +-- +2.11.0 + diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/series libapache2-mod-perl2-2.0.9~1624218/debian/patches/series --- libapache2-mod-perl2-2.0.9~1624218/debian/patches/series 2015-11-15 20:36:06.000000000 +0200 +++ 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/series 2017-06-14 14:35:04.000000000 +0300 @@ -17,3 +17,5 @@ 430-Don-t-call-modperl_threaded_mpm-et-al.-from-XS-code.patch 0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch 0002-Initialize-interp-refcnt-to-1-in-modperl_interp_sele.patch +440_http_syntax.patch +450_inject_header_line_terminators.patch
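
Review bot: In 440_http_syntax.patch (the t/apache/read.t hunk), the patch description explains the failure only in terms of "Apache 2.4.24", while the changelog entry in this same debdiff targets apache2_2.4.10-10+deb8u8. A sentence in the patch header saying that the same strict request-line handling reaches jessie through that version would keep the description accurate on this branch. The one-line change is otherwise sufficient: the unchanged context line `my $line = "$string\r\n";` shows the request line and the Content-length header are already CRLF-terminated, so only the case of the protocol name needed correcting. The header also carries Bug-Debian but no field recording whether the change was sent upstream, which would help whoever next refreshes the patch.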
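
Review bot: In 450_inject_header_line_terminators.patch, both hunks of t/filter/TestFilter/in_bbs_inject_header.pm hard-code the "\r\n" terminator separately (at the `$header1_key` line and inside the `for my $key (keys %headers)` loop). A single shared constant for the line terminator would stop the two injection points from drifting apart again. Note that the unchanged `debug "queued header [$header]";` lines now log a string ending in CRLF, so the debug output will contain a carriage return before the closing bracket; stripping the terminator before logging would keep the test logs readable. The patch header also lists `From: Niko Tyni` and `Author: Stefan Fritsch` together, so it is worth stating which of the two wrote the change.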