Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <[email protected]>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #858846,
regarding jessie-pu: package apt-cacher/1.7.10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
858846: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858846
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

Hello,

I would like to arrange an update of apt-cacher 1.7.10 in Jessie to fix the HTTP
splitting issue tracked in #858739 (no CVE allocated).

I have prepared 1.7.10+deb8u1 which is available from 
http://hindley.org.uk/~mark/debian

Alternatively, as this is a native package you may prefer me to package it as
1.7.10.1. Please advise.

debdiff:

Changes from debian/1.7.10 to debian/1.7.10+deb8u1
        Modified   apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 668b2d8..5bde2e7 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2093,8 +2093,8 @@ sub get_request {
                    $request->protocol($3||'HTTP/1.0');
 
                    clean_uri($request->uri);
-                   if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
-                       sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid 
URI ' . $request->uri));
+                   if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject 
../, /../ or encoded new lines
+                       sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure 
URI ' . $request->uri));
                        return 1; # next REQUEST
                    }
                    return $request if $mode && $mode eq 'cgi'; # Not going to 
get anything else
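Review bot: the new `%0[ad]` alternative is tested against `$request->uri` only after `clean_uri()` has run on it; if `clean_uri` performs any percent-decoding, the literal `%0a`/`%0d` sequences would already have been turned into raw CR/LF bytes before this check, and the pattern as written would not match them. Please confirm the ordering (or match on the raw request line before normalisation) and consider adding a regression test with `%0A`, `%0a` and `%0D` variants; the `i` flag does cover the upper-case forms. The combined regex and the generic 'Insecure URI' message also leave the intent implicit, so a comment along the lines of `# CR/LF in the URI could be reflected into response headers (HTTP response splitting)` would help future readers.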
        Modified   debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 43310cd..d8946f6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.10+deb8u1) jessie-security; urgency=medium
+
+  * Prevent HTTP response splitting with encoded newlines in
+    request. Backport of fix for #858739.
+
+ -- Mark Hindley <[email protected]>  Sun, 26 Mar 2017 18:25:21 +0100
+
 apt-cacher (1.7.10) unstable; urgency=low
 
   * Internally store http_proxy as URI object which can include
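Review bot: the changelog entry targets `jessie-security`, but this update is being routed through the release team as a jessie-pu request with no CVE allocated, so it will go via stable proposed-updates rather than the security archive. A proposed-updates upload should use `jessie` (or `stable`) as the distribution, otherwise the upload will be rejected or misrouted. Everything else in the entry is fine; the `+deb8u1` versioning matches the alternative you offered in the cover message.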

Many thanks.

Mark

--- End Message ---
--- Begin Message ---
Version: 8.9

Hi,

These bugs all relate to updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---
