Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #864770,
regarding jessie-pu: package libapache2-mod-perl2/2.0.9~1624218-2+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864770
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libapache2-mod-pe...@packages.debian.org

The changes in apache2_2.4.10-10+deb8u8 related to CVE-2016-8743
caused libapache2-mod-perl2 to start failing its test suite, as
seen in #864316.

The attached debdiff fixes this by amending the test suite.
The changes are identical to those we made in stretch/sid for #849082.

Please let me know if it's OK to upload to jessie.

Thanks for your work,
-- 
Niko Tyni   nt...@debian.org
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/changelog 
libapache2-mod-perl2-2.0.9~1624218/debian/changelog
--- libapache2-mod-perl2-2.0.9~1624218/debian/changelog 2015-11-15 
20:42:37.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/changelog 2017-06-14 
14:39:56.000000000 +0300
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.9~1624218-2+deb8u2) jessie; urgency=medium
+
+  * Patch the test suite for apache2_2.4.10-10+deb8u8 compatibility.
+    (Closes: #864316)
+
+ -- Niko Tyni <nt...@debian.org>  Wed, 14 Jun 2017 14:39:56 +0300
+
 libapache2-mod-perl2 (2.0.9~1624218-2+deb8u1) jessie; urgency=medium
 
   * Apply upstream 2.0.9 patches fixing crashes in
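Review bot: The new changelog entry at the top of this hunk names the apache2 version but not why its behaviour changed. The request text ties the failure to the CVE-2016-8743 changes, so consider mentioning that in the entry, for example "Patch the test suite for the CVE-2016-8743 changes in apache2_2.4.10-10+deb8u8", so that a reader of the changelog alone can see that only tests were touched and what prompted it.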
diff -Nru 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch     
1970-01-01 02:00:00.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/440_http_syntax.patch     
2017-06-14 14:34:26.000000000 +0300
@@ -0,0 +1,33 @@
+From 4a803fdb4c9eae8538293fe31c9222eecb6465be Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Fri, 23 Dec 2016 18:27:23 +0200
+Subject: [PATCH 1/2] Fix t/apache/read.t HTTP syntax for Apache 2.4.24
+ compatibility
+
+HTTP/1.1 RFC 7230, section 2.6. "Protocol Versioning" says the HTTP name
+is case sensitive. Starting with Apache 2.4.24, using lower case will
+make the server issue a 400 Bad request response, causing a test failure.
+
+https://tools.ietf.org/html/rfc7230#section-2.6
+
+Bug-Debian: https://bugs.debian.org/849082
+---
+ t/apache/read.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/apache/read.t b/t/apache/read.t
+index 83670c9..9f7f504 100644
+--- a/t/apache/read.t
++++ b/t/apache/read.t
+@@ -24,7 +24,7 @@ close $fh;
+ 
+ my $size = length $data;
+ 
+-for my $string ("POST $location http/1.0",
++for my $string ("POST $location HTTP/1.0",
+                 "Content-length: $size",
+                 "") {
+     my $line = "$string\r\n";
+-- 
+2.11.0
+
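Review bot: The embedded patch header ("Fix t/apache/read.t HTTP syntax for Apache 2.4.24 compatibility") still describes the trigger as Apache 2.4.24, while for this upload the failure is attributed to apache2_2.4.10-10+deb8u8. A one-line addition to the description stating that the same check reaches jessie through that upload would keep the header accurate for this suite. The code change itself, "http/1.0" to "HTTP/1.0" in the request line, matches the RFC 7230 section 2.6 reasoning given in the description.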
diff -Nru 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch
 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch
--- 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch
  1970-01-01 02:00:00.000000000 +0200
+++ 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/450_inject_header_line_terminators.patch
  2017-06-14 14:34:34.000000000 +0300
@@ -0,0 +1,45 @@
+From d59229cf4f5b91ed58e25e27977e76f59096b72d Mon Sep 17 00:00:00 2001
+From: Niko Tyni <nt...@debian.org>
+Date: Sat, 24 Dec 2016 23:07:28 +0200
+Subject: [PATCH 2/2] Fix in_bbs_inject_header line terminators for Apache
+ 2.4.24 compatibility
+
+rfc7230 3.5 says:
+
+  Although the line terminator for the start-line and header fields is
+   the sequence CRLF, a recipient MAY recognize a single LF as a line
+   terminator and ignore any preceding CR.
+
+Apache with strict enabled chooses not to implement the MAY.
+
+Author: Stefan Fritsch <s...@sfritsch.de>
+Bug-Debian: https://bugs.debian.org/849082
+---
+ t/filter/TestFilter/in_bbs_inject_header.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/t/filter/TestFilter/in_bbs_inject_header.pm 
b/t/filter/TestFilter/in_bbs_inject_header.pm
+index b09d6f9..5380c65 100644
+--- a/t/filter/TestFilter/in_bbs_inject_header.pm
++++ b/t/filter/TestFilter/in_bbs_inject_header.pm
+@@ -181,7 +181,7 @@ sub handler : FilterConnectionHandler {
+ 
+         if ($data and $data =~ /^POST/) {
+             # demonstrate how to add a header while processing other headers
+-            my $header = "$header1_key: $header1_val\n";
++            my $header = "$header1_key: $header1_val\r\n";
+             push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, 
$header);
+             debug "queued header [$header]";
+         }
+@@ -199,7 +199,7 @@ sub handler : FilterConnectionHandler {
+             # we hit the headers and body separator, which is a good
+             # time to add extra headers:
+             for my $key (keys %headers) {
+-                my $header = "$key: $headers{$key}\n";
++                my $header = "$key: $headers{$key}\r\n";
+                 push @{ $ctx->{buckets} }, APR::Bucket->new($c->bucket_alloc, 
$header);
+                 debug "queued header [$header]";
+             }
+-- 
+2.11.0
+
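Review bot: In the description, "Apache with strict enabled" does not say which setting is meant or which Apache versions enforce it. Naming the setting and, for jessie, apache2_2.4.10-10+deb8u8 would make the patch header self-explanatory. On the code, both changed lines (the hunks at -181 and -199) build the header inline with a literal "\r\n", and the diffstat shows only these two sites, so please confirm that no other place in in_bbs_inject_header.pm queues a header line ending in a bare "\n".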
diff -Nru libapache2-mod-perl2-2.0.9~1624218/debian/patches/series 
libapache2-mod-perl2-2.0.9~1624218/debian/patches/series
--- libapache2-mod-perl2-2.0.9~1624218/debian/patches/series    2015-11-15 
20:36:06.000000000 +0200
+++ libapache2-mod-perl2-2.0.9~1624218/debian/patches/series    2017-06-14 
14:35:04.000000000 +0300
@@ -17,3 +17,5 @@
 430-Don-t-call-modperl_threaded_mpm-et-al.-from-XS-code.patch
 0001-Decrement-interp-refcnt-when-freeing-interpreter-in-.patch
 0002-Initialize-interp-refcnt-to-1-in-modperl_interp_sele.patch
+440_http_syntax.patch
+450_inject_header_line_terminators.patch

--- End Message ---
--- Begin Message ---
Version: 8.9

Hi,

These bugs all relate to updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---
