Your message dated Thu, 27 Oct 2011 18:17:09 +0000
with message-id <[email protected]>
and subject line Bug#522161: fixed in apt-cacher 1.7.1
has caused the Debian Bug report #522161,
regarding apt-cacher: [security] /etc/apt-cacher/apt-cacher.conf allowed_hosts=*
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
522161: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522161
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-cacher
Version: 1.6.8
Severity: normal
The default installation of /etc/apt-cacher/apt-cacher.conf contains
line:

    allowed_hosts=*

Which:

    # Localhost (127.0.0.1) is always allowed. Other addresses must be matched
    # by allowed_hosts and not by denied_hosts to be permitted to use the cache.
    # Setting allowed_hosts to "*" means "allow all".

Please consider security and allow only localhost or some 192.168.*.*
value in default installation.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt-cacher depends on:
ii bzip2 1.0.5-1 high-quality block-sorting file co
ii ed 0.7-3 The classic unix line editor
ii libdigest-sha1-perl 2.11-2+b1 NIST SHA-1 message digest algorith
ii libfreezethaw-perl 0.45-1 converting Perl structures to stri
ii libwww-curl-perl 4.05-1 Perl bindings to libcurl
ii libwww-perl 5.820-1 WWW client/server library for Perl
ii perl 5.10.0-19 Larry Wall's Practical Extraction
Versions of packages apt-cacher recommends:
ii libberkeleydb-perl 0.38-1 use Berkeley DB 4 databases from P
Versions of packages apt-cacher suggests:
ii libio-socket-inet6-perl 2.54-1 Object interface for AF_INET6 doma
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: apt-cacher
Source-Version: 1.7.1
We believe that the bug you reported is fixed in the latest version of
apt-cacher, which is due to be installed in the Debian FTP archive:
apt-cacher_1.7.1.dsc
to main/a/apt-cacher/apt-cacher_1.7.1.dsc
apt-cacher_1.7.1.tar.gz
to main/a/apt-cacher/apt-cacher_1.7.1.tar.gz
apt-cacher_1.7.1_all.deb
to main/a/apt-cacher/apt-cacher_1.7.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Hindley <[email protected]> (supplier of updated apt-cacher package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 26 Oct 2011 07:31:13 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.1
Distribution: unstable
Urgency: low
Maintainer: Mark Hindley <[email protected]>
Changed-By: Mark Hindley <[email protected]>
Description:
apt-cacher - Caching proxy for Debian package and source files
Closes: 418170 507794 522161 541618 547308 593227 600893 611526 614615 618996
624568 631616 631705 631962 631972 632156 632524 632622 632625 632646 632796
636623
Changes:
apt-cacher (1.7.1) unstable; urgency=low
.
* Support multiple import directories for apt-cacher-import.pl.
* Add Precise Pangolin to list of Ubuntu releases.
* Workaround missing \K regexp escape in perl versions < 5.10.
* Bugfix: ensure headers are always sent.
* Bugfix changelog expiry in apt-cacher-cleanup.pl.
* Don't overwrite existing files when importing packages.
* Specifically depend on libberkeleydb-perl >= 0.34 for failchk().
.
apt-cacher (1.7.0) unstable; urgency=low
.
* Rework revalidation -- done for all files apart from package files.
* Internal path_map for Debian and Ubuntu changelog servers.
* Cleanup handling of binary/decimal byte units.
* Fix apt-cacher-cleanup.pl database multiple commands.
* Cleanup conf.d file handling and documentation.
* Set Connection: close correctly.
* Refresh Release file if index file checksum fails.
* Support namespace import by MD5 digest and URL.
* Rename CGI wrapper.
* Fix age calculation for max-age handling.
* Fix finding correct Release file for Packages/Sources in
apt-cacher-cleanup.pl.
* Move manpage to section 8.
* Support for UBUNTU_RELEASE_NAMES expansion in installer_files_regexp.
* Return 504 (rather than 404) if connect to host fails.
* Use NetAddr::IP for {allowed,denied}_hosts.
* Support PATH_MAP shorthand in allowed_locations.
* Rework install scripts.
* Allow access to URL root for Ubuntu changelogs.
* Document in NEWS rejection of '/../' in URLs and provide link to
current configuration for accessing experimental. (Closes: #636623)
* Terminate libcurl process on dpkg configure or reconfigure.
* Refresh Release file if checksum fails for index files.
* Rewrite return_file() including fix finding EOF with buffered read.
* Share DNS cache with WWW::Curl::Share.
* Reverse map hostnames to path_map keys to reduce cached file duplication.
* Fix namespace handling for path_mapped URLs.
* Add Portuguese debconf translation thanks to 'Traduz' - Portuguese
Translation Team. (Closes: #632156)
* Add Czech translation of debconf messages thanks to Miroslav Kure.
(Closes: #632524)
* Add Dutch debconf translation, thanks to Jeroen Schot. (Closes: #632625)
* Add Spanish debconf translation, thanks to Omar Campagne. (Closes: #632646)
* Don't use $ENV{SERVER_NAME} in CGI mode: Fixes bug: "doesn't work in
apache mode from a virtualbox guest". (Closes: #632622)
* Add French debconf templates translation, thanks to Jean-Baka
Domelevo-Entfellner. (Closes: #632796)
* Add Russian debconf translation, thanks to Yuri Kozlov. (Closes: #631962)
* Add Swedish debconf translation, thanks to Martin Bagge. (Closes: #631972)
* Add simplified Chinese (zh_CN) translation of apt-cacher
debconf, thanks to YunQiang Su. (Closes: #631616)
* Add Danish translation of the debconf template, thanks to Joe Dalton.
(Closes: #631705)
.
apt-cacher (1.7.0~rc1) experimental; urgency=low
.
* Remove apache specific CGI installation (which was broken) and
deprecate CGI mode (closes: #593227)
* Try to ensure cache_dir and subdirs are owned by the correct user
(closes: #611526)
* Add changelog and NEWS.Debian to installer_files_regexp (closes: #600893)
* Fix error: Can't use an undefined value as a HASH reference at
apt-cacher-lib.pl line 249. (closes: #614615)
* Check validity of cached HTTP status (closes: #618996)
* Set CURLOPT_FOLLOWLOCATION to follow redirects correctly (closes: #618996)
* Fix error: Can't use an undefined value as a HASH reference at
apt-cacher-lib.pl line 249.
* Use SHA rather than MD5 for checksumming.
* Use Digest::SHA rather than Digest::SHA1 (closes: #624568)
* Checksum database compaction is now recursive until there is nothing
left to do.
* Basic SOAP proxying which enables support for apt-listbugs (Closes:
#547308)
* Support separate namespaces to allow multi-distro support (e.g. Debian
+ Ubuntu). (Closes: #541618)
* Configuration option disk_usage_limit to limit disk usage (Closes: #418170)
* Make cache only accessible from localhost by default. See allowed_hosts
and allowed_hosts_6 if you need to relax this (Closes: #522161)
* Option to limit libcurl rate overall. This is not well supported by libcurl
so this just uses a simple fraction per download (Closes: #507794)
* Upgrade to Standards version 3.9.2 (no changes required)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOqZwU4QZIHu3wCMURAo64AJ9+IibE2r9nGyAzzY5gX1PxFVnWmQCfWWYx
RoxDEhFlKYussteTnNCzj7A=
=uNDx
-----END PGP SIGNATURE-----
--- End Message ---
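The access rule quoted in the report (localhost always allowed, other clients must match allowed_hosts and not denied_hosts, "*" allows all), as an added example that is not part of this thread and not apt-cacher's own code. It assumes the values are comma-separated IP addresses or CIDR blocks; the sample configurations and client addresses are constructed, and allowed_hosts_6 is not modelled.

```python
import ipaddress

# Constructed sample configurations (not copied from a real host).
OLD_DEFAULT = "allowed_hosts=*\ndenied_hosts=\n"
RESTRICTED = "# LAN only\nallowed_hosts=192.168.0.0/16\ndenied_hosts=192.168.1.66\n"
LOCAL_ONLY = "allowed_hosts=\n"


def parse_conf(text):
    """Return key -> value for simple key=value lines, ignoring # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def networks(value):
    """Parse a comma-separated list of IPs or CIDR blocks (assumed syntax)."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def is_allowed(conf, client):
    """Apply the rule quoted in the report to one client address."""
    addr = ipaddress.ip_address(client)
    if addr.is_loopback:
        return True  # localhost is always allowed
    allowed = conf.get("allowed_hosts", "")
    # "*" means allow all; otherwise the client must match an allowed entry.
    if allowed != "*" and not any(addr in net for net in networks(allowed)):
        return False
    # A match in denied_hosts overrides a match in allowed_hosts.
    return not any(addr in net for net in networks(conf.get("denied_hosts", "")))


def audit(text):
    """Return findings for one configuration file's text."""
    conf = parse_conf(text)
    if conf.get("allowed_hosts", "") == "*":
        return ["allowed_hosts=*: any host that can reach the port may use the cache"]
    return []
```

Running `audit()` over the installed configuration flags the wildcard the report describes, while `is_allowed()` shows which clients a tightened list would still admit.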