Package: apt-cacher-ng
Version: 3-5
Severity: normal

apt-cacher-ng's default PassThroughPattern is

    ^bugs.debian.org:443$

The dots in this regex can match any character, most notably bugsodebian.org:443, bugs4debian.org:443, bugs-debian.org:443. It may also match bugs.debianzorg, but such domain names are less likely to be resolved. No such domain names appear to be registered.

This could be used by a client to bypass a firewall that would authorize any traffic from the apt-cacher-ng host to pass through, but would refuse any traffic from the client. This may be a security vulnerability, but not a critical one, considering that e.g. #814359 requests PassThroughPattern's default to be .*

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages apt-cacher-ng depends on:
ii  adduser              3.116
ii  debconf              1.5.63
ii  dpkg                 1.18.24
ii  init-system-helpers  1.49
ii  libbz2-1.0           1.0.6-8.1
ii  libc6                2.24-17
ii  libgcc1              1:7.2.0-1
ii  liblzma5             5.2.2-1.3
ii  libssl1.1            1.1.0f-5
ii  libstdc++6           7.2.0-1
ii  libsystemd0          234-2.3
ii  libwrap0             7.6.q-26
ii  lsb-base             9.20170808
ii  zlib1g               1:1.2.8.dfsg-5

apt-cacher-ng recommends no packages.

Versions of packages apt-cacher-ng suggests:
ii  avahi-daemon  0.6.32-2
ii  doc-base      0.10.7
ii  libfuse2      2.9.7-1

-- Configuration Files:
/etc/apt-cacher-ng/acng.conf changed [not included]
/etc/apt-cacher-ng/security.conf [Errno 13] Permission non accordée: '/etc/apt-cacher-ng/security.conf'

-- debconf information:
  apt-cacher-ng/cachedir: /var/cache/apt-cacher-ng
  apt-cacher-ng/gentargetmode: No automated setup
  apt-cacher-ng/proxy:
  apt-cacher-ng/bindaddress:
  apt-cacher-ng/tunnelenable: false
  apt-cacher-ng/port: 3142
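The over-broad match described in this report, next to an escaped pattern for comparison, as an added example that is not part of the original report and not apt-cacher-ng's own code. It assumes the pattern is evaluated as a POSIX extended regular expression against the "host:port" CONNECT target; acl_match and literal_pattern are hypothetical helper names.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* 1 if target matches the POSIX extended regex, 0 if not, -1 on a bad pattern. */
int acl_match(const char *pattern, const char *target)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, target, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Build an anchored pattern matching exactly one literal "host:port" by
 * backslash-escaping every ERE special character. 0 on success, -1 if out is too small. */
int literal_pattern(const char *hostport, char *out, size_t outlen)
{
    static const char meta[] = ".[\\()*+?{|^$";
    size_t n = 0;
    if (outlen < 3)
        return -1;
    out[n++] = '^';
    for (const char *p = hostport; *p; p++) {
        if (n + 4 > outlen)          /* room for '\\', the char, '$' and NUL */
            return -1;
        if (strchr(meta, *p))
            out[n++] = '\\';
        out[n++] = *p;
    }
    out[n++] = '$';
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Targets taken from the report; the first is the intended host. */
    const char *targets[] = { "bugs.debian.org:443", "bugsodebian.org:443",
                              "bugs4debian.org:443", "bugs-debian.org:443" };
    const char *shipped = "^bugs.debian.org:443$";   /* default quoted in the report */
    char escaped[64];
    if (literal_pattern("bugs.debian.org:443", escaped, sizeof escaped) != 0)
        return 1;
    printf("%-22s %-8s %s\n", "target", "default", escaped);
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-22s %-8d %d\n", targets[i],
               acl_match(shipped, targets[i]), acl_match(escaped, targets[i]));
    return 0;
}
```

The same check can be run over any candidate PassThroughPattern value before it goes into acng.conf, feeding it host names that differ from the intended one only at the dot positions.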

