Package: libapache2-mod-perl2
Version: 2.0.9~1624218-2+deb8u1
Severity: serious

As per

http://perl.debian.net/rebuild-logs/jessie/libapache2-mod-perl2_2.0.9~1624218-2+deb8u1/libapache2-mod-perl2_2.0.9~1624218-2+deb8u1_amd64-2017-06-05T19:42:17Z.build

this package currently fails to build in jessie.

  Test Summary Report
  -------------------
  t/apache/read.t                       (Wstat: 0 Tests: 1 Failed: 1)
    Failed test:  1
  t/filter/in_bbs_inject_header.t       (Wstat: 512 Tests: 0 Failed: 0)
    Non-zero exit status: 2
    Parse errors: Bad plan.  You planned 36 tests but ran 0.

This is very similar to #849082 and was most probably caused by

 apache2 (2.4.10-10+deb8u8) jessie-security; urgency=medium
 .
   * CVE-2016-8743: Enforce more HTTP conformance for request lines and
     request headers, to prevent response splitting and cache pollution
     by malicious clients or downstream proxies.
     If this causes problems with non-conforming clients, some checks can
     be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
     to the configuration.
     Differently than the upstream 2.4.25 release which will also be in the
     Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
     underscores in host and domain names even while 'HttpProtocolOptions
     strict' is in effect.
     More information is available at
     http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions

so 370_http_syntax.patch and 380_inject_header_line_terminators.patch
from stretch/sid should help (untested).
-- 
Niko Tyni   nt...@debian.org
