Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello,

I would like to upgrade the apt-cacher-ng version in Stable ASAP. See attachment for the overview of the proposed changes.

Please note that it does not fully resolve #839751; only a minor change was included (extra certificate check for the weakest/obvious attacks). Adding a complete solution requires either an update of openssl in Stable or including a local implementation (can be cherry-picked from Sid), which is likely to be rejected by you (because of "meh meh meeh SOOOO MANY CHANGES", considering how #857752 was dealt with).

+ apt-cacher-ng (0.8.0-4) stable; urgency=high
+ .
+ * Including some security related fixes from upstream version 3 (simplified
+   versions considered appropriate for Stable, related to #856635 and #839751
+   and CVE-2017-7443)
+Author: Eduard Bloch <[email protected]>

Regards,
Eduard.

-- 
Yesterday and today differ only by the here.
diff -Nru apt-cacher-ng-0.8.0/debian/changelog apt-cacher-ng-0.8.0/debian/changelog --- apt-cacher-ng-0.8.0/debian/changelog 2014-11-28 21:09:34.000000000 +0100 +++ apt-cacher-ng-0.8.0/debian/changelog 2017-04-12 22:07:16.000000000 +0200 @@ -1,3 +1,11 @@ +apt-cacher-ng (0.8.0-4) stable; urgency=high + + * Including some security related fixes from upstream version 3 (simplified + versions considered appropriate for Stable, related to #856635 and #839751 + and CVE-2017-7443) + + -- Eduard Bloch <[email protected]> Wed, 12 Apr 2017 22:07:16 +0200 + apt-cacher-ng (0.8.0-3) unstable; urgency=medium * Restored build-dependency on libsystemd-daemond-dev since upstream source diff -Nru apt-cacher-ng-0.8.0/debian/patches/debian-changes apt-cacher-ng-0.8.0/debian/patches/debian-changes --- apt-cacher-ng-0.8.0/debian/patches/debian-changes 1970-01-01 01:00:00.000000000 +0100 +++ apt-cacher-ng-0.8.0/debian/patches/debian-changes 2017-04-12 22:07:16.000000000 +0200 
@@ -0,0 +1,80 @@ +Description: <short summary of the patch> + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + apt-cacher-ng (0.8.0-4) stable; urgency=high + . + * Including some security related fixes from upstream version 3 (simplified + versions considered appropriate for Stable, related to #856635 and #839751 + and CVE-2017-7443) +Author: Eduard Bloch <[email protected]> + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: <vendor|upstream|other>, <url of original patch> +Bug: <url in upstream bugtracker> +Bug-Debian: https://bugs.debian.org/<bugnumber> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> +Forwarded: <no|not-needed|url proving that it has been forwarded> +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: 2017-04-13 + +--- apt-cacher-ng-0.8.0.orig/source/fileio.cc ++++ apt-cacher-ng-0.8.0/source/fileio.cc +@@ -13,7 +13,8 @@ + + int falloc_helper(int fd, off_t start, off_t len) + { +- return fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len); ++ // disabled due to #856635 ++ return 0; // fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len); + } + #else + int falloc_helper(int, off_t, off_t) +--- apt-cacher-ng-0.8.0.orig/source/job.cc ++++ apt-cacher-ng-0.8.0/source/job.cc +@@ -731,8 +731,9 @@ report_overload: + return ; + + report_notallowed: +- SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(), +- NULL, "403 Forbidden file type or location"); ++// disabled in Debian Stable, see CVE-2017-7443 for details ++ SetErrorResponse(/* (tSS() << "403 Forbidden file 
type or location: " << sReqPath).c_str(), ++ NULL, */ "403 Forbidden file type or location"); + // USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN"); + return ; + +--- apt-cacher-ng-0.8.0.orig/source/tcpconnect.cc ++++ apt-cacher-ng-0.8.0/source/tcpconnect.cc +@@ -522,7 +522,7 @@ bool tcpconnect::SSLinit(mstring &sErr, + while(true) + { + hret=SSL_connect(ssl); +- if(hret == 1 ) ++ if(hret == 1) + break; + if(hret == 0) + goto ssl_init_fail_retcode; +@@ -583,7 +583,14 @@ bool tcpconnect::SSLinit(mstring &sErr, + perr=X509_verify_cert_error_string(hret); + goto ssl_init_fail; + } +- ++ { ++ auto server_cert = SSL_get_peer_certificate(ssl); ++ if (server_cert) ++ X509_free(server_cert); ++ else ++ // Although looking successful the server did not provide a valid certificate ++ goto ssl_init_fail; ++ } + return true; + + ssl_init_fail_retcode: diff -Nru apt-cacher-ng-0.8.0/debian/patches/series apt-cacher-ng-0.8.0/debian/patches/series --- apt-cacher-ng-0.8.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ apt-cacher-ng-0.8.0/debian/patches/series 2017-04-12 22:07:16.000000000 +0200 @@ -0,0 +1 @@ +debian-changes diff -Nru apt-cacher-ng-0.8.0/debian/source/options apt-cacher-ng-0.8.0/debian/source/options --- apt-cacher-ng-0.8.0/debian/source/options 2014-11-28 21:09:34.000000000 +0100 +++ apt-cacher-ng-0.8.0/debian/source/options 2017-04-12 22:07:16.000000000 +0200 @@ -1 +1,2 @@ compression=xz +single-debian-patch
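Review bot: the DEP-3 header of debian/patches/debian-changes is still the unfilled dpkg-source template ("Description: <short summary of the patch>", "TODO: Put a short summary on the line above ..."), so the only patch shipped with this stable update carries no description of its own. Fill in Description with the three changes it bundles (fallocate disabled for #856635, request path dropped from the 403 response for CVE-2017-7443, peer-certificate presence check for #839751), add `Origin: upstream` pointing at the version-3 commits these were simplified from, add `Bug-Debian:` entries for #856635 and #839751, and remove the unused `Bug-Ubuntu:` and `Reviewed-By:` template lines.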
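Review bot: in the fileio.cc hunk `falloc_helper` now unconditionally returns 0, so a caller that checks the result sees a successful preallocation that never happened; that is only safe if every caller treats fallocate as best-effort, and the comment should say so. Rather than keeping the call behind a comment (`return 0; // fallocate(fd, FALLOC_FL_KEEP_SIZE, start, len);`), delete it, make `fd`, `start` and `len` unnamed parameters as the `#else` branch already does (`int falloc_helper(int, off_t, off_t)`) to avoid unused-parameter warnings, and state what in #856635 motivates disabling the call instead of only citing the bug number.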
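Review bot: in the job.cc hunk the `SetErrorResponse` call at `report_notallowed` goes from three arguments to one by commenting the first two out inside the argument list, so the remaining literal `"403 Forbidden file type or location"` is now passed in the position that previously carried the message body, and the argument that previously carried the status text is gone. Confirm that the second and third parameters have defaults and that the one-argument form still yields a 403 with the intended status line; otherwise keep the original arity, e.g. `SetErrorResponse("403 Forbidden file type or location", NULL, "403 Forbidden file type or location");`. Also delete the `/* ... */` block instead of leaving dead code inside the call, and say in the comment what is being fixed (the request path `sReqPath` is no longer reflected into the error response) rather than only citing CVE-2017-7443.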
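Review bot: the first tcpconnect.cc hunk (`if(hret == 1 )` to `if(hret == 1)`) is a whitespace-only change with no functional effect; drop it so that the stable debdiff contains only the security-relevant changes the release team has to review.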
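Review bot: in the second tcpconnect.cc hunk the new `goto ssl_init_fail` taken when `SSL_get_peer_certificate(ssl)` returns NULL jumps to the failure label without setting `perr`, whereas the failure path immediately above sets `perr=X509_verify_cert_error_string(hret);` first, so the error reported to the caller is whatever `perr` held before. Set an explicit message before the jump, e.g. `perr = "server did not present a certificate";`. The `X509_free(server_cert)` on the success path is correct, since `SSL_get_peer_certificate` hands back its own reference. As the cover mail says, this only rejects a peer that presents no certificate at all; it does not check that the certificate matches the host being connected to, so #839751 remains open and the in-code comment should say that rather than only "did not provide a valid certificate".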
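Review bot: adding `single-debian-patch` to debian/source/options makes dpkg-source regenerate debian/patches/debian-changes from the working tree at build time, which is why its DEP-3 header is a template; that is acceptable for a stable update, but the header text then has to be supplied through debian/source/patch-header (or the three fixes split into named quilt patches in debian/patches/series) so that the shipped patch documents what it bundles.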

