Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

As the maintainer of apt-cacher I would like to seek pre-approval for an update
to apt-cacher/1.7.13 in testing to fix a security issue.

CVE-2017-7443 identified an HTTP splitting security issue (#858739) in
apt-cacher. This was fixed in unstable with upload of version 1.7.15 on 25th
March with no regressions reported since. Targeted updates have already been
made to wheezy and approved for jessie (with upload pending).

apt-cacher 1.7.13 in testing is still vulnerable. I have packaged 1.7.13+deb9u1
with a targeted backport of the fix. I would like to seek pre-approval of upload
to testing.

The debdiff against 1.7.13 is:

Changes at debian/1.7.13
        Modified   apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 7dc1aa2..6100075 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2095,8 +2095,8 @@ sub get_request {
                    $request->protocol($3||'HTTP/1.0');
 
                    clean_uri($request->uri);
-                   if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
-                       sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid 
URI ' . $request->uri));
+                   if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject 
../, /../ or encoded new lines
+                       sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure 
URI ' . $request->uri));
                        return 1; # next REQUEST
                    }
                    return $request if $mode && $mode eq 'cgi'; # Not going to 
get anything else
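Review bot: the reject branch still copies the client-supplied `$request->uri` into the reason phrase of the 403 response (`HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri)`), which is the sink that made the encoded newlines dangerous in the first place; the new `%0[ad]` alternation closes the specific vector, but a denylist on the input is a narrower defence than keeping user-controlled bytes out of the status line. Consider either dropping the URI from the reason phrase (it can be logged instead) or stripping CR/LF and other control characters from it before concatenation, so that any encoding this check does not anticipate cannot reach the header. Two smaller points: whether `clean_uri` percent-decodes before this match is not visible in the hunk, and if any later code decodes the URI again, a doubly encoded newline (`%250a`) would pass this check, so a short comment stating at which decoding stage the match runs would help future reviewers; and the new pattern also rejects `%0a`/`%0d` inside an otherwise legitimate query string, which is acceptable for a package cache but worth noting in the changelog as a behaviour change.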
        Modified   debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 1319f34..c3adcf6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.13+deb9u1) stretch; urgency=medium
+
+  * Backport fix for CVE-2017-7443: Prevent HTTP response splitting with
+    encoded newlines in request.  (closes: #858739)
+
+ -- Mark Hindley <[email protected]>  Mon, 24 Apr 2017 19:38:26 +0100
+
 apt-cacher (1.7.13) unstable; urgency=medium
 
   * Bump Standards Version to 3.9.8 (no changes).
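Review bot: the changelog entry does not say which upstream version the fix was taken from; since the cover mail states it is a targeted backport from 1.7.15, adding "(backported from 1.7.15)" to the bullet would let the security tracker and anyone reviewing the stretch update correlate this upload with the unstable fix without reading the bug log. The version `1.7.13+deb9u1` and the `stretch` target match the intended testing-proposed-updates route, and `(closes: #858739)` is recognised case-insensitively by the archive software, so no change is needed there.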


Thanks,

Mark

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
