Your message dated Fri, 12 May 2017 12:03:00 +0000
with message-id <ee10755c-3333-a4ac-df0a-356e43e74...@thykier.net>
and subject line Re: Bug#861120: pre-approval: security update of 
apt-cacher/1.7.13
has caused the Debian Bug report #861120,
regarding pre-approval: security update of apt-cacher/1.7.13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

As the maintainer of apt-cacher I would like to seek pre-approval for an update
to apt-cacher/1.7.13 in testing to fix a security issue.

CVE-2017-7443 identified a HTTP splitting security issue (#858739) in
apt-cacher. This was fixed in unstable with upload of version 1.7.15 on 25th
March with no regressions reported since. Targeted updates have already been
made to wheezy and approved for jessie (with upload pending).

apt-cacher 1.7.13 in testing is still vulnerable. I have packaged 1.7.13+deb9u1
with a targeted backport of the fix. I would like to seek pre-approval of upload
to testing.

The debdiff against 1.7.13 is:

Changes at debian/1.7.13
        Modified   apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 7dc1aa2..6100075 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2095,8 +2095,8 @@ sub get_request {
                    $request->protocol($3||'HTTP/1.0');
 
                    clean_uri($request->uri);
-                   if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
-                       sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid 
URI ' . $request->uri));
+                   if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject 
../, /../ or encoded new lines
+                       sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure 
URI ' . $request->uri));
                        return 1; # next REQUEST
                    }
                    return $request if $mode && $mode eq 'cgi'; # Not going to 
get anything else
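Review bot: the new `%0[ad]` alternative only matches the single percent-encoded form of CR/LF, and the check runs right after `clean_uri($request->uri)` on the line above; the hunk does not show whether `clean_uri` or any later code percent-decodes the URI, so a comment (or a test feeding `%0a`, `%0A` and `%0d` and expecting the 403) would document that the rejection stays ahead of decoding. The `/i` flag is needed for the upper-case escapes and is harmless for the existing `\.{2}/` branch. Also note that the 403 body echoes the rejected URI verbatim (`'Forbidden: Insecure URI ' . $request->uri`); that is safe here only because the newline is still percent-encoded at that point, which is worth stating in the comment.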
        Modified   debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 1319f34..c3adcf6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.13+deb9u1) stretch; urgency=medium
+
+  * Backport fix for CVE-2017-7443: Prevent HTTP response splitting with
+    encoded newlines in request.  (closes: #858739)
+
+ -- Mark Hindley <m...@hindley.org.uk>  Mon, 24 Apr 2017 19:38:26 +0100
+
 apt-cacher (1.7.13) unstable; urgency=medium
 
   * Bump Standards Version to 3.9.8 (no changes).
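Review bot: the version in the changelog, `1.7.13+deb9u1`, is the one to use; the cover letter above spells it `1.7.13+debu9u1`. The entry otherwise matches the code change (CVE-2017-7443, encoded newlines, closes #858739) and `stretch` is the right distribution for a testing upload via unblock.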


Thanks,

Mark

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Mark Hindley:
> Control: tags -moreinfo
> 
> On Tue, May 02, 2017 at 05:31:00AM +0000, Niels Thykier wrote:
>> Ack, please go ahead and remove the "moreinfo" tag once the upload has
>> been carried out.
> 
> Thanks. Done.
> 
> Mark
> 

Approved, thanks.

~Niels

--- End Message ---