Your message dated Mon, 27 Mar 2017 10:14:53 +0100 with message-id <[email protected]> and subject line apt-cacher_1.7.6+deb7u1_amd64.changes ACCEPTED into oldstable has caused the Debian Bug report #858739, regarding apt-cacher: HTTP response splitting to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case, it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
858739: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858739
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---Source: apt-cacher Version: 1.7.13 Severity: important Tags: security This is to have a BTS reference, since no CVE has been assigned. Patch: diff -Nru apt-cacher-1.7.14/apt-cacher apt-cacher-1.7.15/apt-cacher --- apt-cacher-1.7.14/apt-cacher 2017-01-08 11:29:03.000000000 +0100 +++ apt-cacher-1.7.15/apt-cacher 2017-03-14 17:55:18.000000000 +0100 @@ -2090,8 +2090,8 @@ $request->protocol($3||'HTTP/1.0'); clean_uri($request->uri); - if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../ - sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri)); + if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines + sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri)); return 1; # next REQUEST } return $request if $mode && $mode eq 'cgi'; # Not going to get anything else diff -Nru apt-cacher-1.7.14/debian/changelog apt-cacher-1.7.15/debian/changelog --- apt-cacher-1.7.14/debian/changelog 2017-01-08 11:37:20.000000000 +0100 +++ apt-cacher-1.7.15/debian/changelog 2017-03-21 10:52:04.000000000 +0100 @@ -1,3 +1,9 @@ +apt-cacher (1.7.15) unstable; urgency=medium + + * Prevent HTTP response splitting with encoded newlines in request. + + -- Mark Hindley <[email protected]> Tue, 21 Mar 2017 09:52:04 +0000 + apt-cacher (1.7.14) unstable; urgency=medium * Update to debhelper compatibility 9.
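Review bot: the new `%0[ad]` test in the apt-cacher hunk is evaluated on `$request->uri` only after `clean_uri($request->uri)` has run, so it is correct only if clean_uri leaves percent-escapes intact; if clean_uri (now or later) decodes them, the CR/LF are already literal characters and this pattern never matches. That ordering dependency deserves a comment next to the check, and the line that follows still concatenates the URI into the reason phrase, `sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));`, which is the very place a decoded newline splits the status line. Stripping CR/LF from anything written into a status line or header (or not echoing the URI at all) would make the fix hold regardless of where decoding happens.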
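Review bot: the debian/changelog hunk records only "encoded newlines in request" and gives no bug reference, affected versions or the fact that no CVE was assigned, which is what the security tracker needs to match this upload to the report; the wheezy backport entry on this page does cite #858739, so the unstable entry should carry the same reference, e.g. `* Prevent HTTP response splitting with encoded newlines in request (no CVE; see #858739).`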
--- End Message ---
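The bug report above carries only the one-line fix, so here is an added worked model of the split it prevents. This is example code written for this page, not apt-cacher's Perl and not from the reporter or the maintainer. Because the page does not show where the URI is echoed, the model assumes that the early 403 echoes the raw request-line URI with its percent-escapes intact, while some later lookup path (modelled as a 404 on a cache miss) percent-decodes the URI before echoing it; the attack URI is constructed. The `sanitize_reason` output-side guard and the decode-before-check scenario go beyond what the patch does and are shown to make the ordering caveat concrete.

```python
"""Added example for this page, not apt-cacher code: a model of the
response-splitting path the patch closes, the check it adds, and the
decode-ordering caveat.

Assumptions not shown on the page: the early 403 echoes the request-line URI
with its percent-escapes intact, while a later lookup path percent-decodes
the URI and echoes it into a 404 reason phrase on a cache miss. That later
path stands in for wherever the real echo happens."""
import re
from urllib.parse import unquote

# Regexes transcribed from the patch hunk: before and after the fix.
PRE_PATCH = re.compile(r'(?:^|/)\.{2}/')                         # ../ or /../
POST_PATCH = re.compile(r'(?:^|/)\.{2}/|%0[ad]', re.IGNORECASE)  # plus %0a / %0d

CRLF = b'\r\n'

# Constructed attack URI: no "../", so it passes the old check, and its
# encoded CRLFs carry a forged header plus a whole second response.
ATTACK = ('/debian/x%0d%0aSet-Cookie:%20session=evil%0d%0a%0d%0a'
          'HTTP/1.0%20200%20OK%0d%0a%0d%0a')
# The same URI as it looks if something percent-decodes it before the check.
ATTACK_DECODED = unquote(ATTACK)


def sanitize_reason(text: str) -> str:
    """Output-side guard the patch does not add: strip control characters so
    a reason phrase can never terminate its own line."""
    return re.sub(r'[\x00-\x1f\x7f]', '', text)


def status_line(code: int, reason: str) -> bytes:
    """Serialise one HTTP/1.0 status line; `reason` is written verbatim, which
    is exactly how a CR/LF inside it splits the response."""
    return f'HTTP/1.0 {code} {reason}'.encode('latin-1') + CRLF


def handle(uri: str, rule: re.Pattern, sanitize: bool = False) -> bytes:
    """Answer `uri` with the rejection check `rule` in front of it."""
    rejected = rule.search(uri) is not None
    if rejected:
        # Early rejection as in the patch: the raw URI is echoed, so %0d%0a
        # in it is still six literal characters rather than a line break.
        reason = 'Forbidden: Insecure URI ' + uri
    else:
        # Assumed downstream path: decoded during lookup, echoed on a miss.
        reason = 'Not Found: ' + unquote(uri)
    if sanitize:
        reason = sanitize_reason(reason)
    return status_line(403 if rejected else 404, reason) + b'Content-Length: 0' + CRLF + CRLF


def status_lines(raw: bytes) -> int:
    """How many status lines a line-oriented client would see in `raw`."""
    return len(re.findall(rb'(?m)^HTTP/1\.[01] \d{3}', raw))


def first_headers(raw: bytes) -> list:
    """Header names in the first response's header block."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return [line.split(b':', 1)[0].decode('latin-1')
            for line in head.split(CRLF)[1:] if b':' in line]


def demo() -> dict:
    """Status-line counts for each scenario; 1 means no split."""
    return {
        'pre_patch': status_lines(handle(ATTACK, PRE_PATCH)),
        'post_patch': status_lines(handle(ATTACK, POST_PATCH)),
        'post_patch_check_after_decode': status_lines(handle(ATTACK_DECODED, POST_PATCH)),
        'post_patch_check_after_decode_sanitized':
            status_lines(handle(ATTACK_DECODED, POST_PATCH, sanitize=True)),
    }


if __name__ == '__main__':
    for scenario, count in demo().items():
        print(f'{scenario}: {count} status line(s)')
```

Running it shows the old check letting the constructed URI through to a 404 whose reason phrase turns into two responses and a forged `Set-Cookie` header, the patched check stopping that with a single 403, and the same patched check missing the URI entirely once it has been decoded first, which only the output-side strip catches.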
--- Begin Message ---
Version: 1.7.6+deb7u1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 26 Mar 2017 22:05:16 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.6+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Mark Hindley <[email protected]>
Changed-By: Mark Hindley <[email protected]>
Description:
 apt-cacher - Caching proxy for Debian package and source files
Changes:
 apt-cacher (1.7.6+deb7u1) wheezy-security; urgency=medium
 .
   * Prevent HTTP response splitting with encoded newlines in request.
     Backport of fix for #858739.
Checksums-Sha1:
 48a8eca61f4dd8d2defc44def155a3bc9c954158 1530 apt-cacher_1.7.6+deb7u1.dsc
 d697951df00ef5a50b84edde0292aae55b657974 119849 apt-cacher_1.7.6+deb7u1.tar.gz
 3d1546fc1c7dc7a15bfc6f54b05edd8e62ce4830 106052 apt-cacher_1.7.6+deb7u1_all.deb
Checksums-Sha256:
 631a29a83eb6d77d335e0806b9317e61e6c140b7f841899b4ab9b9b822a3b7fe 1530 apt-cacher_1.7.6+deb7u1.dsc
 eb8803be076eb7d28d0a00b98028eecace50d8c8a094c71fc454ae1efec85679 119849 apt-cacher_1.7.6+deb7u1.tar.gz
 262d5abf5329bce62003c286f100f400fc9f96f39f3f75a817a9fb54159ffaf5 106052 apt-cacher_1.7.6+deb7u1_all.deb
Files:
 6eeacf10989e8b7f851101397b6f86be 1530 net optional apt-cacher_1.7.6+deb7u1.dsc
 f02cd8676e60b0c2c4efd8a3a672be9c 119849 net optional apt-cacher_1.7.6+deb7u1.tar.gz
 d19727961f4ac4cdf3e6e3888a9b2293 106052 net optional apt-cacher_1.7.6+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAljYzoQACgkQHpU+J9Qx
HliKhw/6AmZfnNK+aaobthqVDKKoEUDOMEXl/QCpTwtw9tP25WcAYGtPM4En9kAU
g/gUychSh3RyzEB8pG7Eqot8LGASigl2thtzDEdh8L8dkEDYp5irnCdFUg+chmV2
Oe6syqm4DLaTyP+QCQxkfqjM5ebwNedbUnRRmhm5BJzz6xkk/0m2YlYCQtXRA3f+
nGnav76RwTNxeXLl/BxaGg6zpf0+cJt4ug/58TEAY5J3MtnFvRWB26hptW9/uYwp
mlwTxWhxlp966b1D4cxfgZ4KEJWIJxY3Wq4OaDZ16oyqS/2T14jbLbSRqy/EsXv9
uguyBOgZrkdgRuUxmcfONf04+AjofGso/ORljeAsHfU7pttjs0ItpmYQgJ5bYWIZ
W7M8tgltPCphfJGLO3BPUQ4RJqJMGF6iFavmrF4e1KUv8CqaEG45euvv0SBJK3xN
kAQkm6umD5KBfUf/l+MHwA+255fQqb+9FUUg9nPLDudVa6xLtxOuGGhkpRvQexSO
mmlMwhgyYCTDd8yKHOggXpqFgrJzqqihdh7TyxONSX/aorY+7EBfjDHG1yKVIFTr
5gGp9qZd+fqPYP3h4FY6pqwM+P+nDOd/CqZLq4dfrkCBfItoCGX0FJlghemPItVP
2470Uudsae6CIveGDcCv70AyAY8nmXHLJkki3OiD06fGxhO4lNA=
=uNJZ
-----END PGP SIGNATURE-----

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] / chris-lamb.co.uk
       `-
--- End Message ---

