Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi release team!

I'd like to upload a stable update for the YAWS web server which would fix #832433 (see [1] for details). It's a vulnerability found in quite a few products: YAWS passes the HTTP_PROXY environment variable to its CGI scripts and takes the value for it from the Proxy: HTTP header (see [2]). The patch for this bug is taken from upstream. The diff is attached.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832433
[2] http://httpoxy.org/

-- System Information:
Debian Release: 8.5
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
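The header-to-environment mapping behind this bug, as an added example in Python (not YAWS code and not the Debian patch): a minimal CGI meta-variable builder in its pre-fix and post-fix forms, plus a request check a defender can use to log requests that carry such a header. The sample headers and the proxy value are constructed.

```python
"""CGI meta-variables (RFC 3875, section 4.1.18): each request header becomes
"HTTP_" + header name upper-cased with "-" replaced by "_". A client-supplied
"Proxy:" header therefore becomes HTTP_PROXY, which many HTTP client libraries
read as their outbound proxy setting (the httpoxy class of bug)."""


def cgi_var_name(header_name: str) -> str:
    """Map one header name to its CGI meta-variable name."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_env_vulnerable(headers):
    """Pre-fix behaviour: every request header is exported unchanged."""
    env = {}
    for name, value in headers:
        env[cgi_var_name(name)] = value
    return env


def build_cgi_env_fixed(headers):
    """Post-fix behaviour: skip any header whose meta-variable would be
    HTTP_PROXY. "Proxy" is not a standard request header, so nothing
    legitimate is lost by dropping it."""
    env = {}
    for name, value in headers:
        var = cgi_var_name(name)
        if var == "HTTP_PROXY":
            continue
        env[var] = value
    return env


def proxy_header_present(headers) -> bool:
    """Detection helper: True if a request carries a header that would map to
    HTTP_PROXY, regardless of the case the client used. Suitable for logging
    or alerting on requests that probe for this bug."""
    return any(cgi_var_name(name) == "HTTP_PROXY" for name, _ in headers)


# Constructed sample request (not taken from the page). The header name is in
# mixed case to show that the mapping normalises it to HTTP_PROXY anyway.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "curl/7.38"),
    ("pRoXy", "http://proxy.example:8080"),
    ("X-Forwarded-For", "203.0.113.5"),
]
```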
diff -Nru yaws-1.98/debian/changelog yaws-1.98/debian/changelog --- yaws-1.98/debian/changelog 2014-08-18 08:49:39.000000000 +0400 +++ yaws-1.98/debian/changelog 2016-07-26 07:48:48.000000000 +0300 @@ -1,3 +1,10 @@ +yaws (1.98-4+deb8u1) stable; urgency=low + + * Applied a patch from upstream to fix CVE-2016-1000108 (passing HTTP_PROXY + to CGI scripts). Closes: #832433. + + -- Sergei Golovan <sgolo...@debian.org> Tue, 26 Jul 2016 07:47:24 +0300 + yaws (1.98-4) unstable; urgency=low * Switched to the well-known logrotate tool to rotate the YAWS log files diff -Nru yaws-1.98/debian/patches/CVE-2016-1000108.diff yaws-1.98/debian/patches/CVE-2016-1000108.diff --- yaws-1.98/debian/patches/CVE-2016-1000108.diff 1970-01-01 03:00:00.000000000 +0300 +++ yaws-1.98/debian/patches/CVE-2016-1000108.diff 2016-07-26 07:46:29.000000000 +0300 
@@ -0,0 +1,34 @@ +From: Klacke Wikstrom <cwiks...@cisco.com> +Date: Mon, 25 Jul 2016 12:46:30 +0200 +Subject: [PATCH] Security flaw http://httpoxy.org/ fixed A security flaw with + HTTP_PROXY fixed. When we now construct the cgi env variables, we just skip + the Proxy header. Reported by domi...@varspool.com. + CVE-2016-1000108 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832433 + +--- a/src/yaws_cgi.erl ++++ b/src/yaws_cgi.erl +@@ -368,11 +368,21 @@ build_env(Arg, Scriptfilename, Pathinfo, ExtraEnv, SC) -> + {"HTTP_IF_NONE_MATCH", H#headers.if_none_match}, + {"HTTP_IF_UNMODIFIED_SINCE", H#headers.if_unmodified_since}, + {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))} +- ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end, +- H#headers.other) ++ ]++ other_headers(H#headers.other) + )) ++ + Extra_CGI_Vars. + ++other_headers(Headers) -> ++ lists:zf(fun({http_header,_,Var,_,Val}) -> ++ case tohttp(Var) of ++ "HTTP_PROXY" -> ++ %% See http://httpoxy.org/ ++ false; ++ HTTP -> ++ {true, {HTTP,Val}} ++ end ++ end, Headers). ++ + tohttp(X) -> + "HTTP_"++lists:map(fun tohttp_c/1, yaws:to_list(X)). + diff -Nru yaws-1.98/debian/patches/series yaws-1.98/debian/patches/series --- yaws-1.98/debian/patches/series 2013-10-19 17:40:03.000000000 +0400 +++ yaws-1.98/debian/patches/series 2016-07-26 07:46:53.000000000 +0300 @@ -2,3 +2,4 @@ gnu.diff docs.diff m32m64.diff +CVE-2016-1000108.diff
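Review bot: the new 1.98-4+deb8u1 changelog entry uses urgency=low although it exists only to fix CVE-2016-1000108; for a security fix going into stable, urgency=medium (or higher) reflects the content better. The entry could also name the source of the value, e.g. "(exporting the client-supplied Proxy request header as HTTP_PROXY to CGI scripts)", since that is what the patch actually changes.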
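Review bot: debian/patches/CVE-2016-1000108.diff has From/Date/Subject/Bug-Debian headers but no DEP-3 Origin field; since the report says the patch is taken from upstream, add "Origin: upstream, <upstream commit URL>" so the provenance is traceable from the patch itself. As a minor point on other_headers/1, lists:zf/2 is the old name for lists:filtermap/2; keeping zf is fine if this is verbatim upstream, otherwise filtermap is the documented spelling.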