Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hello,

I would like to create a new upstream version and soon a Debian revision of
apt-cacher-ng, with a short cycle through experimental to make sure not to run
into any platform build issues.

It fixes three nasty issues that some users might consider security-related
bugs. Changelogs for upstream and Debian are attached below.
Particular commits to see at
https://anonscm.debian.org/cgit/apt-cacher-ng/apt-cacher-ng.git/log/?h=upstream%2Fsid
https://anonscm.debian.org/cgit/apt-cacher-ng/apt-cacher-ng.git/log/?h=debian%2Fexperimental
or in the attached diff file.

While not released yet, the work is basically finished. The only
remaining bug I intend to fix in addition is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855618
but this will be done with care.

Although the changes might look scary, I have actually postponed all major
changes and kept only:
- update of volatile file (mirror database)
- security related improvements, including better SSL host checks
- also including alternative SSL host validation code which should allow proper 
backports to Debian LTS and Ubuntu LTS
- and harmless/cosmetic changes like clang warning workarounds

I would like to hear your opinion ASAP. I could imagine extracting the most
critical changes to make an intermediate release, but the result would be harder
to validate and maintain, and I (although biased) would not like to throw those
changes away for a version which is supposed to stay around for a while.

apt-cacher-ng (3-1) UNRELEASED; urgency=medium

  * New upstream version
    + fixes hidden space allocation issue (closes: #856635)
  * Spanish translation update (by Matías A. Bellone, closes: #853105)
  * Instructions on how to work around cron job execution and "special needs"
    of some users to disable the admin page (closes: #855996)

 -- 

apt-cacher-ng (3) THIS-IS-NOT-THE-END; urgency=medium

  * NOTE: this release tackles multiple issues that might be considered
    security-related in certain environments.
  * FIX: Making sure to truncate the file in case its download is aborted.
    This is needed in order to avoid hidden filesystem space allocation
    (Debian bug #856635). Also more delicate use of fallocate calls on Linux
    due to the potential syscall execution delay. By default, limit the
    requested size to the first megabyte of a file.
  * FIX: detection of incorrectly allocated files and automated trimming in
    expiration run
  * FIX: compilation with GCC7, also warning fixes with Clang4
  * FIX: better checking of possibly invalid remote certificate configuration
    in SSL client code
  * FIX: added workaround code for OpenSSL certificate validation even with
    ancient SSL versions like the one found in Ubuntu 14 LTS; borrowed from
    libevent examples (originally from ssl-conservatory and cURL)
  * FIX: no printing of requested file name in the 403 HTTP status line
  * FIX: typo/wording in manual, iptables examples
  * Database update

 -- Eduard Bloch <bl...@debian.org>  Tue, 14 Mar 2017 16:23:20 +0100

 CMakeLists.txt                                  | 123 +++++++++-----
 COPYING                                         |  62 ++++++-
 ChangeLog                                       |  23 +++
 TODO                                            |  26 +--
 VERSION                                         |   2 +-
 client/CMakeLists.txt                           |   2 +-
 conf/acng.conf.in                               |  14 +-
 conf/deb_mirrors.gz                             | Bin 3697 -> 4095 bytes
 conf/epel_mirrors                               |  45 +++--
 conf/fedora_mirrors                             |  16 +-
 conf/gentoo_mirrors.gz                          | Bin 2603 -> 2588 bytes
 conf/sl_mirrors                                 |   2 +
 conf/ubuntu_mirrors                             |  57 +++++--
 dbgen/sig-debian                                |   2 +-
 dbgen/sig-fsnap                                 |   2 +-
 dbgen/sig-slsnap                                |   2 +-
 dbgen/sig-ubuntu                                |   2 +-
 debian/README.Debian                            |  23 +++
 debian/apt-cacher-ng.cron.daily                 |  12 ++
 debian/apt-cacher-ng.default                    |  10 +-
 debian/changelog                                |  10 ++
 debian/po/es.po                                 |  33 ++--
 doc/README                                      |   4 +-
 doc/apt-cacher-ng.pdf                           | 178 +++++++++----------
 doc/html/secure.html                            |   4 +-
 doc/src/README.but                              |   4 +-
 fs/CMakeLists.txt                               |  34 ++--
 fs/httpfs.cc                                    |   4 +-
 include/acfg.h                                  |   7 +-
 include/acsyscap.h.in                           |   1 +
 include/conn.h                                  |  14 +-
 include/dlcon.h                                 |   3 +-
 include/expiration.h                            |   2 +
 include/fileitem.h                              |   4 +-
 include/job.h                                   |   6 +-
 include/meta.h                                  |   8 +
 oldssl-workaround/CMakeLists.txt                |   9 +
 oldssl-workaround/hostcheck.c                   | 217 ++++++++++++++++++++++++
 oldssl-workaround/hostcheck.h                   |  30 ++++
 oldssl-workaround/openssl_hostname_validation.c | 177 +++++++++++++++++++
 oldssl-workaround/openssl_hostname_validation.h |  56 ++++++
 source/CMakeLists.txt                           |  47 +----
 source/acfg.cc                                  |   6 +-
 source/acfg_defaults.cc                         |   2 +
 source/acngtool.cc                              |   2 +-
 source/apt-cacher.cc                            |   2 +-
 source/cacheman.cc                              |  26 ++-
 source/cleaner.cc                               |   2 +-
 source/conn.cc                                  |  12 +-
 source/conserver.cc                             |  12 +-
 source/dlcon.cc                                 |  10 +-
 source/expiration.cc                            |  45 +++++
 source/fileitem.cc                              | 153 +++++++++--------
 source/job.cc                                   |  65 ++-----
 source/tcpconnect.cc                            |  91 +++++-----
 55 files changed, 1202 insertions(+), 503 deletions(-)

Best regards,
Eduard.
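Added example (not part of the above message and not apt-cacher-ng's own code): what the "hidden filesystem space allocation" entry in the changelog is about, reproduced in a small C program. A cache that preallocates the announced Content-Length with posix_fallocate() extends the file and pins disk blocks; if the transfer is aborted after a few KiB and nothing shrinks the file, the whole reservation stays allocated although only a prefix is valid. The function below simulates both behaviours (no truncation, as before the fix, and truncation to the bytes actually received, as the fix does) and reports st_size and the blocks really pinned. Function names, the temp-file path and the 1 MiB/4 KiB sample sizes are this example's own assumptions; the real project uses Linux fallocate(), this example uses the portable posix_fallocate().

```c
/* Added example, not apt-cacher-ng code: aborted download with and without
 * truncating the preallocated file. Names and sizes are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct cache_result {
    off_t size;       /* st_size after the simulated abort */
    off_t allocated;  /* st_blocks * 512: space the file really pins */
    int   error;      /* errno of the first failing step, 0 on success */
};

/* Create an anonymous temp file, preferring /tmp, falling back to the cwd. */
static int open_scratch(void)
{
    char tmp[] = "/tmp/acng-demo-XXXXXX";
    int fd = mkstemp(tmp);
    if (fd >= 0) { unlink(tmp); return fd; }
    char cwd[] = "acng-demo-XXXXXX";
    fd = mkstemp(cwd);
    if (fd >= 0) unlink(cwd);
    return fd;
}

/* Preallocate `announced` bytes (the Content-Length), write `received`
 * bytes of payload, then either leave the file as the old code did
 * (truncate_on_abort == 0) or shrink it to `received` as the fix does. */
struct cache_result simulate_aborted_download(off_t announced, size_t received,
                                              int truncate_on_abort)
{
    struct cache_result r = {0, 0, 0};
    int fd = open_scratch();
    if (fd < 0) { r.error = errno; return r; }

    int err = posix_fallocate(fd, 0, announced);   /* reserve the full size */
    if (err != 0) { r.error = err; close(fd); return r; }

    /* constructed payload: the first `received` bytes of the "download" */
    char chunk[4096];
    memset(chunk, 'A', sizeof chunk);
    size_t left = received;
    while (left > 0) {
        size_t n = left < sizeof chunk ? left : sizeof chunk;
        ssize_t w = write(fd, chunk, n);
        if (w < 0) { r.error = errno; close(fd); return r; }
        left -= (size_t)w;
    }

    /* the fix: drop the reservation beyond what actually arrived */
    if (truncate_on_abort && ftruncate(fd, (off_t)received) != 0) {
        r.error = errno; close(fd); return r;
    }

    struct stat st;
    if (fstat(fd, &st) != 0) { r.error = errno; close(fd); return r; }
    r.size = st.st_size;
    r.allocated = (off_t)st.st_blocks * 512;
    close(fd);
    return r;
}

int main(void)
{
    struct cache_result leaked = simulate_aborted_download(1 << 20, 4096, 0);
    struct cache_result fixed  = simulate_aborted_download(1 << 20, 4096, 1);
    printf("no truncation: size=%lld allocated=%lld err=%d\n",
           (long long)leaked.size, (long long)leaked.allocated, leaked.error);
    printf("truncated:     size=%lld allocated=%lld err=%d\n",
           (long long)fixed.size, (long long)fixed.allocated, fixed.error);
    return 0;
}
```

The first line shows a 4 KiB download that still occupies the full 1 MiB it announced; the second shows the file back at 4 KiB. The changelog's other measure, limiting the preallocation request to the first megabyte, bounds how much a single aborted transfer can pin even before the truncation runs.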

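Added example (not part of the above message and not apt-cacher-ng's own code): the kind of certificate hostname check the "better checking of possibly invalid remote certificate configuration" and "workaround code for OpenSSL certificate validation" entries refer to, written in C from the rules of the cURL/ssl-conservatory hostcheck the changelog says acng borrows. This is a simplified port with its own function names, not the project's files under oldssl-workaround/. Rules implemented: a pattern without '*' must match exactly (ASCII case-insensitive); a '*' is honoured only as the complete leftmost label and only when at least two more labels follow ("*.example.org" yes, "*.org" and "*" no); a wildcard never matches an IP-address literal; and a name whose ASN.1 length differs from its visible C-string length (an embedded NUL) is reported as malformed instead of being matched on its prefix. The malicious CN bytes are constructed for the example.

```c
/* Added example, not apt-cacher-ng code: hostname matching for certificate
 * names in the style of the cURL/ssl-conservatory hostcheck. Hypothetical
 * names; sample inputs are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality; DNS labels are ASCII after IDNA encoding. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Crude literal detector: dotted digits (IPv4) or anything with ':' (IPv6). */
static int looks_like_ip_literal(const char *host)
{
    if (strchr(host, ':')) return 1;
    for (const char *p = host; *p; ++p)
        if (!isdigit((unsigned char)*p) && *p != '.') return 0;
    return *host != '\0';
}

/* 1 if hostname is covered by the certificate name pattern, else 0. */
int hostmatch(const char *hostname, const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (!star)
        return ieq(hostname, pattern);

    /* exactly one '*', it is the whole first label, and no empty labels */
    if (star != pattern || pattern[1] != '.' || strchr(star + 1, '*') ||
        strstr(pattern, "..") || pattern[strlen(pattern) - 1] == '.')
        return 0;

    /* the wildcard must leave at least two real labels ("*.example.org") */
    int dots = 0;
    for (const char *p = pattern; *p; ++p)
        if (*p == '.') ++dots;
    if (dots < 2)
        return 0;

    /* wildcards never cover IP literals, and the host needs a first label */
    if (looks_like_ip_literal(hostname))
        return 0;
    const char *hdot = strchr(hostname, '.');
    if (!hdot || hdot == hostname)
        return 0;

    /* '*' consumes exactly one label; the rest must match label for label */
    return ieq(hdot, pattern + 1);
}

/* Constructed malicious CN: the visible text is the victim's name, but the
 * ASN.1 length reveals an embedded NUL followed by the attacker's name. */
static const unsigned char kEvilCN[] = "www.example.org\0.attacker.test";
#define kEvilCNLen (sizeof kEvilCN - 1)

/* -1: malformed name (embedded NUL or oversize); 1: match; 0: no match. */
int check_cert_name(const unsigned char *asn1_data, size_t asn1_len,
                    const char *hostname)
{
    char name[256];
    if (asn1_len >= sizeof name)
        return -1;
    /* strlen()-based code would stop at the NUL and see "www.example.org";
     * the ASN.1 length says the name is longer, so reject it outright */
    if (memchr(asn1_data, '\0', asn1_len) != NULL)
        return -1;
    memcpy(name, asn1_data, asn1_len);
    name[asn1_len] = '\0';
    return hostmatch(hostname, name);
}

int main(void)
{
    printf("foo.example.org vs *.example.org     -> %d\n",
           hostmatch("foo.example.org", "*.example.org"));
    printf("foo.bar.example.org vs *.example.org -> %d\n",
           hostmatch("foo.bar.example.org", "*.example.org"));
    printf("foo.org vs *.org                     -> %d\n",
           hostmatch("foo.org", "*.org"));
    printf("embedded-NUL CN vs www.example.org   -> %d\n",
           check_cert_name(kEvilCN, kEvilCNLen, "www.example.org"));
    return 0;
}
```

The matcher is only the last step: a client still has to verify the chain, prefer SubjectAltName dNSName entries over the CN, and fail closed when the certificate carries no usable name, which is the "possibly invalid remote certificate configuration" case the changelog mentions.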