Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please approve the upload of a new version of apt-cacher-ng. See #860243 for details. Here is a minimum viable patch included below. This is made under protest because I still consider the "reasons" for rejecting #860243 specious and unfair. But anyhow, this changeset should do the job for a (short) while. unblock apt-cacher-ng/2-2 diff -Nru apt-cacher-ng-2/debian/changelog apt-cacher-ng-2/debian/changelog --- apt-cacher-ng-2/debian/changelog 2016-11-22 21:39:43.000000000 +0100 +++ apt-cacher-ng-2/debian/changelog 2017-04-13 18:11:17.000000000 +0200 @@ -1,3 +1,17 @@ +apt-cacher-ng (2-2) testing; urgency=high + + * Special version only for Debian Stretch, solving moderate security issues: + + hardening against HTTP header splitting attack (no user input printed in + the HTTP headers anymore; backport from Sid, related to CVE-2017-7443) + + hardening against unintended or malicious triggering of hidden space + allocation, by disabling the fallocate completely. This is ultima ratio, + trading code simplicity for fragmentation avoiding efforts; a smarter + solution is found in upstream version 3; closes: #856635) + + handle a corner case of bad TLS handshake with invalid certificate + (related to #839751) + + -- Eduard Bloch <bl...@debian.org> Thu, 13 Apr 2017 18:11:17 +0200 + apt-cacher-ng (2-1) unstable; urgency=low * New upstream version diff -Nru apt-cacher-ng-2/debian/patches/debian-changes apt-cacher-ng-2/debian/patches/debian-changes --- apt-cacher-ng-2/debian/patches/debian-changes 1970-01-01 01:00:00.000000000 +0100 +++ apt-cacher-ng-2/debian/patches/debian-changes 2017-04-13 18:11:17.000000000 +0200 
@@ -0,0 +1,81 @@ +Description: <short summary of the patch> + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + apt-cacher-ng (2-2) testing; urgency=high + . + * Special version only for Debian Stretch, solving moderate security issues: + + hardening against HTTP header splitting attack (no user input printed in + the HTTP headers anymore; backport from Sid, related to CVE-2017-7443) + + hardening against unintended or malicious triggering of hidden space + allocation, by disabling the fallocate completely. This is ultima ratio, + trading code simplicity for fragmentation avoiding efforts; a smarter + solution is found in upstream version 3; closes: #856635) + + handle a corner case of bad TLS handshake with invalid certificate + (related to #839751) +Author: Eduard Bloch <bl...@debian.org> +Bug-Debian: https://bugs.debian.org/856635 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here +are templates for supplementary fields that you might want to add: + +Origin: <vendor|upstream|other>, <url of original patch> +Bug: <url in upstream bugtracker> +Bug-Debian: https://bugs.debian.org/<bugnumber> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> +Forwarded: <no|not-needed|url proving that it has been forwarded> +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: 2017-04-13 + +--- apt-cacher-ng-2.orig/source/fileio.cc ++++ apt-cacher-ng-2/source/fileio.cc +@@ -17,7 +17,7 @@ using namespace std; + namespace acng + { + +-#ifdef HAVE_LINUX_FALLOCATE ++#ifdef DISABLED_FOR_NOW + + int falloc_helper(int fd, off_t start, off_t len) + { +--- apt-cacher-ng-2.orig/source/job.cc ++++ apt-cacher-ng-2/source/job.cc +@@ -712,9 +712,7 @@ report_overload: + return ; + + report_notallowed: +- SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(), +- nullptr, "403 Forbidden file type or location"); +-// USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN"); ++ SetErrorResponse("403 Forbidden file type or location"); + return ; + + report_offlineconf: +--- apt-cacher-ng-2.orig/source/tcpconnect.cc ++++ apt-cacher-ng-2/source/tcpconnect.cc +@@ -585,11 +585,19 @@ bool tcpconnect::SSLinit(mstring &sErr, + if(!cfg::nsafriendly) + { + hret=SSL_get_verify_result(ssl); +- if( hret != X509_V_OK) ++ if(hret != X509_V_OK) + { + perr=X509_verify_cert_error_string(hret); + goto ssl_init_fail; + } ++ auto server_cert = SSL_get_peer_certificate(ssl); ++ if(server_cert) ++ X509_free(server_cert); ++ else ++ { ++ perr="Incompatible remote certificate"; ++ goto ssl_init_fail; ++ } + } + + return true; diff -Nru apt-cacher-ng-2/debian/patches/series apt-cacher-ng-2/debian/patches/series --- apt-cacher-ng-2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ apt-cacher-ng-2/debian/patches/series 2017-04-13 18:11:17.000000000 +0200 @@ -0,0 +1 @@ +debian-changes
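Review bot: in the debian/changelog hunk, the fallocate item ends with an unmatched closing parenthesis ("...solution is found in upstream version 3; closes: #856635)") with no opening "(" anywhere in that item; drop the stray ")" or open the parenthesis before "a smarter solution". The other two items only say "related to CVE-2017-7443" and "related to #839751" without a Closes, so neither bug will be closed by this upload; if the header-splitting change does resolve the Stretch side of CVE-2017-7443, say so explicitly so the security tracker can pick it up.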
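Review bot: the DEP-3 header of debian/patches/debian-changes is still the unedited template: "Description: <short summary of the patch>", the "TODO: Put a short summary on the line above..." paragraph, the "Here are templates for supplementary fields" text and the "<vendor|upstream|other>" / "<url in upstream bugtracker>" placeholders were all left in. Replace Description with a one-line summary of the three changes, delete the TODO and template blocks, and since the changelog calls the header-splitting fix a "backport from Sid", add an Origin field pointing at the upstream commit; Bug-Debian currently lists only 856635 while the changelog also references 839751 and CVE-2017-7443.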
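Review bot: in the source/fileio.cc hunk, replacing "#ifdef HAVE_LINUX_FALLOCATE" with "#ifdef DISABLED_FOR_NOW" leaves falloc_helper() in the tree as dead code behind a macro that nothing defines, and there is no comment saying why. Since the changelog states this is deliberate (hidden space allocation, #856635, smarter fix in upstream 3), put a one-line comment at that guard naming the bug, so a later reader does not mistake it for a leftover or re-enable it by defining the macro; also confirm that the fallback branch the guard now always selects (outside the hunk's three lines of context) is the path production callers actually take.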
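Review bot: in the source/job.cc hunk, removing sReqPath from the 403 response is the right fix for the header-splitting issue named in the changelog, because the request path was previously concatenated into the status line that becomes part of the HTTP header. The new one-argument call "SetErrorResponse("403 Forbidden file type or location");" only compiles if the remaining parameters of SetErrorResponse have defaults, which this hunk does not show, so please confirm that against the declaration rather than rely on the build. The path that was refused is useful diagnostic information; it should be written to the server log (the deleted commented-out USRDBG line hints that such logging once existed) rather than echoed to the client.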
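Review bot: in the source/tcpconnect.cc hunk, the added SSL_get_peer_certificate() check is needed because SSL_get_verify_result() returns X509_V_OK when the peer presented no certificate at all (its documentation says so), so the existing "hret != X509_V_OK" test alone does not prove a certificate was checked; the new branch closes that gap. Two points to tighten: the error text "Incompatible remote certificate" is misleading when the actual condition is "no certificate presented", and the certificate is freed immediately without being inspected, so this hunk performs no hostname check against the server name being connected to; if that is done elsewhere, a short comment here would save the next reviewer the search. The unrelated whitespace edit from "if( hret" to "if(hret" adds noise to a freeze-era security backport and could be dropped.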