Package: sslsniff
Version: 0.8-8+b1
Severity: important
Tags: patch

Dear Maintainer,

sslsniff incorrectly uses case-sensitive comparisons when parsing HTTP headers, for example "Accept-Encoding", "Connection", "Keep-Alive" etc. Servers can and do send headers with different capitalization (for example Oracle-iPlanet-Web-Server is known to do this).

If such unusual capitalization is used by the server, sslsniff doesn't work right since it fails to detect the header.

I expect sslsniff to function even though headers of unusual capitalization are met.

A patch fixing this issue has been merged to HEAD in 2011 already:
https://github.com/moxie0/sslsniff/pull/3/commits/f8c4274d1bfc3c2eca241d65f96de746bb0065e0

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sslsniff depends on:
ii  libboost-filesystem1.67.0  1.67.0-10
ii  libboost-system1.67.0      1.67.0-10
ii  libboost-thread1.67.0      1.67.0-10
ii  libc6                      2.27-8
ii  libgcc1                    1:8.2.0-9
ii  liblog4cpp5v5              1.1.3-1
ii  libssl1.1                  1.1.1-2
ii  libstdc++6                 8.2.0-9

sslsniff recommends no packages.

sslsniff suggests no packages.

-- no debconf information
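
The failure mode described in this report, as an added example that is not part of the original report and is not sslsniff's own code: HTTP field names are case-insensitive (RFC 7230, section 3.2), so an exact string match misses headers a server sends with unusual capitalization. The names `findHeader`, `ieq`, `trim` and `kSample` are hypothetical, and the sample response is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

// Case-insensitive ASCII comparison of two header field names.
static bool ieq(const std::string &a, const std::string &b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// Strip spaces, tabs and the trailing CR around a field value.
static std::string trim(const std::string &s) {
    const char *ws = " \t\r";
    std::string::size_type b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Look up header `name` in a raw response. ignoreCase=false reproduces the
// exact-match behaviour the report describes; ignoreCase=true is the fix.
bool findHeader(const std::string &raw, const std::string &name,
                bool ignoreCase, std::string &value) {
    std::istringstream in(raw);
    std::string line;
    std::getline(in, line);                        // skip the status line
    while (std::getline(in, line)) {
        if (line.empty() || line == "\r") break;   // blank line ends headers
        std::string::size_type colon = line.find(':');
        if (colon == std::string::npos) continue;  // not a header field
        std::string field = line.substr(0, colon);
        bool match = ignoreCase ? ieq(field, name) : field == name;
        if (match) { value = trim(line.substr(colon + 1)); return true; }
    }
    return false;
}

// Constructed sample: a response whose headers use unusual capitalization.
const std::string kSample =
    "HTTP/1.1 200 OK\r\n"
    "connection: Keep-Alive\r\n"
    "KEEP-ALIVE: timeout=5\r\n"
    "Content-length: 0\r\n"
    "\r\n"
    "Connection: close\r\n";  // body bytes, must not be parsed as a header
```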