On Tuesday, 30 April 2024, 14:56:07 UTC, Barak A. Pearlmutter wrote:
> I've uploaded a package with this fixed to unstable, 1:2.24-5, and
> it's been autobuilt and pushed out. Seems to work okay, and can be
> co-installed with apache2/sid.
> 
> Just uploaded 1:2.24-6 that adds Breaks: apache2-bin per your recent message.
> 
> Honestly, I'm not confident in my ability to properly back-port
> security-related patches to old versions of fossil. It's a big
> network-facing program with a large number of moving parts and a
> substantial attack surface, all written in C. It uses its own sqlite3
> copy when the shared library in Debian isn't a high enough version or
> doesn't have the right options enabled (currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)
> All this means it would be super easy for me to miss some issue and
> introduce a vulnerability if I try to back-port a security patch,
> particularly without myself deeply understanding the security issue.
> 
> Stable has 1:2.21-1.
> 
> I just made a debian-bookworm-proposed-updates branch rooted there and
> tried to cherry-pick the fix,
> https://fossil-scm.org/home/info/f4ffefe708793b03 but it does not
> apply cleanly. Obviously I can do it manually though, however there
> have been changes in the neighborhood.
> 
> Also, are you *sure* I shouldn't also be applying
> https://fossil-scm.org/home/info/71919ad1b542832c to the fixed
> versions? Because I'm not! I'd be most comfortable if upstream simply
> made a proper release with this fixed (which I bet they'd do upon
> request), and I uploaded that with the appropriate "Breaks:
> apache2-bin (<<...)", and did the (trivial) backport of that package
> to bookworm and bullseye, with the "breaks:" modified to the
> appropriate version.

I agree with you; maybe a full backport is better for bookworm. See the changes here
(lines marked with * are the interesting commits to backport).

Yadd, do you have a piece of advice?

Bastien

2024-04-22
  *16:29  cgi.md: be less specific about the Apache version in which the Content-Length change happened because a new forum post reports that it happens at least as far back as 2.4.41. ...
2024-04-21
   18:51  Merge the update to zLib-1.3.1. ...
   18:46  Improvements to comments in graph.c. No changes to actual code. ...
  *16:20  Fix parsing of the argument to the "Connection:" header of HTTP reply messages to deal with unusual arguments added by Apache mod_cgi. See forum thread ca6fc85c80f4704f. ...
  *15:37  Simplify parsing of the Connection: header in HTTP replies. ...
  *06:15  Only accept commas as separators for multiple values in "Connection:" HTTP headers, and ignore any white space surrounding (but not embedded into) values. The previous method would fall for (fictional) HTTP header values containing spaces, like "Connection: don't close", and recognize a value of "close". ...
2024-04-20
   21:58  In /chat preview mode, apply the click handlers to pikchrs in the preview. ...
  *14:42  Fix parsing of "Connection:" HTTP headers with multiple values. ...
2024-04-19
   16:08  Fix a minor problem in graph layout for timelines that made use of the offset-merge-riser enhancement. Problem originally seen on the bottom node of /timeline?p=6da255034b30b4b4&bt=47362306a7dd7c6f. ...
  *13:11  More change-log enhancements: More details about the work-around for the Apache mod_cgi breakage, and put that work-around first on the change log since it seems to be important to people. ...
   12:59  Formatting enhancements to the change log for the upcoming 2.24 release. ...
2024-04-18
   17:14  Update the built-in SQLite to the latest pre-release of version 3.46.0, including the bug fix for the use of VALUES-as-coroutine with an OUTER JOIN. ...
   17:00  Typo fix and add specific Apache version number to the notes about the Content-Length change. ...
2024-04-17
   17:59  Change log updates. ...
  *15:30  Edit [18d76fff]: Edit check-in comment. ...
  *14:02  Output a warning if a client sync or clone gets back a keep-alive HTTP reply that lacks a content-length header. ...
  *13:27  Only process HTTP replies that lack a Content-Length header if the connection is set to be closed. Suggested by https://bz.apache.org/bugzilla/show_bug.cgi?id=68905. ...
  *13:21  Update the change log in order to mention the Apache mod_cgi/Content-Length fix. ...
  *13:14  Update Apache mod_cgi/Content-Length documentation. ...
  *12:58  Fix the HTTP-reply parser so that it is able to deal with replies that lack a Content-Length header field. This resolves the issue reported by forum post 12ac403fd29cfc89. Also in this merge: (1) Add the --xverbose option to "fossil clone". (2) Improved error messages when web servers misbehave. See also my misguided and incorrect Apache bug 68905. Special thanks to Apache devs for setting me straight. ...
   12:49  Fix ssh: clones, broken by the previous check-in. ...
  *12:18  Arrange for the HTTP reply parser to be able to deal with a missing Content-Length header. Add the --xverbose option to the "fossil clone" command. ...
2024-04-16
  *22:55  Attempt to provide more useful error messages when an intermediate server (such as Apache) does something wrong and messes up an HTTP request. ...
  *13:50  Improvements to the /test_env page that can be used to help diagnose problems such as missing CONTENT_LENGTH CGI parameters. ...

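The Connection: header handling described by the starred timeline entries (whole comma-separated elements only, surrounding white space ignored, embedded white space kept, and a reply with no Content-Length accepted only when the server will close), as an added C illustration that is not fossil's own code; the function names connection_has_token, connection_has_token_old and reply_without_length_ok are assumed.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Added illustration, not fossil's code. Function names are assumed. */

/* Case-insensitive equality of the n-byte element [p, p+n) with zTok. */
static int token_eq(const char *p, size_t n, const char *zTok){
  return strlen(zTok)==n && strncasecmp(p, zTok, n)==0;
}

/* Return 1 if the value of a "Connection:" header contains zTok as one
** complete comma-separated element. White space around an element is
** ignored; white space inside it is kept, so the (fictional) value
** "don't close" does not count as "close". */
int connection_has_token(const char *zValue, const char *zTok){
  const char *p = zValue;
  while( *p ){
    const char *q, *e;
    while( *p==' ' || *p=='\t' ) p++;                    /* leading white space */
    for(q=p; *q && *q!=','; q++){}                       /* element ends at comma */
    for(e=q; e>p && (e[-1]==' ' || e[-1]=='\t'); e--){}  /* trailing white space */
    if( e>p && token_eq(p, (size_t)(e-p), zTok) ) return 1;
    p = (*q==',') ? q+1 : q;
  }
  return 0;
}

/* The earlier substring-style check (simplified), kept only to show why
** it matched "close" inside "don't close" or "closed". */
int connection_has_token_old(const char *zValue, const char *zTok){
  size_t n = strlen(zTok);
  for(; *zValue; zValue++){
    if( strncasecmp(zValue, zTok, n)==0 ) return 1;
  }
  return 0;
}

/* A keep-alive reply with no Content-Length cannot be framed reliably, so
** a reply lacking that header is accepted only when the server says it
** will close the connection (zConnection is NULL when the header is absent). */
int reply_without_length_ok(const char *zConnection, int hasContentLength){
  if( hasContentLength ) return 1;
  return zConnection!=0 && connection_has_token(zConnection, "close");
}
```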