Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

(sorry, no fix for the allow-releaseinfo-change stuff yet!)

I just uploaded 1.8.3 to unstable which includes a fix for HTTPS proxying - when using the CONNECT method, we were sending the proxy's host name in the Host header, where we should have sent the destination host name. This breaks ACLs on proxies that filter on that field and might thus prevent access to HTTPS repositories over such proxies.

A test case has been included that can be run with autopkgtest, and is running on CI.

The 1.8.3 also includes a change to the apport hook to exclude squashfs file systems in the output (to hide installed snaps) - this only affects Ubuntu, though.

I'd prefer to keep one 1.8.y branch rather than have a 1.8.2.z for buster, if possible, so I'd love if we could get it in like this (the 1.8.y branch currently covers unstable, stable, and ubuntu disco, but the ubuntu one will be gone in a few months, so it's likely a one, two time thing).

The attached diff is the 1.8.3 uploaded to unstable. The stable upload would have the version and upload target replaced in the changelog to read "1.8.3~deb10u1) buster" instead of "1.8.3) unstable". I'd expect buster to eventually take over 1.8.y properly and then we'd get 1.8.4 for buster instead of 1.8.4~deb10u1 for example.

-- System Information:
Debian Release: buster/sid
  APT prefers eoan
  APT policy: (991, 'eoan'), (500, 'eoan'), (500, 'cosmic-security')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.2.0-9-generic (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer
i speak de, en

diff -Nru apt-1.8.2/apt-pkg/deb/dpkgpm.cc apt-1.8.3/apt-pkg/deb/dpkgpm.cc --- apt-1.8.2/apt-pkg/deb/dpkgpm.cc 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/apt-pkg/deb/dpkgpm.cc 2019-08-09 11:16:15.000000000 +0200 @@ -2475,7 +2475,7 @@ { fprintf(report, "Df:\n"); - FILE *log = popen("/bin/df -l","r"); + FILE *log = popen("/bin/df -l -x squashfs","r"); if(log != NULL) { char buf[1024]; diff -Nru apt-1.8.2/CMakeLists.txt apt-1.8.3/CMakeLists.txt --- apt-1.8.2/CMakeLists.txt 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/CMakeLists.txt 2019-08-09 11:16:15.000000000 +0200 @@ -193,7 +193,7 @@ # Configure some variables like package, version and architecture. set(PACKAGE ${PROJECT_NAME}) set(PACKAGE_MAIL "APT Development Team <de...@lists.debian.org>") -set(PACKAGE_VERSION "1.8.2") +set(PACKAGE_VERSION "1.8.3") if (NOT DEFINED DPKG_DATADIR) execute_process(COMMAND ${PERL_EXECUTABLE} -MDpkg -e "print $Dpkg::DATADIR;" diff -Nru apt-1.8.2/debian/changelog apt-1.8.3/debian/changelog --- apt-1.8.2/debian/changelog 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/debian/changelog 2019-08-09 11:16:15.000000000 +0200 @@ -1,3 +1,13 @@ +apt (1.8.3) unstable; urgency=medium + + [ Simon Körner ] + * http: Fix Host header in proxied https connections (LP: #1838771) + + [ Brian Murray ] + * Do not include squashfs file systems in df output. (LP: #1756595) + + -- Julian Andres Klode <j...@debian.org> Fri, 09 Aug 2019 11:16:15 +0200 + apt (1.8.2) unstable; urgency=medium [ Alwin Henseler ] diff -Nru apt-1.8.2/doc/apt-verbatim.ent apt-1.8.3/doc/apt-verbatim.ent --- apt-1.8.2/doc/apt-verbatim.ent 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/doc/apt-verbatim.ent 2019-08-09 11:16:15.000000000 +0200 
@@ -268,7 +268,7 @@ "> <!-- this will be updated by 'prepare-release' --> -<!ENTITY apt-product-version "1.8.2"> +<!ENTITY apt-product-version "1.8.3"> <!-- (Code)names for various things used all over the place --> <!ENTITY debian-oldstable-codename "stretch"> diff -Nru apt-1.8.2/doc/po/apt-doc.pot apt-1.8.3/doc/po/apt-doc.pot --- apt-1.8.2/doc/po/apt-doc.pot 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/doc/po/apt-doc.pot 2019-08-09 11:16:15.000000000 +0200 @@ -5,9 +5,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: apt-doc 1.8.2\n" +"Project-Id-Version: apt-doc 1.8.3\n" "Report-Msgid-Bugs-To: APT Development Team <de...@lists.debian.org>\n" -"POT-Creation-Date: 2019-05-28 16:41+0200\n" +"POT-Creation-Date: 2019-08-09 11:16+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <l...@li.org>\n" diff -Nru apt-1.8.2/methods/http.cc apt-1.8.3/methods/http.cc --- apt-1.8.2/methods/http.cc 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/methods/http.cc 2019-08-09 11:16:15.000000000 +0200 @@ -320,14 +320,14 @@ std::string ProperHost; if (Host.find(':') != std::string::npos) - ProperHost = '[' + Proxy.Host + ']'; + ProperHost = '[' + Host + ']'; else - ProperHost = Proxy.Host; + ProperHost = Host; // Build the connect Req << "CONNECT " << Host << ":" << std::to_string(Port) << " HTTP/1.1\r\n"; if (Proxy.Port != 0) - Req << "Host: " << ProperHost << ":" << std::to_string(Proxy.Port) << "\r\n"; + Req << "Host: " << ProperHost << ":" << std::to_string(Port) << "\r\n"; else Req << "Host: " << ProperHost << "\r\n"; diff -Nru apt-1.8.2/po/apt-all.pot apt-1.8.3/po/apt-all.pot --- apt-1.8.2/po/apt-all.pot 2019-05-28 16:40:29.000000000 +0200 +++ apt-1.8.3/po/apt-all.pot 2019-08-09 11:16:15.000000000 +0200 
@@ -5,9 +5,9 @@ #, fuzzy msgid "" msgstr "" -"Project-Id-Version: apt 1.8.2\n" +"Project-Id-Version: apt 1.8.3\n" "Report-Msgid-Bugs-To: APT Development Team <de...@lists.debian.org>\n" -"POT-Creation-Date: 2019-05-28 16:41+0200\n" +"POT-Creation-Date: 2019-08-09 11:16+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <l...@li.org>\n" diff -Nru apt-1.8.2/test/integration/test-proxy-connect apt-1.8.3/test/integration/test-proxy-connect --- apt-1.8.2/test/integration/test-proxy-connect 1970-01-01 01:00:00.000000000 +0100 +++ apt-1.8.3/test/integration/test-proxy-connect 2019-08-09 11:16:15.000000000 +0200 @@ -0,0 +1,22 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +buildsimplenativepackage 'unrelated' 'all' '0.5~squeeze1' 'unstable' + +setupaptarchive +changetowebserver --request-absolute='uri' + + +msgmsg 'Check that host header we send for CONNECT is for target, not proxy' +echo "deb https://example.example/ example example" > rootdir/etc/apt/sources.list +rm -f rootdir/etc/apt/sources.list.d/* +echo "Acquire::http::Proxy \"http://localhost:${APTHTTPPORT}\";" > rootdir/etc/apt/apt.conf.d/99proxy + +aptget update >/dev/null 2>&1 +testsuccessequal "CONNECT example.example:443 HTTP/1.1\r +Host: example.example:443\r" grep -A1 "^CONNECT" aptarchive/webserver.log
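
Review bot: the new popen() argument in apt-pkg/deb/dpkgpm.cc, "/bin/df -l -x squashfs", has no comment saying why squashfs is filtered out. The cover text gives the reason (hiding installed snaps from the apport hook output); a one-line comment above the popen() call would keep that visible in the code and make it clear that the Df: section of the report no longer lists every local mount.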
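
Review bot: in methods/http.cc the port on the Host header is still gated on `if (Proxy.Port != 0)`, although the value written is now the destination `Port`. Whether the header carries a port therefore depends on how the proxy URI was written rather than on the target, and in the else branch the request goes out as `CONNECT host:port` with a bare `Host: host`, which a proxy ACL matching on Host may still treat as a different name. Suggest writing `Host: ProperHost:Port` unconditionally so the header always mirrors the CONNECT line. Also, the unchanged CONNECT line writes `Host` without the brackets that `ProperHost` adds, so for an IPv6 literal target the request line and the Host header will not be the same string.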
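
Review bot: test/integration/test-proxy-connect only covers a proxy URI with an explicit port (`http://localhost:${APTHTTPPORT}`) and a hostname target, so the `else` branch for `Proxy.Port == 0` and the bracketed IPv6 branch in http.cc are not exercised. A second case with an IPv6 literal in sources.list would pin down the bracket handling. In addition, `aptget update >/dev/null 2>&1` throws away all output, so when the grep comparison fails the test log will not show what apt actually did; consider writing the output to a file that is shown on failure.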
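
The Host header rule described in the report, as an added example that is not part of the original message and is not apt's code: `BuildConnect` formats the destination authority once and uses it for both the request line and the Host header, and `HostMatchesTarget` is a constructed stand-in for a proxy ACL that compares the two. All function names, the sample proxy name `localhost:3128` and the strict string comparison are assumptions.

```cpp
// Added example, not apt's code; every name below is hypothetical.
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// authority-form "host:port" of the destination; IPv6 literals are bracketed.
std::string Authority(std::string const &host, unsigned port)
{
   return (host.find(':') != std::string::npos ? '[' + host + ']' : host) + ':' + std::to_string(port);
}

// CONNECT request whose Host header mirrors the request target.
std::string BuildConnect(std::string const &host, unsigned port)
{
   std::string const a = Authority(host, port);
   return "CONNECT " + a + " HTTP/1.1\r\nHost: " + a + "\r\n\r\n";
}
// Constructed sample of the shape the report describes: Host names the proxy.
std::string const PreFixRequest =
   "CONNECT example.example:443 HTTP/1.1\r\nHost: localhost:3128\r\n\r\n";

// Stand-in for a proxy ACL: true only if Host equals the CONNECT target.
bool HostMatchesTarget(std::string const &request)
{
   std::istringstream in(request);
   std::string method, target, line;
   in >> method >> target;
   std::getline(in, line); // drop the rest of the request line
   if (method != "CONNECT") return false;
   while (std::getline(in, line) && line != "\r" && !line.empty())
   {
      if (line.back() == '\r') line.pop_back();
      auto const colon = line.find(':');
      if (colon == std::string::npos) continue;
      std::string name = line.substr(0, colon);
      for (char &c : name) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
      if (name != "host") continue; // header names are case-insensitive
      auto const start = line.find_first_not_of(" \t", colon + 1);
      return start != std::string::npos && line.substr(start) == target;
   }
   return false; // no Host header at all
}

int main()
{
   std::cout << HostMatchesTarget(BuildConnect("example.example", 443))
             << HostMatchesTarget(PreFixRequest) << '\n';
}
```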