ping :)

On Mon, Jan 26, 2015 at 06:48:22PM -0200, Antonio Terceiro wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian....@packages.debian.org
> Usertags: pu
> 
> Hello release team, and pound maintainers (copied via X-Debbugs-Cc).
> 
> The wheezy version of pound has a nasty bug that breaks HTTP → HTTPS
> redirects for URLs that contain the '=' character, which is arguably
> quite common.

The correct debdiff is attached to this email.

-- 
Antonio Terceiro <terce...@debian.org>
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog	2012-02-03 07:50:41.000000000 -0200
+++ pound-2.6/debian/changelog	2015-01-26 18:29:53.000000000 -0200
@@ -1,3 +1,12 @@
+pound (2.6-2+deb7u1) stable; urgency=medium
+
+  * Non-maintainer upload.
+  * Update XSS redirect vulnerability patch to not break with '=' in the URL.
+    Both the original patch and this update have already been applied
+    upstream. Closes: #723731
+
+ -- Antonio Terceiro <terce...@debian.org>  Mon, 26 Jan 2015 18:26:09 -0200
+
 pound (2.6-2) unstable; urgency=low
 
   * Update anti_beast patch
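
Review bot: the new changelog bullet does not name the file it touches or the behavioural change, which makes a stable-update request harder to audit. Consider wording it along the lines of "debian/patches/xss_redirect_fix.patch: add '=' to the characters copied through unchanged in redirect URLs". The distribution field is also "stable" while the request is tagged wheezy; using the codename keeps the entry unambiguous once stable moves on.
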
diff -Nru pound-2.6/debian/patches/xss_redirect_fix.patch pound-2.6/debian/patches/xss_redirect_fix.patch
--- pound-2.6/debian/patches/xss_redirect_fix.patch	2012-02-03 07:46:07.000000000 -0200
+++ pound-2.6/debian/patches/xss_redirect_fix.patch	2015-01-26 18:33:01.000000000 -0200
@@ -43,7 +43,7 @@
 +	    (ch>= 'A' && ch <='Z') ||
 +	    (ch>= 'a' && ch <='z') ||
 +	    (ch>= '0' && ch <='9') ||
-+            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';') {
++            ch == '-' || ch == '_' || ch == '.' || ch == ':' || ch == '/' || ch == '?' || ch == '&' || ch == ';' || ch == '=') {
 +
 +	    urlbuf[j++] = ch;
 +	    continue;
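
Review bot: the character allow-list on the changed `ch == '-' || ...` line has no comment explaining why each character is safe to copy into urlbuf unescaped, and it still leaves out '%', '+', '~' and '#', so URLs containing those keep falling through to whatever follows this branch (not visible in this hunk). Adding '=' does not weaken the XSS fix, since '<', '>', '"' and the single quote remain outside the set, but it is worth confirming that already percent-encoded redirect targets are not mangled the way '=' was. A short comment above the condition listing the permitted characters and the reason for each, plus a redirect test with a constructed query string such as ?a=b&c=d, would keep the next addition to this list from being a guess.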
