Bug#858846: jessie-pu: package apt-cacher/1.7.10
Control: tags -1 + pending On Mon, 2017-04-24 at 17:46 +0100, Mark Hindley wrote: > On Sun, Apr 23, 2017 at 09:38:42PM +0100, Adam D. Barratt wrote: > > Control: tags -1 + confirmed > > > > On Mon, 2017-03-27 at 16:47 +0100, Mark Hindley wrote: > > > I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the > > > HTTP > > > splitting issue tracked in #858739 (no CVE allocated). > > > > > > I have prepared 1.7.10+deb8u1 which is available from > > > http://hindley.org.uk/~mark/debian > > > > Please go ahead. > > Thanks Uploaded and flagged for acceptance. Regards, Adam
Bug#858846: jessie-pu: package apt-cacher/1.7.10
On Wed, May 10, 2017 at 08:26:15PM +0100, Adam D. Barratt wrote: > On Wed, 2017-05-10 at 22:19 +0300, Adrian Bunk wrote: > > > And in a related topic: > > > > #786661 apt-cacher: Does not work in inetd mode - fails to create > > /var/run/apt-cacher > > > > This RC bug was reported against the version in jessie and is still > > unfixed there. > > > > Could you add this fix and then send a debdiff to the bug so that Adam > > can approve fixing also this issue in jessie? > > Please don't, at least in those specific terms. > > If it's a separate issue, it wants a new bug. p-u bugs only get re-used > for subsequent uploads if those are related to the issue covered by the > initial upload. Thanks. I have opened a separate p-u bug for approval of this. See #862327 Best wishes. Mark
Bug#858846: jessie-pu: package apt-cacher/1.7.10
On Wed, 2017-05-10 at 22:19 +0300, Adrian Bunk wrote: > On Sun, Apr 23, 2017 at 09:38:42PM +0100, Adam D. Barratt wrote: > > Control: tags -1 + confirmed > > > > On Mon, 2017-03-27 at 16:47 +0100, Mark Hindley wrote: > > > I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the > > > HTTP > > > splitting issue tracked in #858739 (no CVE allocated). > > > > > > I have prepared 1.7.10+deb8u1 which is available from > > > http://hindley.org.uk/~mark/debian > > > > Please go ahead. > >... > > Mark, did this upload get lost somewhere? > > This CVE is now fixed in wheezy-security and uploaded for > stretch, but not yet for jessie. It's in the p-u-new queue, waiting for processing, as of last night - as can be seen at https://release.debian.org/proposed-updates/stable.html > And in a related topic: > > #786661 apt-cacher: Does not work in inetd mode - fails to create > /var/run/apt-cacher > > This RC bug was reported against the version in jessie and is still > unfixed there. > > Could you add this fix and then send a debdiff to the bug so that Adam > can approve fixing also this issue in jessie? Please don't, at least in those specific terms. If it's a separate issue, it wants a new bug. p-u bugs only get re-used for subsequent uploads if those are related to the issue covered by the initial upload. Regards, Adam
Bug#858846: jessie-pu: package apt-cacher/1.7.10
On Sun, Apr 23, 2017 at 09:38:42PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2017-03-27 at 16:47 +0100, Mark Hindley wrote: > > I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the > > HTTP > > splitting issue tracked in #858739 (no CVE allocated). > > > > I have prepared 1.7.10+deb8u1 which is available from > > http://hindley.org.uk/~mark/debian > > Please go ahead. >... Mark, did this upload get lost somewhere? This CVE is now fixed in wheezy-security and uploaded for stretch, but not yet for jessie. And in a related topic: #786661 apt-cacher: Does not work in inetd mode - fails to create /var/run/apt-cacher This RC bug was reported against the version in jessie and is still unfixed there. Could you add this fix and then send a debdiff to the bug so that Adam can approve fixing also this issue in jessie? > Regards, > > Adam Thanks Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed
Bug#858846: jessie-pu: package apt-cacher/1.7.10
On Mon, 2017-04-24 at 17:46 +0100, Mark Hindley wrote: > On Sun, Apr 23, 2017 at 09:38:42PM +0100, Adam D. Barratt wrote: [...] > > On a related note, I can see that this issue is fixed in unstable, but > > the diff between that and the current version in testing is unlikely to > > get unblocked due to the debhelper compat bump. Do you have a plan for > > resolving that? > > I could prepare 1.7.13+deb9u1. But I am unclear how to upload direct to > testing. Any suggestions? If you'd like to look at that approach, please open an unblock bug (clearly marked as pre-approval), preferably with a tested debdiff. (The answer involves setting the distribution to "stretch", but please don't upload such a package without prior agreement.) Regards, Adam
Bug#858846: jessie-pu: package apt-cacher/1.7.10
On Sun, Apr 23, 2017 at 09:38:42PM +0100, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Mon, 2017-03-27 at 16:47 +0100, Mark Hindley wrote: > > I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the > > HTTP > > splitting issue tracked in #858739 (no CVE allocated). > > > > I have prepared 1.7.10+deb8u1 which is available from > > http://hindley.org.uk/~mark/debian > > Please go ahead. Thanks > On a related note, I can see that this issue is fixed in unstable, but > the diff between that and the current version in testing is unlikely to > get unblocked due to the debhelper compat bump. Do you have a plan for > resolving that? I could prepare 1.7.13+deb9u1. But I am unclear how to upload direct to testing. Any suggestions? Many thanks, Mark
Bug#858846: jessie-pu: package apt-cacher/1.7.10
Control: tags -1 + confirmed On Mon, 2017-03-27 at 16:47 +0100, Mark Hindley wrote: > I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the HTTP > splitting issue tracked in #858739 (no CVE allocated). > > I have prepared 1.7.10+deb8u1 which is available from > http://hindley.org.uk/~mark/debian Please go ahead. On a related note, I can see that this issue is fixed in unstable, but the diff between that and the current version in testing is unlikely to get unblocked due to the debhelper compat bump. Do you have a plan for resolving that? Regards, Adam
Bug#858846: jessie-pu: package apt-cacher/1.7.10
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Hello, I would like to arrange update of apt-cacher 1.7.10 in Jessie to fix the HTTP splitting issue tracked in #858739 (no CVE allocated). I have prepared 1.7.10+deb8u1 which is available from http://hindley.org.uk/~mark/debian Alternatively, as this is a native package you may prefer me to package it as 1.7.10.1. Please advise. debdiff: Changes from debian/1.7.10 to debian/1.7.10+deb8u1 Modified apt-cacher diff --git a/apt-cacher b/apt-cacher index 668b2d8..5bde2e7 100755 --- a/apt-cacher +++ b/apt-cacher @@ -2093,8 +2093,8 @@ sub get_request { $request->protocol($3||'HTTP/1.0'); clean_uri($request->uri); - if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../ - sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri)); + if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines + sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri)); return 1; # next REQUEST } return $request if $mode && $mode eq 'cgi'; # Not going to get anything else Modified debian/changelog diff --git a/debian/changelog b/debian/changelog index 43310cd..d8946f6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +apt-cacher (1.7.10+deb8u1) jessie-security; urgency=medium + + * Prevent HTTP response splitting with encoded newlines in +request. Backport of fix for #858739. + + -- Mark HindleySun, 26 Mar 2017 18:25:21 +0100 + apt-cacher (1.7.10) unstable; urgency=low * Internally store http_proxy as URI object which can include Many thanks. Mark