Debian Bug report logs - #858739
apt-cacher: CVE-2017-7443: HTTP response splitting
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 25 Mar 2017 20:09:02 UTC
Severity: important
Tags: security
Found in versions apt-cacher/1.7.6, apt-cacher/1.7.13, apt-cacher/1.7.10
Fixed in versions apt-cacher/1.7.15, 1.7.6+deb7u1, apt-cacher/1.7.13+deb9u1
Done: Mark Hindley <mark@hindley.org.uk>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Hindley <mark@hindley.org.uk>: Bug#858739; Package src:apt-cacher. (Sat, 25 Mar 2017 20:09:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Hindley <mark@hindley.org.uk>. (Sat, 25 Mar 2017 20:09:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: apt-cacher
Version: 1.7.13
Severity: important
Tags: security
This is to have a BTS reference, since no CVE has been assigned.
Patch:
diff -Nru apt-cacher-1.7.14/apt-cacher apt-cacher-1.7.15/apt-cacher
--- apt-cacher-1.7.14/apt-cacher 2017-01-08 11:29:03.000000000 +0100
+++ apt-cacher-1.7.15/apt-cacher 2017-03-14 17:55:18.000000000 +0100
@@ -2090,8 +2090,8 @@
$request->protocol($3||'HTTP/1.0');
clean_uri($request->uri);
- if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
- sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+ if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+ sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
return 1; # next REQUEST
}
return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
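Review bot: the added `sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri))` line still copies the raw request URI into the status line's reason phrase, so the new check has to catch every form a line break can take for that echo to be safe, and `%0[ad]` only covers single-level percent-encoded CR/LF as seen after `clean_uri($request->uri)` has run. Please confirm that `clean_uri` does not percent-decode the URI (if it does, a decoded CR/LF would reach this test as a literal character and not match `%0[ad]`), and consider either dropping the URI from the reason phrase or restricting it to printable characters, which removes the injection point instead of enumerating bad encodings. A short comment that the `%0[ad]` alternation deliberately matches anywhere in the URI, unlike the `(?:^|/)\.{2}/` traversal half, would also help the next reader.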
diff -Nru apt-cacher-1.7.14/debian/changelog apt-cacher-1.7.15/debian/changelog
--- apt-cacher-1.7.14/debian/changelog 2017-01-08 11:37:20.000000000 +0100
+++ apt-cacher-1.7.15/debian/changelog 2017-03-21 10:52:04.000000000 +0100
@@ -1,3 +1,9 @@
+apt-cacher (1.7.15) unstable; urgency=medium
+
+ * Prevent HTTP response splitting with encoded newlines in request.
+
+ -- Mark Hindley <mark@hindley.org.uk> Tue, 21 Mar 2017 09:52:04 +0000
+
apt-cacher (1.7.14) unstable; urgency=medium
* Update to debhelper compatibility 9.
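Review bot: the changelog entry cites neither the bug report nor a CVE; add `(closes: #858739)` so the BTS closes this report automatically on upload, as the later 1.7.13+deb9u1 entry in this log does, and amend the entry with the CVE id once one is assigned.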
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Hindley <mark@hindley.org.uk>: Bug#858739; Package src:apt-cacher. (Sun, 26 Mar 2017 10:18:02 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Mark Hindley <mark@hindley.org.uk>. (Sun, 26 Mar 2017 10:18:03 GMT)
Message #10 received at 858739@bugs.debian.org:
Hi,
> This is to have a BTS reference, since no CVE has been assigned.
Do you plan to request one, etc.?
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Marked as fixed in versions apt-cacher/1.7.15. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.debian.org. (Sun, 26 Mar 2017 17:09:05 GMT)
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Mon, 27 Mar 2017 09:18:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 27 Mar 2017 09:18:08 GMT)
Message #17 received at 858739-done@bugs.debian.org:
Version: 1.7.6+deb7u1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 26 Mar 2017 22:05:16 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.6+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Mark Hindley <mark@hindley.org.uk>
Changed-By: Mark Hindley <mark@hindley.org.uk>
Description:
apt-cacher - Caching proxy for Debian package and source files
Changes:
apt-cacher (1.7.6+deb7u1) wheezy-security; urgency=medium
.
* Prevent HTTP response splitting with encoded newlines in
request. Backport of fix for #858739.
Checksums-Sha1:
48a8eca61f4dd8d2defc44def155a3bc9c954158 1530 apt-cacher_1.7.6+deb7u1.dsc
d697951df00ef5a50b84edde0292aae55b657974 119849 apt-cacher_1.7.6+deb7u1.tar.gz
3d1546fc1c7dc7a15bfc6f54b05edd8e62ce4830 106052 apt-cacher_1.7.6+deb7u1_all.deb
Checksums-Sha256:
631a29a83eb6d77d335e0806b9317e61e6c140b7f841899b4ab9b9b822a3b7fe 1530 apt-cacher_1.7.6+deb7u1.dsc
eb8803be076eb7d28d0a00b98028eecace50d8c8a094c71fc454ae1efec85679 119849 apt-cacher_1.7.6+deb7u1.tar.gz
262d5abf5329bce62003c286f100f400fc9f96f39f3f75a817a9fb54159ffaf5 106052 apt-cacher_1.7.6+deb7u1_all.deb
Files:
6eeacf10989e8b7f851101397b6f86be 1530 net optional apt-cacher_1.7.6+deb7u1.dsc
f02cd8676e60b0c2c4efd8a3a672be9c 119849 net optional apt-cacher_1.7.6+deb7u1.tar.gz
d19727961f4ac4cdf3e6e3888a9b2293 106052 net optional apt-cacher_1.7.6+deb7u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAljYzoQACgkQHpU+J9Qx
HliKhw/6AmZfnNK+aaobthqVDKKoEUDOMEXl/QCpTwtw9tP25WcAYGtPM4En9kAU
g/gUychSh4RyzEB8pG7Eqot8LGASigl2thtzDEdh8L8dkEDYp5irnCdFUg+chmV2
Oe6syqm4DLaTyP+QCQxkfqjM5ebwNedbUnRRmhm5BJzz6xkk/0m2YlYCQtXRA3f+
nGnav76RwTNxeXLl/BxaGg6zpf0+cJt4ug/58TEAY5J3MtnFvRWB26hptW9/uYwp
mlwTxWhxlp966b1D4cxfgZ4KEJWIJxY3Wq4OaDZ16oyqS/2T14jbLbSRqy/EsXv9
uguyBOgZrkdgRuUxmcfONf04+AjofGso/ORljeAsHfU7pttjs0ItpmYQgJ5bYWIZ
W7M8tgltPCphfJGLO3BPUQ4RJqJMGF6iFavmrF4e1KUv8CqaEG45euvv0SBJK3xN
kAQkm6umD5KBfUf/l+MHwA+255fQqb+9FUUg9nPLDudVa6xLtxOuGGhkpRvQexSO
mmlMwhgyYCTDd8yKHOggXpqFgrJzqqihdh7TyxONSX/aorY+7EBfjDHG1yKVIFTr
5gGp9qZd+fqPYP3h4FY6pqwM+P+nDOd/CqZLq4dfrkCBfItoCGX0FJlghemPItVP
2470Uudsae6CIveGDcCv70AyAY8nmXHLJkki3OiD06fGxhO4lNA=
=uNJZ
-----END PGP SIGNATURE-----
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#858739; Package src:apt-cacher. (Mon, 27 Mar 2017 11:51:04 GMT)
Message #20 received at 858739@bugs.debian.org:
Hello,
I have backported this fix to apt-cacher 1.7.10 for jessie.
I would be grateful if you could review it and upload.
Sources of 1.7.10+deb8u1 are available from
http://www.hindley.org.uk/~mark/debian
Many thanks.
Mark
Marked as found in versions apt-cacher/1.7.10. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Mar 2017 11:57:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Hindley <mark@hindley.org.uk>: Bug#858739; Package src:apt-cacher. (Mon, 27 Mar 2017 12:03:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Mark Hindley <mark@hindley.org.uk>. (Mon, 27 Mar 2017 12:03:03 GMT)
Message #27 received at 858739@bugs.debian.org:
Hi Mark,
On Mon, Mar 27, 2017 at 12:34:38PM +0100, Mark Hindley wrote:
> Hello,
>
> I have backported this fix to apt-cacher 1.7.10 for jessie.
>
> I would be grateful if you could review it and upload.
>
> Sources of 1.7.10+deb8u1 are available from
>
> http://www.hindley.org.uk/~mark/debian
It's not planned to release a DSA for this issue; can you please
schedule a fix via a stable-proposed-update for the next jessie point
release?
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
Thanks already.
Regards,
Salvatore
Bug 858739 cloned as bug 858833. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Mar 2017 12:39:02 GMT)
Marked as found in versions apt-cacher/1.7.6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Mar 2017 12:42:06 GMT)
Changed Bug title to 'apt-cacher: CVE-2017-7443: HTTP response splitting' from 'apt-cacher: HTTP response splitting'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 06 Apr 2017 04:33:03 GMT)
Reply sent to Mark Hindley <mark@hindley.org.uk>: You have taken responsibility. (Tue, 09 May 2017 19:51:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 09 May 2017 19:51:04 GMT)
Message #38 received at 858739-close@bugs.debian.org:
Source: apt-cacher
Source-Version: 1.7.13+deb9u1
We believe that the bug you reported is fixed in the latest version of
apt-cacher, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 858739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Hindley <mark@hindley.org.uk> (supplier of updated apt-cacher package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 24 Apr 2017 19:38:26 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.13+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Mark Hindley <mark@hindley.org.uk>
Changed-By: Mark Hindley <mark@hindley.org.uk>
Description:
apt-cacher - Caching proxy server for Debian/Ubuntu software repositories
Closes: 858739
Changes:
apt-cacher (1.7.13+deb9u1) stretch; urgency=medium
.
* Backport fix for CVE-2017-7443: Prevent HTTP response splitting with
encoded newlines in request. (closes: #858739)
Checksums-Sha1:
56d91905a9d4eb5c20480efd4034ab00df5f8600 1496 apt-cacher_1.7.13+deb9u1.dsc
5df0e54a3ec2e2f4d963b249d593ff14a0243194 99060 apt-cacher_1.7.13+deb9u1.tar.xz
24a5815bf1945bc8895ccffab30e90693d73f939 102220 apt-cacher_1.7.13+deb9u1_all.deb
87541da216a14d9bc3806f287d785b6407889d21 7068 apt-cacher_1.7.13+deb9u1_amd64.buildinfo
Checksums-Sha256:
f56dc234c66699f3f1fb6df838982a885a3934fd9f561efa8e99b41512a8bced 1496 apt-cacher_1.7.13+deb9u1.dsc
0581b7781b561d677c4de329402cd02ed1a28edb6d129149047dffce065f4f44 99060 apt-cacher_1.7.13+deb9u1.tar.xz
a7503265e92c83a22752be66b1ffff3310694f5a17a08b6aff7b11488398bf31 102220 apt-cacher_1.7.13+deb9u1_all.deb
04dbe5633e85f9ca74a4bdbf42064876a473dce401316a498a6e1bc2212f197e 7068 apt-cacher_1.7.13+deb9u1_amd64.buildinfo
Files:
7667daf7e3baffb0f1500afd83840b25 1496 net optional apt-cacher_1.7.13+deb9u1.dsc
b0edc677104ad26244ef7af91021c49d 99060 net optional apt-cacher_1.7.13+deb9u1.tar.xz
d7e8ba1be631225a7ca0da45caf36fef 102220 net optional apt-cacher_1.7.13+deb9u1_all.deb
ce30418fc2f64d289dea8bb5bbd1a2a9 7068 net optional apt-cacher_1.7.13+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=mO/N
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Jun 2017 07:26:27 GMT)
Last modified: Wed Jun 19 16:40:18 2019