Source: apt-cacher Version: 1.7.13 Severity: important Tags: security This is to have a BTS reference, since no CVE has been assigned.
Patch:
diff -Nru apt-cacher-1.7.14/apt-cacher apt-cacher-1.7.15/apt-cacher
--- apt-cacher-1.7.14/apt-cacher 2017-01-08 11:29:03.000000000 +0100
+++ apt-cacher-1.7.15/apt-cacher 2017-03-14 17:55:18.000000000 +0100
@@ -2090,8 +2090,8 @@
 $request->protocol($3||'HTTP/1.0');
 clean_uri($request->uri);
- if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
- sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+ if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+ sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
 return 1; # next REQUEST
 }
 return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
diff -Nru apt-cacher-1.7.14/debian/changelog apt-cacher-1.7.15/debian/changelog
--- apt-cacher-1.7.14/debian/changelog 2017-01-08 11:37:20.000000000 +0100
+++ apt-cacher-1.7.15/debian/changelog 2017-03-21 10:52:04.000000000 +0100
@@ -1,3 +1,9 @@
+apt-cacher (1.7.15) unstable; urgency=medium
+
+ * Prevent HTTP response splitting with encoded newlines in request.
+
+ -- Mark Hindley <m...@hindley.org.uk> Tue, 21 Mar 2017 09:52:04 +0000
+
 apt-cacher (1.7.14) unstable; urgency=medium
 * Update to debhelper compatibility 9.
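Review bot: The rejected URI is still concatenated into the 403 status line in the added `sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri))`, so request-controlled text continues to flow into the reason phrase that this check exists to protect, and the protection is only as complete as the regex. A fixed reason phrase with the offending URI going only to the log removes that dependency, e.g. `sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI'));` alongside the existing logging. The `%0[ad]` alternative under `/i` covers single-percent-encoded CR and LF, but it cannot be seen from the hunk whether the URI is decoded again downstream of this point, so a comment such as `# URI must be fully decoded before this check; %0[ad] only catches one encoding layer` would record the assumption the check relies on. The enclosing subroutine starts and ends outside the hunk.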