[Pkg-erlang-commits] r1803 - in yaws/trunk/debian: . patches
sgolovan at alioth.debian.org
Tue Jul 26 10:59:47 UTC 2016
Author: sgolovan
Date: 2016-07-26 10:59:47 +0000 (Tue, 26 Jul 2016)
New Revision: 1803
Added:
yaws/trunk/debian/patches/CVE-2016-1000108.diff
Modified:
yaws/trunk/debian/changelog
yaws/trunk/debian/patches/series
yaws/trunk/debian/rules
Log:
[yaws]
* Applied a patch from upstream to fix CVE-2016-1000108 (passing the
HTTP_PROXY environment variable to CGI scripts). Closes: #832433.
* Finally fixed the paths of run_erl and to_erl utilities in the
/usr/bin/yaws script.
Modified: yaws/trunk/debian/changelog
===================================================================
--- yaws/trunk/debian/changelog 2016-07-26 04:41:25 UTC (rev 1802)
+++ yaws/trunk/debian/changelog 2016-07-26 10:59:47 UTC (rev 1803)
@@ -1,8 +1,11 @@
-yaws (2.0.3-2) UNRELEASED; urgency=medium
+yaws (2.0.3-2) unstable; urgency=medium
- * NOT RELEASED YET
+ * Applied a patch from upstream to fix CVE-2016-1000108 (passing the
+ HTTP_PROXY environment variable to CGI scripts). Closes: #832433.
+ * Finally fixed the paths of run_erl and to_erl utilities in the
+ /usr/bin/yaws script.
- -- Sergei Golovan <sgolovan at debian.org> Sun, 03 Jul 2016 15:41:12 +0300
+ -- Sergei Golovan <sgolovan at debian.org> Tue, 26 Jul 2016 13:48:07 +0300
yaws (2.0.3-1) unstable; urgency=medium
Added: yaws/trunk/debian/patches/CVE-2016-1000108.diff
===================================================================
--- yaws/trunk/debian/patches/CVE-2016-1000108.diff (rev 0)
+++ yaws/trunk/debian/patches/CVE-2016-1000108.diff 2016-07-26 10:59:47 UTC (rev 1803)
@@ -0,0 +1,34 @@
+From: Klacke Wikstrom <cwikstro at cisco.com>
+Date: Mon, 25 Jul 2016 12:46:30 +0200
+Subject: [PATCH] Security flaw http://httpoxy.org/ fixed A security flaw with
+ HTTP_PROXY fixed. When we now construct the cgi env variables, we just skip
+ the Proxy header. Reported by dominic at varspool.com.
+ CVE-2016-1000108
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832433
+
+--- a/src/yaws_cgi.erl
++++ b/src/yaws_cgi.erl
+@@ -368,11 +368,21 @@ build_env(Arg, Scriptfilename, Pathinfo, ExtraEnv, SC) ->
+ {"HTTP_IF_NONE_MATCH", H#headers.if_none_match},
+ {"HTTP_IF_UNMODIFIED_SINCE", H#headers.if_unmodified_since},
+ {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
+- ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
+- H#headers.other)
++ ]++ other_headers(H#headers.other)
+ )) ++
+ Extra_CGI_Vars.
+
++other_headers(Headers) ->
++ lists:zf(fun({http_header,_,Var,_,Val}) ->
++ case tohttp(Var) of
++ "HTTP_PROXY" ->
++ %% See http://httpoxy.org/
++ false;
++ HTTP ->
++ {true, {HTTP,Val}}
++ end
++ end, Headers).
++
+ tohttp(X) ->
+ "HTTP_"++lists:map(fun tohttp_c/1, yaws:to_list(X)).
+
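Review bot: the `"HTTP_PROXY"` match in other_headers/1 is applied to the output of tohttp/1 rather than to the raw header name, which is the right place for it, but whether `proxy` / `PROXY` variants are also dropped depends on tohttp_c/1 upper-casing letters, and that helper is outside this hunk, so it is worth confirming before relying on the fix. The clause would also read better with the reason spelled out next to it, e.g. `%% Drop the client-supplied Proxy header so it cannot become HTTP_PROXY in the CGI environment (httpoxy)`. Separately, the DEP-3 `Subject:` line reads as two sentences run together ("... fixed A security flaw with HTTP_PROXY fixed"); consider tidying it.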
Modified: yaws/trunk/debian/patches/series
===================================================================
--- yaws/trunk/debian/patches/series 2016-07-26 04:41:25 UTC (rev 1802)
+++ yaws/trunk/debian/patches/series 2016-07-26 10:59:47 UTC (rev 1803)
@@ -1 +1,2 @@
r18.diff
+CVE-2016-1000108.diff
Modified: yaws/trunk/debian/rules
===================================================================
--- yaws/trunk/debian/rules 2016-07-26 04:41:25 UTC (rev 1802)
+++ yaws/trunk/debian/rules 2016-07-26 10:59:47 UTC (rev 1803)
@@ -135,7 +135,7 @@
chmod a-x $(TMPDIR)/var/yaws/www/testdir/index.html
#
# Fix run_erl and to_erl paths.
- sed -e 's:/lib/erlang/erts-[\d.]*/:/:g' $(TMPDIR)/usr/bin/yaws
+ sed -i -e 's:/lib/erlang/erts-[0-9.]*/:/:g' $(TMPDIR)/usr/bin/yaws
#
# Fix permissions of application files
find $(TMPDIR)/var/yaws -type f -exec chmod a-x \{\} \;
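Review bot: the old sed line had two defects that the new one fixes together, which explains why the paths were never rewritten before: without `-i` sed wrote the result to stdout and left $(TMPDIR)/usr/bin/yaws untouched, and inside a bracket expression `\d` matches a literal backslash or `d`, not a digit, so `[0-9.]` is needed. A cheap guard after the sed would catch a regression in either direction, e.g. `! grep -q '/lib/erlang/erts-' $(TMPDIR)/usr/bin/yaws`, so the build fails if the erts path survives.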