[Pkg-erlang-commits] r1806 - in yaws/branches/jessie/debian: . patches
sgolovan at alioth.debian.org
Sun Jul 31 04:16:07 UTC 2016
Author: sgolovan
Date: 2016-07-31 04:16:06 +0000 (Sun, 31 Jul 2016)
New Revision: 1806
Added:
yaws/branches/jessie/debian/patches/CVE-2016-1000108.diff
Modified:
yaws/branches/jessie/debian/changelog
yaws/branches/jessie/debian/patches/series
Log:
[yaws]
* Applied a patch from upstream to fix CVE-2016-1000108 (passing HTTP_PROXY
Modified: yaws/branches/jessie/debian/changelog
===================================================================
--- yaws/branches/jessie/debian/changelog 2016-07-26 11:05:35 UTC (rev 1805)
+++ yaws/branches/jessie/debian/changelog 2016-07-31 04:16:06 UTC (rev 1806)
@@ -1,3 +1,10 @@
+yaws (1.98-4+deb8u1) jessie; urgency=low
+
+ * Applied a patch from upstream to fix CVE-2016-1000108 (passing HTTP_PROXY
+ to CGI scripts). Closes: #832433.
+
+ -- Sergei Golovan <sgolovan at debian.org> Tue, 26 Jul 2016 07:47:24 +0300
+
yaws (1.98-4) unstable; urgency=low
* Switched to the well-known logrotate tool to rotate the YAWS log files
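Review bot: the new changelog entry (first added line) keeps urgency=low, which reads oddly for a stable update whose only change is a CVE fix; a security fix for jessie would normally carry urgency=medium or higher so the upload is prioritised. The entry itself is fine: it names CVE-2016-1000108, describes the issue (HTTP_PROXY passed to CGI scripts) and closes #832433.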
Added: yaws/branches/jessie/debian/patches/CVE-2016-1000108.diff
===================================================================
--- yaws/branches/jessie/debian/patches/CVE-2016-1000108.diff (rev 0)
+++ yaws/branches/jessie/debian/patches/CVE-2016-1000108.diff 2016-07-31 04:16:06 UTC (rev 1806)
@@ -0,0 +1,34 @@
+From: Klacke Wikstrom <cwikstro at cisco.com>
+Date: Mon, 25 Jul 2016 12:46:30 +0200
+Subject: [PATCH] Security flaw http://httpoxy.org/ fixed A security flaw with
+ HTTP_PROXY fixed. When we now construct the cgi env variables, we just skip
+ the Proxy header. Reported by dominic at varspool.com.
+ CVE-2016-1000108
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832433
+
+--- a/src/yaws_cgi.erl
++++ b/src/yaws_cgi.erl
+@@ -368,11 +368,21 @@ build_env(Arg, Scriptfilename, Pathinfo, ExtraEnv, SC) ->
+ {"HTTP_IF_NONE_MATCH", H#headers.if_none_match},
+ {"HTTP_IF_UNMODIFIED_SINCE", H#headers.if_unmodified_since},
+ {"HTTP_COOKIE", flatten_val(make_cookie_val(H#headers.cookie))}
+- ]++lists:map(fun({http_header,_,Var,_,Val})->{tohttp(Var),Val} end,
+- H#headers.other)
++ ]++ other_headers(H#headers.other)
+ )) ++
+ Extra_CGI_Vars.
+
++other_headers(Headers) ->
++ lists:zf(fun({http_header,_,Var,_,Val}) ->
++ case tohttp(Var) of
++ "HTTP_PROXY" ->
++ %% See http://httpoxy.org/
++ false;
++ HTTP ->
++ {true, {HTTP,Val}}
++ end
++ end, Headers).
++
+ tohttp(X) ->
+ "HTTP_"++lists:map(fun tohttp_c/1, yaws:to_list(X)).
+
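Review bot: other_headers/1 in the inner hunk drops a header only when tohttp(Var) returns exactly "HTTP_PROXY", so whether a client-supplied Proxy header is filtered for every casing ("proxy", "PROXY", "Proxy") depends on tohttp_c/1 uppercasing and mapping '-' to '_'; tohttp_c/1 is not in this hunk, so that behaviour should be confirmed in src/yaws_cgi.erl before the patch is accepted. Style: lists:zf/2 is the undocumented alias of lists:filtermap/2, which would be the clearer call here. The DEP-3 header also needs tidying: the Subject line runs two sentences together ("Security flaw http://httpoxy.org/ fixed A security flaw with HTTP_PROXY fixed"), and there is no Origin: field recording where the upstream commit came from; adding `Origin: upstream, <upstream commit reference>` alongside the existing Bug-Debian line would help the next maintainer trace it.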
Modified: yaws/branches/jessie/debian/patches/series
===================================================================
--- yaws/branches/jessie/debian/patches/series 2016-07-26 11:05:35 UTC (rev 1805)
+++ yaws/branches/jessie/debian/patches/series 2016-07-31 04:16:06 UTC (rev 1806)
@@ -2,3 +2,4 @@
gnu.diff
docs.diff
m32m64.diff
+CVE-2016-1000108.diff