Dear security team,

tl;dr: Should I upload to jessie-security or to jessie-pu?

sitesummary (0.1.17+deb8u2) was uploaded and accepted into jessie-security (without a DSA) to fix #852623, which was caused by DSA-3796-1 for apache2, and which completely broke sitesummary. Sadly that version of sitesummary was also affected by #823688, which breaks sitesummary upgrades, thus the fix for #852623 in jessie-security never reached our users :/

Thus I have prepared 0.1.17+deb8u2 now, fixing #823688, thus also+finally fixing #852623. The only question is: Should I upload to jessie-security or to jessie (so that it gets included in the next point release)?

Adam Barratt asked me to ask you and it's entirely my fault to only ask today and not 5 days ago. That said, I'd appreciate a quick answer as the window for the next point release closes this weekend and I'd really like to see sitesummary finally fixed in jessie. :)

Oh, the debdiffs are rather trivial:

This is what I want to upload now: (happy to change that to jessie-security instead or upload as it is…)

$ debdiff sitesummary_0.1.17+deb8u2.dsc sitesummary_0.1.17+deb8u3.dsc diff -Nru sitesummary-0.1.17+deb8u2/debian/changelog sitesummary-0.1.17+deb8u3/debian/changelog --- sitesummary-0.1.17+deb8u2/debian/changelog 2017-03-18 15:26:13.000000000 +0100 +++ sitesummary-0.1.17+deb8u3/debian/changelog 2017-04-21 19:46:46.000000000 +0200 
@@ -1,3 +1,11 @@ +sitesummary (0.1.17+deb8u3) jessie; urgency=medium + + [ Wolfgang Schweer ] + * Fix d/sitesummary.prerm and provide mandatory facilities. Cherrypicked from + commit 3cff262 (master branch / 0.1.21 release). (Closes: #823688). + + -- Holger Levsen <holger@debian.org> Fri, 21 Apr 2017 19:46:35 +0200 + sitesummary (0.1.17+deb8u2) jessie-security; urgency=high * Backport RC fix from unstable. diff -Nru sitesummary-0.1.17+deb8u2/debian/sitesummary.prerm sitesummary-0.1.17+deb8u3/debian/sitesummary.prerm --- sitesummary-0.1.17+deb8u2/debian/sitesummary.prerm 2017-03-18 15:24:14.000000000 +0100 +++ sitesummary-0.1.17+deb8u3/debian/sitesummary.prerm 2017-04-21 19:37:27.000000000 +0200 @@ -12,6 +12,9 @@ apache2_invoke disconf sitesummary.conf fi ;; + deconfigure|upgrade|failed-upgrade) + : + ;; *) echo "prerm called with unknown argument \`$1'" >&2 exit 1 and this is the fix which is still not available to jessie users: $ debdiff sitesummary_0.1.17+deb8u1.dsc sitesummary_0.1.17+deb8u2.dsc diff -Nru sitesummary-0.1.17+deb8u1/debian/changelog sitesummary-0.1.17+deb8u2/debian/changelog --- sitesummary-0.1.17+deb8u1/debian/changelog 2016-02-20 15:24:11.000000000 +0100 +++ sitesummary-0.1.17+deb8u2/debian/changelog 2017-03-18 15:26:13.000000000 +0100 @@ -1,3 +1,13 @@ +sitesummary (0.1.17+deb8u2) jessie-security; urgency=high + + * Backport RC fix from unstable. + + [ Wolfgang Schweer ] + * Adjust sitesummary-upload to use CRLF (\r\n) line endings to be compliant + with apache 2.4.25 security fixes for HTTP requests. (Closes: #852623). + + -- Holger Levsen <holger@debian.org> Sat, 18 Mar 2017 15:26:10 +0100 + sitesummary (0.1.17+deb8u1) jessie; urgency=medium * Backport RC fixes from unstable. diff -Nru sitesummary-0.1.17+deb8u1/sitesummary-upload sitesummary-0.1.17+deb8u2/sitesummary-upload --- sitesummary-0.1.17+deb8u1/sitesummary-upload 2014-03-31 21:58:06.000000000 +0200 +++ sitesummary-0.1.17+deb8u2/sitesummary-upload 2017-03-18 15:24:19.000000000 +0100 
@@ -78,15 +78,13 @@ my $formlen = length($form); #Send data -print $remote <<"EOF"; -POST $submiturl HTTP/1.1 -User-Agent: sitesummary-upload -Host: $host -content-type: multipart/form-data; boundary=$boundary -content-length: $formlen - -$form -EOF +print $remote "POST $submiturl HTTP/1.1\r\n"; +print $remote "User-Agent: sitesummary-upload\r\n"; +print $remote "Host: $host\r\n"; +print $remote "Content-Type: multipart/form-data; boundary=$boundary\r\n"; +print $remote "Content-Length: $formlen\r\n"; +print $remote "\r\n"; +print $remote "$form"; #Get answer my($answer)=""; -- cheers, Holger
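Review bot: in the sitesummary.prerm hunk, the new `deconfigure|upgrade|failed-upgrade)` case is what keeps the `*)` branch from exiting 1 on the prerm arguments dpkg passes during an upgrade, so leaving it as a no-op (`:`) is the right shape: `apache2_invoke disconf sitesummary.conf` must stay confined to the `remove` case in the context above, otherwise every upgrade would disable the Apache configuration. Worth confirming the `remove)` case is still the only path that reaches `apache2_invoke`.

Review bot: in the sitesummary-upload hunk, the CRLF request line and headers address the stricter request parsing that the apache 2.4.25 DSA introduced, but `Content-Length: $formlen` still comes from the unchanged context line `my $formlen = length($form);`, which counts characters rather than bytes if `$form` ever holds decoded (wide-character) text; a strict server will then read too little or too much body. Either ensure `$form` is a byte string or compute the length under `use bytes` or after `Encode::encode`. The body itself is not touched by this hunk, so also check that the multipart boundaries inside `$form` are built with CRLF delimiters, which the server needs to split the parts.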