| Field | Value |
|---|---|
| Summary | www-servers/pound-3.0: HTTP request smuggling (CVE-2018-21245) |
| Product | Gentoo Security |
| Reporter | Sam James <sam> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | maintainer-needed |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Flags | nattka: sanity-check+ |
| Hardware | All |
| OS | Linux |
| URL | https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html |
| See Also | https://github.com/gentoo/gentoo/pull/20781, https://github.com/gentoo/gentoo/pull/21665 |
| Whiteboard | B4 [noglsa] |
| Package list | www-servers/pound-3.0, dev-libs/nanomsg-1.1.5 |
| Runtime testing required | --- |
| Bug Depends on | 674064, 789996 |
| Bug Blocks | |
Cannot bump to new 2.8 due to bug 674064. 2.8 has not fixed this.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de8c0aabbe0f74a15532360925f69d4f2ffdb373

commit de8c0aabbe0f74a15532360925f69d4f2ffdb373
Author: Marco Scardovi <marco@scardovi.com>
AuthorDate: 2021-05-12 04:42:45 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-05-12 07:43:37 +0000

www-servers/pound: bump to 3.0, various changes

Bump to version 3.0
Unfortunately this release drops support for alpha, hppa, ppc and sparc because a required dep (dev-libs/nanomsg) is not supported for these architectures.

Bug: https://bugs.gentoo.org/714084
Closes: https://bugs.gentoo.org/657942
Closes: https://bugs.gentoo.org/527278
Closes: https://bugs.gentoo.org/657946
Closes: https://bugs.gentoo.org/674064
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Marco Scardovi <marco@scardovi.com>
Closes: https://github.com/gentoo/gentoo/pull/20781
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

www-servers/pound/Manifest | 1 +
www-servers/pound/files/pound-2.2.cfg | 1 -
www-servers/pound/pound-3.0.ebuild | 55 +++++++++++++++++++++++++++++++++++
3 files changed, 56 insertions(+), 1 deletion(-)

Thanks, please let us know when ready to stable.

Does nanomsg lack support or just need rekeywording?

Sanity check failed:
> www-servers/pound-3.0
> depend x86 stable profile default/linux/x86/17.0 (11 total)
> dev-libs/nanomsg:=
> rdepend x86 stable profile default/linux/x86/17.0 (11 total)
> dev-libs/nanomsg:=
amd64 done

x86 done

all arches done. Please cleanup.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd7de89934908232803a762b75099f76b1cfa48

commit bbd7de89934908232803a762b75099f76b1cfa48
Author: Marco Scardovi <marco@scardovi.com>
AuthorDate: 2021-07-15 21:30:35 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-15 21:55:27 +0000

www-servers/pound: drop old version

Closes: https://bugs.gentoo.org/714084
Package-Manager: Portage-3.0.20, Repoman-3.0.3
Signed-off-by: Marco Scardovi <marco@scardovi.com>
Closes: https://github.com/gentoo/gentoo/pull/21665
Signed-off-by: John Helmert III <ajak@gentoo.org>

www-servers/pound/Manifest | 1 -
www-servers/pound/pound-2.7f-r1.ebuild | 50 ----------------------------------
2 files changed, 51 deletions(-)

Whoops, even I missed the wrong tag. Scardracs: note that security bugs get closed by the security team. Thanks!

No GLSA for almost a year, suggest to close this.

Low impact and no reverse dependencies, no GLSA.
Fixed in Pound 2.8:

> ...
> - fixed potential request smuggling via fudged headers