714084 – (CVE-2018-21245) <www-servers/pound-3.0: HTTP request smuggling (CVE-2018-21245)

Bug 714084 (CVE-2018-21245) - <www-servers/pound-3.0: HTTP request smuggling (CVE-2018-21245)

Summary: <www-servers/pound-3.0: HTTP request smuggling (CVE-2018-21245)

Status:	RESOLVED FIXED

Alias:	CVE-2018-21245

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://admin.hostpoint.ch/pipermail/...
Whiteboard:	B4 [noglsa]
Keywords:	PullRequest

Depends on:	674064 789996
Blocks:
	Show dependency tree

Reported:	2020-03-23 16:05 UTC by Sam James
Modified:	2023-01-09 19:37 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/20781 https://github.com/gentoo/gentoo/pull/21665
Package list:	www-servers/pound-3.0 dev-libs/nanomsg-1.1.5
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-03-23 16:05:17 UTC

Fixed in Pound 2.8:
> ...
>- fixed potential request smuggling via fudged headers

Comment 1 Sam James archtester

2020-03-24 00:03:51 UTC

Cannot bump to new 2.8 due to bug 674064. 2.8 has not fixed this.

Comment 2 Larry the Git Cow gentoo-dev

2021-05-12 07:45:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=de8c0aabbe0f74a15532360925f69d4f2ffdb373

commit de8c0aabbe0f74a15532360925f69d4f2ffdb373
Author:     Marco Scardovi <marco@scardovi.com>
AuthorDate: 2021-05-12 04:42:45 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-05-12 07:43:37 +0000

    www-servers/pound: bump to 3.0, various changes
    
    Bump to version 3.0
    
    Unfortunately this release drop support for alpha, hppa,
    ppc and sparc because a required dep (dev-libs/nanomsg)
    is not supported for these architectures.
    
    Bug: https://bugs.gentoo.org/714084
    Closes: https://bugs.gentoo.org/657942
    Closes: https://bugs.gentoo.org/527278
    Closes: https://bugs.gentoo.org/657946
    Closes: https://bugs.gentoo.org/674064
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Marco Scardovi <marco@scardovi.com>
    Closes: https://github.com/gentoo/gentoo/pull/20781
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-servers/pound/Manifest            |  1 +
 www-servers/pound/files/pound-2.2.cfg |  1 -
 www-servers/pound/pound-3.0.ebuild    | 55 +++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)

Comment 3 John Helmert III archtester

2021-05-13 14:27:41 UTC

Thanks, please let us know when ready to stable.

Comment 4 Sam James archtester

2021-05-13 14:28:47 UTC

Does nanomsg lack support or just need rekeywording?

Comment 5 NATTkA bot gentoo-dev

2021-05-13 14:32:35 UTC Comment hidden (obsolete)

Sanity check failed:

> www-servers/pound-3.0
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     dev-libs/nanomsg:=
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     dev-libs/nanomsg:=

Comment 6 NATTkA bot gentoo-dev

2021-06-11 17:56:34 UTC Comment hidden (obsolete)

Sanity check failed:

> www-servers/pound-3.0
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     dev-libs/nanomsg:=
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     dev-libs/nanomsg:=

Comment 7 Sam James archtester

2021-06-17 20:18:29 UTC

amd64 done

Comment 8 Sam James archtester

2021-06-17 20:19:56 UTC

x86 done

all arches done

Comment 9 John Helmert III archtester

2021-06-17 20:25:56 UTC

Please cleanup.

Comment 10 Larry the Git Cow gentoo-dev

2021-07-15 22:00:19 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd7de89934908232803a762b75099f76b1cfa48

commit bbd7de89934908232803a762b75099f76b1cfa48
Author:     Marco Scardovi <marco@scardovi.com>
AuthorDate: 2021-07-15 21:30:35 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-15 21:55:27 +0000

    www-servers/pound: drop old version
    
    Closes: https://bugs.gentoo.org/714084
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Marco Scardovi <marco@scardovi.com>
    Closes: https://github.com/gentoo/gentoo/pull/21665
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-servers/pound/Manifest             |  1 -
 www-servers/pound/pound-2.7f-r1.ebuild | 50 ----------------------------------
 2 files changed, 51 deletions(-)

Comment 11 John Helmert III archtester

2021-07-15 22:03:41 UTC

Whoops, even I missed the wrong tag. Scardracs: note that security bugs get closed by the security team. Thanks!

Comment 12 Federico Justus Denkena 2022-06-14 18:35:46 UTC

No glsa for almost a year, suggest to close this.

Comment 13 John Helmert III archtester

2023-01-09 19:37:09 UTC

Low impact and no reverse dependencies, no GLSA.