CVE-2017-7443

Name: CVE-2017-7443
Description: apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-873-1
NVD severity: medium (attack range: remote)
Debian Bugs: 858739, 858833

Vulnerable and fixed packages

The table below lists information on source packages.

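| Source Package | Release | Version | Status |
|---|---|---|---|
| apt-cacher (PTS) | jessie | 1.7.10+deb8u2 | fixed |
| apt-cacher | stretch | 1.7.13+deb9u1 | fixed |
| apt-cacher | buster, sid | 1.7.19 | fixed |
| apt-cacher-ng (PTS) | jessie | 0.8.0-3 | vulnerable |
| apt-cacher-ng | stretch | 2-2 | fixed |
| apt-cacher-ng | buster, sid | 3.2-1 | fixed |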

The information below is based on the following data on fixed versions.

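| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apt-cacher | source | (unstable) | 1.7.15 | medium | | 858739 |
| apt-cacher | source | buster | 1.7.13+deb9u1 | medium | | |
| apt-cacher | source | jessie | 1.7.10+deb8u1 | medium | | |
| apt-cacher | source | stretch | 1.7.13+deb9u1 | medium | | |
| apt-cacher | source | wheezy | 1.7.6+deb7u1 | medium | DLA-873-1 | |
| apt-cacher-ng | source | (unstable) | 3-1 | medium | | 858833 |
| apt-cacher-ng | source | buster | 2-2 | medium | | |
| apt-cacher-ng | source | stretch | 2-2 | medium | | |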

Notes

[jessie] - apt-cacher-ng <no-dsa> (Minor issue)
[wheezy] - apt-cacher-ng <no-dsa> (Minor issue)
