CVE-2017-7443

Name: CVE-2017-7443
Description: apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-873-1
NVD severity: medium
Debian Bugs: 858739, 858833

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release           Version        Status
apt-cacher (PTS)     stretch           1.7.13+deb9u1  fixed
                     bullseye, buster  1.7.20.1       fixed
                     sid               1.7.21         fixed
apt-cacher-ng (PTS)  stretch           2-2            fixed
                     buster            3.2.1-1        fixed
                     bullseye, sid     3.5-1          fixed

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version  Urgency  Origin     Debian Bugs
apt-cacher     source  wheezy      1.7.6+deb7u1            DLA-873-1
apt-cacher     source  jessie      1.7.10+deb8u1
apt-cacher     source  stretch     1.7.13+deb9u1
apt-cacher     source  buster      1.7.13+deb9u1
apt-cacher     source  (unstable)  1.7.15                             858739
apt-cacher-ng  source  stretch     2-2
apt-cacher-ng  source  buster      2-2
apt-cacher-ng  source  (unstable)  3-1                                858833

Notes

[jessie] - apt-cacher-ng <no-dsa> (Minor issue)
[wheezy] - apt-cacher-ng <no-dsa> (Minor issue)
