CVE-2017-7443

NameCVE-2017-7443
Descriptionapt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-873-1
Debian Bugs858739, 858833

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apt-cacher (PTS)buster1.7.20.1fixed
bullseye1.7.22fixed
bookworm1.7.29fixed
sid, trixie1.7.30fixed
apt-cacher-ng (PTS)buster3.2.1-1fixed
bullseye3.6.4-1fixed
sid, trixie, bookworm3.7.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apt-cachersourcewheezy1.7.6+deb7u1DLA-873-1
apt-cachersourcejessie1.7.10+deb8u1
apt-cachersourcestretch1.7.13+deb9u1
apt-cachersourcebuster1.7.13+deb9u1
apt-cachersource(unstable)1.7.15858739
apt-cacher-ngsourcestretch2-2
apt-cacher-ngsourcebuster2-2
apt-cacher-ngsource(unstable)3-1858833

Notes

[jessie] - apt-cacher-ng <no-dsa> (Minor issue)
[wheezy] - apt-cacher-ng <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems