[Bug 1838771] Re: http:Fix Host header in proxied https connections
Launchpad Bug Tracker
1838771 at bugs.launchpad.net
Thu Sep 12 12:13:46 UTC 2019
This bug was fixed in the package apt - 1.8.3
---------------
apt (1.8.3) unstable; urgency=medium
[ Simon Körner ]
* http: Fix Host header in proxied https connections (LP: #1838771)
[ Brian Murray ]
* Do not include squashfs file systems in df output. (LP: #1756595)
apt (1.8.2) unstable; urgency=medium
[ Alwin Henseler ]
* Flip /: in documented default value of DPkg::Path (Closes: #917986)
[ TilmanK ]
* Fix typo in German manpage translation
[ Américo Monteiro ]
* Portuguese manpages translation update (Closes: #926614)
[ Jean-Pierre Giraud ]
* French manpages translation update (Closes: #929290)
[ Michael Zhivich ]
* methods: https: handle requests for TLS re-handshake (LP: #1829861)
[ Julian Andres Klode ]
* Unlock dpkg locks in reverse locking order (LP: #1829860)
-- Julian Andres Klode <juliank at ubuntu.com> Fri, 09 Aug 2019 11:16:15
+0200
** Changed in: apt (Ubuntu Disco)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1838771
Title:
http:Fix Host header in proxied https connections
Status in apt package in Ubuntu:
Fix Released
Status in apt source package in Bionic:
Fix Released
Status in apt source package in Disco:
Fix Released
Bug description:
[Impact]
Currently CONNECT requests use the name of the proxy as Host value,
instead of the origin server's name.
According to RFC 2616 "The Host field value MUST represent the naming
authority of the origin server or gateway given by the original URL."
The current implementation causes problems with some proxy vendors. This
commit[0] fixes this.
[0] - https://salsa.debian.org/apt-
team/apt/commit/86d4d98060f36c7e71c34af20a1193a75496ef72#54d3193c5d10a0032c80c3a6d3f069507265547f
[Test Case]
Here's one reproducer an impacted user brought to my attention:
# /etc/environment
http_proxy="http://internal:8080"
https_proxy="http://interal:8080"
To support application development activities in-house, I had to
configure Azure CLI APT repository following the instructions from
"https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view
=azure-cli-latest":
$ sudo apt-get update
$ sudo apt-get install curl apt-transport-https lsb-release gnupg
$ curl -sL https://packages.microsoft.com/keys/microsoft.asc | \
$ gpg --dearmor | \
$ sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg > /dev/null
$ AZ_REPO=$(lsb_release -cs)
$ echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $ $ AZ_REPO main" | \
$ sudo tee /etc/apt/sources.list.d/azure-cli.list
$ sudo apt update
In the final "apt update" command, APT respects system-wide network
proxy variables and successfully fetched Canonical repository data
over HTTP.
However, it was unable to fetch the newly added Microsoft packages
repository served via HTTPS.
By using Wireshark to examine the HTTPS request made by APT, the
request body reveals as:
CONNECT packages.microsoft.com:443 HTTP/1.1\r\n
Host: internal:8080\r\n
User-Agent: Debian APT-HTTP/1.3 (1.6.11)\r\n
...
...
There also is an automated test case in the package that runs as part
of autopkgtest that tests a scenario like this, see the commit.
[Regression Potential]
* Fix already in debian, and Eoan
* Has been reviewed/approved by juliank
* A test package (pre-sru) has been provided to an impacted user, and he confirms it solves the situation.
[Other Info]
# salsa
$ git describe --contains 86d4d98060f36c7e71c34af20a1193a75496ef72
1.9.0~8
# rmadison apt
=> apt | 1.6.11 | bionic-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x
=> apt | 1.8.1 | disco-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x
apt | 1.9.1 | eoan | source, amd64, arm64, armhf, i386, ppc64el, s390x
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1838771/+subscriptions
More information about the foundations-bugs
mailing list