To fix CVE-2019-12523 the urlParse function had to be updated to use the
new SBuf API for better access checks. However at one point in time
upstream did no longer used this function to parse icap headers and
simply copied an already known url. I have attached the
CVE-2019-12523.patch. You can just replace it with the old one. If
everything works as expected I will upload this change as +deb9u3 shortly.
I was about to read code for latest 2 included patches and @ahasenack warned me about:
https:/ /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 965012
with current status:
"""
Hello Andreas,
thanks for your patience. I believe I have found the underlying problem. icap/ModXact. cc and HttpMsg.cc.
It is a parsing issue in src/adaptation/
2020/07/28 09:55:14.614 kid1| 58,3| HttpMsg.cc(184) parse: 127.0.0. 1:1344/ virus_scan ICAP/1.0
HttpMsg::parse: cannot parse isolated headers in 'OPTIONS
icap://
To fix CVE-2019-12523 the urlParse function had to be updated to use the 12523.patch. You can just replace it with the old one. If
new SBuf API for better access checks. However at one point in time
upstream did no longer used this function to parse icap headers and
simply copied an already known url. I have attached the
CVE-2019-
everything works as expected I will upload this change as +deb9u3 shortly.
Regards,
Markus
"""