CVE-2017-7443

Name	CVE-2017-7443
Description	apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-873-1
Debian Bugs	858739, 858833

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apt-cacher (PTS)	jessie	1.7.10+deb8u2	fixed
	stretch	1.7.13+deb9u1	fixed
	buster	1.7.20.1	fixed
	bullseye	1.7.22	fixed
	bookworm	1.7.29	fixed
	sid, trixie	1.7.30	fixed
apt-cacher-ng (PTS)	jessie	0.8.0-3	vulnerable
	stretch	2-2	fixed
	buster	3.2.1-1	fixed
	bullseye	3.6.4-1	fixed
	bookworm	3.7.4-1	fixed
	sid, trixie	3.7.5-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
apt-cacher	source	wheezy	1.7.6+deb7u1	DLA-873-1
apt-cacher	source	jessie	1.7.10+deb8u1
apt-cacher	source	stretch	1.7.13+deb9u1
apt-cacher	source	buster	1.7.13+deb9u1
apt-cacher	source	(unstable)	1.7.15		858739
apt-cacher-ng	source	stretch	2-2
apt-cacher-ng	source	buster	2-2
apt-cacher-ng	source	(unstable)	3-1		858833

[jessie] - apt-cacher-ng <no-dsa> (Minor issue)
[wheezy] - apt-cacher-ng <no-dsa> (Minor issue)