SECURITY UPDATE: content injection in http method (CVE-2019-3462)

This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:

(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
    \n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
    sending them out), writting something like
    somewhere\n
    <headers>
    into its output
(3) apt then uses the headers injected for validation purposes.

Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353
(cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b)

0 files changed, 0 insertions, 0 deletions