Hi Ola, On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote: > the Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of apache2: > https://security-tracker.debian.org/tracker/CVE-2016-8743 > > Would you like to take care of this yourself?
The fix for that is very invasive and may well break some things. I would wait with a backport until the fix has seen more exposure, both upstream and in stretch (the fix will migrate from sid in a few days). Also, there is some work upstream to get the changes backported to 2.2 in a separate 2.2.x-merge-http-strict branch [1]. But it has not landed in the 2.2.x branch, yet. I will share with you any insights I get from backporting the changes to jessie. But it is somewhat unlikely that I will have time to do the backport to wheezy myself. Cheers, Stefan [1] https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/
