Hi Stefan,

I think it is a wise move to wait with the update until it has got some more testing. I'm not very surprised that it is invasive. This is also the reason I sent a little note that extra care should be taken on this new configuration option. I should have mentioned that it could be an invasive change too.

I have updated the security tracker and dla-needed.txt file with your information.

Best regards

// Ola

On 28 December 2016 at 17:15, Guido Günther <a...@sigxcpu.org> wrote:
> Hi Stefan,
>
> On Wed, Dec 28, 2016 at 03:44:25PM +0100, Stefan Fritsch wrote:
>> Hi Ola,
>>
>> On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote:
>> > the Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of apache2:
>> > https://security-tracker.debian.org/tracker/CVE-2016-8743
>> >
>> > Would you like to take care of this yourself?
>>
>> The fix for that is very invasive and may well break some things. I would
>> wait with a backport until the fix has seen more exposure, both upstream
>> and in stretch (the fix will migrate from sid in a few days).
>>
>> Also, there is some work upstream to get the changes backported to 2.2 in a
>> separate 2.2.x-merge-http-strict branch [1]. But it has not landed in the
>> 2.2.x branch, yet.
>>
>> I will share with you any insights I get from backporting the changes to
>> jessie. But it is somewhat unlikely that I will have time to do the backport
>> to wheezy myself.
>
> I was about to start with this fix for apache2 but if upstream prepares
> a separate branch I'll gladly pick another package for the moment.
> Thanks for the update and please keep us in the loop for any further
> progress either upstream or with a port for jessie.
> Cheers,
>  -- Guido
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------