Hello fellow DDs,
I was redirected here by Moritz:
-------- Forwarded Message --------
Subject: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?
Date: Thu, 20 Apr 2023 12:05:19 +0200
From: Philipp Hahn <h...@univention.de>
Organization: Univention GmbH
To: t...@security.debian.org, Raphael Hertzog <raph...@freexian.com>
CC: Salvatore Bonaccorso <car...@debian.org>, Debian Apache
Maintainers <debian-apa...@lists.debian.org>
Hello fellow DDs,
sorry for wasting your valuable time, but
<https://security-tracker.debian.org/tracker/CVE-2023-25690> lists
"2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable.
Are there any plans to back-port the change to that older version, e.g.
- Debian-10-Buster Security
- Debian-9-Stretch ELTS (Freexian)
If this is already some work-in-progress maybe you can share some
information on the progress and if there is an estimated time frame.
According to my own research
<https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff>
and
<https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0>
apply cleanly also to both 2.4.25-3+deb9u14 and 2.4.38-3+deb10u9. Ubuntu
seems to go with just these two commits:
<https://ubuntu.com/security/CVE-2023-25690>
Thank you for your work and time
--
Philipp Hahn
Open Source Software Engineer
Univention GmbH
be open.
Mary-Somerville-Str. 1
D-28359 Bremen
📞 +49-421-22232-57
🖶 +49-421-22232-99
✉️ h...@univention.de
🌐 https://www.univention.de/
Managing Directors: Peter H. Ganten, Stefan Gohmann
HRB 20755 Amtsgericht Bremen
Tax No.: 71-597-02876