Hi Philipp,

I am working hard to reproduce the CVE and close it for good. I have a regression test for this nearly ready.
There are also some regressions when applying this patch to perfectly correct configurations, which will now be rejected. I am asking the opinion of the Apache maintainer/security team before releasing.

Thanks for the reminder

Bastien

On Thu, 20 Apr 2023 at 12:33, Philipp Hahn <h...@univention.de> wrote:
>
> Hello fellow DDs,
>
> I was redirected here by Moritz:
>
> -------- Forwarded Message --------
> Subject: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?
> Date: Thu, 20 Apr 2023 12:05:19 +0200
> From: Philipp Hahn <h...@univention.de>
> Organization: Univention GmbH
> To: t...@security.debian.org, Raphael Hertzog <raph...@freexian.com>
> Cc: Salvatore Bonaccorso <car...@debian.org>, Debian Apache
> Maintainers <debian-apa...@lists.debian.org>
>
> Hello fellow DDs,
>
> sorry for wasting your valuable time, but
> <https://security-tracker.debian.org/tracker/CVE-2023-25690> lists
> "2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable.
> Are there any plans to back-port the change to that older version, e.g.
> - Debian-10-Buster Security
> - Debian-9-Stretch ELTS (Freexian)
>
> If this is already some work-in-progress maybe you can share some
> information on the progress and if there is an estimated time frame.
>
> According to my own research
> <https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff>
> and
> <https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0>
> apply cleanly also to both 2.4.25-3+deb9u14 and 2.4.38-3+deb10u9. Ubuntu
> seems to go with just these two commits:
> <https://ubuntu.com/security/CVE-2023-25690>
>
> Thank you for your work and time
> --
> Philipp Hahn
> Open Source Software Engineer
>
> Univention GmbH
> be open.
> Mary-Somerville-Str. 1
> D-28359 Bremen
>
> 📞 +49-421-22232-57
> 🖶 +49-421-22232-99
>
> ✉️ h...@univention.de
> 🌐 https://www.univention.de/
>
> Managing directors: Peter H. Ganten, Stefan Gohmann
> HRB 20755 Amtsgericht Bremen
> Tax no.: 71-597-02876
>