On 4/17/24 21:14, Moritz Mühlenhoff wrote:
[...]
DSA has been released, thanks!
Cheers,
Moritz
Hi,
The apache2 package in Bullseye and Bookworm follows the upstream
releases because it's a mess to extract security fixes from their
repository and because Apache/httpd is in practice almost in a state of
LTS maintenance.
So my question is "what to do with Buster/apache2?". Possible solutions:
- try to extract the commits corresponding to the 6 CVEs (at least 3 to
fix, see [1])
- update Buster/apache2 to 2.4.59-1~deb10u1. I prepared a branch:
buster-security-follow-upstream (to be tested)
For the record, there were so many bug fixes inside the http2 stack that the
whole mod_http2 was imported from 2.4.41
(debian/patches/import-http2-module-from-2.4.46.patch)
Best regards,
Xavier
[1]: https://security-tracker.debian.org/tracker/source-package/apache2