Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, I would like to do an upgrade of apache2 in stretch that upgrades the complete mod_http2 and mod_proxy_http2 modules from the versions from 2.4.25 to the versions from 2.4.33. The reason is that the fix for CVE-2018-1302 [1] is difficult to backport because it concerns a complex life-time issue of data structures, the relevant code has changed greatly between 2.4.25 and 2.4.33, and I am not familiar with the internals of mod_http2. There are other random segfaults [2] and other bugs [3] in stretch's mod_http2 that are reportedly fixed by newer mod_http2. Therefore, upgrading the whole thing seems like the best solution to me. Do you agree with this approach? The diff is not reviewable (58 files changed, 5533 insertions, 4182 deletions), but it only touches the http2 modules. I may also include a few other small bug fixes. I will prepare the updated package and send the detailed information after the pending DSA for some other issues has been released (2.4.25-3+deb9u4). Cheers, Stefan [1] http://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1302 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873945 [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850947
