Hi,

On Sunday, 13 May 2018 19:15:22 CEST Stefan Fritsch wrote:
> On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> > I would like to do an upgrade of apache2 in stretch that upgrades the
> > complete mod_http2 and mod_proxy_http2 modules from the versions from
> > 2.4.25 to the versions from 2.4.33.
> >
> > The reason is that the fix for CVE-2018-1302 [1] is difficult to
> > backport because it concerns a complex life-time issue of data
> > structures, the relevant code has changed greatly between 2.4.25 and
> > 2.4.33, and I am not familiar with the internals of mod_http2. There
> > are other random segfaults [2] and other bugs [3] in stretch's mod_http2
> > that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> > whole thing seems like the best solution to me. Do you agree with this
> > approach?
>
> I have now prepared updated packages. The changelog diff is:

There is one complication: It turns out that in newer versions of
apache2, mod_http2 no longer supports being used with mpm_prefork but
only with mpm_worker and mpm_event. If loaded together with mpm_prefork,
mod_http2 will log a message and refuse to serve HTTP/2, but HTTP/1.x
continues to work.

As I don't see any other way to fix the open issues, I would still like
to go ahead. But I will prepare a new package/diff with a NEWS.Debian
entry that informs about this change.

Cheers,
Stefan
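
A pre-upgrade check for the complication described in the message above, as an added example that is not part of the original e-mail or of the Debian package: it reports whether a host enables mod_http2 together with mpm_prefork and would therefore stop serving HTTP/2 after the update. It assumes Debian's `mods-enabled/<module>.load` layout under the apache2 configuration directory; `check_http2_mpm` and its status words are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumption: Debian apache2 layout, where a2enmod creates
# <confdir>/mods-enabled/<module>.load symlinks.

# True if module $1 is enabled in $h2_dir (also counts dangling symlinks).
h2_enabled() {
    [ -e "$h2_dir/$1.load" ] || [ -L "$h2_dir/$1.load" ]
}

# check_http2_mpm [confdir]
# Prints one status word. Return codes:
#   0 = update does not change HTTP/2 behaviour on this host
#   1 = mod_http2 is enabled with mpm_prefork: HTTP/2 will be refused
#   2 = could not determine (directory missing or no known MPM enabled)
check_http2_mpm() {
    h2_dir="${1:-/etc/apache2}/mods-enabled"
    if [ ! -d "$h2_dir" ]; then
        echo "no-mods-enabled"
        return 2
    fi
    if ! h2_enabled http2; then
        # HTTP/2 is not in use, so the MPM restriction does not matter.
        echo "http2-not-enabled"
        return 0
    fi
    if h2_enabled mpm_prefork; then
        # HTTP/1.x keeps working, HTTP/2 does not: switch to mpm_event or
        # mpm_worker before relying on HTTP/2 again.
        echo "http2-with-prefork"
        return 1
    fi
    if h2_enabled mpm_event || h2_enabled mpm_worker; then
        echo "http2-ok"
        return 0
    fi
    echo "mpm-unknown"
    return 2
}

# Run against a configuration directory when one is given as an argument.
if [ "$#" -gt 0 ]; then
    check_http2_mpm "$1"
fi
```

Hosts that report `http2-with-prefork` often run prefork because of a non-thread-safe module such as mod_php, so the MPM switch needs its own testing.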