On Tue, Jun 21, 2022 at 09:44:37AM +0200, Emilio Pozuelo Monfort wrote:
> Hi Roberto,
>
> On 20/06/2022 22:30, Roberto C. Sánchez wrote:
> > Hello Release Managers,
> >
> > I have been working on updating apache2 for stretch. Most of the open
> > CVEs affect both the stretch and buster versions of apache2 (in addition
> > to the bullseye version). For the buster/bullseye the CVEs have mostly
> > been marked "<no-dsa> (Minor issue; can be fixed in point release)".
> >
> > Since buster will shortly transition to LTS, it seems likely that we
> > will want an update of apache2 in the final buster point release prior
> > to the LTS transition. The info at release.debian.org indicates that a
> > buster point release is planned for mid-June, which makes me think one
> > could be scheduled anytime.
>
> The final point release is likely to happen in August.
>
> > I backported the patches for the CVEs fixed upstream in versions 2.4.53
> > and 2.4.54 and I am proposing an upload as described by the attached
> > debdiff. Please let me know if this would be acceptable. If so, I will
> > file the appropriate bug in the BTS and then proceed with the upload.
>
> Please file a buster-pu bug so that the reviews can take place there.
> Otherwise this may get lost.
>
> Also please mention (in that bug) what the risk of regressions is, what kind
> of testing you have done (e.g. manual testing, test suite, autopkgtests...).
>
Thanks for the pointer. I will do as you suggest.

Regards,

-Roberto

--
Roberto C. Sánchez