On Mon 3 Apr 2023, at 13:27, Harald Dunkel <ha...@afaics.de> wrote:
> Hi folks,
>
> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
> with high severity). Good thing.
>
> Unfortunately this introduced 2 regressions for mod_rewrite and
> http2, see
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
>
> Would it be possible to fix the upgrade? I can turn off http2,
> but I feel *very* bad about running an apache with a broken
> mod_rewrite in production.
>
>
> Thank you very much
>
> Harri
"In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...]

For the stable distribution (bullseye), these problems have been fixed in
version 2.4.56-1~deb11u1.

We recommend that you upgrade your apache2 packages."

https://www.debian.org/security/2023/dsa-5376

$ apt policy apache2
apache2:
  Installed: 2.4.56-1~deb11u1
  Candidate: 2.4.56-1~deb11u1
  Version table:
 *** 2.4.56-1~deb11u1 500
        500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages

You will need at least

deb http://security.debian.org/debian-security/ bullseye-security main

in /etc/apt/sources.list if not there already, though I think "contrib" and
certainly "non-free" are unnecessary in this particular case.

Best wishes,

Gareth
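The version check behind the reply above, as an added example that is not code from the thread or from Debian: a small port of dpkg's version ordering, so a script can tell whether the apache2 reported by `apt policy` is at or above the DSA-5376 fixed version 2.4.56-1~deb11u1 (the only value taken from the page; the sample policy output is constructed from it). The point it makes concrete is that `~` sorts before everything, even the end of the string, which is why the bullseye version 2.4.56-1~deb11u1 is older than the 2.4.56-1 Harri mentions.

```python
import re
from itertools import zip_longest

DSA_5376_FIXED = "2.4.56-1~deb11u1"  # bullseye fixed version named in the DSA
# Constructed sample, trimmed from the `apt policy apache2` output in the thread.
SAMPLE_POLICY = "apache2:\n  Installed: 2.4.56-1~deb11u1\n  Candidate: 2.4.56-1~deb11u1\n"

def _order(c):
    # dpkg character weight: '~' < end of run < letters < everything else
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): compare alternating non-digit / numeric runs
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):  # numeric runs compare as integers
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # 'epoch:upstream-revision' -> (epoch, upstream, revision)
    e, sep, rest = v.partition(":")
    epoch, rest = (int(e), rest) if sep else (0, v)
    up, sep, rev = rest.rpartition("-")
    return (epoch, up, rev) if sep else (epoch, rest, "")

def compare_versions(a, b):
    """Negative if a < b, 0 if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def installed_version(policy_output):
    """Pull the 'Installed:' value out of `apt policy` output, or None."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_output, re.MULTILINE)
    return None if not m or m.group(1) == "(none)" else m.group(1)

def is_fixed(policy_output, fixed=DSA_5376_FIXED):
    """True when the installed apache2 is at or above the DSA fixed version."""
    v = installed_version(policy_output)
    return v is not None and compare_versions(v, fixed) >= 0
```

On a real host, feed it `subprocess.run(["apt", "policy", "apache2"], capture_output=True, text=True).stdout` instead of the constructed sample.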