On Mon 3 Apr 2023, at 16:28, Gareth Evans <donots...@fastmail.fm> wrote:
> On Mon 3 Apr 2023, at 13:27, Harald Dunkel <ha...@afaics.de> wrote:
>> Hi folks,
>>
>> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
>> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
>> with high severity). Good thing.
>>
>> Unfortunately this introduced 2 regressions for mod_rewrite and
>> http2, see
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
>> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
>>
>> Would it be possible to fix the upgrade? I can turn off http2,
>> but I feel *very* bad about running an apache with a broken
>> mod_rewrite in production.
>>
>>
>> Thank you very much
>>
>> Harri
>
>
> "In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...]
>
> For the stable distribution (bullseye), these problems have been fixed
> in version 2.4.56-1~deb11u1.
>
> We recommend that you upgrade your apache2 packages."
>
> https://www.debian.org/security/2023/dsa-5376
>
> $ apt policy apache2
> apache2:
>   Installed: 2.4.56-1~deb11u1
>   Candidate: 2.4.56-1~deb11u1
>   Version table:
>  *** 2.4.56-1~deb11u1 500
>         500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
>
> You will need at least
>
> deb http://security.debian.org/debian-security/ bullseye-security main
>
> in /etc/apt/sources.list if not there already, though I think "contrib"
> and certainly "non-free" are unnecessary in this particular case.
>
> Best wishes,
> Gareth

Sorry, you were talking about regressions - concentration lapse on my part. G