Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

To: debian-lts@lists.debian.org
Subject: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
From: Yadd <yadd@debian.org>
Date: Thu, 18 Apr 2024 12:15:52 +0400
Message-id: <[🔎] 7adc6f45-a4af-4a36-a854-b2eb01641d6d@debian.org>
In-reply-to: <ZiADgxqtUQl3Npq0@pisco.westfalen.local>
References: <Zg72lho/Sw657Uq7@pisco.westfalen.local> <0a324655-b9e2-49a0-b7d8-efd0da7e843f@debian.org> <ZiADgxqtUQl3Npq0@pisco.westfalen.local>

On 4/17/24 21:14, Moritz Mühlenhoff wrote:

[...]
DSA has been released, thanks!

Cheers,
         Moritz

Hi,

The apache2 package in Bullseye and Bookworm follows the upstreamreleases because it's a mess to extract security fixes from theirrepository and because Apache/httpd is in practice almost in a state ofLTS maintenance.


So my question is "what to do with Buster/Apache2 ?". Possible solutions:
 - try to extract the commits corresponding to the 6 CVEs (at least 3 to
   fix, see [1])
 - update Buster/apache2 to 2.4.59-1~deb10u1. I prepared a branch:
   buster-security-follow-upstream (to be tested)

For the record, there were so many bug fixes inside http2 stack that thewhole mod_http2 was imported from 2.4.41(debian/patches/import-http2-module-from-2.4.46.patch)


Best regards,
Xavier

[1]: https://security-tracker.debian.org/tracker/source-package/apache2

Reply to:

Follow-Ups:
- Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Next by Date: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Previous by thread: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Next by thread: Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Index(es):
- Date
- Thread