Re: Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
On Sunday, 13 May 2018 19:15:22 CEST Stefan Fritsch wrote:
> On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> > I would like to do an upgrade of apache2 in stretch that upgrades the
> > complete mod_http2 and mod_proxy_http2 modules from the versions from
> > 2.4.25 to the versions from 2.4.33.
> > The reason is that the fix for CVE-2018-1302  is difficult to
> > backport because it concerns a complex life-time issue of data
> > structures, the relevant code has changed greatly between 2.4.25 and
> > 2.4.33, and I am not familiar with the internals of mod_http2. There
> > are other random segfaults  and other bugs  in stretch's mod_http2
> > that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> > whole thing seems like the best solution to me. Do you agree with this
> > approach?
> I have now prepared updated packages. The changelog diff is:
There is one complication: It turns out that in newer versions of apache2,
mod_http2 does no longer support being used with mpm_prefork but only with
mpm_worker and mpm_event. If loaded together with mpm_prefork, mod_http2 will
log a message and refuse to serve HTTP/2, but HTTP/1.x continues to work.
As I don't see any other way to fix the open issues, I would still like to go
ahead. But I will prepare a new package/diff with a NEWS.Debian entry that
informs about this change.