[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5


On Sunday, 13 May 2018 19:15:22 CEST Stefan Fritsch wrote:
> On Tuesday, 3 April 2018 14:07:33 CEST Stefan Fritsch wrote:
> > I would like to do an upgrade of apache2 in stretch that upgrades the
> > complete mod_http2 and mod_proxy_http2 modules from the versions from
> > 2.4.25 to the versions from 2.4.33.
> > 
> > The reason is that the fix for CVE-2018-1302 [1] is difficult to
> > backport because it concerns a complex life-time issue of data
> > structures, the relevant code has changed greatly between 2.4.25 and
> > 2.4.33, and I am not familiar with the internals of mod_http2.  There
> > are other random segfaults [2] and other bugs [3] in stretch's mod_http2
> > that are reportedly fixed by newer mod_http2. Therefore, upgrading the
> > whole thing seems like the best solution to me. Do you agree with this
> > approach?
> I have now prepared updated packages. The changelog diff is:

There is one complication: It turns out that in newer versions of apache2, 
mod_http2 does no longer support being used with mpm_prefork but only with 
mpm_worker and mpm_event. If loaded together with mpm_prefork, mod_http2 will 
log a message and refuse to serve HTTP/2, but HTTP/1.x continues to work.

As I don't see any other way to fix the open issues, I would still like to go 
ahead. But I will prepare a new package/diff with a NEWS.Debian entry that 
informs about this change.


Reply to: