
Re: apache2 update for next buster point release?



Hi Roberto,

On 20/06/2022 22:30, Roberto C. Sánchez wrote:
> Hello Release Managers,
>
> I have been working on updating apache2 for stretch.  Most of the open
> CVEs affect both the stretch and buster versions of apache2 (in addition
> to the bullseye version).  For the buster/bullseye the CVEs have mostly
> been marked "<no-dsa> (Minor issue; can be fixed in point release)".
>
> Since buster will shortly transition to LTS, it seems likely that we
> will want an update of apache2 in the final buster point release prior
> to the LTS transition.  The info at release.debian.org indicates that a
> buster point release is planned for mid-June, which makes me think one
> could be scheduled anytime.

The final point release is likely to happen in August.

> I backported the patches for the CVEs fixed upstream in versions 2.4.53
> and 2.4.54 and I am proposing an upload as described by the attached
> debdiff.  Please let me know if this would be acceptable.  If so, I will
> file the appropriate bug in the BTS and then proceed with the upload.

Please file a buster-pu bug so that the reviews can take place there. Otherwise this may get lost.

Also please mention (in that bug) what the risk of regressions is, what kind of testing you have done (e.g. manual testing, test suite, autopkgtests...).

Cheers,
Emilio

