Hi Roberto,

On 20/06/2022 22:30, Roberto C. Sánchez wrote:
> Hello Release Managers,
>
> I have been working on updating apache2 for stretch. Most of the open CVEs affect both the stretch and buster versions of apache2 (in addition to the bullseye version). For buster/bullseye, the CVEs have mostly been marked "<no-dsa> (Minor issue; can be fixed in point release)". Since buster will shortly transition to LTS, it seems likely that we will want an update of apache2 in the final buster point release prior to the LTS transition. The info at release.debian.org indicates that a buster point release is planned for mid-June, which makes me think one could be scheduled anytime.

The final point release is likely to happen in August.

> I backported the patches for the CVEs fixed upstream in versions 2.4.53 and 2.4.54 and I am proposing an upload as described by the attached debdiff. Please let me know if this would be acceptable. If so, I will file the appropriate bug in the BTS and then proceed with the upload.

Please file a buster-pu bug so that the reviews can take place there. Otherwise this may get lost.
Also please mention (in that bug) what the risk of regressions is, what kind of testing you have done (e.g. manual testing, test suite, autopkgtests...).

Cheers,
Emilio