
Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709



On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:
> On 4/4/24 22:51, Moritz Mühlenhoff wrote:
> > Source: apache2
> > X-Debbugs-CC: team@security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerabilities were published for apache2.
> > 
> > CVE-2024-27316[0]:
> > https://www.kb.cert.org/vuls/id/421644
> > https://www.openwall.com/lists/oss-security/2024/04/04/4
> > 
> > CVE-2024-24795[1]:
> > https://www.openwall.com/lists/oss-security/2024/04/04/5
> > 
> > CVE-2023-38709[2]:
> > https://www.openwall.com/lists/oss-security/2024/04/04/3
> > 
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-27316
> >      https://www.cve.org/CVERecord?id=CVE-2024-27316
> > [1] https://security-tracker.debian.org/tracker/CVE-2024-24795
> >      https://www.cve.org/CVERecord?id=CVE-2024-24795
> > [2] https://security-tracker.debian.org/tracker/CVE-2023-38709
> >      https://www.cve.org/CVERecord?id=CVE-2023-38709
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> I'm ready to push 2.4.59 into bookworm-security. Note that this includes a
> test-framework update

Target distribution needs to be bookworm-security, with that please upload.
Can you also prepare the equivalent change for bullseye-security?

The uploads can already happen, but let's keep the update unreleased until
next week, then we can look for regressions reported in unstable (and check
with Ondrej if we received reports based on his repo)

Cheers,
        Moritz

