
Bug#972695: marked as done (apache2: logrotate config should mention the importance for TLS of daily rotation)



Your message dated Fri, 11 Jul 2025 05:05:08 +0000
with message-id <E1ua5wa-002vvT-9c@fasolo.debian.org>
and subject line Bug#972695: fixed in apache2 2.4.64-1
has caused the Debian Bug report #972695,
regarding apache2: logrotate config should mention the importance for TLS of daily rotation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
972695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972695
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2
Version: 2.4.46-1
Severity: important

When using TLS, SSLSessionTickets is enabled by default.

SSLSessionTickets need frequent server reloads for Perfect Forward Secrecy,
which in Debian is ensured through daily logrotation.

That long chain of logic is not obvious, however,
and a system administrator might find it sensible to adjust frequency
of logrotation without being aware of the security implications.

I strongly recommend adding a comment in the logrotate file
warning that if the server uses TLS, then the server should be reloaded
at least daily, either through logrotation or by other means.

<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLSessionTickets>

 - Jonas

--- End Message ---
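
The dependency described in the report above can be checked mechanically. This is an added example, not part of the original message or of the apache2 package: a shell audit that reads a logrotate file and an Apache TLS configuration and reports whether apache2 is reloaded at least daily while session tickets are enabled. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: is apache2 reloaded at least daily while TLS session tickets are on?

# Print the rotation interval of a logrotate file ("unspecified" if none).
rotation_frequency() {
    sed 's/#.*//' "$1" | awk '
        $1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { print $1; found = 1; exit }
        END { if (!found) print "unspecified" }'
}

# Succeed if a postrotate script reloads or restarts apache2.
reloads_on_rotate() {
    sed 's/#.*//' "$1" | awk '
        $1 == "postrotate" { inpost = 1; next }
        $1 == "endscript"  { inpost = 0 }
        inpost && /apache2/ && /reload|restart|graceful/ { ok = 1 }
        END { exit !ok }'
}

# Succeed if the config sets "SSLSessionTickets off" outside comments.
tickets_disabled() {
    sed 's/#.*//' "$1" |
        grep -Eiq '^[[:space:]]*SSLSessionTickets[[:space:]]+off[[:space:]]*$'
}

# Print one verdict line for a logrotate file ($1) and a TLS config ($2).
audit() {
    if tickets_disabled "$2"; then echo "ok: session tickets disabled"; return 0; fi
    freq=$(rotation_frequency "$1")
    case $freq in
        hourly|daily)
            if reloads_on_rotate "$1"; then echo "ok: apache2 reloaded $freq"
            else echo "warn: $freq rotation does not reload apache2"; fi ;;
        *) echo "warn: rotation is $freq, reload apache2 daily by other means" ;;
    esac
}

# Constructed sample inputs, not taken from a real host.
tmp=$(mktemp -d)
printf '%s\n' '/var/log/apache2/*.log {' '    daily' '    rotate 14' \
    '    postrotate' '        invoke-rc.d apache2 reload' '    endscript' '}' \
    > "$tmp/daily"
sed 's/daily/weekly/' "$tmp/daily" > "$tmp/weekly"
printf 'SSLEngine on\n' > "$tmp/tls.conf"
printf 'SSLEngine on\nSSLSessionTickets off\n' > "$tmp/tls-off.conf"

audit "$tmp/daily" "$tmp/tls.conf"
audit "$tmp/weekly" "$tmp/tls.conf"
audit "$tmp/weekly" "$tmp/tls-off.conf"
```

On a Debian host the two arguments would typically be the apache2 logrotate file and the file holding the server's TLS directives; those paths are left to the caller.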
--- Begin Message ---
Source: apache2
Source-Version: 2.4.64-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972695@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 11 Jul 2025 06:37:48 +0200
Source: apache2
Architecture: source
Version: 2.4.64-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 972695 1107049 1108897
Changes:
 apache2 (2.4.64-1) unstable; urgency=medium
 .
   [ Yadd ]
   * Add libanyevent-websocket-client-perl in test-suite dependencies
   * Add build dependency to libcrypt-dev (Closes: #1107049)
   * Update d/ch
   * Drop old and useless build helper (Closes: #1108897)
   * New upstream version 2.4.64
     (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-2024-43394,
     CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020)
   * Unfuzz patches
 .
   [ Jo ]
   * Adapted comment for SSLSessionTickets (Closes: #972695)


--- End Message ---