Re: Wheezy update of apache2?

To: ola@inguza.com
Cc: debian-apache@lists.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of apache2?
From: Stefan Fritsch <sf@sfritsch.de>
Date: Wed, 28 Dec 2016 15:44:25 +0100
Message-id: <[🔎] 2530466.Ei2EqynSFq@k>
In-reply-to: <[🔎] 20161223225643.GA24261@inguza.net>
References: <[🔎] 20161223225643.GA24261@inguza.net>

Hi Ola,

On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2016-8743
> 
> Would you like to take care of this yourself?

The fix for that is very invasive and may well break some things. I would wait 
with a backport until the fix has seen more exposure, both upstream and in 
stretch (the fix will migrate from sid in a few days). 

Also, there is some work upstream to get the changes backported to 2.2 in a 
separate 2.2.x-merge-http-strict branch [1]. But it has not landed in the 
2.2.x branch, yet.

I will share with you any insights I get from backporting the changes to 
jessie. But it is somewhat unlikely that I will have time to do the backport 
to wheezy myself.

Cheers,
Stefan

[1] https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/

Reply to:

Follow-Ups:
- Re: Wheezy update of apache2?
  - From: Guido Günther <agx@sigxcpu.org>

References:
- Wheezy update of apache2?
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: Call for advice regarding curl CVE-2016-9586
Next by Date: Re: Wheezy update of apache2?
Previous by thread: Wheezy update of apache2?
Next by thread: Re: Wheezy update of apache2?
Index(es):
- Date
- Thread