Re: Wheezy update of apache2?

[Guido Günther <agx@sigxcpu.org>]

Hi Stefan,
On Wed, Dec 28, 2016 at 03:44:25PM +0100, Stefan Fritsch wrote:
> Hi Ola,
> 
> On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of apache2:
> > https://security-tracker.debian.org/tracker/CVE-2016-8743
> > 
> > Would you like to take care of this yourself?
> 
> The fix for that is very invasive and may well break some things. I would wait 
> with a backport until the fix has seen more exposure, both upstream and in 
> stretch (the fix will migrate from sid in a few days). 
> 
> Also, there is some work upstream to get the changes backported to 2.2 in a 
> separate 2.2.x-merge-http-strict branch [1]. But it has not landed in the 
> 2.2.x branch, yet.
> 
> I will share with you any insights I get from backporting the changes to 
> jessie. But it is somewhat unlikely that I will have time to do the backport 
> to wheezy myself.

I was about to start with this fix for apache2 but if upstream prepares
a separate branch I'll gladly pick another package for the moment.
Thanks for the update and please keep us in the loop for any further
progress either upstream or with a port for jessie.
Cheers,
 -- Guido