
Re: Wheezy update of apache2?



Hi Stefan

I think it is a wise move to wait with the update until it has got
some more testing. I'm not very surprised that it is invasive.
This is also the reason I sent a little note that extra care should be
taken on this new configuration option. I should have mentioned that
it could be an invasive change too.

I have updated the security tracker and dla-needed.txt file with your
information.

Best regards

// Ola

On 28 December 2016 at 17:15, Guido Günther <agx@sigxcpu.org> wrote:
> Hi Stefan,
> On Wed, Dec 28, 2016 at 03:44:25PM +0100, Stefan Fritsch wrote:
>> Hi Ola,
>>
>> On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote:
>> > the Debian LTS team would like to fix the security issues which are
>> > currently open in the Wheezy version of apache2:
>> > https://security-tracker.debian.org/tracker/CVE-2016-8743
>> >
>> > Would you like to take care of this yourself?
>>
>> The fix for that is very invasive and may well break some things. I would wait
>> with a backport until the fix has seen more exposure, both upstream and in
>> stretch (the fix will migrate from sid in a few days).
>>
>> Also, there is some work upstream to get the changes backported to 2.2 in a
>> separate 2.2.x-merge-http-strict branch [1]. But it has not landed in the
>> 2.2.x branch, yet.
>>
>> I will share with you any insights I get from backporting the changes to
>> jessie. But it is somewhat unlikely that I will have time to do the backport
>> to wheezy myself.
>
> I was about to start with this fix for apache2 but if upstream prepares
> a separate branch I'll gladly pick another package for the moment.
> Thanks for the update and please keep us in the loop for any further
> progress either upstream or with a port for jessie.
> Cheers,
>  -- Guido
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

