
Apache2 policy for Bullseye



Hi all,

In the past we had some problems following CVE fixes for Apache2. For
Buster, we had to import the whole http2 module from 2.4.46 into 2.4.38
because it was impossible to apply the upstream fix due to module
changes. This isolated import was really risky but we didn't find a
better way.

Now the story restarts with CVE-2021-31618. The upstream fix is simple
but refers to other changes. In particular the whole SSL stack changed.
Even for Bullseye, there are too many differences between 2.4.46 and
2.4.48 to apply this fix.

Apache2 is RFH for years, but has too many reverse dependencies to be
removed from Bullseye (even if there are some alternatives).

Our current apache2 policy keeps a lot of (maybe unimportant) CVEs open
[1].

Then I'd like to see if it is possible to follow 2.4.x changes for
Bullseye (and maybe Buster). Upstream provides fully-tested versions
with no major behavior changes in 2.4.x branch [2], but with many CVE
fixes [3].

But maybe there is a better way to fix these vulnerabilities (and future
ones)?

Cheers,
Yadd

[1] https://security-tracker.debian.org/tracker/source-package/apache2
[2] https://downloads.apache.org/httpd/CHANGES_2.4
[3] http://httpd.apache.org/security/vulnerabilities_24.html

