
Re: Apache2 policy for Bullseye



Yadd wrote:
> Our current apache2 policy keeps a lot of (maybe unimportant) CVEs open
> [1].

Note that this isn't really accurate: While there are CVEs listed with
2019- or 2020-, those were in fact all only recently published with the
latest Apache release.

> Then I'd like to see if it is possible to follow 2.4.x changes for
> Bullseye (and maybe Buster). Upstream provides fully-tested versions
> with no major behavior changes in 2.4.x branch [2], but with many CVE
> fixes [3].

JFTR, I think this is worth a shot. TTBOMK the httpd developers avoid
breaking changes within 2.4.x and with the many different modules around,
the test coverage around their maintenance releases is certainly higher
than what we can realistically cover with testing for isolated backports.

Cheers,
	 Moritz

