On 2021-06-14 21:08:14 +0200, Moritz Mühlenhoff wrote:
> Yadd wrote:
> > Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened
> > [1].
>
> Note that this isn't really accurate: While there are CVEs listed with
> 2019- or 2020-, those were in fact all only recently published with the
> latest Apache release.
>
> > Then I'd like to see if it is possible to follow 2.4.x changes for
> > Bullseye (and maybe Buster). Upstream provides fully-tested versions
> > with no major behavior changes in 2.4.x branch [2], but with many CVE
> > fixes [3].
>
> JFTR, I think this is worth a shot. TTBOMK the httpd developers avoid
> breaking changes within 2.4.x and with the many different modules around,
> the test coverage around their maintenance releases is certainly higher
> than what we can realistically cover with testing for isolated backports.

Okay, if that helps with security maintenance in the long run, let's do
this. Please keep any unrelated changes to a minimum, though. Also note
that the full freeze is coming closer, so the upload would need to
happen very soon.

Cheers

>
> Cheers,
> Moritz
>

--
Sebastian Ramacher