Re: Apache2 policy for Bullseye
On 19/06/2021 at 14:57, Sebastian Ramacher wrote:
> On 2021-06-14 21:08:14 +0200, Moritz Mühlenhoff wrote:
>> Yadd wrote:
>>> Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened
>>> [1].
>>
>> Note that this isn't really accurate: While there are CVEs listed with
>> 2019- or 2020-, those were in fact all only recently published with the
>> latest Apache release.
>>
>>> Then I'd like to see if it is possible to follow 2.4.x changes for
>>> Bullseye (and maybe Buster). Upstream provides fully-tested versions
>>> with no major behavior changes in 2.4.x branch [2], but with many CVE
>>> fixes [3].
>>
>> JFTR, I think this is worth a shot. TTBOMK the httpd developers avoid
>> breaking changes within 2.4.x and with the many different modules around,
>> the test coverage around their maintenance releases is certainly higher
>> than what we can realistically cover with testing for isolated backports.
>
> Okay, if that helps with security maintenance in the long run, let's do
> this. Please keep any unrelated changes to a minimum, though. Also note
> that the full freeze is coming closer, so the upload would need to
> happen very soon.
>
> Cheers
Hi,
thanks, I just pushed apache2 2.4.48-2 to unstable. I'm going to push an
unblock request.
Of course, I'll upload new Apache2 versions to Bullseye only if there
is a significant CVE (this means 50% ;-))
Cheers,
Yadd