Bug#1007249: bullseye-pu: package apache2/2.4.53-1~deb11u1
Control: tags -1 + confirmed
For reference, this mail did not make it to debian-release, most likely
due to the size of the attachments. In such cases, you may wish to
follow up on the original mail with a small response so that it is more
visible to people following the list rather than the BTS.
On Mon, 2022-03-14 at 18:14 +0100, Yadd wrote:
> Apache2 is vulnerable to 4 medium CVEs:
> * mod_lua Use of uninitialized value of in r:parsebody (CVE-2022-22719)
> * HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52
>   and earlier (CVE-2022-22720)
> * Possible buffer overflow with very large or unlimited
>   LimitXMLRequestBody (CVE-2022-22721)
> * mod_sed: Read/write beyond bounds (CVE-2022-23943)
>
> [ Impact ]
> Medium vulnerabilities
>
> [ Tests ]
> Test updated (debian/perl-framework/ directory), passed
>
> [ Risks ]
> Moderate risk. We chose to follow upstream versions in Bullseye because
> we didn't succeed in maintaining previous versions due to big upstream
> changes. For example, the Buster http2 stack is a full port of
> Apache-2.4.48.
> Upstream seems to provide well-tested upgrades without regressions.
Please go ahead.
Regards,
Adam