Re: apache2 update for next buster point release?
On Tue, Jun 21, 2022 at 09:44:37AM +0200, Emilio Pozuelo Monfort wrote:
> Hi Roberto,
>
> On 20/06/2022 22:30, Roberto C. Sánchez wrote:
> > Hello Release Managers,
> >
> > I have been working on updating apache2 for stretch. Most of the open
> > CVEs affect both the stretch and buster versions of apache2 (in addition
> > to the bullseye version). For the buster/bullseye the CVEs have mostly
> > been marked "<no-dsa> (Minor issue; can be fixed in point release)".
> >
> > Since buster will shortly transition to LTS, it seems likely that we
> > will want an update of apache2 in the final buster point release prior
> > to the LTS transition. The info at release.debian.org indicates that a
> > buster point release is planned for mid-June, which makes me think one
> > could be scheduled anytime.
>
> The final point release is likely to happen in August.
>
> > I backported the patches for the CVEs fixed upstream in versions 2.4.53
> > and 2.4.54 and I am proposing an upload as described by the attached
> > debdiff. Please let me know if this would be acceptable. If so, I will
> > file the appropriate bug in the BTS and then proceed with the upload.
>
> Please file a buster-pu bug so that the reviews can take place there.
> Otherwise this may get lost.
>
> Also please mention (in that bug) what the risk of regressions is, what kind
> of testing you have done (e.g. manual testing, test suite, autopkgtests...).
>
Thanks for the pointer. I will do as you suggest.
Regards,
-Roberto
--
Roberto C. Sánchez