
Bug#1032977: unblock: apache2/2.4.56-1



Control: tags -1 - moreinfo

hi Sebastian,

On Sat, Mar 18, 2023 at 09:17:25AM +0100, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> Hi security team
> 
> On 2023-03-15 06:46:32 +0400, Yadd wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: apache2@packages.debian.org
> > Control: affects -1 + src:apache2
> > 
> > Please unblock package apache2
> > 
> > [ Reason ]
> > Apache2 < 2.4.56 is vulnerable to 2 CVEs, the major is CVE-2023-25690
> > (bypass access control using HTTP Request Smuggling attack)
> 
> What's the plan regarding apache2 in bookworm? Will future DSAs update
> apache2 with update bugfix releases?

Yes that is the plan. We do have e.g. already for bullseye-security
2.4.56-1~deb11u1 pending (we were waiting to move the version to
bookworm and get some more coverage).

The plan for bookworm is the same and do as we switched for bullseye.

Regards,
Salvatore

