[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

Hi,

On 2023-04-03 14:27:48 +0200, Harald Dunkel wrote:
> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
> with high severity). Good thing.
> 
> Unfortunately this introduced 2 regressions for mod_rewrite and
> http2, see
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
> 
> Would it be possible to fix the upgrade? I can turn off http2,
> but I feel *very* bad about running an apache with a broken
> mod_rewrite in production.

What about apache2 2.4.56-2?

"Fix regression in mod_rewrite introduced in version 2.4.56"
"Fix regression in http2 introduced by 2.4.56"

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Reply to: