Re: apache2: fix the regressions introduced by security upgrade in Bullseye?
On Mon 3 Apr 2023, at 16:28, Gareth Evans <donotspam@fastmail.fm> wrote:
> On Mon 3 Apr 2023, at 13:27, Harald Dunkel <harri@afaics.de> wrote:
>> Hi folks,
>>
>> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
>> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
>> with high severity). Good thing.
>>
>> Unfortunately this introduced 2 regressions for mod_rewrite and
>> http2, see
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
>> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
>>
>> Would it be possible to fix the upgrade? I can turn off http2,
>> but I feel *very* bad about running an apache with a broken
>> mod_rewrite in production.
>>
>>
>> Thank you very much
>>
>> Harri
>
>
> "In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...]
>
> For the stable distribution (bullseye), these problems have been fixed
> in version 2.4.56-1~deb11u1.
>
> We recommend that you upgrade your apache2 packages."
>
> https://www.debian.org/security/2023/dsa-5376
>
> $ apt policy apache2
> apache2:
> Installed: 2.4.56-1~deb11u1
> Candidate: 2.4.56-1~deb11u1
> Version table:
> *** 2.4.56-1~deb11u1 500
> 500 http://security.debian.org/debian-security
> bullseye-security/main amd64 Packages
>
> You will need at least
>
> deb http://security.debian.org/debian-security/ bullseye-security main
>
> in /etc/apt/sources.list if not there already, though I think "contrib"
> and certainly "non-free" are unnecessary in this particular case.
>
> Best wishes,
> Gareth
Sorry, you were talking about regressions - concentration lapse on my part.
G
Reply to: