Re: Wheezy update of apache2?

2017-07-19 Thread Antoine Beaupré
On 2017-07-18 20:53:35, Stefan Fritsch wrote:
> On Monday, 17 July 2017 16:57:00 CEST Roberto C. Sánchez wrote:
>> I did the deb7u9 update of apache2 and I was not aware of the regression
>> either.  I wonder if it makes sense for bugs above a certain severity
>> affecting versions of a package which are security uploads to show up in
>> the security tracker.  Or would there be some other sensible way, aside
>> from having to go to the BTS directly?
>
> Sorry that I haven't forwarded that to you in a timely manner. I think I have
> mentioned it before the previous upload, but it may have gotten lost
> somewhere.
>
> I don't know what a reasonable automatic notification could look like.
> Probably it has to be up to the maintainer to forward such bug reports.

I would agree as well - we can't possibly watch all of the BTS for such
reports. :)

Honestly, I was surprised there wasn't more pushback on DLA-841-1: it
was a major change with significant impact. The patch was a mess to
backport, and basically rewrote the request parser in Apache (!). It was
bound to introduce more issues.

I'll try to tackle this one, naturally, since I'm the one who issued the
DLA in the end!

Sorry about the trouble.

a.

-- 
A genius is someone who discovers that the stone that falls and the
moon that doesn't fall represent one and the same phenomenon.
 - Ernesto Sabato



Re: Wheezy update of apache2?

2017-07-19 Thread Jonas Meurer
Hi there,

Am 17.07.2017 um 22:50 schrieb Chris Lamb:
> Hi Stefan,
> 
>> Note that a previous DLSA introduced a regression. It would be nice if 
>> you could take a look at that, too:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373
> 
> Unfortunately I uploaded this morning before I saw your note about
> this regression.
> 
> I've added anarcat and mejo to CC as they are mentioned in the
> apache2 2.2.22-13+deb7u8 upload; could one of you take care of it?

Unfortunately I'm on holidays with bad internet connectivity until
August 5th. Will not find time to look into the regression earlier.
Also, I just did further debugging and a final fix to the deb7u8 upload.
I remember that backporting the CVE-2016-8743 fix to 2.2.22 was very
intrusive and complex.

Kind regards,
 jonas


Re: Wheezy update of apache2?

2017-07-18 Thread Stefan Fritsch
On Monday, 17 July 2017 16:57:00 CEST Roberto C. Sánchez wrote:
> I did the deb7u9 update of apache2 and I was not aware of the regression
> either.  I wonder if it makes sense for bugs above a certain severity
> affecting versions of a package which are security uploads to show up in
> the security tracker.  Or would there be some other sensible way, aside
> from having to go to the BTS directly?

Sorry that I haven't forwarded that to you in a timely manner. I think I have 
mentioned it before the previous upload, but it may have gotten lost 
somewhere.

I don't know what a reasonable automatic notification could look like. Probably
it has to be up to the maintainer to forward such bug reports.

Cheers,
Stefan



Re: Wheezy update of apache2?

2017-07-17 Thread Roberto C. Sánchez
I did the deb7u9 update of apache2 and I was not aware of the regression
either.  I wonder if it makes sense for bugs above a certain severity
affecting versions of a package which are security uploads to show up in
the security tracker.  Or would there be some other sensible way, aside
from having to go to the BTS directly?

Regards,

-Roberto

On Mon, Jul 17, 2017 at 09:50:11PM +0100, Chris Lamb wrote:
> Hi Stefan,
> 
> > Note that a previous DLSA introduced a regression. It would be nice if 
> > you could take a look at that, too:
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373
> 
> Unfortunately I uploaded this morning before I saw your note about
> this regression.
> 
> I've added anarcat and mejo to CC as they are mentioned in the
> apache2 2.2.22-13+deb7u8 upload; could one of you take care of it?
> 
> 
> Best wishes,
> 
> -- 
>   ,''`.
>  : :'  : Chris Lamb, Debian Project Leader
>  `. `'`  la...@debian.org / chris-lamb.co.uk
>`-
> 

-- 
Roberto C. Sánchez
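The notification heuristic Roberto floats above (bugs above a certain severity, filed against a version that is itself a security upload) can be expressed as a filter over BTS metadata. The following is an added example, not code from this thread, from the Debian security tracker or from the BTS; the bug records are constructed, the bug numbers are hypothetical, and the "+debNuM" Debian-revision suffix is used as the marker for a stable security (or point-release) upload, which is what 2.2.22-13+deb7u8 is for wheezy (Debian 7).

```python
import re
from dataclasses import dataclass

# Debian BTS severities, lowest to highest.
SEVERITY_RANK = {"wishlist": 0, "minor": 1, "normal": 2, "important": 3,
                 "serious": 4, "grave": 5, "critical": 6}

# Security uploads (and point-release updates) for Debian N carry a
# "+debNuM" suffix on the Debian revision, e.g. 2.2.22-13+deb7u8 for wheezy.
_SEC_SUFFIX = re.compile(r"\+deb(\d+)u(\d+)$")


def split_version(version):
    """Split a Debian version into (epoch, upstream, debian_revision).
    The revision follows the *last* hyphen; native packages have none."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        return epoch, version, ""
    return epoch, upstream, revision


def security_upload_suffix(version):
    """(debian_release, update_number) if the revision ends in +debNuM,
    else None."""
    _, _, revision = split_version(version)
    m = _SEC_SUFFIX.search(revision)
    return (int(m.group(1)), int(m.group(2))) if m else None


@dataclass
class Bug:
    number: int
    package: str
    severity: str
    found: tuple            # versions the bug was reported against
    fixed: tuple = ()       # versions carrying a fix (empty = still open)


def bug_needs_attention(bug, min_severity="important", release=7):
    """True when the bug is still open, at least min_severity, and was found
    in a security/update upload for the given Debian release."""
    if SEVERITY_RANK[bug.severity] < SEVERITY_RANK[min_severity]:
        return False
    if bug.fixed:           # crude: real BTS 'open' state is per version
        return False
    for version in bug.found:
        suffix = security_upload_suffix(version)
        if suffix is not None and suffix[0] == release:
            return True
    return False


def flag_bugs(bugs, min_severity="important", release=7):
    """Bug numbers (sorted) worth forwarding to whoever issued the DLA."""
    return sorted(b.number for b in bugs
                  if bug_needs_attention(b, min_severity, release))


# Constructed sample records; the bug numbers are hypothetical.
SAMPLE_BUGS = [
    Bug(900001, "apache2", "important", ("2.2.22-13+deb7u8",)),   # wheezy DLA version
    Bug(900002, "apache2", "minor", ("2.2.22-13+deb7u8",)),       # below threshold
    Bug(900003, "apache2", "grave", ("2.4.10-10+deb8u9",)),       # jessie, not wheezy
    Bug(900004, "apache2", "serious", ("2.2.22-13",)),            # plain stable version
    Bug(900005, "openssl", "important", ("1.0.1t-1+deb7u2",),
        fixed=("1.0.1t-1+deb7u3",)),                              # already fixed
]

if __name__ == "__main__":
    print(flag_bugs(SAMPLE_BUGS))              # [900001]
    print(flag_bugs(SAMPLE_BUGS, release=8))   # [900003]
```

The suffix test deliberately keys on the Debian revision only, so a backport or a version with hyphens in the upstream part is not mistaken for a security upload; in a real tool the "open" check would have to consult the BTS per-version found/fixed graph rather than a flat tuple.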

Re: Wheezy update of apache2?

2017-07-17 Thread Chris Lamb
Hi Stefan,

> Note that a previous DLSA introduced a regression. It would be nice if 
> you could take a look at that, too:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373

Unfortunately I uploaded this morning before I saw your note about
this regression.

I've added anarcat and mejo to CC as they are mentioned in the
apache2 2.2.22-13+deb7u8 upload; could one of you take care of it?


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb, Debian Project Leader
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of apache2?

2017-07-17 Thread Stefan Fritsch
Hi Raphael,

On Saturday, 15 July 2017 11:52:49 CEST Raphael Hertzog wrote:
> Hello Stefan,
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2017-9788
> 
> Would you like to take care of this yourself?

no, please do take care of it.

Note that a previous DLSA introduced a regression. It would be nice if 
you could take a look at that, too:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373

Cheers,
Stefan





Re: Wheezy update of apache2?

2017-06-20 Thread Stefan Fritsch
Hi Raphael,

On Tuesday, 20 June 2017 16:38:12 CEST Raphael Hertzog wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2017-3167
> https://security-tracker.debian.org/tracker/CVE-2017-3169
> https://security-tracker.debian.org/tracker/CVE-2017-7668
> https://security-tracker.debian.org/tracker/CVE-2017-7679
> 
> Would you like to take care of this yourself?
> 

I don't think I have enough time in the near future to deal with wheezy, too. 
Arno hasn't been active for some time. Please do take care of it.

Note that it seems the last DLSA introduced a regression. It would be nice if 
you could fix that, too:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373

Cheers,
Stefan



Re: Wheezy update of apache2?

2016-12-28 Thread Stefan Fritsch
Hi Ola,

On Friday, 23 December 2016 23:56:45 CET Ola Lundqvist wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apache2:
> https://security-tracker.debian.org/tracker/CVE-2016-8743
> 
> Would you like to take care of this yourself?

The fix for that is very invasive and may well break some things. I would wait 
with a backport until the fix has seen more exposure, both upstream and in 
stretch (the fix will migrate from sid in a few days). 

Also, there is some work upstream to get the changes backported to 2.2 in a 
separate 2.2.x-merge-http-strict branch [1]. But it has not landed in the 
2.2.x branch, yet.

I will share with you any insights I get from backporting the changes to 
jessie. But it is somewhat unlikely that I will have time to do the backport 
to wheezy myself.

Cheers,
Stefan

[1] https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/