Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139713,
regarding trixie-pu: package apache2/2.4.68-1~deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139713: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139713
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:apache2
User: [email protected]
Usertags: pu

[ Reason ]
Apache2 is vulnerable to various medium CVEs (CVE-2026-29167, CVE-2026-29170,
CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536,
CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186,
CVE-2026-44631, CVE-2026-48913).

[ Impact ]
Medium security issues

[ Tests ]
Diff contains a test-framework update

[ Risks ]
As usual with Apache, low but not null risk

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
This release contains only fixes (a lot...)

[ Other info ]
I put here just the debian/ diff. The whole diff is big
diff --git a/debian/changelog b/debian/changelog
index a04158c1..8e4b38fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+apache2 (2.4.68-1~deb13u1) trixie; urgency=medium
+
+  * New upstream version (Closes: CVE-2026-29167, CVE-2026-29170,
+    CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536,
+    CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186,
+    CVE-2026-44631, CVE-2026-48913)
+  * Drop CVE-2026-49975_*, now included in upstream
+  * Update debian/convert_docs
+  * Update test framework
+
+ -- Xavier Guimard <[email protected]>  Thu, 11 Jun 2026 20:28:43 +0200
+
 apache2 (2.4.67-1~deb13u3) trixie-security; urgency=medium
 
   * Fix CVE-2026-49975 (HTTP/2 Bomb)
diff --git a/debian/convert_docs b/debian/convert_docs
index b39a58fa..b8c07370 100755
--- a/debian/convert_docs
+++ b/debian/convert_docs
@@ -49,7 +49,7 @@ foreach my $h (@html) {
                elsif ( -f "$SRC/$h.$l" ) {
                        conv("$SRC/$h.$l", "$tdir$h", $h, $updir);
                }
-               else {
+               elsif ( ! -e "$tdir$h" ) {
                        symlink("$updir/en/$h", "$tdir$h");
                }
                
diff --git a/debian/patches/CVE-2026-49975_1.patch 
b/debian/patches/CVE-2026-49975_1.patch
deleted file mode 100644
index 28ec9897..00000000
--- a/debian/patches/CVE-2026-49975_1.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Stefan Eissing <[email protected]>
-Date: Wed, 27 May 2026 10:50:32 +0200
-Subject: cookie reqest header counting
-
-Account merged cookie headers as an "add" to keep LimitRequestFields effective.
-
-origin: backport, 
https://github.com/icing/mod_h2/commit/cb7cd2eec3b6ef02dea62d77de2a38a108af66ee
-bug: https://github.com/icing/mod_h2/pull/324
-bug-security: https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
----
- modules/http2/h2_util.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/modules/http2/h2_util.c b/modules/http2/h2_util.c
-index b377ff7..b265bc9 100644
---- a/modules/http2/h2_util.c
-+++ b/modules/http2/h2_util.c
-@@ -1719,6 +1719,8 @@ static apr_status_t req_add_header(apr_table_t *headers, 
apr_pool_t *pool,
-             apr_table_setn(headers, "Cookie",
-                            apr_psprintf(pool, "%s; %.*s", existing,
-                                         (int)nv->valuelen, nv->value));
-+            /* Treat the merge as an "add" to not escape LimitRequestFields */
-+            *pwas_added = 1;
-             return APR_SUCCESS;
-         }
-     }
diff --git a/debian/patches/CVE-2026-49975_2.patch 
b/debian/patches/CVE-2026-49975_2.patch
deleted file mode 100644
index 851e5b36..00000000
--- a/debian/patches/CVE-2026-49975_2.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Stefan Eissing <[email protected]>
-Date: Wed, 27 May 2026 11:05:44 +0200
-Subject: ignore duplicate empty cookie headers
-
-origin: backport, 
https://github.com/icing/mod_h2/commit/b5c211e7010d31224ac2621664479177314aec96
-bug: https://github.com/icing/mod_h2/pull/324
-bug-security: https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
----
- modules/http2/h2_util.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/modules/http2/h2_util.c b/modules/http2/h2_util.c
-index b265bc9..b303945 100644
---- a/modules/http2/h2_util.c
-+++ b/modules/http2/h2_util.c
-@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, 
apr_pool_t *pool,
-              && !ap_cstr_casecmpn("cookie", (const char *)nv->name, 
nv->namelen)) {
-         existing = apr_table_get(headers, "cookie");
-         if (existing) {
-+            if (!nv->valuelen)
-+                return APR_SUCCESS;
-             /* Cookie header come separately in HTTP/2, but need
-              * to be merged by "; " (instead of default ", ")
-              */
diff --git a/debian/patches/fhs_compliance.patch 
b/debian/patches/fhs_compliance.patch
index ee4715fd..b0c3b185 100644
--- a/debian/patches/fhs_compliance.patch
+++ b/debian/patches/fhs_compliance.patch
@@ -6,7 +6,7 @@ Last-Update: 2026-05-05
 
 --- a/configure
 +++ b/configure
-@@ -42443,16 +42443,17 @@
+@@ -42455,16 +42455,17 @@
  
  cat >>confdefs.h <<_ACEOF
  #define HTTPD_ROOT "${ap_prefix}"
@@ -28,7 +28,7 @@ Last-Update: 2026-05-05
  
 --- a/configure.in
 +++ b/configure.in
-@@ -934,11 +934,11 @@
+@@ -936,11 +936,11 @@
  echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c
  
  APR_EXPAND_VAR(ap_prefix, $prefix)
diff --git a/debian/patches/series b/debian/patches/series
index 2aabdc69..450653aa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,5 +5,3 @@ customize_apxs.patch
 build_suexec-custom.patch
 reproducible_builds.diff
 fix-macro.patch
-CVE-2026-49975_1.patch
-CVE-2026-49975_2.patch
diff --git a/debian/perl-framework/t/apache/expr.t 
b/debian/perl-framework/t/apache/expr.t
index 7d62bc04..06e031d0 100644
--- a/debian/perl-framework/t/apache/expr.t
+++ b/debian/perl-framework/t/apache/expr.t
@@ -115,7 +115,6 @@ my @test_cases = (
     [ q[toupper(escape('?')) = '%3F' ] => 1 ],
     [ q[tolower(toupper(escape('?'))) = '%3f' ] => 1 ],
     [ q[%{toupper:%{escape:?}} = '%3F' ] => 1 ],
-    [ q[file('] . $file_foo . q[') = 'foo\n' ]  => 1 ],
     # unary operators
     [ q[-n '']  => 0 ],
     [ q[-z '']  => 1 ],
@@ -198,11 +197,13 @@ push @test_cases, @bool_test_cases;
 push @test_cases, map { ["!($_->[0])" => neg($_->[1]) ] } @bool_test_cases;
 
 if (have_min_apache_version("2.3.13")) {
+    my $restrict2_result = have_min_apache_version('2.4.68') ? undef : 1;
     push(@test_cases, (
         # functions
-        [ q[filesize('] . $file_foo      . q[') = 4 ]  => 1 ],
-        [ q[filesize('] . $file_notexist . q[') = 0 ]  => 1 ],
-        [ q[filesize('] . $file_zero     . q[') = 0 ]  => 1 ],
+        [ q[filesize('] . $file_foo      . q[') = 4 ]  => $restrict2_result ],
+        [ q[filesize('] . $file_notexist . q[') = 0 ]  => $restrict2_result ],
+        [ q[filesize('] . $file_zero     . q[') = 0 ]  => $restrict2_result ],
+        [ q[file('] . $file_foo . q[') = 'foo\n' ]  => $restrict2_result ],
         # unary operators
         [ qq[-d '$file_foo' ] => 0 ],
         [ qq[-e '$file_foo' ] => 1 ],
diff --git a/debian/perl-framework/t/apache/pr64339.t 
b/debian/perl-framework/t/apache/pr64339.t
index 00097e66..4915418c 100644
--- a/debian/perl-framework/t/apache/pr64339.t
+++ b/debian/perl-framework/t/apache/pr64339.t
@@ -18,7 +18,7 @@ my @testcases = (
     ['/doc.notxml', "application/notreallyxml", "f\xf3\xf3\n" ],
 
     # Sent with charset=ISO-8859-1 - should be transformed to utf-8
-    ['/doc.isohtml', "text/html;charset=utf-8", 
"<html><body><p>fóó\n</p></body></html>" ],
+    ['/doc.isohtml', "text/html;charset=utf-8", 
"<html><body>.*fóó\n.*</body></html>" ],
 );
 
 # mod_xml2enc on trunk behaves quite differently to the 2.4.x version
@@ -42,5 +42,5 @@ foreach my $t (@testcases) {
     
     ok t_cmp($r->code, 200, "fetching ".$t->[0]);
     ok t_cmp($r->header('Content-Type'), $t->[1], "content-type header test 
for ".$t->[0]);
-    ok t_cmp($r->content, $t->[2], "content test for ".$t->[0]);
+    ok t_cmp($r->content, qr/$t->[2]/, "content test for ".$t->[0]);
 }
diff --git 
a/debian/perl-framework/t/htdocs/modules/include/apexpr/restrict_func.shtml 
b/debian/perl-framework/t/htdocs/modules/include/apexpr/restrict_func.shtml
new file mode 100644
index 00000000..31401606
--- /dev/null
+++ b/debian/perl-framework/t/htdocs/modules/include/apexpr/restrict_func.shtml
@@ -0,0 +1,5 @@
+<!--#if expr="file('%{DOCUMENT_ROOT}/foobar.html') =~ /foobar/" -->
+IF_FUNC_TRUE
+<!--#else -->
+IF_FUNC_FALSE
+<!--#endif -->
diff --git a/debian/perl-framework/t/modules/dav.t 
b/debian/perl-framework/t/modules/dav.t
index a1b6248b..8ff990d8 100644
--- a/debian/perl-framework/t/modules/dav.t
+++ b/debian/perl-framework/t/modules/dav.t
@@ -10,7 +10,7 @@ use HTTP::Date;
 ## mod_dav tests
 ##
 
-plan tests => 21, [qw(dav HTTP::DAV)];
+plan tests => 22, [qw(dav HTTP::DAV)];
 require HTTP::DAV;
 
 my $vars = Apache::Test::vars();
@@ -178,6 +178,15 @@ print "PR 49825: expect 400 bad request got: $actual\n";
 ok $actual == 400;
 $user_agent->default_header('Content-Range' => undef);
 
+## Test PUT to .DAV subdirectory (should be blocked in 2.4.68+) ##
+my $dav_uri = "/$dir/.DAV/test.html";
+my $dav_resource = $dav->new_resource( -uri => "http://$server$dav_uri";);
+my $expected = have_min_apache_version('2.4.68') ? 403 : 201;
+$response = $dav_resource->put($body);
+$actual = $response->code;
+ok t_cmp($actual, $expected);
+
 ## clean up ##
+unlink "$htdocs/$dir/.DAV/test.html";
 rmdir "$htdocs/$dir/.DAV" or print "warning: could not remove .DAV dir: $!";
 rmdir "$htdocs/$dir" or print "warning: could not remove dav dir: $!";
diff --git a/debian/perl-framework/t/modules/headers.t 
b/debian/perl-framework/t/modules/headers.t
index 4892b95c..40bd5c32 100644
--- a/debian/perl-framework/t/modules/headers.t
+++ b/debian/perl-framework/t/modules/headers.t
@@ -115,7 +115,27 @@ my @testcases = (
        [  ],
        [ 'Test-Header' => 'foo' ],
     ],
+    # 500 error test - invalid regex pattern
+    [
+       "Header edit Test-Header (unclosed bar",                      # 
malformed regex (unmatched parenthesis)
+       [  ],
+       [  ],
+       500,
+    ],
 );
+if (have_min_apache_version('2.4.68')) {
+    push(@testcases,
+        (
+            # edit*
+        [
+           "Header set Test-Header \"expr=%{base64:%{file:$htaccess}}\"", # no 
file() in htaccess
+           [  ],
+           [  ],
+           500,
+        ],
+    )
+  );
+}
 if (have_min_apache_version('2.5.1')) {
     push(@testcases,
         (
@@ -297,6 +317,9 @@ sub test_header2 {
     my @test = @_;
     my $h = HTTP::Headers->new;
     
+    # Extract expected status code (default to 200 if not specified)
+    my $expected_status = $test[0][3] // 200;
+    
     print "\n\n\n";
     for (my $i = 0; $i < scalar @{$test[0][1]}; $i += 2) {
         print "Header sent n°" . $i/2 . ":\n";
@@ -312,22 +335,30 @@ sub test_header2 {
     ## 
     my $r = HTTP::Request->new('GET', 
"http://$hostport/modules/headers/htaccess/";, $h);
     my $res = $ua->request($r);
-    ok t_cmp($res->code, 200, "Checking return code is '200'");
+    ok t_cmp($res->code, $expected_status, "Checking return code is 
'$expected_status'");
     
-    my $isok = 1;
-    for (my $i = 0; $i < scalar @{$test[0][2]}; $i += 2) {
-        print "\n";
-        print "Header received n°" . $i/2 . ":\n";
-        print "  header:   " . $test[0][2][$i] . "\n";
-        print "  expected: " . $test[0][2][$i+1] . "\n";
-        if ($res->header($test[0][2][$i])) {
-            print "  received: " . $res->header($test[0][2][$i]) . "\n";
-        } else {
-            print "  received: <undefined>\n";
+    # Only validate headers if we expect a successful response
+    if ($expected_status == 200) {
+        my $isok = 1;
+        for (my $i = 0; $i < scalar @{$test[0][2]}; $i += 2) {
+            print "\n";
+            print "Header received n°" . $i/2 . ":\n";
+            print "  header:   " . $test[0][2][$i] . "\n";
+            print "  expected: " . $test[0][2][$i+1] . "\n";
+            if ($res->header($test[0][2][$i])) {
+                print "  received: " . $res->header($test[0][2][$i]) . "\n";
+            } else {
+                print "  received: <undefined>\n";
+            }
+            $isok = $isok && $res->header($test[0][2][$i]) && 
$test[0][2][$i+1] eq $res->header($test[0][2][$i]);
         }
-        $isok = $isok && $res->header($test[0][2][$i]) && $test[0][2][$i+1] eq 
$res->header($test[0][2][$i]);
-    }
-    print "\nResponse received is:\n" . $res->as_string;
+        print "\nResponse received is:\n" . $res->as_string;
 
-    ok $isok;
+        ok $isok;
+    } else {
+        # For error responses, skip header validation
+        print "\nExpected error response received (status $expected_status)\n";
+        print "Response received is:\n" . $res->as_string;
+        ok 1;
+    }
 }
diff --git a/debian/perl-framework/t/modules/include.t 
b/debian/perl-framework/t/modules/include.t
index 99644971..a4b1e80b 100644
--- a/debian/perl-framework/t/modules/include.t
+++ b/debian/perl-framework/t/modules/include.t
@@ -85,7 +85,7 @@ my %test = (
 "echo3.shtml"           =>    ['<!--#echo var="DOCUMENT_NAME" -->', 
"retagged1"], 
 "notreal.shtml"         =>    "pass <!--",
 "malformed.shtml"       =>    "[an error occurred while processing this ".
-                              "directive] malformed.shtml",
+                              "directive]",
 "exec/off/cmd.shtml"    =>    "[an error occurred while processing this ".
                               "directive]",
 "exec/on/cmd.shtml"     =>    "pass",
@@ -107,9 +107,11 @@ my %test = (
 my %ap_expr_test = (
 "apexpr/if1.shtml"      =>    "pass",
 "apexpr/err.shtml"      =>    "[an error occurred while processing this ".
-                              "directive] err.shtml",
+                              "directive]",
 "apexpr/restrict.shtml" =>    "[an error occurred while processing this ".
-                              "directive] restrict.shtml",
+                              "directive]",
+"apexpr/restrict_func.shtml" => "[an error occurred while processing this ".
+                              "directive]",
 "apexpr/var.shtml"      =>    "pass   pass   pass",
 "apexpr/lazyvar.shtml"  =>    "pass",
 );
@@ -303,6 +305,12 @@ foreach $doc (sort keys %tests) {
             skip "Skipping 'exec cgi' test; no cgi module.", 2;
         }
     }
+    elsif ($doc =~ m/malformed|apexpr/) {
+        ok t_cmp(super_chomp(GET_BODY "$dir$doc"),
+                 qr/\Q$tests{$doc}\E/,
+                 "GET $dir$doc"
+                );
+    }
     else {
         ok t_cmp(super_chomp(GET_BODY "$dir$doc"),
                  $tests{$doc},
diff --git a/debian/perl-framework/t/modules/proxy_fcgi.t 
b/debian/perl-framework/t/modules/proxy_fcgi.t
index dce4a804..6da6253f 100644
--- a/debian/perl-framework/t/modules/proxy_fcgi.t
+++ b/debian/perl-framework/t/modules/proxy_fcgi.t
@@ -154,7 +154,7 @@ sub run_fcgi_envvar_request
     }
 
     if(defined($fcgi_port)) {
-        if ($r->code ge '500') {
+        if ($r->code ge '400') {
             # Unknown failure, probably the request didn't hit the FCGI child
             # process, so it will hang waiting for our request
             kill 'TERM', $child;
@@ -328,6 +328,11 @@ foreach my $url (@udstests) {
 }
 
 for my $t (@balancertests) {
+    if (!have_module("proxy_balancer")) {
+        skip "no proxy_balancer";
+        skip "no proxy_balancer";
+        next;
+    }
     my $url = $t->{"url"};
     my $pathinfo = $t->{"pathinfo"};
     $envs = run_fcgi_envvar_request($fcgi_port, $url);
diff --git a/debian/perl-framework/t/modules/setenvif.t 
b/debian/perl-framework/t/modules/setenvif.t
index cb561c28..0b13fb81 100644
--- a/debian/perl-framework/t/modules/setenvif.t
+++ b/debian/perl-framework/t/modules/setenvif.t
@@ -56,7 +56,7 @@ my @var = qw(VAR_ONE VAR_TWO VAR_THREE);
 
 my $htaccess = "$htdocs/modules/setenvif/htaccess/.htaccess";
 
-plan tests => @var * 10 + (keys %var_att) * 6 * @var + 4,
+plan tests => @var * 10 + (keys %var_att) * 6 * @var + 5,
     have_module qw(setenvif include);
 
 sub write_htaccess {
@@ -178,6 +178,16 @@ else {
     skip "skipping inverted match test with version <2.4.38"
 }
 
+if (need_min_apache_version("2.4.67")) {
+    # file() access should be disallowed in htaccess context
+    write_htaccess("SetEnvIfExpr \"file('$htdocs/foobar.html') =~ /(.+)/\" 
VAR_ONE=\$0");
+    $body = GET_BODY $page;
+    ok ! t_cmp($body, qr/^1:foobar/);
+}
+else {
+    skip "skipping test for CVE-2026-24072 in version <2.4.67";
+}
+
 ## i think this should work, but it doesnt.
 ## leaving it commented now pending investigation.
 ## seems you cant override variables that have been previously set.

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to