Hi Steinar, hi Tobias,

On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> > On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > > I was trying to triage this CVE and *maybe* those revisions are related:
> > > 
> > > r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> > > r1894940 ("reindent (no functional change).") 
> > > r1894977 ("Follow up to r1894937: Fix setting of empty value.")
> > > r1895054 ("Follow up to r1894937: Always eat CRLF at the end of header 
> > > value.")
> > 
> > Perhaps it's best to remove libapreq2 entirely? I don't use nor maintain it
> > anymore, it's been out of testing for a while, and there's this CVE.
> 
> #ssh mirror.ftp-master.debian.org "dak rm -Rn libapreq2"
> 
>       Will remove the following packages from unstable:
> 
>       libapache2-mod-apreq2 |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, 
> mips64el, mipsel, ppc64el, s390x
>       libapache2-request-perl |  2.13-7+b4 | amd64, arm64, armel, armhf, 
> i386, mips64el, mipsel, ppc64el, s390x
>        libapreq2 |     2.13-7 | source
>       libapreq2-3 |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, 
> mipsel, ppc64el, s390x
>       libapreq2-dev |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, 
> mips64el, mipsel, ppc64el, s390x
>       libapreq2-doc |     2.13-7 | all
> 
>       Maintainer: Steinar H. Gunderson <se...@debian.org>
> 
>       ------------------- Reason -------------------
> 
>       ----------------------------------------------
> 
>       Checking reverse dependencies...
>       # Broken Depends:
>       libapache2-authcassimple-perl: libapache2-authcassimple-perl
>       libapache2-sitecontrol-perl: libapache2-sitecontrol-perl
>       lua-apr: lua-apr
>       rapache: libapache2-mod-r-base
> 
>       # Broken Build-Depends:
>       libapache2-sitecontrol-perl: libapache2-request-perl
>       lua-apr: libapreq2-dev
>       rapache: libapreq2-dev
> 
>       Dependency problem found.
> 
> ... and still there's a need to fix the CVE for stable (and also for (E)LTS)
> 
> (I'm currently taking a look at 2.17, to see if I can get it packaged; if I'm
> succeeding, there will be an NMU announcement :))

Upstream has still not clarified on
https://www.openwall.com/lists/oss-security/2022/08/26/4 and given it
was now out of bookworm, it might be wise that we actually sunset it
for bookworm (including having the above reverse dependencies out of
bookworm).

Fixing stable and oldstable is then another story, and I still hope we
get feedback from upstream on pinpointing the fixes.

Regards,
Salvatore
