On Fri, Dec 30, 2022 at 04:14:25PM +0100, Salvatore Bonaccorso wrote:
> Hi Steinar, hi Tobias,
>
> On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> > On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> > > On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > > > I was trying to triage this CVE and *maybe* those revisions are related:
> > > >
> > > > r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> > > > r1894940 ("reindent (no functional change).")
> > > > r1894977 ("Follow up to r1894937: Fix setting of empty value.")
> > > > r1895054 ("Follow up to r1894937: Always eat CRLF at the end of header
> > > > value.")
> > >
> > > Perhaps it's best to remove libapreq2 entirely? I don't use nor maintain
> > > it
> > > anymore, it's been out of testing for a while, and there's this CVE.
> >
> > #ssh mirror.ftp-master.debian.org "dak rm -Rn libapreq2"
> >
> > Will remove the following packages from unstable:
> >
> > libapache2-mod-apreq2 | 2.13-7+b4 | amd64, arm64, armel, armhf, i386,
> > mips64el, mipsel, ppc64el, s390x
> > libapache2-request-perl | 2.13-7+b4 | amd64, arm64, armel, armhf,
> > i386, mips64el, mipsel, ppc64el, s390x
> > libapreq2 | 2.13-7 | source
> > libapreq2-3 | 2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el,
> > mipsel, ppc64el, s390x
> > libapreq2-dev | 2.13-7+b4 | amd64, arm64, armel, armhf, i386,
> > mips64el, mipsel, ppc64el, s390x
> > libapreq2-doc | 2.13-7 | all
> >
> > Maintainer: Steinar H. Gunderson <se...@debian.org>
> >
> > ------------------- Reason -------------------
> >
> > ----------------------------------------------
> >
> > Checking reverse dependencies...
> > # Broken Depends:
> > libapache2-authcassimple-perl: libapache2-authcassimple-perl
> > libapache2-sitecontrol-perl: libapache2-sitecontrol-perl
> > lua-apr: lua-apr
> > rapache: libapache2-mod-r-base
> >
> > # Broken Build-Depends:
> > libapache2-sitecontrol-perl: libapache2-request-perl
> > lua-apr: libapreq2-dev
> > rapache: libapreq2-dev
> >
> > Dependency problem found.
> >
> > ... and still theres a need to fix the CVE for stable (and also for (E)LTS)
> >
> > (I'm currently take a look at 2.17, to see if I can get it packages, if I'm
> > succeeding,
> > there will be an NMU announcement :))
>
> Upstream has still not clarified on
> https://www.openwall.com/lists/oss-security/2022/08/26/4 and given it
> was now out of bookworm, it might be wise that we actually sunset it
> for bookworm (including having the above reverse dependencies out of
> bookworm).
>
> Fixing stable and oldstable is then another story, and I still hope we
> get feedback from upstream on pinpointing the fixes.
ACK, I will file a "not suitable for bookworm" bug, so that the new package and
r-depends won't migrate.
Lets hope that upstream answers…
--
tobi
> Regards,
> Salvatore
