Hi all,

In the past we had some problems following CVE fixes for Apache2. For Buster, we had to import the whole http2 module from 2.4.46 into 2.4.38 because it was impossible to apply the upstream fix due to module changes. This isolated import was really risky, but we didn't find a better way.

Now the story restarts with CVE-2021-31618. The upstream fix is simple but refers to other changes. In particular, the whole SSL stack changed. Even for Bullseye, there are too many differences between 2.4.46 and 2.4.48 to apply this fix. Apache2 has been RFH for years, but has too many reverse dependencies to be removed from Bullseye (even if there are some alternatives).

Our current apache2 policy keeps a lot of (maybe unimportant) CVEs open [1]. So I'd like to see if it is possible to follow 2.4.x changes for Bullseye (and maybe Buster). Upstream provides fully-tested versions with no major behavior changes in the 2.4.x branch [2], but with many CVE fixes [3]. But maybe there is a better way to fix these vulnerabilities (and future ones)?

Cheers,
Yadd

[1] https://security-tracker.debian.org/tracker/source-package/apache2
[2] https://downloads.apache.org/httpd/CHANGES_2.4
[3] http://httpd.apache.org/security/vulnerabilities_24.html

