On 10/06/2021 at 17:31, Yadd wrote:
> On 10/06/2021 at 14:07, Moritz Muehlenhoff wrote:
>> On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote:
>>> On 10/06/2021 at 12:16, Yadd wrote:
>>>> On 10/06/2021 at 11:51, Yadd wrote:
>>>>> Hi,
>>>>>
>>>>> Hopefully there is an available-and-simple fix for #989562
>>>>> (CVE-2021-31618)!
>>>>>
>>>>> Cheers,
>>>>> Yadd
>>>>
>>>> Here is the debdiff
>>>
>>> Updated with all CVE fixes. Thanks to security-tracker and its
>>> maintainers ;-)
>>>
>>> Cheers,
>>> Yadd
>>
>>> diff --git a/debian/changelog b/debian/changelog
>>> index b6096f7d..41cb8b28 100644
>>> --- a/debian/changelog
>>> +++ b/debian/changelog
>>> @@ -1,3 +1,12 @@
>>> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium
>>> +
>>> + * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
>>> + (Closes: #989562, CVE-2021-31618)
>>> + * Fix various low security issues (Closes: CVE-2020-13950,
>>> CVE-2020-35452,
>>> + CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
>>
>> There's also https://security-tracker.debian.org/tracker/CVE-2019-17567
>> https://www.openwall.com/lists/oss-security/2021/06/10/2
>>
>> The CVE ID is from 2019, but it became public yesterday with the other fixes.
>>
>> Cheers,
>> Moritz
>
> Hi,
>
> this adds a non-trivial patch (the attached debdiff shows the difference
> from 2.4.46-6, which is already proposed in unblock issue #989683). I
> had to modify the upstream patch significantly. As proposed earlier, I think
> it would be safer to upload Apache 2.4.48 to Bullseye instead of
> this increasingly deviant hybrid (already 7 CVE patches!).
>
> @release-team: please consider this new debdiff as a pre-approval for
> 2.4.46-7
>
> Cheers,
> Yadd
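Review bot: In the debian/changelog hunk, `Closes:` is the keyword dpkg and the BTS parse for Debian bug numbers (as in `Closes: #989562`); the CVE identifiers listed after it in the second entry (`Closes: CVE-2020-13950, CVE-2020-35452, ...`) are not bug references and will not be recognised as closures, so drop the keyword there and name the CVEs plainly, e.g. `* Fix CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691 and CVE-2021-30641`; the security tracker matches CVE IDs wherever they appear in the entry. "various low security issues" should read "various low-severity security issues". As raised in the reply below the hunk, CVE-2019-17567 was published with the same batch of upstream fixes but does not appear in this entry; if its fix goes into the upload, the changelog should list it too, and the hunk header (`@@ -1,3 +1,12 @@`) counts nine added lines while only seven are visible in the quote, so please check the trailer lines survived the debdiff.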
And autopkgtest finally failed, so I'm not able to fix CVE-2019-31618... (patch uses some other changes introduced in 2.4.47 or 2.4.48)

