On 19/06/2021 at 14:57, Sebastian Ramacher wrote:
> On 2021-06-14 21:08:14 +0200, Moritz Mühlenhoff wrote:
>> Yadd wrote:
>>> Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened
>>> [1].
>>
>> Note that this isn't really accurate: While there are CVEs listed with
>> 2019- or 2020-, those were in fact all only recently published with the
>> latest Apache release.
>>
>>> Then I'd like to see if it is possible to follow 2.4.x changes for
>>> Bullseye (and maybe Buster). Upstream provides fully-tested versions
>>> with no major behavior changes in 2.4.x branch [2], but with many CVE
>>> fixes [3].
>>
>> JFTR, I think this is worth a shot. TTBOMK the httpd developers avoid
>> breaking changes within 2.4.x and with the many different modules around,
>> the test coverage around their maintenance releases is certainly higher
>> than what we can realistically cover with testing for isolated backports.
>
> Okay, if that helps with security maintenance in the long run, let's do
> this. Please keep any unrelated changes to a minimum, though. Also note
> that the full freeze is coming closer, so the upload would need to
> happen very soon.
>
> Cheers

Hi,

thanks, I just pushed apache2 2.4.48-2 to unstable. I'm going to push an
unblock request.

Of course, I'll upload new Apache2 versions to Bullseye, only if there is
a significant CVE (this means 50% ;-))

Cheers,
Yadd

