On Sat, Mar 18, 2023 at 09:17:25AM +0100, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> Hi security team
> 
> On 2023-03-15 06:46:32 +0400, Yadd wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian....@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: apac...@packages.debian.org
> > Control: affects -1 + src:apache2
> > 
> > Please unblock package apache2
> > 
> > [ Reason ]
> > Apache2 < 2.4.56 is vulnerable to 2 CVEs, the major one being CVE-2023-25690
> > (bypass access control using HTTP Request Smuggling attack)
> 
> What's the plan regarding apache2 in bookworm? Will future DSAs update
> apache2 with update bugfix releases?

Indeed, that's also what was done for bullseye, e.g. DSA 4982 moved
to 2.4.51 or DSA 5035 moved to 2.4.52.

As such, it would be good to age apache to 10 days; we'd like to release
2.4.56 for bullseye-security and otherwise the higher version in stable
over testing might cause upgrade issues.

Cheers,
        Moritz