Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3d6b11ef by Roberto C. Sánchez at 2021-08-27T10:56:42-04:00
Postpone apache2 DLA for CVE-2021-33193.

Following the same rationale as the security team on this: the main part
of the fix doesn't apply prior to 2.4.47 because of significant changes
to how SSL works and the lower likelihood of HTTP/2 being deployed on a
much older Apache.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -15793,6 +15793,7 @@ CVE-2021-33193 (A crafted method sent through HTTP/2 
will bypass validation and
        - apache2 2.4.48-4
        [bullseye] - apache2 2.4.48-3.1+deb11u1
        [buster] - apache2 <postponed> (Revisit when a suitable backport is 
available for 2.4.38)
+       [stretch] - apache2 <postponed> (Revisit when a suitable backport is 
available for 2.4.25)
        NOTE: https://portswigger.net/research/http2
        NOTE: 
https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c
 CVE-2021-33192 (A vulnerability in the HTML pages of Apache Jena Fuseki allows 
an atta ...)
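
Review bot: The added [stretch] line records only the revisit condition ("Revisit when a suitable backport is available for 2.4.25"), so the reason for postponing lives in the commit message and not in data/CVE/list. Consider adding a NOTE under CVE-2021-33193, next to the existing upstream commit NOTE, stating that the main part of that fix does not apply prior to 2.4.47. That would let anyone reading the tracker entry for buster or stretch see why both are postponed without digging through the git history.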


=====================================
data/dla-needed.txt
=====================================
@@ -18,8 +18,6 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-apache2 (Roberto C. Sánchez)
---
 exiv2 (Utkarsh Gupta)
   NOTE: 20210801: check further; some no-dsa issues have piled up, too. 
(utkarsh)
   NOTE: 20210816: wip, new CVEs added, too. comparing w/ buster. (utkarsh)
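
Review bot: Removing the apache2 entry from data/dla-needed.txt leaves the <postponed> tag in data/CVE/list as the only reminder that stretch needs a revisit, and nothing in this hunk shows whether CVE-2021-33193 was the sole issue behind the entry. The removed entry had no NOTE lines, so no triage history is lost, but it is worth confirming that no other open apache2 issue for stretch still needs the package listed here before dropping it.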



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d6b11ef1157de698d7091f86c2eb0430ee907d4
