
Fwd: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?



Hello fellow DDs,

I was redirected here by Moritz:

-------- Forwarded Message --------
Subject: CVE-2023-25690: Apache2 mod_proxy for old(old)stable?
Date: Thu, 20 Apr 2023 12:05:19 +0200
From: Philipp Hahn <hahn@univention.de>
Organization: Univention GmbH
To: team@security.debian.org, Raphael Hertzog <raphael@freexian.com>
CC: Salvatore Bonaccorso <carnil@debian.org>, Debian Apache Maintainers <debian-apache@lists.debian.org>

Hello fellow DDs,

sorry for wasting your valuable time, but <https://security-tracker.debian.org/tracker/CVE-2023-25690> lists "2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable.
Are there any plans to back-port the change to that older version, e.g.
- Debian-10-Buster Security
- Debian-9-Stretch ELTS (Freexian)

If this is already a work in progress, maybe you can share some information on the progress and whether there is an estimated time frame.

According to my own research <https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff> and <https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0> apply cleanly also to both 2.4.25-3+deb9u14 and 2.4.38-3+deb10u9. Ubuntu seems to go with just these two commits: <https://ubuntu.com/security/CVE-2023-25690>

Thank you for your work and time
--
Philipp Hahn
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str. 1
D-28359 Bremen

📞 +49-421-22232-57
🖶 +49-421-22232-99

✉️ hahn@univention.de
🌐 https://www.univention.de/

Managing Directors: Peter H. Ganten, Stefan Gohmann
HRB 20755 Amtsgericht Bremen
Tax No.: 71-597-02876

