apache2: fix the regressions introduced by security upgrade in Bullseye?

To: Debian User <debian-user@lists.debian.org>
Subject: apache2: fix the regressions introduced by security upgrade in Bullseye?
From: Harald Dunkel <harri@afaics.de>
Date: Mon, 3 Apr 2023 14:27:48 +0200
Message-id: <[🔎] c8b14647-ca51-b7c6-30ec-fd534e6c6a9f@afaics.de>

Hi folks,

AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
with high severity). Good thing.

Unfortunately this introduced 2 regressions for mod_rewrite and
http2, see

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog

Would it be possible to fix the upgrade? I can turn off http2,
but I feel *very* bad about running an apache with a broken
mod_rewrite in production.


Thank you very much

Harri

Reply to:

Follow-Ups:
- Re: apache2: fix the regressions introduced by security upgrade in Bullseye?
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: apache2: fix the regressions introduced by security upgrade in Bullseye?
  - From: "Gareth Evans" <donotspam@fastmail.fm>

Prev by Date: Re: Buster => Bullseye: packages kept back
Next by Date: Re: apache2: fix the regressions introduced by security upgrade in Bullseye?
Previous by thread: Re: Buster => Bullseye: packages kept back
Next by thread: Re: apache2: fix the regressions introduced by security upgrade in Bullseye?
Index(es):
- Date
- Thread