Hi Philipp,

> <https://security-tracker.debian.org/tracker/CVE-2023-25690> lists
> "2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable.
> Are there any plans to back-port the change to that older version, e.g.
> - Debian-10-Buster Security
> - Debian-9-Stretch ELTS (Freexian)
> 
> If this is already some work-in-progress maybe you can share some
> information on the progress and if there is an estimated time frame.
> 
> According to my own research 
> <https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff>
> and 
> <https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0>
> apply cleanly also to both 2.4.25-3+deb9u14 and 2.4.38-3+deb10u9. Ubuntu
> seems to go with just these two commits:
> <https://ubuntu.com/security/CVE-2023-25690>
> 
> Thank you for your work and time

Buster is in LTS stage at this point, you should direct your question
to debian-lts@l.d.o instead.

Greetings to Horn-Lehe :-)

        Moritz
