Hi Philipp,

> <https://security-tracker.debian.org/tracker/CVE-2023-25690> lists
> "2.4.38-3+deb10u9" from Debian-10-Buster as still vulnerable.
> Are there any plans to back-port the change to that older version, e.g.
> - Debian-10-Buster Security
> - Debian-9-Stretch ELTS (Freexian)
>
> If this is already some work-in-progress maybe you can share some
> information on the progress and if there is an estimated time frame.
>
> According to my own research
> <https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff>
> and
> <https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0>
> apply cleanly also to both 2.4.25-3+deb9u14 and 2.4.38-3+deb10u9. Ubuntu
> seems to go with just these two commits:
> <https://ubuntu.com/security/CVE-2023-25690>
>
> Thank you for your work and time

Buster is in LTS stage at this point, you should direct your question to
debian-lts@l.d.o instead.

Greetings to Horn-Lehe :-)

Moritz