Le 23/01/2019 à 21:50, Salvatore Bonaccorso a écrit : > Hi Xavier, > > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote: >> Le 23/01/2019 à 20:57, Salvatore Bonaccorso a écrit : >>> Control: tags -1 + fixed-upstream >>> Control: tags -1 - patch >>> >>> Hi Xavier, >>> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote: >>>> Hello, >>>> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the >>>> related documents. Can you give me the link to patch ? >>> >>> Well you are right, not a patch per se, maybe fixed-upstream and >>> "there is a patch" would have been better. Let me fix that. >>> >>> If feasible possibly updating to the new upstream version fixing this >>> CVE (and two other) would be better if still feasible so short before >>> the soft freeze. >>> >>> Regards, >>> Salvatore >> >> Hello, >> >> looking at last release changelog, bug seems not fixed > > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it > is fixed in 2.4.38 upstream. > > HTH, > > Regards, > Salvatore
I see that but the provided link [1] doesn't mention it, neither apache2 changelog. [1] https://httpd.apache.org/security/vulnerabilities_24.html
