Yadd wrote: > Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened > [1].
Note that this isn't really accurate: While there are CVEs listed with 2019- or 2020-, those were in fact all only recently published with the latest Apache release. > Then I'd like to see if it is possible to follow 2.4.x changes for > Bullseye (and maybe Buster). Upstream provides fully-tested versions > with no major behavior changes in 2.4.x branch [2], but with many CVE > fixes [3]. JFTR, I think this is worth a shot. TTBOMK the httpd developers avoid breaking changes within 2.4.x and with the many different modules around, the test coverage around their maintenance releases is certainly higher than what we can realistically cover with testing for isolated backports. Cheers, Moritz