Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Gareth Evans
On Mon  3 Apr 2023, at 16:28, Gareth Evans  wrote:
> On Mon  3 Apr 2023, at 13:27, Harald Dunkel  wrote:
>> Hi folks,
>>
>> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
>> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
>> with high severity). Good thing.
>>
>> Unfortunately this introduced 2 regressions for mod_rewrite and
>> http2, see
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
>> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
>>
>> Would it be possible to fix the upgrade? I can turn off http2,
>> but I feel *very* bad about running an apache with a broken
>> mod_rewrite in production.
>>
>>
>> Thank you very much
>>
>> Harri
>
>
> "In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...] 
>
> For the stable distribution (bullseye), these problems have been fixed 
> in version 2.4.56-1~deb11u1.
>
> We recommend that you upgrade your apache2 packages."
>
> https://www.debian.org/security/2023/dsa-5376
>
> $ apt policy apache2
> apache2:
>   Installed: 2.4.56-1~deb11u1
>   Candidate: 2.4.56-1~deb11u1
>   Version table:
>  *** 2.4.56-1~deb11u1 500
> 500 http://security.debian.org/debian-security 
> bullseye-security/main amd64 Packages
>
> You will need at least
>
> deb http://security.debian.org/debian-security/ bullseye-security main 
>
> in /etc/apt/sources.list if not there already, though I think "contrib" 
> and certainly "non-free" are unnecessary in this particular case.
>
> Best wishes,
> Gareth

Sorry, you were talking about regressions - concentration lapse on my part.
G



Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Gareth Evans
On Mon  3 Apr 2023, at 13:27, Harald Dunkel  wrote:
> Hi folks,
>
> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
> with high severity). Good thing.
>
> Unfortunately this introduced 2 regressions for mod_rewrite and
> http2, see
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
>
> Would it be possible to fix the upgrade? I can turn off http2,
> but I feel *very* bad about running an apache with a broken
> mod_rewrite in production.
>
>
> Thank you very much
>
> Harri


"In Mitre's CVE dictionary: [..] CVE-2023-25690, CVE-2023-27522 [...] 

For the stable distribution (bullseye), these problems have been fixed in 
version 2.4.56-1~deb11u1.

We recommend that you upgrade your apache2 packages."

https://www.debian.org/security/2023/dsa-5376

$ apt policy apache2
apache2:
  Installed: 2.4.56-1~deb11u1
  Candidate: 2.4.56-1~deb11u1
  Version table:
 *** 2.4.56-1~deb11u1 500
500 http://security.debian.org/debian-security bullseye-security/main 
amd64 Packages

You will need at least

deb http://security.debian.org/debian-security/ bullseye-security main 

in /etc/apt/sources.list if not there already, though I think "contrib" and 
certainly "non-free" are unnecessary in this particular case.

Best wishes,
Gareth



Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Vincent Lefevre
On 2023-04-03 15:59:15 +0200, Harald Dunkel wrote:
> On 2023-04-03 14:49:16, Vincent Lefevre wrote:
> > 
> > What about apache2 2.4.56-2?
> 
> This version is not in Bullseye. Only 2.4.56-1, introducing
> the regressions.

If you're talking about Bullseye, 2.4.56-1 isn't in Bullseye either.
It is 2.4.56-1~deb11u1 that got to stable-security. So I think that
you need to wait for another update for Bullseye, but since the
regressions were fixed only yesterday, this may take several days.
See when something new appears on

  https://tracker.debian.org/pkg/apache2

You may also try to patch and rebuild apache2.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Harald Dunkel

On 2023-04-03 14:49:16, Vincent Lefevre wrote:
> What about apache2 2.4.56-2?

This version is not in Bullseye. Only 2.4.56-1, introducing
the regressions.



Re: apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Vincent Lefevre
Hi,

On 2023-04-03 14:27:48 +0200, Harald Dunkel wrote:
> AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
> CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
> with high severity). Good thing.
> 
> Unfortunately this introduced 2 regressions for mod_rewrite and
> http2, see
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
> https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog
> 
> Would it be possible to fix the upgrade? I can turn off http2,
> but I feel *very* bad about running an apache with a broken
> mod_rewrite in production.

What about apache2 2.4.56-2?

"Fix regression in mod_rewrite introduced in version 2.4.56"
"Fix regression in http2 introduced by 2.4.56"

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



apache2: fix the regressions introduced by security upgrade in Bullseye?

2023-04-03 Thread Harald Dunkel

Hi folks,

AFAIU apache2 2.4.56-1 has been included in Bullseye to mitigate
CVE-2023-27522 and CVE-2023-25690 (both some mod_proxy issue
with high severity). Good thing.

Unfortunately this introduced 2 regressions for mod_rewrite and
http2, see

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033284
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033408
https://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.4.56-2_changelog

Would it be possible to fix the upgrade? I can turn off http2,
but I feel *very* bad about running an apache with a broken
mod_rewrite in production.


Thank you very much

Harri