[Git][security-tracker-team/security-tracker][master] Postpone apache2 DLA for CVE-2021-33193.

Roberto C. Sánchez (@roberto) roberto at debian.org
Fri Aug 27 15:57:10 BST 2021 


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3d6b11ef by Roberto C. Sánchez at 2021-08-27T10:56:42-04:00
Postpone apache2 DLA for CVE-2021-33193.

Following the same rationale as the security team on this: the main part
of the fix doesn't apply prior to 2.4.47 because of significant changes
to how SSL works and the lower likelihood of HTTP/2 being deployed on a
much older Apache.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -15793,6 +15793,7 @@ CVE-2021-33193 (A crafted method sent through HTTP/2 will bypass validation and
 	- apache2 2.4.48-4
 	[bullseye] - apache2 2.4.48-3.1+deb11u1
 	[buster] - apache2 <postponed> (Revisit when a suitable backport is available for 2.4.38)
+	[stretch] - apache2 <postponed> (Revisit when a suitable backport is available for 2.4.25)
 	NOTE: https://portswigger.net/research/http2
 	NOTE: https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c
 CVE-2021-33192 (A vulnerability in the HTML pages of Apache Jena Fuseki allows an atta ...)


=====================================
data/dla-needed.txt
=====================================
@@ -18,8 +18,6 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-apache2 (Roberto C. Sánchez)
---
 exiv2 (Utkarsh Gupta)
   NOTE: 20210801: check further; some no-dsa issues have piled up, too. (utkarsh)
   NOTE: 20210816: wip, new CVEs added, too. comparing w/ buster. (utkarsh)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d6b11ef1157de698d7091f86c2eb0430ee907d4

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d6b11ef1157de698d7091f86c2eb0430ee907d4
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210827/49a8fd34/attachment.htm>

More information about the debian-security-tracker-commits mailing list