[Git][security-tracker-team/security-tracker][master] Postpone apache2 DLA for CVE-2021-33193.
Roberto C. Sánchez (@roberto)
roberto at debian.org
Fri Aug 27 15:57:10 BST 2021
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3d6b11ef by Roberto C. Sánchez at 2021-08-27T10:56:42-04:00
Postpone apache2 DLA for CVE-2021-33193.
Following the same rationale as the security team on this: the main part
of the fix doesn't apply prior to 2.4.47 because of significant changes
to how SSL works and the lower likelihood of HTTP/2 being deployed on a
much older Apache.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -15793,6 +15793,7 @@ CVE-2021-33193 (A crafted method sent through HTTP/2 will bypass validation and
- apache2 2.4.48-4
[bullseye] - apache2 2.4.48-3.1+deb11u1
[buster] - apache2 <postponed> (Revisit when a suitable backport is available for 2.4.38)
+ [stretch] - apache2 <postponed> (Revisit when a suitable backport is available for 2.4.25)
NOTE: https://portswigger.net/research/http2
NOTE: https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c
CVE-2021-33192 (A vulnerability in the HTML pages of Apache Jena Fuseki allows an atta ...)
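Review bot: the added `[stretch]` line records only "Revisit when a suitable backport is available for 2.4.25", so the reason for postponing lives only in the commit log (the main part of the fix does not apply prior to 2.4.47, and HTTP/2 is less likely to be deployed on a much older Apache). Consider adding a NOTE line under this CVE that states that rationale, so whoever revisits the entry can tell from data/CVE/list itself what a "suitable backport" has to cover. The same applies to the existing `[buster]` line, which uses the identical wording for 2.4.38.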
=====================================
data/dla-needed.txt
=====================================
@@ -18,8 +18,6 @@ ansible
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
-apache2 (Roberto C. Sánchez)
---
exiv2 (Utkarsh Gupta)
NOTE: 20210801: check further; some no-dsa issues have piled up, too. (utkarsh)
NOTE: 20210816: wip, new CVEs added, too. comparing w/ buster. (utkarsh)
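Review bot: removing `-apache2 (Roberto C. Sánchez)` drops the package from dla-needed.txt entirely, while the commit message justifies postponing only CVE-2021-33193. It is worth confirming that no other open apache2 issue for stretch was relying on this entry before it goes. If one was, keep the entry with a dated NOTE in the style of the neighbouring ones (for example the `NOTE: 20210816: ...` line under exiv2) rather than deleting it.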
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d6b11ef1157de698d7091f86c2eb0430ee907d4