Hi Xavier,

On Wed, Jan 23, 2019 at 09:54:29PM +0100, Xavier wrote:
> On 23/01/2019 at 21:50, Salvatore Bonaccorso wrote:
> > Hi Xavier,
> >
> > On Wed, Jan 23, 2019 at 09:46:44PM +0100, Xavier wrote:
> >> On 23/01/2019 at 20:57, Salvatore Bonaccorso wrote:
> >>> Control: tags -1 + fixed-upstream
> >>> Control: tags -1 - patch
> >>>
> >>> Hi Xavier,
> >>>
> >>> On Wed, Jan 23, 2019 at 09:18:36AM +0100, Xavier wrote:
> >>>> Hello,
> >>>>
> >>>> Debian bug is tagged as "patch", but I didn't find any patch in the
> >>>> related documents. Can you give me the link to patch?
> >>>
> >>> Well you are right, not a patch per se, maybe fixed-upstream and
> >>> "there is a patch" would have been better. Let me fix that.
> >>>
> >>> If feasible possibly updating to the new upstream version fixing this
> >>> CVE (and two other) would be better if still feasible so short before
> >>> the soft freeze.
> >>>
> >>> Regards,
> >>> Salvatore
> >>
> >> Hello,
> >>
> >> looking at last release changelog, bug seems not fixed
> >
> > Cf. https://www.openwall.com/lists/oss-security/2019/01/22/4, where it
> > is fixed in 2.4.38 upstream.
> >
> > HTH,
> >
> > Regards,
> > Salvatore
>
> I see that but the provided link [1] doesn't mention it, neither apache2
> changelog.

I'm almost sure this is just because the respective vulnerabilities_24
page has just not yet been updated accordingly. The fixes are mentioned
already in the upstream changelog at
https://www.apache.org/dist/httpd/CHANGES_2.4.38 .

Regards,
Salvatore