Control: tags -1 + confirmed

For reference, this mail did not make it to debian-release, most likely due to the size of the attachments. In such cases, you may wish to follow up to the original mail with a small response so that it is more visible to people following the list rather than the BTS.
On Mon, 2022-03-14 at 18:14 +0100, Yadd wrote:
> Apache2 is vulnerable to 4 medium CVEs:
> * mod_lua: Use of uninitialized value in r:parsebody (CVE-2022-22719)
> * HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (CVE-2022-22720)
> * Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
> * mod_sed: Read/write beyond bounds (CVE-2022-23943)
>
> [ Impact ]
> Medium vulnerabilities
>
> [ Tests ]
> Test updated (debian/perl-framework/ directory), passed
>
> [ Risks ]
> Moderate risk. We chose to follow upstream versions in Bullseye because we didn't succeed in maintaining previous versions due to big upstream changes. For example, the Buster http2 stack is a full port of Apache-2.4.48.
> Upstream seems to provide well-tested upgrades without regressions.

Please go ahead.

Regards,

Adam