On 08/06/2021 at 10:51, Yadd wrote:
> On 08/06/2021 at 08:25, Yadd wrote:
>> On 08/06/2021 at 07:58, Yadd wrote:
>>> On 07/06/2021 at 17:34, Salvatore Bonaccorso wrote:
>>>> Source: apache2
>>>> Version: 2.4.47-1
>>>> Severity: grave
>>>> Tags: security upstream
>>>> Justification: user security hole
>>>> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>>>> <t...@security.debian.org>
>>>>
>>>> Hi,
>>>>
>>>> The following vulnerability was published for apache2.
>>>>
>>>> CVE-2021-31618[0]:
>>>> | httpd: NULL pointer dereference on specially crafted HTTP/2 request
>>>>
>>>> If you fix the vulnerability please also make sure to include the
>>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>>>
>>>> For further information see:
>>>>
>>>> [0] https://security-tracker.debian.org/tracker/CVE-2021-31618
>>>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
>>>> [1] https://github.com/apache/httpd/commit/a4fba223668c554e06bc78d6e3a88f33d4238ae4
>>>> [2] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
>>>>
>>>> Please adjust the affected versions in the BTS as needed.
>>>>
>>>> Regards,
>>>> Salvatore
>>>
>>> Hi all,
>>>
>>> I can't import the whole patch for Bullseye since it is written for
>>> 2.4.47. I think the best solution is to import the whole http2 module in
>>> Bullseye. This gives the attached patch.
>>>
>>> Cheers,
>>> Yadd
>>
>> We can also fix this for Buster the same way (we did it previously
>> for 2.4.46). Here is the debdiff.
>
> Update for Buster
I was wrong for both Bullseye and Buster: we can't import HTTP2 from 2.4.28 (too intrusive: the SSL stack changed). So I'll try to patch Apache, but it seems not easy to do...

Cheers (and sorry),
Yadd