On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > I was trying to triage this CVE and *maybe* those revisions are related:
> >
> > r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> > r1894940 ("reindent (no functional change).")
> > r1894977 ("Follow up to r1894937: Fix setting of empty value.")
> > r1895054 ("Follow up to r1894937: Always eat CRLF at the end of header
> > value.")
>
> Perhaps it's best to remove libapreq2 entirely? I don't use nor maintain it
> anymore, it's been out of testing for a while, and there's this CVE.

#ssh mirror.ftp-master.debian.org "dak rm -Rn libapreq2"
Will remove the following packages from unstable:

libapache2-mod-apreq2 | 2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
libapache2-request-perl | 2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
libapreq2 | 2.13-7 | source
libapreq2-3 | 2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
libapreq2-dev | 2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
libapreq2-doc | 2.13-7 | all

Maintainer: Steinar H. Gunderson <se...@debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
libapache2-authcassimple-perl: libapache2-authcassimple-perl
libapache2-sitecontrol-perl: libapache2-sitecontrol-perl
lua-apr: lua-apr
rapache: libapache2-mod-r-base

# Broken Build-Depends:
libapache2-sitecontrol-perl: libapache2-request-perl
lua-apr: libapreq2-dev
rapache: libapreq2-dev

Dependency problem found.

... and still there's a need to fix the CVE for stable (and also for (E)LTS)

(I'm currently taking a look at 2.17, to see if I can get it packaged, if I'm succeeding, there will be an NMU announcement :))

> /* Steinar */
> --
> Homepage: https://www.sesse.net/