consider a newer version of apache2 for lucid or backport some changes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
Binary package hint: apache2
Apache2 in an LTS release would greatly benefit from some recent changes in the Debian package:
In 2.2.14-6:
* Add a hook to apache2.2-common's postrm script that may come in handy
when upgrading to 2.4.
This may allow doing the 2.2 -> 2.4 upgrade in a cleaner way than the hack that was done for 2.0 -> 2.2 (which involved apache2.2-common deleting apache2-common's postrm script).
In 2.2.15:
- mod_ssl: Add SSLInsecureRene
renegotiation with clients which do not yet support the secure
renegotiation protocol. As this requires openssl 0.9.8m, bump
build dependency accordingly.
This allows an admin to configure how to treat clients that are vulnerable to CVE-2009-3555. Also, 2.2.15 has some improved protection for vulnerable clients.
In case you want to update to the most recent version despite the sizable changes, you should use 2.2.15-3, which has some important bug fixes over 2.2.15-2.
Thanks Stefan for the heads up about what's going on in Debian.
According to the Debian changelog, 2.2.15 requires openssl 0.9.8m, which is not available in lucid. I'm not sure we could update to this version of openssl in Lucid.
2.2.14-6 also introduces a bunch of new features which would require a Feature Freeze Exception.
Given where we are in the Lucid release cycle, it seems the best option would be to backport the apache2.2-common postrm hook to the package in Lucid.