Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted apache2 2.4.67-2 (source) into unstable
Date: Wed, 03 Jun 2026 16:49:10 +0000
Signed by: Bastien ROUCARIÈS <rouca@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 May 2026 18:39:07 +0200
Source: apache2
Architecture: source
Version: 2.4.67-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1135096
Changes:
 apache2 (2.4.67-2) unstable; urgency=medium
 .
   * Fix a typo in NEWS file (Closes: #1135096)
   * Fix CVE-2026-49975 (HTTP/2 Bomb)
     The bomb targets HPACK, HTTP/2's header compression
     scheme: one byte on the wire becomes one full header
     allocation on the server, repeated thousands of times
     per request. The hold is a zero-byte flow-control
     window that keeps the server from ever freeing any of it.
Checksums-Sha1:
 73a8aeada189d35106e1c5c79fe4ae7b42df9cb7 3680 apache2_2.4.67-2.dsc
 46e72f3395f75d49d6c8ab20c31521bf1a3d8107 9714011 apache2_2.4.67.orig.tar.gz
 837c2618ed0b131cdab25466f45bceb7fb73c291 870 apache2_2.4.67.orig.tar.gz.asc
 85f9daed138e380b52b47ad0aa89144b78d0ef81 833504 apache2_2.4.67-2.debian.tar.xz
 764247bfd950a12fa87a02172f9e155ca1ed1099 5778 apache2_2.4.67-2_source.buildinfo
Checksums-Sha256:
 445ddd95bfe20cfc40b03382e45f6a5065a9929342eeeaa1fa138b4ac3d6a814 3680 apache2_2.4.67-2.dsc
 10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 9714011 apache2_2.4.67.orig.tar.gz
 d8a6e18c2f892aa901121d14852717bddf42e430b0f48f853a4effce7b89f348 870 apache2_2.4.67.orig.tar.gz.asc
 b3d6cc0cb511afb5fa6c4a03d091e124d926363cd50d2bad3e8b21c4456353d2 833504 apache2_2.4.67-2.debian.tar.xz
 cfa467e6641b3772f07304e6d59c2f0bbed747d600d7a2d1eeaff614a5c94d06 5778 apache2_2.4.67-2_source.buildinfo
Files:
 1e2402f59a4837d1f6de58d048b0e8bb 3680 httpd optional apache2_2.4.67-2.dsc
 cf51fc1963b35360240f4225c2921d4b 9714011 httpd optional apache2_2.4.67.orig.tar.gz
 8831f0957bcf06bb810d7def20d5d790 870 httpd optional apache2_2.4.67.orig.tar.gz.asc
 f53a150f1e77bd828c829f303e2cf77e 833504 httpd optional apache2_2.4.67-2.debian.tar.xz
 cf1dabc6655cbde5e2f039e5b70f927d 5778 httpd optional apache2_2.4.67-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

wsG7BAEBCgBvBYJqIFd0CRAAOhotqkEIX0cUAAAAAAAeACBzYWx0QG5vdGF0aW9u
cy5zZXF1b2lhLXBncC5vcmcuaUYTwnMuZ2NISiUNew1XpUw+5+np6+YCv2PRghlt
5BYhBF0Bh7lAokW617D1agA6Gi2qQQhfAADFfQ//S4MF8T8D103yoLzAXMrxZqXK
yVYgIyoDRieyTvMLqmQs8N+0c/zGi+G5NWY3QKgyZyPFdzwb9LW4GTUlCOar4p4F
qn52ljztLOhtpqPqiKYSkQ7yY0oeJp8gKUjgMGJGk6co3mUFMj7jEFSVIifeYPAy
z/BvP+pzvjeh1qjdr+d/eoDrLUQwhy+YhRJH8I48n3DHW/UBGWBj80NmQAKEkBR1
NkE6mXB9rPZGDic4EMh8ZAIJ2QI3rgkWBhKlDezMwSdsQ9WZzdnfAPGCvKH0DeXk
5wrEQl2Gre84c2MGmklwtdGyRj0hiuWw1n1CdmBKDkrOHTpt4VfEGzIEvbPUvGiD
Bc5q0KHhNQevfm2AsSw6Uz5JLt/wYCxiEK57gk8t5Fc2slXvJE8AOsDCiTU345ch
iECPGl0UmVeZv9pWcZrxi8+b7q7EEe7IGAhH+vi4OGY31rYPkWNaIx8mUCIG76aV
9iqM6zwxwuOSFzQ7vutugFfesmjdwZMHCx8Q3XLbUzgHshuIGMuZjAwpsV9PZNTB
P9RVIWFBgWqeqObnksB7WuYmYzZr5B8Ex7yy6N6tIBs7Ntj90UecULcUiGAzYN1A
eB9S2tWJLjfYu0XKF8uKZP3nOzU88TSdO0SbL4X7fcdI0QiDN4SJ+oW0N/mTCsvG
IZhAU8kn4rAUiPCzSsk=
=TWvq
-----END PGP SIGNATURE-----
News for package apache2
