Format: 1.8
Date: Fri, 05 Jun 2026 12:55:53 +0200
Source: apache2
Architecture: source
Version: 2.4.67-1~deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 apache2 (2.4.67-1~deb12u3) bookworm-security; urgency=medium
 .
   * Fix CVE-2026-49975 (HTTP/2 Bomb)
     The bomb targets HPACK, HTTP/2's header compression scheme:
     one byte on the wire becomes one full header allocation on the
     server, repeated thousands of times per request.
     The hold is a zero-byte flow-control window that keeps the server
     from ever freeing any of it.