Format: 1.8
Date: Fri, 05 Jun 2026 12:55:53 +0200
Source: apache2
Architecture: source
Version: 2.4.67-1~deb13u3
Distribution: trixie-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Changes:
 apache2 (2.4.67-1~deb13u3) trixie-security; urgency=medium
 .
   * Fix CVE-2026-49975 (HTTP/2 Bomb)
     The bomb targets HPACK, HTTP/2's header compression scheme:
     one byte on the wire becomes one full header allocation on the
     server, repeated thousands of times per request. The hold is a
     zero-byte flow-control window that keeps the server from ever
     freeing any of it.