Format: 1.8
Date: Sat, 06 Jun 2026 19:10:00 +0200
Source: apache2
Architecture: source
Version: 2.4.67-1~deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1138750
Changes:
 apache2 (2.4.67-1~deb11u2) bullseye-security; urgency=medium
 .
   * Fix CVE-2026-49975 (HTTP/2 Bomb)
     The bomb targets HPACK, HTTP/2's header compression scheme:
     one byte on the wire becomes one full header allocation on the
     server, repeated thousands of times per request. The hold is a
     zero-byte flow-control window that keeps the server from ever
     freeing any of it.
     (Closes: #1138750)