Debian alert DLA-4452-1 (apache2)
| From: | rouca@debian.org |
| To: | <debian-lts-announce@lists.debian.org> |
| Subject: | [SECURITY] [DLA 4452-1] apache2 security update |
| Date: | Sat, 24 Jan 2026 23:23:45 +0100 |
| Message-ID: | <2d4b3028cb7df153c5479cdeb18b005d@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4452-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
January 24, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.66-1~deb11u1
CVE ID         : CVE-2025-55753 CVE-2025-58098 CVE-2025-59775 CVE-2025-65082 CVE-2025-66200
Debian Bug     : 1121926

Multiple vulnerabilities were fixed in Apache httpd, a popular web server.

CVE-2025-55753

    An integer overflow in the handling of failed ACME certificate renewals causes the backoff timer to become 0 after a number of failures (roughly 30 days with default configurations). Renewal attempts are then repeated without any delay until one succeeds.

CVE-2025-58098

    Apache with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.

CVE-2025-59775

    A Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows, with AllowEncodedSlashes On and MergeSlashes Off, can potentially leak NTLM hashes to a malicious server.

CVE-2025-65082

    An Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server: environment variables set via the Apache configuration unexpectedly supersede variables calculated by the server for CGI programs.

CVE-2025-66200

    A mod_userdir + suexec bypass via AllowOverride FileInfo in Apache HTTP Server. Users who can use the RequestHeader directive in .htaccess files can cause some CGI scripts to run under an unexpected user id.

For Debian 11 bullseye, these problems have been fixed in version 2.4.66-1~deb11u1.

We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
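To confirm that the upgrade actually landed on a bullseye host, here is an added Python example (not part of the advisory or of Debian's own tooling) that implements dpkg's version ordering, including the '~' rule that makes 2.4.66-1~deb11u1 sort below the plain 2.4.66-1, and checks an installed apache2 version against the fix version named above. It assumes the installed version string is supplied by the caller, for instance the output of `dpkg-query -W -f='${Version}' apache2`.

```python
import re

# Bullseye fix version named in DLA-4452-1.
FIXED_VERSION = "2.4.66-1~deb11u1"


def _weight(c):
    """dpkg's ordering for one non-digit character: '~' < end of run < letters < punctuation."""
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _component_key(s):
    """Turn an upstream version or Debian revision into a list that sorts like dpkg compares it.

    The string is cut into alternating non-digit / digit runs; digit runs compare numerically
    and non-digit runs character by character, with a 0 sentinel marking the end of each run
    so that a trailing '~' (weight -1) sorts below "nothing at all".
    """
    parts = re.split(r"(\d+)", s)                 # e.g. ['', '1', '~deb', '11', 'u', '1', '']
    nondigits, digits = parts[0::2], parts[1::2] + [""]
    return [(tuple(_weight(c) for c in nd) + (0,), int(d or "0"))
            for nd, d in zip(nondigits, digits)]


def version_key(version):
    """Split 'epoch:upstream-revision' (epoch and revision default to 0) into a sortable key."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _component_key(upstream), _component_key(revision)


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed apache2 version already carries the DLA-4452-1 fixes."""
    return compare_versions(installed, fixed) >= 0
```

On a Debian host the same check is available natively as `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' apache2)" ge 2.4.66-1~deb11u1`; the Python form is useful for inventory data collected from many hosts where dpkg is not at hand.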
