-------------------------------------------------------------------------
Debian LTS Advisory DLA-4452-1
https://www.debian.org/lts/security/                    Bastien Roucariès
January 24, 2026                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : apache2
Version        : 2.4.66-1~deb11u1
CVE ID         : CVE-2025-55753 CVE-2025-58098 CVE-2025-59775 CVE-2025-65082
                 CVE-2025-66200
Debian Bug     : 1121926
Multiple vulnerabilities were fixed in Apache httpd, a popular web server.

CVE-2025-55753

    An integer overflow was found in the handling of failed ACME certificate
    renewals: after a number of failures (about 30 days in default
    configurations) the backoff timer becomes 0, and renewal attempts are
    then repeated without any delay until one succeeds.

CVE-2025-58098

    Apache with Server Side Includes (SSI) enabled and mod_cgid (but not
    mod_cgi) passes the shell-escaped query string to #exec cmd="..."
    directives.

CVE-2025-59775

    A Server-Side Request Forgery (SSRF) vulnerability was found in Apache
    HTTP Server on Windows: with AllowEncodedSlashes On and MergeSlashes
    Off, NTLM hashes can potentially be leaked to a malicious server via
    SSRF.

CVE-2025-65082

    An Improper Neutralization of Escape, Meta, or Control Sequences
    vulnerability was found in Apache HTTP Server: environment variables
    set via the Apache configuration unexpectedly supersede variables
    calculated by the server for CGI programs.

CVE-2025-66200

    A mod_userdir+suexec bypass via AllowOverride FileInfo was found in
    Apache HTTP Server. Users who are allowed to use the RequestHeader
    directive in .htaccess can cause some CGI scripts to run under an
    unexpected user ID.
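
Three of the issues above only apply when a particular combination of directives is configured (SSI with mod_cgid, AllowEncodedSlashes On with MergeSlashes Off, and mod_userdir plus suexec with AllowOverride FileInfo). The following audit script is an added example, not part of this advisory or of the Debian packaging: it scans a single apache2 configuration text for those combinations and reports which CVE preconditions are present. The sample configuration is constructed, and the script does not follow Include directives or read .htaccess files; it is a triage aid, not a substitute for installing the fixed package.

```python
# Audit an apache2 configuration text for the directive combinations named
# in DLA-4452-1 as preconditions. Added illustration, not Debian's own code.
import re

# Constructed sample that contains every risky combination at once.
SAMPLE_CONFIG = """\
LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so
LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so
LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so
AllowEncodedSlashes On
MergeSlashes Off
<Directory /home/*/public_html>
    Options +Includes ExecCGI
    # FileInfo lets a .htaccess file use RequestHeader
    AllowOverride AuthConfig FileInfo
</Directory>
"""

# A directive line: a bare name followed by its arguments. Comment lines
# ('#...') and section tags ('<Directory ...>') do not match and are skipped.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*(.*?)\s*$")

def parse_directives(text):
    """Return [(lowercased directive name, [args]), ...] for the given text."""
    out = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            out.append((m.group(1).lower(), m.group(2).split()))
    return out

def audit(text):
    """Return the sorted CVE ids whose configuration precondition is present."""
    dirs = parse_directives(text)
    mods = {a[0].lower() for n, a in dirs if n == "loadmodule" and a}
    def present(name, pred):
        return any(n == name and pred(a) for n, a in dirs)
    hits = set()
    # CVE-2025-58098: SSI with #exec allowed (Includes or All, not IncludesNOEXEC) + mod_cgid.
    ssi = present("options", lambda a: any(x.lstrip("+").lower() in ("includes", "all") for x in a))
    if ssi and "cgid_module" in mods:
        hits.add("CVE-2025-58098")
    # CVE-2025-59775 (Windows hosts per the advisory): AllowEncodedSlashes On + MergeSlashes Off.
    enc = present("allowencodedslashes", lambda a: bool(a) and a[0].lower() == "on")
    merge_off = present("mergeslashes", lambda a: bool(a) and a[0].lower() == "off")
    if enc and merge_off:
        hits.add("CVE-2025-59775")
    # CVE-2025-66200: mod_userdir + suexec with AllowOverride granting FileInfo (or All).
    fileinfo = present("allowoverride", lambda a: any(x.lower() in ("fileinfo", "all") for x in a))
    if fileinfo and {"userdir_module", "suexec_module"} <= mods:
        hits.add("CVE-2025-66200")
    return sorted(hits)
```

Run it against the output of `apache2ctl -t -D DUMP_MODULES` plus your main configuration to get the module list and directives from one place; CVE-2025-55753 and CVE-2025-65082 have no single directive precondition and are only addressed by the upgrade.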

For Debian 11 bullseye, these problems have been fixed in version
2.4.66-1~deb11u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS