File _patchinfo of Package patchinfo.40370

<patchinfo incident="40370">
  <issue tracker="jsc" id="PED-13317"/>
  <issue tracker="cve" id="2024-42516"/>
  <issue tracker="cve" id="2024-43204"/>
  <issue tracker="cve" id="2024-47252"/>
  <issue tracker="cve" id="2025-23048"/>
  <issue tracker="cve" id="2025-49630"/>
  <issue tracker="cve" id="2025-49812"/>
  <issue tracker="cve" id="2025-53020"/>
  <issue tracker="cve" id="2025-58098"/>
  <issue tracker="cve" id="2025-55753"/>
  <issue tracker="cve" id="2025-66200"/>
  <issue tracker="cve" id="2025-65082"/>
  <issue tracker="cve" id="2023-45802"/>
  <issue tracker="bnc" id="1254514">VUL-0: CVE-2025-65082: apache2: Apache HTTP Server: CGI environment variable override</issue>
  <issue tracker="bnc" id="1254511">VUL-0: CVE-2025-55753: apache2: Apache HTTP Server: mod_md (ACME), unintended retry intervals</issue>
  <issue tracker="bnc" id="1254515">VUL-0: CVE-2025-66200: apache2: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo</issue>
  <issue tracker="bnc" id="1254512">VUL-0: CVE-2025-58098: apache2: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...</issue>
  <issue tracker="bnc" id="1207327">apache 2.4 mod_proxy handling of very long url</issue>
  <issue tracker="bnc" id="1209585">apache2: Random build failures in "install-recursive"</issue>
  <issue tracker="bnc" id="1246306">VUL-0: CVE-2025-53020: apache2: HTTP/2 denial of service due to late release of memory after effective lifetime</issue>
  <issue tracker="bnc" id="1197301">apache cores frequently after recent update - Need app core analyzed</issue>
  <issue tracker="bnc" id="1209638">[Build :28256:apache2] openQA test fails in update_install</issue>
  <issue tracker="bnc" id="1246477">VUL-0: CVE-2024-42516: apache2: HTTP response splitting</issue>
  <issue tracker="bnc" id="1196249">apache2 had 2 crashes after updating apache2-prefork to 2.4.51-35.7.1 - coredump analysis needed</issue>
  <issue tracker="bnc" id="1198907">http2 child processes not being terminated ref:_00D1igLOd._5005q4vI2i:ref</issue>
  <issue tracker="bnc" id="1207399">apache2 httpd-prefork - 2.4.51-150400.6.3.1 - SIGFPE</issue>
  <issue tracker="bnc" id="1246169">VUL-0: CVE-2025-49812: apache2: Opossum Attack Application Layer Desynchronization using Opportunistic TLS</issue>
  <issue tracker="bnc" id="1209552">[Build 20230320-1] apache2 (tls13 fallout?) fails to access password protected directory</issue>
  <issue tracker="bnc" id="1246303">VUL-0: CVE-2024-47252: apache2: insufficient escaping of user-supplied data in mod_ssl allows an untrusted SSL/TLS client to insert escape characters into log files</issue>
  <issue tracker="bnc" id="1209500">Package conflict between apache2-tls13-prefork apache2-tls13-worker</issue>
  <issue tracker="bnc" id="1214454">"apache2-tls13-utils-2.4.51-35.32.1.ppc64le conflicts with apache-notls13-utils provided by apache2-utils-2.4.51-35.32.1.ppc64le" when installing apache2 packages</issue>
  <issue tracker="bnc" id="1246307">VUL-0: CVE-2025-49630: apache2: denial of service can be triggered by untrusted clients causing an assertion in mod_proxy_http2</issue>
  <issue tracker="bnc" id="1209511">Missing /etc/sysconfig/apache2 for apache2-tls13 package</issue>
  <issue tracker="bnc" id="1246302">VUL-0: CVE-2025-23048: apache2: access control bypass by trusted clients through TLS 1.3 session resumption in some mod_ssl configurations</issue>
  <issue tracker="bnc" id="1246305">VUL-0: CVE-2024-43204: apache2: SSRF when mod_proxy is loaded allows an attacker to send outbound proxy requests to a URL controlled by them</issue>
  <issue tracker="bnc" id="1197177">apache2 crashes after updating apache2-prefork to 2.4.51-35.7.1 - coredump analysis needed</issue>
  <issue tracker="bnc" id="1216423">VUL-0: CVE-2023-45802: apache2: HTTP/2 stream memory not reclaimed right away on RST</issue>
  <packager>mschreiner</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for apache2</summary>
  <description>This update for apache2 fixes the following issues:

- CVE-2025-55753: Fixed mod_md (ACME) unintended retry intervals (bsc#1254511)
- CVE-2025-65082: Fixed CGI environment variable override (bsc#1254514)
- CVE-2025-58098: Fixed Server Side Includes adding query string to #exec cmd=... (bsc#1254512)
- CVE-2025-66200: Fixed mod_userdir+suexec bypass via AllowOverride FileInfo (bsc#1254515)

Version update to 2.4.51 (jsc#PED-13317):

  - CVE-2024-42516: Fixed HTTP response splitting (bsc#1246477)
  - CVE-2024-43204: Fixed SSRF when mod_proxy is loaded allowing an attacker to send outbound proxy requests (bsc#1246305)
  - CVE-2024-47252: Fixed insufficient escaping of user-supplied data in mod_ssl (bsc#1246303)
  - CVE-2025-23048: Fixed access control bypass by trusted clients (bsc#1246302)
  - CVE-2025-49630: Fixed denial of service in mod_proxy_http2 (bsc#1246307)
  - CVE-2025-49812: Fixed Opossum Attack Application Layer Desynchronization using Opportunistic TLS (bsc#1246169)
  - CVE-2025-53020: Fixed HTTP/2 denial of service due to late release of memory after effective lifetime (bsc#1246306)
  - CVE-2023-45802: Fixed HTTP/2 stream memory not reclaimed right away on RST (bsc#1216423)
  </description>
</patchinfo>