File _patchinfo of Package patchinfo.39827

<patchinfo incident="39827">
  <issue tracker="cve" id="2025-53020"/>
  <issue tracker="cve" id="2025-49812"/>
  <issue tracker="cve" id="2024-42516"/>
  <issue tracker="cve" id="2024-43204"/>
  <issue tracker="cve" id="2025-49630"/>
  <issue tracker="cve" id="2025-23048"/>
  <issue tracker="cve" id="2024-47252"/>
  <issue tracker="bnc" id="1246477">VUL-0: CVE-2024-42516: apache2: HTTP response splitting</issue>
  <issue tracker="bnc" id="1246305">VUL-0: CVE-2024-43204: apache2: SSRF when mod_proxy is loaded allows an attacker to send outbound proxy requests to a URL controlled by them</issue>
  <issue tracker="bnc" id="1246306">VUL-0: CVE-2025-53020: apache2: HTTP/2 denial of service due to late release of memory after effective lifetime</issue>
  <issue tracker="bnc" id="1246307">VUL-0: CVE-2025-49630: apache2: denial of service can be triggered by untrusted clients causing an assertion in mod_proxy_http2</issue>
  <issue tracker="bnc" id="1246302">VUL-0: CVE-2025-23048: apache2: access control bypass by trusted clients through TLS 1.3 session resumption in some mod_ssl configurations</issue>
  <issue tracker="bnc" id="1246169">VUL-0: CVE-2025-49812: apache2: Opossum Attack Application Layer Desynchronization using Opportunistic TLS</issue>
  <issue tracker="bnc" id="1246303">VUL-0: CVE-2024-47252: apache2: insufficient escaping of user-supplied data in mod_ssl allows an untrusted SSL/TLS client to insert escape characters into log files</issue>
  <packager>mschreiner</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for apache2</summary>
  <description>This update for apache2 fixes the following issues:

- CVE-2024-42516: Fixed HTTP response splitting. (bsc#1246477)
- CVE-2024-43204: Fixed an SSRF when mod_proxy is loaded that allows an attacker to send outbound proxy requests to a URL controlled by them. (bsc#1246305)
- CVE-2024-47252: Fixed insufficient escaping of user-supplied data in mod_ssl that allows an untrusted SSL/TLS client to insert escape characters into log files. (bsc#1246303)
- CVE-2025-23048: Fixed access control bypass by trusted clients through TLS 1.3 session resumption in some mod_ssl configurations. (bsc#1246302)
- CVE-2025-49630: Fixed a denial of service that can be triggered by untrusted clients causing an assertion in mod_proxy_http2. (bsc#1246307)
- CVE-2025-49812: Fixed Opossum Attack Application Layer Desynchronization using Opportunistic TLS. (bsc#1246169)
- CVE-2025-53020: Fixed HTTP/2 denial of service due to late release of memory after effective lifetime. (bsc#1246306)
</description>
</patchinfo>