| Package | apache2 |
|---|---|
| Version | 2.4.59-1~deb10u6 (buster) |
| Related CVEs | CVE-2025-55753 CVE-2025-58098 CVE-2025-65082 CVE-2025-66200 |

Multiple vulnerabilities were fixed in the Apache HTTPD server, a popular web server.

CVE-2025-55753

Update mod_md to v2.6.6.
An integer overflow was found. When ACME certificate renewal keeps
failing, the backoff timer becomes 0 after a number of failures
(~30 days in default configurations). Attempts to renew the
certificate are then repeated without delay until one succeeds.

CVE-2025-58098

Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives.

CVE-2025-65082

An Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server: environment
variables set via the Apache configuration unexpectedly
supersede variables calculated by the server for CGI programs.

CVE-2025-66200

A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to use the RequestHeader directive
in htaccess can cause some CGI scripts to run under an unexpected userid.

For Debian 10 buster, these problems have been fixed in version 2.4.59-1~deb10u6.
We recommend that you upgrade your apache2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.
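
To prioritise hosts that cannot be upgraded at once, the preconditions named for CVE-2025-58098 and CVE-2025-66200 can be checked against the server configuration. The following is an added example, not part of the advisory or of the Apache project's code: a triage heuristic that assumes the caller has concatenated the enabled module and site files into one string, and it does not follow Include directives or read .htaccess files. The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample: concatenated Apache configuration, not from a real host.
SAMPLE_CONF = """\
LoadModule include_module /usr/lib/apache2/modules/mod_include.so
LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so
LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so
LoadModule suexec_module /usr/lib/apache2/modules/mod_suexec.so
# Options +Includes
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig
    Options +IncludesNOEXEC
</Directory>
<Directory /var/www/html>
    Options +Includes
    AllowOverride None
</Directory>
"""


def directives(conf):
    """Yield (line number, lowercased name, args), skipping comments and section tags."""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield lineno, name.lower(), args


def audit(conf):
    """Return [(cve, line number)] for directives matching the advisory's preconditions."""
    items = list(directives(conf))
    mods = {args[0].lower() for _, name, args in items if name == "loadmodule" and args}
    ssi_exec = {"include_module", "cgid_module"} <= mods  # SSI + mod_cgid, not mod_cgi
    userdir_suexec = {"userdir_module", "suexec_module"} <= mods
    findings = []
    for lineno, name, args in items:
        # "-Includes" switches an option off, so negated arguments are dropped.
        enabled = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
        # Includes (or All) permits #exec cmd; IncludesNOEXEC does not.
        if ssi_exec and name == "options" and enabled & {"includes", "all"}:
            findings.append(("CVE-2025-58098", lineno))
        # RequestHeader in .htaccess requires AllowOverride FileInfo (or All).
        if userdir_suexec and name == "allowoverride" and enabled & {"fileinfo", "all"}:
            findings.append(("CVE-2025-66200", lineno))
    return findings


if __name__ == "__main__":
    for cve, lineno in audit(SAMPLE_CONF):
        print(f"{cve}: precondition at line {lineno}")
```

A finding means the configuration meets the conditions the advisory describes, not that the host has been abused; upgrading to the fixed package version remains the remedy.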