| Package | apache2 |
|---|---|
| Version | 2.4.25-3+deb9u24 (stretch), 2.4.59-1~deb10u8 (buster) |
| Related CVEs | CVE-2026-49975 |
It was discovered that incorrect cookie header accounting in the HTTP/2 implementation of the Apache HTTP server may result in denial of service (excessive resources consumption).
For Debian 10 buster, these problems have been fixed in version 2.4.59-1~deb10u8.
For Debian 9 stretch, these problems have been fixed in version 2.4.25-3+deb9u24.
We recommend that you upgrade your apache2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.