SUSE-SU-2026:21846-1: important: Security update for apache2
SLE-SECURITY-UPDATES
null at suse.de
Mon Jun 1 20:37:43 UTC 2026
# Security update for apache2
Announcement ID: SUSE-SU-2026:21846-1
Release Date: 2026-05-26T09:51:49Z
Rating: important
References:
* jsc#PED-16181
Cross-References:
* CVE-2024-42516
* CVE-2024-43204
* CVE-2024-47252
* CVE-2025-23048
* CVE-2025-49630
* CVE-2025-49812
* CVE-2025-53020
* CVE-2025-55753
* CVE-2025-58098
* CVE-2025-59775
* CVE-2025-65082
* CVE-2025-66200
CVSS scores:
* CVE-2024-42516 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-42516 ( SUSE ): 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
* CVE-2024-42516 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-43204 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2024-43204 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2024-43204 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-47252 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-47252 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2024-47252 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-23048 ( SUSE ): 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-23048 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-23048 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-49630 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-49630 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-49630 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-49812 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
* CVE-2025-49812 ( SUSE ): 7.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
* CVE-2025-49812 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-53020 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-53020 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-53020 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-55753 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-55753 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-55753 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-58098 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-58098 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-58098 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
* CVE-2025-59775 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-65082 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-65082 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-65082 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2025-66200 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-66200 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-66200 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that solves 12 vulnerabilities and contains one feature can now be
installed.
## Description:
This update for apache2 fixes the following issues:
Changes in apache2:
Version update to 2.4.66 (jsc#PED-16181)
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via
   AllowOverride FileInfo. Users with access to use the RequestHeader directive
   in .htaccess can cause some CGI scripts to run under an unexpected userid.
   This issue affects Apache HTTP Server from 2.4.7 through 2.4.65.
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable
   override. Improper Neutralization of Escape, Meta, or Control Sequences
   vulnerability in Apache HTTP Server: environment variables set via the
   Apache configuration unexpectedly supersede variables calculated by the
   server for CGI programs. This issue affects Apache HTTP Server from 2.4.0
   through 2.4.65.
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM leakage on Windows through
   UNC SSRF. Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
   Server on Windows with AllowEncodedSlashes On and MergeSlashes Off can
   potentially leak NTLM hashes to a malicious server via SSRF and malicious
   requests or content.
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds the
   query string to #exec cmd=... Apache HTTP Server 2.4.65 and earlier with
   Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the
   shell-escaped query string to #exec cmd="..." directives. This issue
   affects Apache HTTP Server before 2.4.66.
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended
   retry intervals. An integer overflow in the case of failed ACME certificate
   renewal leads, after a number of failures (~30 days in default
   configurations), to the backoff timer becoming 0. Attempts to renew the
   certificate are then repeated without delay until one succeeds. This issue
   affects Apache HTTP Server from 2.4.30 before 2.4.66.
*) mod_http2: Fix handling of 304 responses from mod_cache.
*) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
   integers, used in push diaries and proxy window size calculations.
*) mod_md: update to version 2.6.5
   - New directive `MDInitialDelay`, controlling how long to wait after a
     server restart before checking certificates for renewal. [Michael Kaufmann]
   - Hardening: when built with OpenSSL older than 1.0.2 or old libressl
     versions, the parsing of ASN.1 time strings did not do a length check.
   - Hardening: when reading back OCSP responses stored in the local JSON
     store, a missing 'valid' key led to uninitialized values, resulting in
     wrong refresh behaviour.
*) mod_md: update to version 2.6.6
   - Fix a small memory leak when using OpenSSL's BIGNUMs.
   - Fix reuse of curl easy handles by resetting them.
*) mod_http2: update to version 2.0.35. New directive `H2MaxStreamErrors` to
   control how much bad behaviour by clients is tolerated before the
   connection is closed.
*) mod_proxy_http2: add support for the ProxyErrorOverride directive.
*) mpm_common: Add new ListenTCPDeferAccept directive that allows specifying
   the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
*) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host
   compatibility policy.
*) mod_md: update to version 2.6.2
   - Fix error retry delay calculation so that the wait is not already doubled
     on the first error.
*) mod_md: update to version 2.6.1
   - Increase the default `MDRetryDelay` to 30 seconds to generate less bursty
     traffic on errored renewals for the ACME CA. This leads to error retries
     of 30s, 1 minute, 2, 4, etc. up to daily attempts.
   - Check that configuring `MDRetryDelay` results in a positive duration. A
     delay of 0 is not accepted.
   - Fix a bug in checking the Content-Type of responses from the ACME server.
   - Added ACME ARI support (RFC 9773) to the module. Enabled by default. New
     directive "MDRenewViaARI on|off" for controlling this.
   - Remove tailscale support. It has not been working for a long time as the
     company decided to change their APIs. Away with the dead code,
     documentation and tests.
   - Fixed a compilation issue with pre-industrial versions of libcurl.
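The CVE-2025-55753 entry above describes a general failure mode: an exponential retry backoff whose doubling is not bounded before the clamp, so that enough consecutive failures overflow the delay and turn it into an immediate retry. The Python below is an added illustration, not mod_md's code and not anything shipped in the apache2 package. It assumes the delay lives in a signed 64-bit microsecond counter (the width of APR's interval type), and takes the 30 s initial delay and daily cap from the changelog entries above. The failure count at which the wrapped value appears, the roughly 28 days of continuous failure it takes to get there, and the bounded-exponent fix are outputs of this model, not figures taken from upstream.

```python
"""Model of an unbounded exponential backoff overflowing to an immediate retry.

Added example, not mod_md's code. Assumes a signed 64-bit microsecond delay
(APR interval width), a 30 s initial delay doubled per failure, capped daily.
"""

MICROS = 1_000_000
INITIAL_DELAY = 30 * MICROS            # MDRetryDelay default of 30 s
MAX_DELAY = 24 * 60 * 60 * MICROS      # retries are at most daily
# Smallest shift that pushes the delay past the cap: 2880.bit_length() == 12
MAX_SHIFT = (MAX_DELAY // INITIAL_DELAY).bit_length()


def wrap_int64(x):
    """Reduce an unbounded integer to what a signed 64-bit counter would hold
    after two's-complement wraparound."""
    x &= (1 << 64) - 1
    return x - (1 << 64) if x >= (1 << 63) else x


def naive_backoff(failures):
    """Delay in microseconds after `failures` consecutive errors, doubling
    without bounding the shift. The clamp comes too late to save a value that
    has already wrapped negative, and a non-positive delay means 'retry now'."""
    return min(wrap_int64(INITIAL_DELAY << failures), MAX_DELAY)


def saturating_backoff(failures):
    """Same schedule, but the exponent is bounded before shifting, so the delay
    saturates at MAX_DELAY and cannot overflow for any failure count."""
    return min(INITIAL_DELAY << min(failures, MAX_SHIFT), MAX_DELAY)


def first_immediate_retry(backoff, limit=365):
    """Failure count at which `backoff` first yields a non-positive delay, or
    None if it stays positive for `limit` consecutive failures."""
    return next((n for n in range(limit) if backoff(n) <= 0), None)


def days_until_immediate_retry(backoff):
    """Wall-clock days of continuous renewal failure before the first immediate
    retry, summing the delays that were actually slept (MAX_DELAY == one day)."""
    n = first_immediate_retry(backoff)
    return None if n is None else sum(backoff(i) for i in range(n)) / MAX_DELAY


if __name__ == "__main__":
    for fn in (naive_backoff, saturating_backoff):
        print(fn.__name__, first_immediate_retry(fn), days_until_immediate_retry(fn))
```

The naive schedule reaches the daily cap after 12 failures and then spends 27 daily retries as a well-behaved client before the shift crosses 2^63 and the delay goes negative, which is the order of magnitude the advisory gives. The fix is not a larger integer but a bounded exponent: once the delay has hit the cap there is nothing left to double.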
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-800=1
* SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-800=1
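After patching, two checks are worth scripting: that the installed apache2 is at least 2.4.66, and whether the configuration preconditions the advisory names for CVE-2025-66200, CVE-2025-65082, CVE-2025-59775 and CVE-2025-58098 are present, so that the exposure before the patch can be judged. The Python below is an added example, not SUSE's or the ASF's tooling. Feed it the version string from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' apache2` and the concatenated text of the files that `apache2ctl -t -D DUMP_INCLUDES` lists (`apachectl` on other distributions). The sample configurations are constructed for the example, the directive-to-CVE mapping is derived from the advisory text, and the RFC 3875 meta-variable list is the example's assumption about which names the server computes for CGI.

```python
"""Audit an Apache httpd config for the directive preconditions named in this
advisory and check an apache2 version string against the fixed 2.4.66.

Added example, not SUSE's or the ASF's tooling. Parsing is line-based and
context-free (it ignores <Directory>/<VirtualHost> scoping, Include files and
SetEnvIf), so every finding is a candidate to confirm by hand, not a verdict.
"""

FIXED_VERSION = (2, 4, 66)

# Meta-variables the server computes for CGI scripts (RFC 3875, section 4.1);
# setting one of them from the config is the CVE-2025-65082 precondition.
CGI_META_VARS = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR",
    "REMOTE_HOST", "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD",
    "SCRIPT_NAME", "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
}

def version_is_fixed(version):
    """True if '2.4.65' or RPM-style '2.4.66-160000.1.1' is at least 2.4.66.
    Valid here because this update is a version bump; a backported fix would
    need the patch name from `zypper patches` instead."""
    upstream = version.split("-", 1)[0]
    return tuple(int(p) for p in upstream.split(".")) >= FIXED_VERSION

def directives(conf_text):
    """Yield (lowercased name, args) per directive line. Apache comments are
    whole lines starting with '#'; section tags (<...>) are skipped."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield name.lower(), args

def audit(conf_text):
    """One finding string per CVE whose advisory precondition conf_text meets."""
    modules, overridden = set(), []
    fileinfo = userdir = includes = enc_slashes = merge_off = False
    for name, args in directives(conf_text):
        low = [a.lower() for a in args]
        if name == "loadmodule" and low:
            modules.add(low[0])
        elif name == "allowoverride" and ({"fileinfo", "all"} & set(low)):
            fileinfo = True
        elif name == "userdir" and low and low[0] != "disabled":
            userdir = True
        # '-Includes' stays disabled and IncludesNOEXEC has no #exec at all
        elif name == "options" and any(a.lstrip("+") in ("includes", "all") for a in low):
            includes = True
        elif name == "allowencodedslashes" and low[:1] == ["on"]:
            enc_slashes = True
        elif name == "mergeslashes" and low[:1] == ["off"]:
            merge_off = True
        elif name in ("setenv", "passenv"):
            overridden += [a for a in args if a.upper() in CGI_META_VARS]

    findings = []
    if userdir and fileinfo and {"suexec_module", "headers_module"} <= modules:
        findings.append("CVE-2025-66200: UserDir + suexec with AllowOverride FileInfo "
                        "lets a .htaccess RequestHeader change the CGI userid")
    if includes and {"include_module", "cgid_module"} <= modules and "cgi_module" not in modules:
        findings.append("CVE-2025-58098: SSI #exec cmd under mod_cgid (not mod_cgi) "
                        "receives the shell-escaped query string")
    if overridden:
        findings.append("CVE-2025-65082: SetEnv/PassEnv overrides server-computed CGI "
                        "variable(s): " + ", ".join(overridden))
    if enc_slashes and merge_off:
        findings.append("CVE-2025-59775: AllowEncodedSlashes On with MergeSlashes Off "
                        "(advisory: Windows only; informational on Linux)")
    return findings

# Constructed sample configurations, not taken from any real server.
MODULES = """\
LoadModule headers_module modules/mod_headers.so
LoadModule suexec_module  modules/mod_suexec.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule include_module modules/mod_include.so
LoadModule cgid_module    modules/mod_cgid.so
UserDir public_html
"""
WEAK_CONF = MODULES + """\
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig
    Options +Includes
</Directory>
SetEnv REMOTE_USER anonymous
AllowEncodedSlashes On
MergeSlashes Off
"""
HARDENED_CONF = MODULES + """\
<Directory "/home/*/public_html">
    AllowOverride AuthConfig Limit
    Options +IncludesNOEXEC
</Directory>
SetEnv APP_ENV production
AllowEncodedSlashes Off
MergeSlashes On
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]", audit(conf) or "no findings")
```

A finding means the precondition appears in the text given to the script, not that the host is exploitable: the CVE-2025-59775 combination is reported as Windows-only by the advisory, the 66200 and 58098 checks require the relevant LoadModule lines to be in the input, and a directive that the scanner sees may be scoped to a location that never serves CGI. The version check is the part that actually confirms this update is installed; the audit only tells you which of the listed issues mattered before it was.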
## Package List:
* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
* apache2-utils-2.4.66-160000.1.1
* apache2-debugsource-2.4.66-160000.1.1
* apache2-debuginfo-2.4.66-160000.1.1
* apache2-utils-debugsource-2.4.66-160000.1.1
* apache2-worker-debuginfo-2.4.66-160000.1.1
* apache2-2.4.66-160000.1.1
* apache2-event-2.4.66-160000.1.1
* apache2-prefork-2.4.66-160000.1.1
* apache2-event-debuginfo-2.4.66-160000.1.1
* apache2-worker-debugsource-2.4.66-160000.1.1
* apache2-devel-2.4.66-160000.1.1
* apache2-prefork-debugsource-2.4.66-160000.1.1
* apache2-prefork-debuginfo-2.4.66-160000.1.1
* apache2-utils-debuginfo-2.4.66-160000.1.1
* apache2-event-debugsource-2.4.66-160000.1.1
* apache2-worker-2.4.66-160000.1.1
* SUSE Linux Enterprise Server 16.0 (noarch)
* apache2-manual-2.4.66-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
* apache2-utils-2.4.66-160000.1.1
* apache2-debugsource-2.4.66-160000.1.1
* apache2-debuginfo-2.4.66-160000.1.1
* apache2-utils-debugsource-2.4.66-160000.1.1
* apache2-worker-debuginfo-2.4.66-160000.1.1
* apache2-2.4.66-160000.1.1
* apache2-event-2.4.66-160000.1.1
* apache2-prefork-2.4.66-160000.1.1
* apache2-event-debuginfo-2.4.66-160000.1.1
* apache2-worker-debugsource-2.4.66-160000.1.1
* apache2-devel-2.4.66-160000.1.1
* apache2-prefork-debugsource-2.4.66-160000.1.1
* apache2-prefork-debuginfo-2.4.66-160000.1.1
* apache2-utils-debuginfo-2.4.66-160000.1.1
* apache2-event-debugsource-2.4.66-160000.1.1
* apache2-worker-2.4.66-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
* apache2-manual-2.4.66-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2024-42516.html
* https://www.suse.com/security/cve/CVE-2024-43204.html
* https://www.suse.com/security/cve/CVE-2024-47252.html
* https://www.suse.com/security/cve/CVE-2025-23048.html
* https://www.suse.com/security/cve/CVE-2025-49630.html
* https://www.suse.com/security/cve/CVE-2025-49812.html
* https://www.suse.com/security/cve/CVE-2025-53020.html
* https://www.suse.com/security/cve/CVE-2025-55753.html
* https://www.suse.com/security/cve/CVE-2025-58098.html
* https://www.suse.com/security/cve/CVE-2025-59775.html
* https://www.suse.com/security/cve/CVE-2025-65082.html
* https://www.suse.com/security/cve/CVE-2025-66200.html
* https://jira.suse.com/browse/PED-16181