Security update for apache2
| Announcement ID: | SUSE-SU-2026:21846-1 |
|---|---|
| Release Date: | 2026-05-26T09:51:49Z |
| Rating: | important |
| References: | CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020, CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200, jsc#PED-16181 |
| Affected Products: | SUSE Linux Enterprise Server 16.0, SUSE Linux Enterprise Server for SAP applications 16.0 |
An update that solves 12 vulnerabilities and contains one feature can now be installed.
Description:
This update for apache2 fixes the following issues:
Changes in apache2:
Version update to 2.4.66 (jsc#PED-16181)
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
   bypass via AllowOverride FileInfo.
   Users with access to the RequestHeader directive in .htaccess (which
   AllowOverride FileInfo grants) can cause some CGI scripts to run under
   an unexpected userid.
   This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
   variable override.
   Improper Neutralization of Escape, Meta, or Control Sequences
   vulnerability in Apache HTTP Server: environment variables set via the
   Apache configuration unexpectedly supersede variables calculated by the
   server for CGI programs.
   This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
   Windows through UNC SSRF.
   Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
   Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
   allows an attacker to potentially leak NTLM hashes to a malicious
   server via SSRF and malicious requests or content. The affected code
   path (UNC paths) is Windows-specific; the fix is listed here because it
   ships with the 2.4.66 version update.
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
   Includes adds query string to #exec cmd=...
   Apache HTTP Server 2.4.65 and earlier with Server Side Includes
   (SSI) enabled and mod_cgid (but not mod_cgi) passes the
   shell-escaped query string to #exec cmd="..." directives. Note that
   Options IncludesNOEXEC disables the #exec element altogether.
   This issue affects Apache HTTP Server before 2.4.66.
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
   unintended retry intervals.
   An integer overflow in the case of failed ACME certificate
   renewal leads, after a number of failures (~30 days in default
   configurations), to the backoff timer becoming 0. Attempts to
   renew the certificate are then repeated without delay until one
   succeeds.
   This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
*) mod_http2: Fix handling of 304 responses from mod_cache.
*) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
   integers, used in push diaries and proxy window size calculations.
*) mod_md: update to version 2.6.5
   - New directive MDInitialDelay, controlling how long to wait after
     a server restart before checking certificates for renewal.
     [Michael Kaufmann]
   - Hardening: when built with OpenSSL older than 1.0.2 or old libressl
     versions, the parsing of ASN.1 time strings did not do a length check.
   - Hardening: when reading back OCSP responses stored in the local JSON
     store, a missing 'valid' key led to uninitialized values, resulting in
     wrong refresh behaviour.
*) mod_md: update to version 2.6.6
   - Fix a small memory leak when using OpenSSL's BIGNUMs.
   - Fix reuse of curl easy handles by resetting them.
*) mod_http2: update to version 2.0.35
   New directive H2MaxStreamErrors to control how much bad behaviour
   by clients is tolerated before the connection is closed.
*) mod_proxy_http2: add support for the ProxyErrorOverride directive.
*) mpm_common: Add new ListenTCPDeferAccept directive that allows specifying
   the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
*) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
   host compatibility policy.
*) mod_md: update to version 2.6.2
   - Fix error retry delay calculation so that it does not already double
     the wait on the first error.
*) mod_md: update to version 2.6.1
   - Increasing default MDRetryDelay to 30 seconds to generate less bursty
     traffic on errored renewals for the ACME CA. This leads to error retries
     of 30s, 1 minute, 2, 4, etc. up to daily attempts.
   - Checking that configuring MDRetryDelay will result in a positive
     duration. A delay of 0 is not accepted.
   - Fix a bug in checking Content-Type of responses from the ACME server.
   - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
     directive "MDRenewViaARI on|off" for controlling this.
   - Removing tailscale support. It has not been working for a long time
     as the company decided to change their APIs. Away with the dead code,
     documentation and tests.
   - Fixed a compilation issue with pre-industrial versions of libcurl.
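The SECURITY items above each name a configuration state that has to be present for the issue to matter: mod_userdir plus suexec with AllowOverride FileInfo (CVE-2025-66200), Options Includes together with mod_cgid (CVE-2025-58098), AllowEncodedSlashes On with MergeSlashes Off (CVE-2025-59775, Windows builds only), and an MDomain managed by mod_md (CVE-2025-55753). The script below, added here as an example and not SUSE or Apache project tooling, scans a flattened httpd configuration for those combinations so a host still on a pre-2.4.66 package can be triaged. It assumes the configuration has been dumped with Include files expanded (for instance `apache2ctl -t -DDUMP_CONFIG` on SUSE; the invocation is an assumption), so LoadModule and vhost directives appear in a single file. CVE-2025-65082 is not checked because the description does not pin down which configured variables collide with CGI meta-variables. The function names and the embedded sample configuration are constructed for this demonstration.

```shell
#!/bin/sh
# Exposure scan for the configuration conditions named in the advisory.
# Added example; not SUSE or Apache project tooling. Input is a flattened
# httpd configuration (assumption: Include files already expanded).

# directive_set REGEX FILE: true if an uncommented line of FILE starts with
# a match for REGEX (extended regex, case-insensitive like httpd itself).
directive_set() {
    grep -Eiq "^[[:space:]]*$1" "$2"
}

# scan_httpd_config FILE: print one line per advisory condition that FILE
# satisfies; exit status 0 when nothing matched, 1 when something did.
scan_httpd_config() {
    cfg=$1
    hits=0

    # CVE-2025-66200: mod_userdir + suexec, with .htaccess allowed to set
    # RequestHeader (AllowOverride FileInfo or All).
    if directive_set 'LoadModule[[:space:]]+userdir_module' "$cfg" &&
       directive_set '(LoadModule[[:space:]]+suexec_module|SuexecUserGroup[[:space:]])' "$cfg" &&
       directive_set 'AllowOverride[[:space:]]+([^#]*[[:space:]])?(FileInfo|All)([[:space:]]|$)' "$cfg"; then
        echo "CVE-2025-66200: mod_userdir + suexec with AllowOverride FileInfo/All"
        hits=$((hits + 1))
    fi

    # CVE-2025-58098: SSI with #exec allowed (Options Includes, but not
    # IncludesNOEXEC) while CGI runs through mod_cgid.
    if directive_set 'LoadModule[[:space:]]+cgid_module' "$cfg" &&
       directive_set 'Options[[:space:]]+([^#]*[[:space:]])?[+]?Includes([[:space:]]|$)' "$cfg"; then
        echo "CVE-2025-58098: Options Includes with mod_cgid"
        hits=$((hits + 1))
    fi

    # CVE-2025-59775: Windows builds only; reported so a configuration shared
    # across platforms does not carry the combination there.
    if directive_set 'AllowEncodedSlashes[[:space:]]+On' "$cfg" &&
       directive_set 'MergeSlashes[[:space:]]+Off' "$cfg"; then
        echo "CVE-2025-59775: AllowEncodedSlashes On with MergeSlashes Off (Windows only)"
        hits=$((hits + 1))
    fi

    # CVE-2025-55753: any MDomain means mod_md renewal retries are in play.
    if directive_set 'MDomain[[:space:]]' "$cfg"; then
        echo "CVE-2025-55753: mod_md ACME renewal configured (MDomain)"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# write_sample_config FILE: constructed sample, not a real server's config.
# Paths and names are invented for the demonstration.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample configuration for the scan demonstration.
LoadModule userdir_module  /usr/lib64/apache2/mod_userdir.so
LoadModule suexec_module   /usr/lib64/apache2/mod_suexec.so
LoadModule cgid_module     /usr/lib64/apache2/mod_cgid.so
LoadModule md_module       /usr/lib64/apache2/mod_md.so
MergeSlashes Off
#AllowEncodedSlashes On
MDomain example.com
<VirtualHost *:443>
    SuexecUserGroup www webusers
    UserDir public_html
    <Directory /home/*/public_html>
        AllowOverride FileInfo
        Options Indexes Includes ExecCGI
    </Directory>
</VirtualHost>
EOF
}

# Demonstration on the constructed sample: three of the four conditions
# match (AllowEncodedSlashes On is only present as a comment).
sample=$(mktemp)
write_sample_config "$sample"
if scan_httpd_config "$sample"; then
    echo "no advisory conditions matched"
fi
rm -f "$sample"
```

A clean scan does not mean the host is patched; it means the listed pre-conditions are absent, which narrows which systems need the update first. Run it against the real dump rather than the sample to triage production configurations.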
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-800=1
- SUSE Linux Enterprise Server for SAP applications 16.0
  zypper in -t patch SUSE-SLES-16.0-800=1
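After `zypper patch` has run, the script below (an added example, not part of the advisory or of SUSE's tooling) confirms that the installed apache2 packages carry at least the version-release string from the package list, 2.4.66-160000.1.1. It uses `rpm -q --qf` and GNU `sort -V`; the package names are the ones listed for SLES 16.0 further down, and the function names are constructed for this example.

```shell
#!/bin/sh
# Verify that installed apache2 packages are at the fixed version from this
# advisory. Added example; not SUSE's own tooling.

FIXED_VERSION="2.4.66-160000.1.1"   # VERSION-RELEASE from the package list

# version_at_least CANDIDATE MINIMUM: true if CANDIDATE sorts at or after
# MINIMUM under GNU sort -V, so 2.4.66 ranks above 2.4.9 (numeric, not
# lexical). Assumes both strings use rpm's VERSION-RELEASE layout.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# installed_version PACKAGE: print VERSION-RELEASE of an installed rpm, or
# "none" when it is not installed (rpm reports that on stdout, hence the
# separate presence check).
installed_version() {
    if rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" | head -n 1
    else
        echo none
    fi
}

# check_package PACKAGE: report the state of one package; exit status 1 only
# when it is installed and still below FIXED_VERSION.
check_package() {
    v=$(installed_version "$1")
    if [ "$v" = none ]; then
        echo "$1: not installed"
    elif version_at_least "$v" "$FIXED_VERSION"; then
        echo "$1: $v (fixed)"
    else
        echo "$1: $v (vulnerable, needs $FIXED_VERSION)"
        return 1
    fi
}

# Check the binary packages from the advisory's package list; only the ones
# actually installed matter (a host normally has one MPM package).
status=0
for p in apache2 apache2-prefork apache2-event apache2-worker apache2-utils; do
    check_package "$p" || status=1
done
[ "$status" -eq 0 ] && echo "all installed apache2 packages are at or above $FIXED_VERSION"
```

Installing the update does not restart a running httpd, so the old code stays in memory until the service is restarted; `zypper ps -s` lists processes still using replaced files, and `systemctl restart apache2` brings the new binaries into service.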
Package List:
- SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
- apache2-utils-2.4.66-160000.1.1
- apache2-debugsource-2.4.66-160000.1.1
- apache2-debuginfo-2.4.66-160000.1.1
- apache2-utils-debugsource-2.4.66-160000.1.1
- apache2-worker-debuginfo-2.4.66-160000.1.1
- apache2-2.4.66-160000.1.1
- apache2-event-2.4.66-160000.1.1
- apache2-prefork-2.4.66-160000.1.1
- apache2-event-debuginfo-2.4.66-160000.1.1
- apache2-worker-debugsource-2.4.66-160000.1.1
- apache2-devel-2.4.66-160000.1.1
- apache2-prefork-debugsource-2.4.66-160000.1.1
- apache2-prefork-debuginfo-2.4.66-160000.1.1
- apache2-utils-debuginfo-2.4.66-160000.1.1
- apache2-event-debugsource-2.4.66-160000.1.1
- apache2-worker-2.4.66-160000.1.1
- SUSE Linux Enterprise Server 16.0 (noarch)
- apache2-manual-2.4.66-160000.1.1
- SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
- apache2-utils-2.4.66-160000.1.1
- apache2-debugsource-2.4.66-160000.1.1
- apache2-debuginfo-2.4.66-160000.1.1
- apache2-utils-debugsource-2.4.66-160000.1.1
- apache2-worker-debuginfo-2.4.66-160000.1.1
- apache2-2.4.66-160000.1.1
- apache2-event-2.4.66-160000.1.1
- apache2-prefork-2.4.66-160000.1.1
- apache2-event-debuginfo-2.4.66-160000.1.1
- apache2-worker-debugsource-2.4.66-160000.1.1
- apache2-devel-2.4.66-160000.1.1
- apache2-prefork-debugsource-2.4.66-160000.1.1
- apache2-prefork-debuginfo-2.4.66-160000.1.1
- apache2-utils-debuginfo-2.4.66-160000.1.1
- apache2-event-debugsource-2.4.66-160000.1.1
- apache2-worker-2.4.66-160000.1.1
- SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
- apache2-manual-2.4.66-160000.1.1
References:
- https://www.suse.com/security/cve/CVE-2024-42516.html
- https://www.suse.com/security/cve/CVE-2024-43204.html
- https://www.suse.com/security/cve/CVE-2024-47252.html
- https://www.suse.com/security/cve/CVE-2025-23048.html
- https://www.suse.com/security/cve/CVE-2025-49630.html
- https://www.suse.com/security/cve/CVE-2025-49812.html
- https://www.suse.com/security/cve/CVE-2025-53020.html
- https://www.suse.com/security/cve/CVE-2025-55753.html
- https://www.suse.com/security/cve/CVE-2025-58098.html
- https://www.suse.com/security/cve/CVE-2025-59775.html
- https://www.suse.com/security/cve/CVE-2025-65082.html
- https://www.suse.com/security/cve/CVE-2025-66200.html
- https://jira.suse.com/browse/PED-16181