UbuntuUpdates.org

Package "apache2"

Name: apache2

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • Apache HTTP Server configurable suexec program for mod_suexec
  • Apache HTTP Server standard suexec program for mod_suexec
Latest version: 2.4.64-1ubuntu3.2
Release: questing (25.10)
Level: security
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "apache2" in Questing

Repository Area Version
base main 2.4.64-1ubuntu3
base universe 2.4.64-1ubuntu3
security main 2.4.64-1ubuntu3.2
updates main 2.4.64-1ubuntu3.2
updates universe 2.4.64-1ubuntu3.2

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 2.4.64-1ubuntu3.2 2026-01-19 19:15:45 UTC

  apache2 (2.4.64-1ubuntu3.2) questing-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in the case of failed ACME
    certificate renewal
    - debian/patches/CVE-2025-55753-1.patch: update mod_md to version
      2.6.2 in modules/md/*
    - debian/patches/CVE-2025-55753-2.patch: update mod_md to version
      2.6.6 in modules/md/*
    - CVE-2025-55753
  * SECURITY UPDATE: Server Side Includes adds query string to #exec cmd=
    - debian/patches/CVE-2025-58098.patch: don't pass args for SSI request
      in modules/generators/mod_cgid.c.
    - CVE-2025-58098
  * SECURITY UPDATE: CGI environment variable override
    - debian/patches/CVE-2025-65082.patch: envvars from HTTP headers low
      precedence in server/util_script.c.
    - CVE-2025-65082
  * SECURITY UPDATE: mod_userdir+suexec bypass via AllowOverride FileInfo
    - debian/patches/CVE-2025-66200.patch: don't use request notes for
      suexec in modules/mappers/mod_userdir.c,
      modules/metadata/mod_headers.c.
    - CVE-2025-66200
  * SECURITY REGRESSION: Misdirected Request error (LP: #2117112)
    - debian/patches/CVE-2025-23048-regression.patch: add SSLVHostSNIPolicy
      directive to set the compatibility level required for VirtualHost
      matching in modules/ssl/*.
    - debian/patches/CVE-2025-23048-regression-2.patch: fix handling of
      STRICT mode in modules/ssl/ssl_engine_kernel.c.

 -- Marc Deslauriers <email address hidden> Tue, 09 Dec 2025 10:50:28 -0500
2117112 421 Misdirected Request: apache2 regression
CVE-2025-55753 An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the bac
CVE-2025-58098 Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to
CVE-2025-65082 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache co
CVE-2025-66200 mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in hta
CVE-2025-23048 In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3


About   -   Send Feedback to @ubuntu_updates