{"schema_version":"1.7.2","id":"OESA-2026-1528","modified":"2026-03-06T12:43:26Z","published":"2026-03-06T12:43:26Z","upstream":["CVE-2025-55753","CVE-2025-58098","CVE-2025-65082","CVE-2025-66200"],"summary":"httpd security update","details":"Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.\r\n\r\nSecurity Fix(es):\n\nAn integer overflow vulnerability was found in Apache HTTP Server versions 2.4.30 to 2.4.66. In case of failed ACME certificate renewal, after a number of failures (~30 days in default configurations), the backoff timer becomes 0. Certificate renewal attempts are then repeated without delays until successful. This issue affects confidentiality, integrity, and availability.(CVE-2025-55753)\n\nApache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.\n\nThis issue affects Apache HTTP Server before 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-58098)\n\nImproper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.\n\nThis issue affects Apache HTTP Server from 2.4.0 through 2.4.65.\n\nUsers are recommended to upgrade to version 2.4.66 which fixes the issue.(CVE-2025-65082)\n\nmod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.\n\nThis issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.\n\nUsers are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-66200)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"httpd","purl":"pkg:rpm/openEuler/httpd&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.58-12.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["httpd-2.4.58-12.oe2403sp1.aarch64.rpm","httpd-debuginfo-2.4.58-12.oe2403sp1.aarch64.rpm","httpd-debugsource-2.4.58-12.oe2403sp1.aarch64.rpm","httpd-devel-2.4.58-12.oe2403sp1.aarch64.rpm","httpd-tools-2.4.58-12.oe2403sp1.aarch64.rpm","mod_ldap-2.4.58-12.oe2403sp1.aarch64.rpm","mod_md-2.4.58-12.oe2403sp1.aarch64.rpm","mod_proxy_html-2.4.58-12.oe2403sp1.aarch64.rpm","mod_session-2.4.58-12.oe2403sp1.aarch64.rpm","mod_ssl-2.4.58-12.oe2403sp1.aarch64.rpm"],"noarch":["httpd-filesystem-2.4.58-12.oe2403sp1.noarch.rpm","httpd-help-2.4.58-12.oe2403sp1.noarch.rpm"],"src":["httpd-2.4.58-12.oe2403sp1.src.rpm"],"x86_64":["httpd-2.4.58-12.oe2403sp1.x86_64.rpm","httpd-debuginfo-2.4.58-12.oe2403sp1.x86_64.rpm","httpd-debugsource-2.4.58-12.oe2403sp1.x86_64.rpm","httpd-devel-2.4.58-12.oe2403sp1.x86_64.rpm","httpd-tools-2.4.58-12.oe2403sp1.x86_64.rpm","mod_ldap-2.4.58-12.oe2403sp1.x86_64.rpm","mod_md-2.4.58-12.oe2403sp1.x86_64.rpm","mod_proxy_html-2.4.58-12.oe2403sp1.x86_64.rpm","mod_session-2.4.58-12.oe2403sp1.x86_64.rpm","mod_ssl-2.4.58-12.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1528"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55753"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58098"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65082"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66200"}],"database_specific":{"severity":"High"}}