[Git][security-tracker-team/security-tracker][master] Track proposed update for apache2 via bookworm-pu

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Jul 29 08:26:44 BST 2025 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c64cf770 by Salvatore Bonaccorso at 2025-07-29T09:26:17+02:00
Track proposed update for apache2 via bookworm-pu

- - - - -


3 changed files:

- data/CVE/list
- data/dsa-needed.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4682,6 +4682,7 @@ CVE-2025-53364 (Parse Server is an open source backend that can be deployed to a
 	NOT-FOR-US: Parse Server
 CVE-2025-53020 (Late Release of Memory after Effective Lifetime vulnerability in Apach ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-53020
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/ef98f4f494ff2f99d736a3716cd31219688b46f5
 CVE-2025-52837 (Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below i ...)
@@ -4710,10 +4711,12 @@ CVE-2025-4972 (An issue has been discovered in GitLab EE affecting all versions
 	- gitlab <not-affected> (Specific to EE)
 CVE-2025-49812 (In some mod_ssl configurations on Apache HTTP Server versions through  ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-49812
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/87a7351c755c9ef8ab386e3090e44838c2a06d48
 CVE-2025-49630 (In certain proxy configurations, a denial of service attack againstApa ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-49630
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/88304321841a2fe8bd5eacc70e69418b0b545ca5
 CVE-2025-49464 (Classic buffer overflow in certain Zoom Clients for Windows may allow  ...)
@@ -4770,12 +4773,14 @@ CVE-2025-27889 (Wing FTP Server before 7.4.4 does not properly validate and sani
 	NOT-FOR-US: Wing FTP Server
 CVE-2025-23048 (In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-23048
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/c4cfa50c9068e8b8134c530ab21674e77d1278a2
 CVE-2024-7650 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
 	NOT-FOR-US: OpenText
 CVE-2024-47252 (Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP  ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-47252
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/c01e60707048be14a510f0a92128a5227923215c
 CVE-2024-43394 (Server-Side Request Forgery (SSRF)in Apache HTTP Server on Windows all ...)
@@ -4783,10 +4788,12 @@ CVE-2024-43394 (Server-Side Request Forgery (SSRF)in Apache HTTP Server on Windo
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-43394
 CVE-2024-43204 (SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-43204
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/b3d3ded288815bea063c3bf77dd80b26446f76ce
 CVE-2024-42516 (HTTP response splitting in the core of Apache HTTP Server allows an at ...)
 	- apache2 2.4.64-1
+	[bookworm] - apache2 <no-dsa> (Will be updated via point release)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-42516
 	NOTE: CVE exists, because original patch for CVE-2023-38709 did not address the issue.
 	NOTE: Fixed by: https://github.com/apache/httpd/commit/a7a9d814c7c23e990283277230ddd5a9efec27c7


=====================================
data/dsa-needed.txt
=====================================
@@ -15,9 +15,6 @@ If needed, specify the release by adding a slash after the name of the source pa
 amd64-microcode (carnil)
   Coordinating with maintainer DSA/bookworm-pu and sync with mitgations in src:linux
 --
-apache2
-  First have it exposed in unstable for a week or so
---
 ark (jmm)
 --
 frr


=====================================
data/next-point-update.txt
=====================================
@@ -266,3 +266,17 @@ CVE-2025-49794
 	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
 CVE-2025-49796
 	[bookworm] - libxml2 2.9.14+dfsg-1.3~deb12u3
+CVE-2024-42516
+	[bookworm] - apache2 2.4.65-1~deb12u1
+CVE-2024-43204
+	[bookworm] - apache2 2.4.65-1~deb12u1
+CVE-2024-47252
+	[bookworm] - apache2 2.4.65-1~deb12u1
+CVE-2025-23048
+	[bookworm] - apache2 2.4.65-1~deb12u1
+CVE-2025-49630
+	[bookworm] - apache2 2.4.65-1~deb12u1
+CVE-2025-49812
+	[bookworm] - apache2 2.4.65-1~deb12u1
+CVE-2025-53020
+	[bookworm] - apache2 2.4.65-1~deb12u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c64cf770718d3a93f3026699eb8c3c03526132c0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c64cf770718d3a93f3026699eb8c3c03526132c0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250729/a5e318cf/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list