[Git][security-tracker-team/security-tracker][master] Reserve DLA-4452-1 for apache2
Bastien Roucariès (@rouca)
rouca at debian.org
Sat Jan 24 22:14:21 GMT 2026
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5a34c67e by Bastien Roucariès at 2026-01-24T23:14:04+01:00
Reserve DLA-4452-1 for apache2
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -23998,14 +23998,12 @@ CVE-2025-66200 (mod_userdir+suexec bypass via AllowOverride FileInfo vulnerabili
- apache2 2.4.66-1 (bug #1121926)
[trixie] - apache2 2.4.66-1~deb13u1
[bookworm] - apache2 2.4.66-1~deb12u1
- [bullseye] - apache2 <postponed> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-66200
NOTE: https://github.com/apache/httpd/commit/9d26b95787b229a3f6195d7beead774d131eeda1
CVE-2025-65082 (Improper Neutralization of Escape, Meta, or Control Sequences vulnerab ...)
- apache2 2.4.66-1 (bug #1121926)
[trixie] - apache2 2.4.66-1~deb13u1
[bookworm] - apache2 2.4.66-1~deb12u1
- [bullseye] - apache2 <postponed> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-65082
NOTE: https://github.com/apache/httpd/commit/e4f00c5eb71d8a7aa1f52b5279832986f669d463
CVE-2025-59775 (Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Serv ...)
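Review bot: With the `[bullseye] - apache2 <postponed> (Minor issue)` lines removed under CVE-2025-66200 and CVE-2025-65082, these two entries no longer carry any bullseye annotation in data/CVE/list, so their bullseye status rests entirely on the DLA-4452-1 entry added in data/DLA/list. Check that the tracker then reports bullseye as fixed in 2.4.66-1~deb11u1 for both CVEs.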
@@ -24015,14 +24013,12 @@ CVE-2025-58098 (Apache HTTP Server 2.4.65 and earlier with Server Side Includes
- apache2 2.4.66-1 (bug #1121926)
[trixie] - apache2 2.4.66-1~deb13u1
[bookworm] - apache2 2.4.66-1~deb12u1
- [bullseye] - apache2 <postponed> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-58098
NOTE: https://github.com/apache/httpd/commit/ecc1b8f3817e3dcab9c1f24f905752d3c0a279af
CVE-2025-55753 (An integer overflow in the case of failed ACME certificate renewal lea ...)
- apache2 2.4.66-1 (bug #1121926)
[trixie] - apache2 2.4.66-1~deb13u1
[bookworm] - apache2 2.4.66-1~deb12u1
- [bullseye] - apache2 <postponed> (Minor issue)
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-55753
NOTE: https://github.com/apache/httpd/commit/ab9dd8e2cfe7d62efe5ff8925fbef1de756a2fc2
CVE-2025-40215 (In the Linux kernel, the following vulnerability has been resolved: x ...)
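Review bot: The commit subject only mentions reserving the DLA, but the removals under CVE-2025-58098 and CVE-2025-55753 here (like the two in the previous hunk) also drop the earlier "Minor issue" postponement triage. A line in the commit body stating that the postponed entries are superseded by the 2.4.66 update would make the history easier to follow.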
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[24 Jan 2026] DLA-4452-1 apache2 - security update
+ {CVE-2025-55753 CVE-2025-58098 CVE-2025-59775 CVE-2025-65082 CVE-2025-66200}
+ [bullseye] - apache2 2.4.66-1~deb11u1
[24 Jan 2026] DLA-4451-1 shapelib - security update
{CVE-2022-0699}
[bullseye] - shapelib 1.5.0-2+deb11u1
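Review bot: CVE-2025-59775 is in the CVE set of the new DLA-4452-1 entry, but it is the only one of the five whose entry in data/CVE/list is not touched by a visible hunk; the other four each lose a bullseye `<postponed>` line. Confirm that its existing bullseye state is consistent with being listed as fixed by 2.4.66-1~deb11u1.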
=====================================
data/dla-needed.txt
=====================================
@@ -47,10 +47,6 @@ ansible
NOTE: 20241123: Made a partial release. only CVE-2024-11079 needed but more upstream backport work needed (rouca)
NOTE: 20250422: Testing/bisecting will take more time, please keep it assigned to me (lee)
--
-apache2 (rouca)
- NOTE: 20260122: Added by Front-Desk (pochu)
- NOTE: 20260122: Update to 2.4.66 beware of regression (pochu)
---
ca-certificates
NOTE: 20250613: Added by Front-Desk (rouca)
NOTE: 20250613: Lack some certificates #1095913 (rouca/FD)
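Review bot: Removing the apache2 block also drops the note `Update to 2.4.66 beware of regression`, and nothing in the added DLA-4452-1 entry records that caveat. Since the bullseye upload moves to a new upstream version (2.4.66-1~deb11u1), consider keeping the regression warning somewhere visible, for example in the advisory text.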
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a34c67e77a5a48b30f7244b2335d412c98b75c0