OESA-2026-1529

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1529
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-1529.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-1529
Upstream
Published
2026-03-06T12:43:28Z
Modified
2026-03-06T13:15:14.621516Z
Summary
httpd security update
Details

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

An integer overflow vulnerability was found in Apache HTTP Server versions 2.4.30 to 2.4.66. In case of failed ACME certificate renewal, after a number of failures (~30 days in default configurations), the backoff timer becomes 0. Certificate renewal attempts are then repeated without delays until successful. This issue affects confidentiality, integrity, and availability.(CVE-2025-55753)

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and modcgid (but not modcgi) passes the shell-escaped query string to #exec cmd="..." directives.

This issue affects Apache HTTP Server before 2.4.66.

Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-58098)

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the issue.(CVE-2025-65082)

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.

This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.

Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-66200)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / httpd

Package

Name
httpd
Purl
pkg:rpm/openEuler/httpd&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.43-32.oe2003sp4

Ecosystem specific 

{
    "noarch": [
        "httpd-filesystem-2.4.43-32.oe2003sp4.noarch.rpm",
        "httpd-help-2.4.43-32.oe2003sp4.noarch.rpm"
    ],
    "x86_64": [
        "httpd-2.4.43-32.oe2003sp4.x86_64.rpm",
        "httpd-debuginfo-2.4.43-32.oe2003sp4.x86_64.rpm",
        "httpd-debugsource-2.4.43-32.oe2003sp4.x86_64.rpm",
        "httpd-devel-2.4.43-32.oe2003sp4.x86_64.rpm",
        "httpd-tools-2.4.43-32.oe2003sp4.x86_64.rpm",
        "mod_ldap-2.4.43-32.oe2003sp4.x86_64.rpm",
        "mod_md-2.4.43-32.oe2003sp4.x86_64.rpm",
        "mod_proxy_html-2.4.43-32.oe2003sp4.x86_64.rpm",
        "mod_session-2.4.43-32.oe2003sp4.x86_64.rpm",
        "mod_ssl-2.4.43-32.oe2003sp4.x86_64.rpm"
    ],
    "aarch64": [
        "httpd-2.4.43-32.oe2003sp4.aarch64.rpm",
        "httpd-debuginfo-2.4.43-32.oe2003sp4.aarch64.rpm",
        "httpd-debugsource-2.4.43-32.oe2003sp4.aarch64.rpm",
        "httpd-devel-2.4.43-32.oe2003sp4.aarch64.rpm",
        "httpd-tools-2.4.43-32.oe2003sp4.aarch64.rpm",
        "mod_ldap-2.4.43-32.oe2003sp4.aarch64.rpm",
        "mod_md-2.4.43-32.oe2003sp4.aarch64.rpm",
        "mod_proxy_html-2.4.43-32.oe2003sp4.aarch64.rpm",
        "mod_session-2.4.43-32.oe2003sp4.aarch64.rpm",
        "mod_ssl-2.4.43-32.oe2003sp4.aarch64.rpm"
    ],
    "src": [
        "httpd-2.4.43-32.oe2003sp4.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1529.json"