Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
417e31f8 by Salvatore Bonaccorso at 2025-08-12T19:36:38+02:00
Revert "Triage CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048,
CVE-2025-49630, CVE-2025-49812 & CVE-2025-53020 in apache2 for bullseye LTS."
This reverts commit d238eb4883cc8b687b60727dbb7fb337d606fddf.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7906,7 +7906,6 @@ CVE-2025-53364 (Parse Server is an open source backend
that can be deployed to a
CVE-2025-53020 (Late Release of Memory after Effective Lifetime vulnerability
in Apach ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-53020
NOTE: Fixed by:
https://github.com/apache/httpd/commit/ef98f4f494ff2f99d736a3716cd31219688b46f5
CVE-2025-52837 (Trend Micro Password Manager (Consumer) version 5.8.0.1327 and
below i ...)
@@ -7936,13 +7935,11 @@ CVE-2025-4972 (An issue has been discovered in GitLab
EE affecting all versions
CVE-2025-49812 (In some mod_ssl configurations on Apache HTTP Server versions
through ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-49812
NOTE: Fixed by:
https://github.com/apache/httpd/commit/87a7351c755c9ef8ab386e3090e44838c2a06d48
CVE-2025-49630 (In certain proxy configurations, a denial of service attack
againstApa ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-49630
NOTE: Fixed by:
https://github.com/apache/httpd/commit/88304321841a2fe8bd5eacc70e69418b0b545ca5
CVE-2025-49464 (Classic buffer overflow in certain Zoom Clients for Windows
may allow ...)
@@ -8000,7 +7997,6 @@ CVE-2025-27889 (Wing FTP Server before 7.4.4 does not
properly validate and sani
CVE-2025-23048 (In some mod_ssl configurations on Apache HTTP Server 2.4.35
through to ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2025-23048
NOTE: Fixed by:
https://github.com/apache/httpd/commit/c4cfa50c9068e8b8134c530ab21674e77d1278a2
NOTE: possible regression for misconfigured load balancer
@@ -8010,7 +8006,6 @@ CVE-2024-7650 (Improper Control of Generation of Code
('Code Injection') vulnera
CVE-2024-47252 (Insufficient escaping of user-supplied data in mod_ssl in
Apache HTTP ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-47252
NOTE: Fixed by:
https://github.com/apache/httpd/commit/c01e60707048be14a510f0a92128a5227923215c
CVE-2024-43394 (Server-Side Request Forgery (SSRF)in Apache HTTP Server on
Windows all ...)
@@ -8019,14 +8014,12 @@ CVE-2024-43394 (Server-Side Request Forgery (SSRF)in
Apache HTTP Server on Windo
CVE-2024-43204 (SSRF in Apache HTTP Server with mod_proxy loaded allows an
attacker to ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-43204
NOTE: Fixed by [1/2]:
https://github.com/apache/httpd/commit/6764774d51f3dcb07e79779c64a463d3c112b53f
(2.4.64)
NOTE: Fixed by [2/2]:
https://github.com/apache/httpd/commit/b3d3ded288815bea063c3bf77dd80b26446f76ce
(2.4.64)
CVE-2024-42516 (HTTP response splitting in the core of Apache HTTP Server
allows an at ...)
- apache2 2.4.64-1
[bookworm] - apache2 <no-dsa> (Will be updated via point release)
- [bullseye] - apache2 <postponed> (Minor issue; can be fixed in next
update)
NOTE:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-42516
NOTE: CVE exists, because original patch for CVE-2023-38709 did not
address the issue.
NOTE: Fixed by:
https://github.com/apache/httpd/commit/a7a9d814c7c23e990283277230ddd5a9efec27c7
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/417e31f84929ccbbc8a773c6040fce9c9b8a5cb9
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/417e31f84929ccbbc8a773c6040fce9c9b8a5cb9
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
