apache2:prefork
- Version update to 2.4.66 (jsc#PED-16181)
  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
    bypass via AllowOverride FileInfo (cve.mitre.org)
    mod_userdir+suexec bypass via AllowOverride FileInfo
    vulnerability in Apache HTTP Server. Users with access to use
    the RequestHeader directive in htaccess can cause some CGI
    scripts to run under an unexpected userid.
    This issue affects Apache HTTP Server: from 2.4.7 through
    2.4.65.
  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
    variable override (cve.mitre.org)
    Improper Neutralization of Escape, Meta, or Control Sequences
    vulnerability in Apache HTTP Server through environment
    variables set via the Apache configuration unexpectedly
    superseding variables calculated by the server for CGI programs.
    This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
    Windows through UNC SSRF (cve.mitre.org)
    Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
    Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
    allows NTLM hashes to potentially be leaked to a malicious server
    via SSRF and malicious requests or content.
  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
    Includes adds query string to #exec cmd=... (cve.mitre.org)
    Apache HTTP Server 2.4.65 and earlier with Server Side Includes
    (SSI) enabled and mod_cgid (but not mod_cgi) passes the
    shell-escaped query string to #exec cmd="..." directives.
    This issue affects Apache HTTP Server before 2.4.66.
  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
    unintended retry intervals (cve.mitre.org)
    An integer overflow in the case of failed ACME certificate
    renewal leads, after a number of failures (~30 days in default
    configurations), to the backoff timer becoming 0. Attempts to
    renew the certificate are then repeated without delay until one
    succeeds.
    This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
  *) mod_http2: Fix handling of 304 responses from mod_cache.
  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
    integers, used in push diaries and proxy window size calculations.
  *) mod_md: update to version 2.6.5
  - New directive `MDInitialDelay`, controlling how long to wait after
    a server restart before checking certificates for renewal.
    [Michael Kaufmann]
  - Hardening: when built with OpenSSL older than 1.0.2 or old LibreSSL
    versions, the parsing of ASN.1 time strings did not do a length check.
  - Hardening: when reading back OCSP responses stored in the local JSON
    store, a missing 'valid' key led to uninitialized values, resulting in
    wrong refresh behaviour.
  *) mod_md: update to version 2.6.6
  - Fix a small memory leak when using OpenSSL's BIGNUMs.
  - Fix reuse of curl easy handles by resetting them.
  *) mod_http2: update to version 2.0.35
    New directive `H2MaxStreamErrors` to control how much bad behaviour
    by clients is tolerated before the connection is closed.
  *) mod_proxy_http2: add support for the ProxyErrorOverride directive.
  *) mpm_common: Add new ListenTCPDeferAccept directive that specifies
    the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
    host compatibility policy.
  *) mod_md: update to version 2.6.2
  - Fix error retry delay calculation so that the wait is not already
    doubled on the first error.
  *) mod_md: update to version 2.6.1
  - Increased the default `MDRetryDelay` to 30 seconds to generate less bursty
    traffic on errored renewals for the ACME CA. This leads to error retries
    of 30s, 1 minute, 2, 4, etc. up to daily attempts.
  - Check that configuring `MDRetryDelay` results in a positive
    duration. A delay of 0 is not accepted.
  - Fix a bug in checking the Content-Type of responses from the ACME server.
  - Added ACME ARI support (RFC 9773) to the module. Enabled by default. New
    directive "MDRenewViaARI on|off" for controlling this.
  - Removed tailscale support. It has not been working for a long time
    as the company decided to change their APIs. Away with the dead code,
    documentation and tests.
  - Fixed a compilation issue with pre-industrial versions of libcurl.
- httpd testsuite of svn revision 1929573
- Remove the following patches, as they have been merged upstream as of 2.4.66:
  * CVE-2024-42516.patch
  * CVE-2024-43204.patch
  * CVE-2024-47252.patch
  * CVE-2025-23048.patch
  * CVE-2025-49630.patch
  * CVE-2025-49812.patch
  * CVE-2025-53020.patch
  * CVE-2025-55753.patch
  * CVE-2025-58098.patch
  * CVE-2025-65082.patch
  * CVE-2025-66200.patch
- Refresh patches:
  * apache-test-application-xml-type.patch
  * apache-test-turn-off-variables-in-ssl-var-lookup.patch
  * apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
  * apache2-LimitRequestFieldSize-limits-headers.patch
apache2
- Version update to 2.4.66 (jsc#PED-16181)
  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
    bypass via AllowOverride FileInfo (cve.mitre.org)
    mod_userdir+suexec bypass via AllowOverride FileInfo
    vulnerability in Apache HTTP Server. Users with access to use
    the RequestHeader directive in htaccess can cause some CGI
    scripts to run under an unexpected userid.
    This issue affects Apache HTTP Server: from 2.4.7 through
    2.4.65.
  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
    variable override (cve.mitre.org)
    Improper Neutralization of Escape, Meta, or Control Sequences
    vulnerability in Apache HTTP Server through environment
    variables set via the Apache configuration unexpectedly
    superseding variables calculated by the server for CGI programs.
    This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
    Windows through UNC SSRF (cve.mitre.org)
    Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP
    Server on Windows with AllowEncodedSlashes On and MergeSlashes Off
    allows NTLM hashes to potentially be leaked to a malicious server
    via SSRF and malicious requests or content.
  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
    Includes adds query string to #exec cmd=... (cve.mitre.org)
    Apache HTTP Server 2.4.65 and earlier with Server Side Includes
    (SSI) enabled and mod_cgid (but not mod_cgi) passes the
    shell-escaped query string to #exec cmd="..." directives.
    This issue affects Apache HTTP Server before 2.4.66.
  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
    unintended retry intervals (cve.mitre.org)
    An integer overflow in the case of failed ACME certificate
    renewal leads, after a number of failures (~30 days in default
    configurations), to the backoff timer becoming 0. Attempts to
    renew the certificate are then repeated without delay until one
    succeeds.
    This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
  *) mod_http2: Fix handling of 304 responses from mod_cache.
  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
    integers, used in push diaries and proxy window size calculations.
  *) mod_md: update to version 2.6.5
  - New directive `MDInitialDelay`, controlling how long to wait after
    a server restart before checking certificates for renewal.
    [Michael Kaufmann]
  - Hardening: when built with OpenSSL older than 1.0.2 or old LibreSSL
    versions, the parsing of ASN.1 time strings did not do a length check.
  - Hardening: when reading back OCSP responses stored in the local JSON
    store, a missing 'valid' key led to uninitialized values, resulting in
    wrong refresh behaviour.
  *) mod_md: update to version 2.6.6
  - Fix a small memory leak when using OpenSSL's BIGNUMs.
  - Fix reuse of curl easy handles by resetting them.
  *) mod_http2: update to version 2.0.35
    New directive `H2MaxStreamErrors` to control how much bad behaviour
    by clients is tolerated before the connection is closed.
  *) mod_proxy_http2: add support for the ProxyErrorOverride directive.
  *) mpm_common: Add new ListenTCPDeferAccept directive that specifies
    the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
    host compatibility policy.
  *) mod_md: update to version 2.6.2
  - Fix error retry delay calculation so that the wait is not already
    doubled on the first error.
  *) mod_md: update to version 2.6.1
  - Increased the default `MDRetryDelay` to 30 seconds to generate less bursty
    traffic on errored renewals for the ACME CA. This leads to error retries
    of 30s, 1 minute, 2, 4, etc. up to daily attempts.
  - Check that configuring `MDRetryDelay` results in a positive
    duration. A delay of 0 is not accepted.
  - Fix a bug in checking the Content-Type of responses from the ACME server.
  - Added ACME ARI support (RFC 9773) to the module. Enabled by default. New
    directive "MDRenewViaARI on|off" for controlling this.
  - Removed tailscale support. It has not been working for a long time
    as the company decided to change their APIs. Away with the dead code,
    documentation and tests.
  - Fixed a compilation issue with pre-industrial versions of libcurl.
- httpd testsuite of svn revision 1929573
- Remove the following patches, as they have been merged upstream as of 2.4.66:
  * CVE-2024-42516.patch
  * CVE-2024-43204.patch
  * CVE-2024-47252.patch
  * CVE-2025-23048.patch
  * CVE-2025-49630.patch
  * CVE-2025-49812.patch
  * CVE-2025-53020.patch
  * CVE-2025-55753.patch
  * CVE-2025-58098.patch
  * CVE-2025-65082.patch
  * CVE-2025-66200.patch
- Refresh patches:
  * apache-test-application-xml-type.patch
  * apache-test-turn-off-variables-in-ssl-var-lookup.patch
  * apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
  * apache2-LimitRequestFieldSize-limits-headers.patch
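The two mod_md items above describe the same mechanism from opposite sides: the 2.6.1 notes give the intended retry schedule (30s, doubling per failure, capped at daily attempts, with a delay of 0 rejected at configuration time), and the CVE-2025-55753 entry describes what happens when the doubling is not capped and the timer overflows to 0. The following is an added illustration, not mod_md's code: it computes the schedule with a constructed, deliberately unchecked 32-bit doubling next to a saturating version. The unchecked arithmetic is an assumption chosen to make the wrap visible, not a description of the actual bug in httpd; the 30 second base and the one-day cap are taken from the changelog text.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed parameters from the changelog text above: a 30 s base delay,
 * doubled on every consecutive failure, capped at one attempt per day. */
#define BASE_DELAY_S 30u
#define DAY_S        (24u * 60u * 60u)

/* "A delay of 0 is not accepted": reject the configuration up front, because
 * any schedule that starts at 0 stays at 0 no matter how it is doubled. */
int retry_delay_is_valid(uint32_t base_delay)
{
    return base_delay > 0u;
}

/* Unchecked doubling in 32-bit unsigned arithmetic (hypothetical, not the
 * httpd implementation). Unsigned overflow wraps modulo 2^32, so once the
 * true value exceeds 32 bits the low bits are all that survive, and after
 * enough doublings the delay reads as exactly 0: retries with no delay,
 * which is the failure mode the CVE-2025-55753 entry describes. */
uint32_t naive_delay(uint32_t base_delay, unsigned failures)
{
    uint32_t delay = base_delay;
    for (unsigned i = 0; i < failures; i++)
        delay *= 2u;            /* silently wraps once delay >= 2^31 */
    return delay;
}

/* How many consecutive failures until the naive schedule collapses to 0.
 * Returns 64 if it does not happen within 64 doublings. */
unsigned naive_failures_until_zero(uint32_t base_delay)
{
    for (unsigned n = 0; n < 64; n++)
        if (naive_delay(base_delay, n) == 0u)
            return n;
    return 64;
}

/* Saturating doubling: stop growing as soon as the next doubling would pass
 * the cap. The result can never wrap and never drops below the base delay,
 * so a long run of failures settles at the daily cap instead of at 0. */
uint32_t capped_delay(uint32_t base_delay, unsigned failures, uint32_t max_delay)
{
    uint32_t delay = base_delay;
    for (unsigned i = 0; i < failures; i++) {
        if (delay > max_delay / 2u)   /* doubling would exceed the cap */
            return max_delay;
        delay *= 2u;
    }
    return delay > max_delay ? max_delay : delay;
}

int main(void)
{
    if (!retry_delay_is_valid(BASE_DELAY_S))
        return 1;
    printf("%8s %12s %12s\n", "failures", "naive(s)", "capped(s)");
    for (unsigned n = 0; n <= 35; n++)
        printf("%8u %12u %12u\n", n,
               naive_delay(BASE_DELAY_S, n),
               capped_delay(BASE_DELAY_S, n, DAY_S));
    printf("naive schedule hits 0 after %u failures\n",
           naive_failures_until_zero(BASE_DELAY_S));
    return 0;
}
```

Running it prints both schedules side by side: the capped column climbs 30, 60, 120, ... and stays at 86400 from the 12th failure on, while the naive column keeps doubling until the 31st failure, where the product is a multiple of 2^32 and the stored delay becomes 0. The same two checks (reject a zero base, saturate at the cap) are what any retry loop needs regardless of how the doubling is written.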
aws-cli-container
n/a
aws-sdk-container
n/a
cups
- Version upgrade to 2.4.19:
  See https://github.com/openprinting/cups/releases
  Release 2.4.19 contains another hotfix following the CVE-2026-27447 fix:
  * Fixed a regression in shared printing from non-local accounts
    (Issue #1557)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.19
- Added 'Michael R Sweet' key to cups.keyring
  because cups-2.4.19-source.tar.gz.sig belongs to him.

- Version upgrade to 2.4.18:
  See https://github.com/openprinting/cups/releases
  The new release 2.4.18 contains a hotfix following the CVE-2026-27447 fix:
  * Fixed cupsd crash if user does not exist (Issue #1555)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18

- Version upgrade to 2.4.17:
  See https://github.com/openprinting/cups/releases
  The new release 2.4.17 contains the following security fixes:
  * CVE-2026-27447: The scheduler treated local user
    and group names as case-insensitive (bsc#1261572)
  * CVE-2026-34978: The RSS notifier could write outside
    the scheduler's RSS directory (bsc#1261571)
  * CVE-2026-34980: The scheduler did not filter control
    characters from option values (bsc#1261569)
  * CVE-2026-34979: The scheduler did not always allocate
    enough memory for a job's options string (bsc#1261570)
  * CVE-2026-34990: The scheduler incorrectly allowed
    local certificates over the loopback interface (bsc#1261568)
  * CVE-2026-39314: Fixed the range check for
    job password strings (bsc#1261743)
  * CVE-2026-39316: Fixed a printer subscription bug
    in the scheduler (bsc#1261742)
  * CVE-2026-41079: Fixed a SNMP string conversion bug
    in the backends (bsc#1263116)
- The release includes other fixes as well, listed in CHANGES.md.
  Issues are those at https://github.com/OpenPrinting/cups/issues
  Detailed list (from CHANGES.md):
  * The scheduler followed symbolic links when cleaning out
    its temporary directory (Issue #1448)
  * Updated `cupsFileGetConf` and `cupsFilePutConf` to escape
    more characters.
  * Updated man page `cancel` (Issue #984)
  * Updated `cupsRasterReadHeader` to validate more of the
    page header values (Issue #1501)
  * Fixed an issue with the class/printer CGI name checking.
  * Fixed infinite loop in `http_write()` on busy print servers
    (Issue #827)
  * Fixed potential TLS blocking issues (Issue #1128)
  * Fixed a job history bug in the scheduler (Issue #1440)
  * Fixed notifier logging bug that would result in nul bytes
    getting into the log (Issue #1450)
  * Fixed possible use-after-free in `cupsdReadClient()`
    (Issue #1454)
  * Fixed a document format bug in the IPP backend (Issue #1457)
  * Fixed DRAIN_OUTPUT race condition (Issue #1461)
  * Fixed a bug when the `ippFindXxx` and `ippSetXxx` functions
    were mixed.
  * Fixed the mapping of supply type keywords to SNMP names.
  * Fixed a bug in the IPP backend when SNMP was disabled.
  * Fixed a crash bug in the rastertoepson filter.
  * Fixed a bug in cgiCheckVariables.
  * Fixed handling read/write errors with OpenSSL (Issue #1506)
  * Fixed handling rehandshake error in `_httpTLSRead`
    (Issue #1508)
  * Fixed a debug printf bug on Windows (Issue #1529)
  * Fixed a recursion issue with encoding of nested collections
    (Issue #1539)
  * Fixed parsing of the `LimitRequestBody`, `MaxLogSize`,
    and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540)
  * Fixed a parsing bug in `ipptool` (Issue #1542)
  * Fixed blank line detection in the `rastertolabel` filter
    (Issue #1545)
  * Fixed `httpPeek` edge case on compressed streams
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17
xz
- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
  * CVE-2026-34743.patch