httpd-2.4.62-7.el9_7.3
Errata ID: AXSA:2025-11631:11
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: Apache HTTP Server: CGI environment variable override (CVE-2025-65082)
* httpd: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (CVE-2025-66200)
* httpd: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (CVE-2025-58098)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-58098
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-65082
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
CVE-2025-66200
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Update packages.
SRPMS
- httpd-2.4.62-7.el9_7.3.src.rpm
MD5: 5805eebcffbbf5100303e2966b5d40d1
SHA-256: 23591bcb189897bdbfd5f0761e38ca1142b642965e4890ae60057a2742b5bb21
Size: 7.65 MB
Asianux Server 9 for x86_64
- httpd-2.4.62-7.el9_7.3.x86_64.rpm
MD5: f83c49155c9926456914e7a62058bcd2
SHA-256: 4075424065da61ad3094353b4f6672722ba5ef208b7c1bb79b603fe4b296ca55
Size: 50.33 kB
- httpd-core-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 67390df1b422af8ccd25090e2b123361
SHA-256: ad83d38ea35cf2789999b49e62139d00dcab4838a2f30fd8422e7417782d6d02
Size: 1.47 MB
- httpd-devel-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 45a6742097f5f9237e9ef6f6186937ef
SHA-256: ca2d83c74686e0fd1905317e213d7e81ed2aa8a35e08f91ddddc71d6f1fc3269
Size: 210.98 kB
- httpd-filesystem-2.4.62-7.el9_7.3.noarch.rpm
MD5: 029f8202a124a365f054e57eed71348a
SHA-256: 4beac093f71328544dc4c0f458eb25a29384451fefa2cb6b53aae335b7dc77c5
Size: 12.09 kB
- httpd-manual-2.4.62-7.el9_7.3.noarch.rpm
MD5: 4a581fbfaf4567e9f828c3a4863a9777
SHA-256: 870978eaf935387872c8a5fe4cfb55c75f8ba6a8ed2ee087cd4b66519d5b661a
Size: 2.30 MB
- httpd-tools-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 3de7b50902698504f574f8c31d3ffe40
SHA-256: 76a361766d2cf239b5c4762aded0ae2b7038f3e243c6984dc845cf24c84f5d17
Size: 82.99 kB
- mod_ldap-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 47a6148f93008397e1b8e84d1974ef44
SHA-256: e7bb7ad4b69c904834b4d1fc8de7c721f41ddc4b86b0e713ae4a047f11ca03b9
Size: 59.57 kB
- mod_lua-2.4.62-7.el9_7.3.x86_64.rpm
MD5: b535ac40d54840721a877d6a850ea8e7
SHA-256: 7062215efbece93415dd829a721e5d8c1f49cbbe3b4a5c6db811009201689e5c
Size: 58.76 kB
- mod_proxy_html-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 4c0aae00fc1be7878256c75acc298f95
SHA-256: cbc5024cbf2b54a456de67e29a9bff07b74cb038544359c9968fc0d631ea8e99
Size: 34.47 kB
- mod_session-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 942de70b2f07395d576e8f1630986be9
SHA-256: 44ef4407a3269eef9f84e1fb74b9c585273d3e5f72bb0591b08c6a17c0feaba2
Size: 46.16 kB
- mod_ssl-2.4.62-7.el9_7.3.x86_64.rpm
MD5: 9814423e531e3f2dd1af994c506655f4
SHA-256: 57eebe9e0330084cf537c24fbda1d6b6b42061f8bc043fa32f337fb67de73096
Size: 110.03 kB