[security - high] httpd:2.4 security update

Errata ID: AXSA:2026-017:01

Release date: 2026/01/08 Thursday - 21:06
Title: [security - high] httpd:2.4 security update
Affected channels: Asianux Server 8 for x86_64
Severity: High
Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: Apache HTTP Server: CGI environment variable override (CVE-2025-65082)
* mod_md: Apache HTTP Server: mod_md (ACME), unintended retry intervals (CVE-2025-55753)
* httpd: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (CVE-2025-66200)
* httpd: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (CVE-2025-58098)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-55753
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-58098
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
CVE-2025-65082
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.
CVE-2025-66200
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
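
The four CVE descriptions above each name configuration preconditions (mod_md in use; SSI with mod_cgid; configuration-set environment variables; mod_userdir with suexec and AllowOverride FileInfo). The following is an added example, not part of the advisory or of Apache's code: a coarse triage over httpd configuration text that reports which of those preconditions appear. The sample configuration, the function names, and the list of CGI variable names are assumptions made for illustration.

```python
# Constructed sample config (not from the advisory): every precondition present.
SAMPLE_CONF = """\
LoadModule include_module modules/mod_include.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule md_module modules/mod_md.so
MDomain example.test
SetEnv SCRIPT_NAME /app
<Directory "/home/*/public_html">
    Options +Includes +ExecCGI
    AllowOverride FileInfo
</Directory>
"""

# Assumption: the advisory does not list variable names; these are the
# RFC 3875 meta-variables a server normally computes for CGI programs.
CGI_VARS = set("""AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE GATEWAY_INTERFACE
PATH_INFO PATH_TRANSLATED QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_IDENT
REMOTE_USER REQUEST_METHOD SCRIPT_NAME SERVER_NAME SERVER_PORT
SERVER_PROTOCOL SERVER_SOFTWARE""".split())


def directives(conf):
    """Return [(name_lower, [args])], skipping comments and <Section> tags."""
    rows = []
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            rows.append((parts[0].lower(), parts[1:]))
    return rows


def triage(conf):
    """Return the advisory's CVE IDs whose stated preconditions appear in conf."""
    d = directives(conf)
    mods = {a[0] for n, a in d if n == "loadmodule" and a}
    # "Includes" permits #exec cmd; "IncludesNOEXEC" and "-Includes" do not.
    opts = {o.lstrip("+").lower() for n, a in d if n == "options"
            for o in a if not o.startswith("-")}
    overrides = {o.lower() for n, a in d if n == "allowoverride" for o in a}
    env = {a[0] for n, a in d if n == "setenv" and a}
    env |= {v for n, a in d if n == "passenv" for v in a}
    hits = set()
    if "md_module" in mods and any(n == "mdomain" for n, _ in d):
        hits.add("CVE-2025-55753")  # mod_md managing a domain (ACME renewal)
    if {"include_module", "cgid_module"} <= mods and opts & {"includes", "all"}:
        hits.add("CVE-2025-58098")  # SSI with #exec allowed, served via mod_cgid
    if env & CGI_VARS:
        hits.add("CVE-2025-65082")  # config-set variable shadows a CGI variable
    if {"userdir_module", "suexec_module"} <= mods and overrides & {"fileinfo", "all"}:
        hits.add("CVE-2025-66200")  # .htaccess may use RequestHeader here
    return sorted(hits)
```

The check treats the whole file as one scope and only sees modules loaded with LoadModule, so pass it the concatenated main and included configuration files and treat a hit as a prompt to prioritise the package update, not as proof of exposure.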

Modularity name: "httpd"
Stream name: "2.4"

Solution:

Update packages.

Additional information:

N/A

Downloads:

SRPMS
  1. httpd-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.src.rpm
    Size: 6.99 MB
  2. mod_http2-1.15.7-10.module+el8+1937+fa8c1182.4.src.rpm
    Size: 1.02 MB
  3. mod_md-2.0.8-8.module+el8+1937+fa8c1182.2.src.rpm
    Size: 636.08 kB

Asianux Server 8 for x86_64
  1. httpd-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 1.42 MB
  2. httpd-debugsource-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 1.46 MB
  3. httpd-devel-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 229.44 kB
  4. httpd-filesystem-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.noarch.rpm
    Size: 45.56 kB
  5. httpd-manual-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.noarch.rpm
    Size: 2.38 MB
  6. httpd-tools-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 112.51 kB
  7. mod_http2-1.15.7-10.module+el8+1937+fa8c1182.4.x86_64.rpm
    Size: 154.98 kB
  8. mod_http2-debugsource-1.15.7-10.module+el8+1937+fa8c1182.4.x86_64.rpm
    Size: 148.67 kB
  9. mod_ldap-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 90.88 kB
  10. mod_md-2.0.8-8.module+el8+1937+fa8c1182.2.x86_64.rpm
    Size: 183.56 kB
  11. mod_md-debugsource-2.0.8-8.module+el8+1937+fa8c1182.2.x86_64.rpm
    Size: 126.48 kB
  12. mod_proxy_html-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 68.08 kB
  13. mod_session-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 79.66 kB
  14. mod_ssl-2.4.37-65.module+el8+1937+fa8c1182.7.ML.1.x86_64.rpm
    Size: 143.01 kB