SB2026010593 - SUSE update for apache2
Published: January 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2025-55753)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an integer overflow in mod_md (ACME) in the case of failed ACME certificate renewal. The web server will set the backoff timer becoming 0 after a number of failures (~30 days in default configurations), leading to a denial of service condition.
2) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.
3) Code injection (CVE-ID: CVE-2025-65082)
The vulnerability allows a local user to affect web server behavior.
The vulnerability exists due to improper input validation when handling environment variables set via the Apache configuration. A local user can set specially crafted values that supersede variables calculated by the server for CGI programs.
4) Input validation error (CVE-ID: CVE-2025-66200)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing the RequestHeader directive in .htaccess files. A local user can bypass mod_userdir+suexec security measures via AllowOverride FileInfo and run certain CGI scripts under an unexpected userid.
Remediation
Install update from vendor's website.