{"id":"USN-7639-1","summary":"apache2 vulnerabilities","details":"It was discovered that the Apache HTTP Server incorrectly handled certain\nContent-Type response headers. A remote attacker could possibly use this\nissue to perform HTTP response splitting attacks. (CVE-2024-42516)\n\nxiaojunjie discovered that the Apache HTTP Server mod_proxy module\nincorrectly handled certain requests. A remote attacker could possibly use\nthis issue to send outbound proxy requests to an arbitrary URL.\n(CVE-2024-43204)\n\nJohn Runyon discovered that the Apache HTTP Server mod_ssl module\nincorrectly escaped certain data. A remote attacker could possibly use this\nissue to insert escape characters into log files. (CVE-2024-47252)\n\nSven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, and Juraj\nSomorovsky discovered that the Apache HTTP Server mod_ssl module\nincorrectly handled TLS 1.3 session resumption. A remote attacker could\npossibly use this issue to bypass access control. (CVE-2025-23048)\n\nAnthony CORSIEZ discovered that the Apache HTTP Server mod_proxy_http2\nmodule incorrectly handled missing host headers. A remote attacker could\npossibly use this issue to cause the server to crash, resulting in a denial\nof service. (CVE-2025-49630)\n\nRobert Merget discovered that the Apache HTTP Server mod_ssl module\nincorrectly handled TLS upgrades. A remote attacker could possibly use this\nissue to hijack an HTTP session. This update removes the old \"SSLEngine\noptional\" configuration option, possibly requiring a configuration change\nin certain environments. (CVE-2025-49812)\n\nGal Bar Nahum discovered that the Apache HTTP Server incorrectly handled\ncertain memory operations. A remote attacker could possibly use this\nissue to cause the server to consume resources, leading to a denial of\nservice. (CVE-2025-53020)","modified":"2026-02-10T04:49:34Z","published":"2025-07-16T17:25:15Z","related":["UBUNTU-CVE-2024-42516","UBUNTU-CVE-2024-43204","UBUNTU-CVE-2024-47252","UBUNTU-CVE-2025-23048","UBUNTU-CVE-2025-49630","UBUNTU-CVE-2025-49812","UBUNTU-CVE-2025-53020"],"upstream":["CVE-2024-42516","CVE-2024-43204","CVE-2024-47252","CVE-2025-23048","CVE-2025-49630","CVE-2025-49812","CVE-2025-53020","UBUNTU-CVE-2024-42516","UBUNTU-CVE-2024-43204","UBUNTU-CVE-2024-47252","UBUNTU-CVE-2025-23048","UBUNTU-CVE-2025-49630","UBUNTU-CVE-2025-49812","UBUNTU-CVE-2025-53020"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7639-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-42516"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-43204"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-47252"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-23048"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-49630"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-49812"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-53020"}],"affected":[{"package":{"name":"apache2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/apache2@2.4.52-1ubuntu4.15?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.52-1ubuntu4.15"}]}],"versions":["2.4.48-3.1ubuntu3","2.4.48-3.1ubuntu4","2.4.51-2ubuntu1","2.4.52-1ubuntu1","2.4.52-1ubuntu2","2.4.52-1ubuntu4","2.4.52-1ubuntu4.1","2.4.52-1ubuntu4.2","2.4.52-1ubuntu4.3","2.4.52-1ubuntu4.4","2.4.52-1ubuntu4.5","2.4.52-1ubuntu4.6","2.4.52-1ubuntu4.7","2.4.52-1ubuntu4.8","2.4.52-1ubuntu4.9","2.4.52-1ubuntu4.10","2.4.52-1ubuntu4.11","2.4.52-1ubuntu4.12","2.4.52-1ubuntu4.13","2.4.52-1ubuntu4.14"],"ecosystem_specific":{"binaries":[{"binary_name":"apache2","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-bin","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-data","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-dev","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-ssl-dev","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-suexec-custom","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-suexec-pristine","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"apache2-utils","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"libapache2-mod-md","binary_version":"2.4.52-1ubuntu4.15"},{"binary_name":"libapache2-mod-proxy-uwsgi","binary_version":"2.4.52-1ubuntu4.15"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"id":"CVE-2024-42516","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-43204","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-47252","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-23048","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-49630","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-49812","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-53020","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7639-1.json"}},{"package":{"name":"apache2","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/apache2@2.4.58-1ubuntu8.7?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.58-1ubuntu8.7"}]}],"versions":["2.4.57-2ubuntu2","2.4.57-2ubuntu3","2.4.58-1ubuntu1","2.4.58-1ubuntu2","2.4.58-1ubuntu6","2.4.58-1ubuntu7","2.4.58-1ubuntu8","2.4.58-1ubuntu8.1","2.4.58-1ubuntu8.2","2.4.58-1ubuntu8.3","2.4.58-1ubuntu8.4","2.4.58-1ubuntu8.5","2.4.58-1ubuntu8.6"],"ecosystem_specific":{"binaries":[{"binary_name":"apache2","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-bin","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-data","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-dev","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-ssl-dev","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-suexec-custom","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-suexec-pristine","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"apache2-utils","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"libapache2-mod-md","binary_version":"2.4.58-1ubuntu8.7"},{"binary_name":"libapache2-mod-proxy-uwsgi","binary_version":"2.4.58-1ubuntu8.7"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:24.04:LTS","cves":[{"id":"CVE-2024-42516","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-43204","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-47252","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-23048","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-49630","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-49812","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-53020","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7639-1.json"}}],"schema_version":"1.7.3"}