[CLSA-2026:1784045513] Fix CVE(s): CVE-2024-47252, CVE-2025-49812, CVE-2025-55753, CVE-2025-58098
Type:
security
Severity:
Important
Release date:
2026-07-14 16:12:14 UTC
Description:
* SECURITY UPDATE: query string passed to SSI "#exec cmd" via mod_cgid - debian/patches/CVE-2025-58098.patch: in cgid_server() in modules/generators/mod_cgid.c, do not pass the request query string (r->args) to create_argv() for Server Side Includes requests by passing NULL when cgid_req.req_type == SSI_REQ, and add a NULL guard to create_argv() so a shell-escaped query string can no longer be split into extra arguments of an SSI "#exec cmd" command. Backported from httpd commit ecc1b8f3817e3dcab9c1f24f905752d3c0a279af (SVN r1930161). - CVE-2025-58098 * SECURITY UPDATE: log injection via unescaped mod_ssl log variables - debian/patches/CVE-2024-47252.patch: in ssl_var_log_handler_c() and ssl_var_log_handler_x() in modules/ssl/ssl_engine_vars.c, escape the SSL/TLS variables returned by these mod_ssl log handlers with ap_escape_logitem() so client-supplied values such as SSL_TLS_SNI logged via "%{varname}c"/"%{varname}x" can no longer insert escape characters into log files. Backported from httpd commit c01e60707048be14a510f0a92128a5227923215c (SVN r1927042). - CVE-2024-47252
Updated packages:
  • apache2_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:e944279ec50035aec3475a6ca6d48467c216bb75
  • apache2-bin_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:5707bd0664e8d508fbc652ee6586078dfa4b90d0
  • apache2-data_2.4.41-4ubuntu3.23+tuxcare.els12_all.deb
    sha:2a41b524ce6b1a9c1b3a6b5ceb0d61c0b2a93c95
  • apache2-dev_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:0a0b7f36689e834f81f6882536614e5fe9b3f24f
  • apache2-doc_2.4.41-4ubuntu3.23+tuxcare.els12_all.deb
    sha:01b62f54ebdf4665165c2a39fec7e89a18ed0294
  • apache2-ssl-dev_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:8e2263ac669f71533b8608456e67a294abb3c951
  • apache2-suexec-custom_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:e4bd457e2dfade15ad410804b388cb9f7c175c07
  • apache2-suexec-pristine_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:1e734497e0d2a09cfe7cab3c63e3f8c15c251ae9
  • apache2-utils_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:2e29a605e35698ca38ed13804b898ca8ecf4b0c4
  • libapache2-mod-md_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:842a4a794236edf942379af907cf6ef6b83d0836
  • libapache2-mod-proxy-uwsgi_2.4.41-4ubuntu3.23+tuxcare.els12_amd64.deb
    sha:72a4243041b77e8b550ce41bdcd709866a7a1833
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.