An update for httpd is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1528 Final 1.0 1.0 2026-03-06 Initial 2026-03-06 2026-03-06 openEuler SA Tool V1.0 2026-03-06 httpd security update An update for httpd is now available for openEuler-24.03-LTS-SP1 Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fix(es): An integer overflow vulnerability was found in Apache HTTP Server versions 2.4.30 to 2.4.66. In case of failed ACME certificate renewal, after a number of failures (~30 days in default configurations), the backoff timer becomes 0. Certificate renewal attempts are then repeated without delays until successful. This issue affects confidentiality, integrity, and availability.(CVE-2025-55753) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-58098) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue.(CVE-2025-65082) mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue.(CVE-2025-66200) An update for httpd is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High httpd https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1528 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-55753 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-58098 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-65082 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-66200 https://nvd.nist.gov/vuln/detail/CVE-2025-55753 https://nvd.nist.gov/vuln/detail/CVE-2025-58098 https://nvd.nist.gov/vuln/detail/CVE-2025-65082 https://nvd.nist.gov/vuln/detail/CVE-2025-66200 openEuler-24.03-LTS-SP1 httpd-2.4.58-12.oe2403sp1.aarch64.rpm httpd-debuginfo-2.4.58-12.oe2403sp1.aarch64.rpm httpd-debugsource-2.4.58-12.oe2403sp1.aarch64.rpm httpd-devel-2.4.58-12.oe2403sp1.aarch64.rpm httpd-tools-2.4.58-12.oe2403sp1.aarch64.rpm mod_ldap-2.4.58-12.oe2403sp1.aarch64.rpm mod_md-2.4.58-12.oe2403sp1.aarch64.rpm mod_proxy_html-2.4.58-12.oe2403sp1.aarch64.rpm mod_session-2.4.58-12.oe2403sp1.aarch64.rpm mod_ssl-2.4.58-12.oe2403sp1.aarch64.rpm httpd-2.4.58-12.oe2403sp1.src.rpm httpd-2.4.58-12.oe2403sp1.x86_64.rpm httpd-debuginfo-2.4.58-12.oe2403sp1.x86_64.rpm httpd-debugsource-2.4.58-12.oe2403sp1.x86_64.rpm httpd-devel-2.4.58-12.oe2403sp1.x86_64.rpm httpd-tools-2.4.58-12.oe2403sp1.x86_64.rpm mod_ldap-2.4.58-12.oe2403sp1.x86_64.rpm mod_md-2.4.58-12.oe2403sp1.x86_64.rpm mod_proxy_html-2.4.58-12.oe2403sp1.x86_64.rpm mod_session-2.4.58-12.oe2403sp1.x86_64.rpm mod_ssl-2.4.58-12.oe2403sp1.x86_64.rpm httpd-filesystem-2.4.58-12.oe2403sp1.noarch.rpm httpd-help-2.4.58-12.oe2403sp1.noarch.rpm An integer overflow vulnerability was found in Apache HTTP Server versions 2.4.30 to 2.4.66. In case of failed ACME certificate renewal, after a number of failures (~30 days in default configurations), the backoff timer becomes 0. Certificate renewal attempts are then repeated without delays until successful. This issue affects confidentiality, integrity, and availability. 2026-03-06 CVE-2025-55753 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N httpd security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1528 Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. 2026-03-06 CVE-2025-58098 openEuler-24.03-LTS-SP1 High 8.3 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L httpd security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1528 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue. 2026-03-06 CVE-2025-65082 openEuler-24.03-LTS-SP1 Medium 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N httpd security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1528 mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. 2026-03-06 CVE-2025-66200 openEuler-24.03-LTS-SP1 Medium 5.4 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L httpd security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1528