Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves four vulnerabilities can now be installed.. # Security update for apache2 Announcement ID: SUSE-SU-2026:0020-1 Release Date: 2026-01-05T11:10:13Z Rating: important References: * bsc#1254511 * bsc#1254512 * bsc#1254514 * bsc#1254515 Cross-References: * CVE-2025-55753 * CVE-2025-58098 * CVE-2025-65082 * CVE-2025-66200 CVSS scores: * CVE-2025-55753 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-55753 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2025-55753 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2025-58098 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2025-58098 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N * CVE-2025-58098 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L * CVE-2025-65082 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2025-65082 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N * CVE-2025-65082 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2025-66200 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2025-66200 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2025-66200 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves four vulnerabilities can now be installed. ## Description: This update for apache2 fixes the following issues: * CVE-2025-55753: Fixed mod_md (ACME) unintended retry intervals (bsc#1254511) * CVE-2025-65082: Fixed CGI environment variable override (bsc#1254514) * CVE-2025-58098: Fixed Server Side Includes adding query string to #exec cmd=... (bsc#1254512) * CVE-2025-66200: Fixedmod_userdir+suexec bypass via AllowOverride FileInfo (bsc#1254515) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-20=1 * openSUSE Leap 15.6 zypper in -t patch SUSE-2026-20=1 openSUSE-SLE-15.6-2026-20=1 * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-20=1 ## Package List: * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64) * apache2-utils-debuginfo-2.4.58-150600.5.41.1 * apache2-debugsource-2.4.58-150600.5.41.1 * apache2-prefork-2.4.58-150600.5.41.1 * apache2-utils-2.4.58-150600.5.41.1 * apache2-prefork-debuginfo-2.4.58-150600.5.41.1 * apache2-prefork-debugsource-2.4.58-150600.5.41.1 * apache2-devel-2.4.58-150600.5.41.1 * apache2-worker-debuginfo-2.4.58-150600.5.41.1 * apache2-utils-debugsource-2.4.58-150600.5.41.1 * apache2-worker-debugsource-2.4.58-150600.5.41.1 * apache2-debuginfo-2.4.58-150600.5.41.1 * apache2-worker-2.4.58-150600.5.41.1 * apache2-2.4.58-150600.5.41.1 * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586) * apache2-utils-debuginfo-2.4.58-150600.5.41.1 * apache2-event-2.4.58-150600.5.41.1 * apache2-debugsource-2.4.58-150600.5.41.1 * apache2-event-debugsource-2.4.58-150600.5.41.1 * apache2-prefork-2.4.58-150600.5.41.1 * apache2-utils-2.4.58-150600.5.41.1 * apache2-prefork-debuginfo-2.4.58-150600.5.41.1 * apache2-prefork-debugsource-2.4.58-150600.5.41.1 * apache2-devel-2.4.58-150600.5.41.1 * apache2-worker-debuginfo-2.4.58-150600.5.41.1 * apache2-utils-debugsource-2.4.58-150600.5.41.1 * apache2-worker-debugsource-2.4.58-150600.5.41.1 * apache2-event-debuginfo-2.4.58-150600.5.41.1 *apache2-debuginfo-2.4.58-150600.5.41.1 * apache2-worker-2.4.58-150600.5.41.1 * apache2-2.4.58-150600.5.41.1 * openSUSE Leap 15.6 (noarch) * apache2-manual-2.4.58-150600.5.41.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64) * apache2-utils-debuginfo-2.4.58-150600.5.41.1 * apache2-debugsource-2.4.58-150600.5.41.1 * apache2-prefork-2.4.58-150600.5.41.1 * apache2-utils-2.4.58-150600.5.41.1 * apache2-prefork-debuginfo-2.4.58-150600.5.41.1 * apache2-prefork-debugsource-2.4.58-150600.5.41.1 * apache2-devel-2.4.58-150600.5.41.1 * apache2-worker-debuginfo-2.4.58-150600.5.41.1 * apache2-utils-debugsource-2.4.58-150600.5.41.1 * apache2-worker-debugsource-2.4.58-150600.5.41.1 * apache2-debuginfo-2.4.58-150600.5.41.1 * apache2-worker-2.4.58-150600.5.41.1 * apache2-2.4.58-150600.5.41.1 ## References: * https://www.suse.com/security/cve/CVE-2025-55753.html * https://www.suse.com/security/cve/CVE-2025-58098.html * https://www.suse.com/security/cve/CVE-2025-65082.html * https://www.suse.com/security/cve/CVE-2025-66200.html * https://bugzilla.suse.com/show_bug.cgi?id=1254511 * https://bugzilla.suse.com/show_bug.cgi?id=1254512 * https://bugzilla.suse.com/show_bug.cgi?id=1254514 * https://bugzilla.suse.com/show_bug.cgi?id=1254515 . An important security update for apache2 addresses four vulnerabilities affecting SUSE systems. Immediate action is advised.. SUSE security update, apache2 vulnerabilities, important apache2 patch. . Severity: Important. LinuxSecurity.com Team
MGAA-2025-0107 - Updated less package fixes bug. MGAA-2025-0107 - Updated less package fixes bug Publication date: 29 Dec 2025 URL: https://advisories.mageia.org/MGAA-2025-0107.html Type: bugfix Affected Mageia releases: 9 Description: The current version does not set the environment variable LESSOPEN which means that you can't view gz, bz2, lzma, zip, rpm, html, etc. files. This update fixes the reported issue. After the update you should close the terminal emulator in use for the fix to take effect. References: - https://bugs.mageia.org/show_bug.cgi?id=34892 SRPMS: - 9/core/less-678-1.2.mga9 . An update to the less package in Mageia fixes a crucial bug affecting file viewing functionality. Install now!. less package update,Mageia fix,bug resolution,Mageia updates. . Severity: Informational. LinuxSecurity.com Team
An untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library versions 2.27 to 2.38 allows attacker-controlled loading of dynamically shared libraries in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). (CVE-2025-4802) . MGASA-2025-0164 - Updated glibc packages fix security vulnerability Publication date: 24 May 2025 URL: https://advisories.mageia.org/MGASA-2025-0164.html Type: security Affected Mageia releases: 9 CVE: CVE-2025-4802 An untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library versions 2.27 to 2.38 allows attacker-controlled loading of dynamically shared libraries in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). (CVE-2025-4802) References: - https://bugs.mageia.org/show_bug.cgi?id=34286 - https://www.openwall.com/lists/oss-security/2025/05/16/7 - https://www.openwall.com/lists/oss-security/2025/05/17/2 - https://www.cve.org/CVERecord?id=CVE-2025-4802 SRPMS: - 9/core/glibc-2.36-56.mga9 . A critical LD_LIBRARY_PATH exploit in glibc affects Mageia, allowing malicious library loading by attackers.. glibc Vulnerability, LD_LIBRARY_PATH, Mageia Security Advisory, Dynamic Library Control. . Severity: Important. LinuxSecurity.com Team
Several security issues were fixed in PHP.. ========================================================================== Ubuntu Security Notice USN-7049-3 February 26, 2025 php5 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Several security issues were fixed in PHP. Software Description: - php5: HTML-embedded scripting language interpreter Details: USN-7049-1 fixed vulnerabilities in PHP. This update provides the corresponding updates for Ubuntu 14.04 LTS. Original advisory details: It was discovered that PHP incorrectly handled parsing multipart form data.A remote attacker could possibly use this issue to inject payloads and cause PHP to ignore legitimate data. (CVE-2024-8925) It was discovered that PHP incorrectly handled the cgi.force_redirect configuration option due to environment variable collisions. In certain configurations, an attacker could possibly use this issue bypass force_redirect restrictions. (CVE-2024-8927) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.29+esm16 Available with Ubuntu Pro php5 5.5.9+dfsg-1ubuntu4.29+esm16 Available with Ubuntu Pro php5-cgi 5.5.9+dfsg-1ubuntu4.29+esm16 Available with Ubuntu Pro php5-cli 5.5.9+dfsg-1ubuntu4.29+esm16 Available with Ubuntu Pro php5-fpm 5.5.9+dfsg-1ubuntu4.29+esm16 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7049-3 https://ubuntu.com/security/notices/USN-7049-2 https://ubuntu.com/security/notices/USN-7049-1 CVE-2024-8925, CVE-2024-8927 . Enhancements for PHP security vulnerabilities in Ubuntu 14.04 LTS to mitigate risks of attacks and data breaches. Discover more!. PHP Security Updates, Ubuntu 14.04, Security Patches. . Severity: Critical. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2024-10882 http://linux.oracle.com/errata/ELSA-2024-10882.html The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network: aarch64: postgresql-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-contrib-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-devel-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-docs-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-libs-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-plperl-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-plpython-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-pltcl-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-server-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-test-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-static-9.2.24-9.0.3.el7_9.aarch64.rpm postgresql-upgrade-9.2.24-9.0.3.el7_9.aarch64.rpm SRPMS: http://oss.oracle.com/ol7/SRPMS-updates//postgresql-9.2.24-9.0.3.el7_9.src.rpm Related CVEs: CVE-2024-10979 Description of changes: [9.2.24-9.0.3] - Fixes CVE-2024-10979 where environment variable mutations [Orabug: 37370704] - are incorrectly allowed from trusted PL/Perl code _______________________________________________ El-errata mailing list
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because . MGASA-2023-0025 - Updated sudo packages fix security vulnerability Publication date: 24 Jan 2023 URL: https://advisories.mageia.org/MGASA-2023-0025.html Type: security Affected Mageia releases: 8 CVE: CVE-2023-22809 In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value. (CVE-2023-22809) References: - https://bugs.mageia.org/show_bug.cgi?id=31437 - - https://lists.debian.org/debian-security-announce/2023/msg00010.html - https://ubuntu.com/security/notices/USN-5811-1 - https://lists.fedoraproject.org/archives/list/
Stack-based buffer overflow in auphone.c that can be triggered by an environment variable. Also, the x11-util-cf-files package has been patched to allow building nas. . MGASA-2022-0066 - Updated nas packages fix security vulnerability Publication date: 18 Feb 2022 URL: https://advisories.mageia.org/MGASA-2022-0066.html Type: security Affected Mageia releases: 8 Stack-based buffer overflow in auphone.c that can be triggered by an environment variable. Also, the x11-util-cf-files package has been patched to allow building nas. References: - https://bugs.mageia.org/show_bug.cgi?id=30020 - https://lists.fedoraproject.org/archives/list/
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other . MGASA-2021-0248 - Updated docker-containerd packages fix security vulnerability Publication date: 13 Jun 2021 URL: https://advisories.mageia.org/MGASA-2021-0248.html Type: security Affected Mageia releases: 7, 8 CVE: CVE-2021-21334 In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. (CVE-2021-21334). References: - https://bugs.mageia.org/show_bug.cgi?id=29003 - https://lists.fedoraproject.org/archives/list/
Get the latest Linux and open source security news straight to your inbox.