BDU:2025-08695

Уязвимость функции mod_proxy_http2 веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: HIGH (7.8) Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

References:

CVE-2025-49630

Published: 2025-07-10
Modified: 2025-07-29

CVE-2025-49630

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

https://httpd.apache.org/security/vulnerabilities_24.html

Published: 2025-07-10
Modified: 2025-07-29

CVE-2025-53020

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

https://httpd.apache.org/security/vulnerabilities_24.html

Version: 2.1.2

Package apache2-mod_http2 update in sisyphus_loongarch64 on 2025-07-22

ALT-PU-2025-9585-1

Closed vulnerabilities

BDU:2025-08695

CVE-2025-49630

CVE-2025-53020