Debian Package Tracker

apache2

Apache HTTP Server

general
  • source: apache2 (main)
  • version: 2.4.64-1
  • maintainer: Debian Apache Maintainers
  • uploaders: Arno Töll – Yadd – Bastien Roucariès – Ondřej Surý – Stefan Fritsch
  • arch: all any
  • std-ver: 4.6.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.4.38-3+deb10u8
  • o-o-sec: 2.4.59-1~deb10u1
  • oldstable: 2.4.62-1~deb11u1
  • old-sec: 2.4.62-1~deb11u2
  • old-p-u: 2.4.62-1~deb11u1
  • stable: 2.4.62-1~deb12u2
  • stable-sec: 2.4.62-1~deb12u2
  • testing: 2.4.63-1
  • unstable: 2.4.64-1
binaries (bug counts: total, then RC, important & normal, minor & wishlist, fixed & pending)
  • apache2 (121 bugs: 0, 80, 41, 0)
  • apache2-bin (38 bugs: 0, 29, 9, 0)
  • apache2-data
  • apache2-dev (5 bugs: 0, 2, 3, 0)
  • apache2-doc (4 bugs: 0, 3, 1, 0)
  • apache2-ssl-dev
  • apache2-suexec-custom (3 bugs: 0, 2, 1, 0)
  • apache2-suexec-pristine (3 bugs: 0, 1, 2, 0)
  • apache2-utils (8 bugs: 0, 4, 4, 0)
action needed
7 security issues in bullseye high

There are 7 open security issues in bullseye.

7 important issues:
  • CVE-2024-42516: HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
  • CVE-2024-43204: SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64, which fixes this issue.
  • CVE-2024-47252: Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
  • CVE-2025-23048: In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
  • CVE-2025-49630: In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".
  • CVE-2025-49812: In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
  • CVE-2025-53020: Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.
Created: 2025-07-10 Last update: 2025-07-18 05:00
7 security issues in bookworm high

There are 7 open security issues in bookworm.

7 important issues: the same seven listed for bullseye above (CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020), with identical descriptions and the same recommendation to upgrade to 2.4.64.
Created: 2025-07-10 Last update: 2025-07-18 05:00
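Four of the open issues above are only reachable from a specific configuration (CVE-2024-47252 needs a CustomLog that writes a mod_ssl variable, CVE-2025-23048 needs vhosts with different client-CA sets and no SSLStrictSNIVHostCheck, CVE-2025-49630 needs an h2 backend with ProxyPreserveHost On, CVE-2025-49812 needs "SSLEngine optional"), so an administrator on bullseye or bookworm, where the fixed 2.4.64 has not landed, can triage them from the config before a security upload arrives. The script below is an added example written for this page, not Debian's or upstream's code: it runs a minimal Apache-config parser over two constructed configurations (the hostnames, CA paths and backend URL are made up), reports which preconditions the first one meets, and confirms the corrected second one is clean. It deliberately does not follow Include, does not handle line continuations, and does not try to detect the other three CVEs, which have no single configuration signature.

```python
"""Flag apache2 config patterns named by the open CVEs above (added example)."""
import re
import shlex
from itertools import combinations

# Constructed sample configs, not from any real host: the first one trips
# every check, the second shows the corrected directives.
VULNERABLE_CONFIG = r"""
LogFormat "%h %t \"%r\" %>s \"%{SSL_TLS_SNI}x\"" snilog
CustomLog /var/log/apache2/ssl_access.log snilog
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/ssl/ca-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/ssl/ca-b.pem
</VirtualHost>
<VirtualHost *:80>
    SSLEngine optional
</VirtualHost>
<VirtualHost *:8080>
    ProxyPreserveHost On
    ProxyPass / h2://backend.internal:8443/
</VirtualHost>
"""
HARDENED_CONFIG = r"""
LogFormat "%h %t \"%r\" %>s" plain
CustomLog /var/log/apache2/ssl_access.log plain
SSLStrictSNIVHostCheck on
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/ssl/ca-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/ssl/ca-b.pem
</VirtualHost>
<VirtualHost *:8080>
    ProxyPreserveHost Off
    ProxyPass / h2://backend.internal:8443/
</VirtualHost>
"""
SSL_LOGVAR = re.compile(r'%\{(SSL_\w+)\}[xc]')   # %{varname}x or %{varname}c


def parse_config(text):
    """Minimal parser -> [(vhost, directive, args)], vhost None at server level.
    Include and line continuations are not handled; containers other than
    <VirtualHost> (e.g. <IfModule>) are treated as transparent."""
    out, vhost = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if m := re.fullmatch(r'<VirtualHost\s+([^>]*)>', line, re.I):
            vhost = f'<VirtualHost {m.group(1)}> line {lineno}'
        elif re.fullmatch(r'</VirtualHost>', line, re.I):
            vhost = None
        elif not line.startswith('<'):
            name, *args = shlex.split(line)   # handles quoted LogFormat strings
            out.append((vhost, name.lower(), args))
    return out


def check_config(text):
    """Return (issue, scope, detail) tuples. CVE-2024-42516, CVE-2024-43204 and
    CVE-2025-53020 have no single config signature and are not covered."""
    d = parse_config(text)
    on = lambda a: bool(a) and a[0].lower() == 'on'
    found = []
    # CVE-2025-49812: the TLS-upgrade path only exists with "SSLEngine optional".
    found += [('CVE-2025-49812', vh, 'SSLEngine optional') for vh, n, a in d
              if n == 'sslengine' and a and a[0].lower() == 'optional']
    # CVE-2025-23048: vhosts trusting different client CAs while neither has
    # SSLStrictSNIVHostCheck on (a server-level "on" is inherited by vhosts).
    ca = {}
    for vh, n, a in d:
        if vh and n in ('sslcacertificatefile', 'sslcacertificatepath') and a:
            ca.setdefault(vh, set()).add(a[0])
    strict = {vh for vh, n, a in d if n == 'sslstrictsnivhostcheck' and on(a)}
    for x, y in combinations(ca, 2):
        if ca[x] != ca[y] and not {x, y, None} & strict:
            found.append(('CVE-2025-23048', f'{x} vs {y}',
                          'different client CAs without SSLStrictSNIVHostCheck'))
    # CVE-2024-47252: CustomLog writing a mod_ssl variable without escaping.
    fmts = {a[1]: a[0] for _, n, a in d if n == 'logformat' and len(a) > 1}
    for vh, n, a in d:
        if n == 'customlog' and len(a) > 1:
            for var in SSL_LOGVAR.findall(fmts.get(a[1], a[1])):  # nickname or inline
                found.append(('CVE-2024-47252', vh, f'unescaped {var} in CustomLog'))
    # CVE-2025-49630: HTTP/2 backend while ProxyPreserveHost is On (vhost or server level).
    preserve = {vh for vh, n, a in d if n == 'proxypreservehost' and on(a)}
    for vh, n, a in d:
        target = next((t for t in a if '://' in t), '') if n == 'proxypass' else ''
        if target.lower().startswith(('h2://', 'h2c://')) and (vh in preserve or None in preserve):
            found.append(('CVE-2025-49630', vh, f'ProxyPreserveHost On with {target}'))
    return found


if __name__ == '__main__':
    for cfg in (VULNERABLE_CONFIG, HARDENED_CONFIG):
        print(check_config(cfg) or 'no findings')
```

On the vulnerable sample, check_config returns one finding per CVE (four in total); on the hardened one it returns nothing, and removing the server-level SSLStrictSNIVHostCheck brings back only the CVE-2025-23048 finding. On a Debian host the vhost files are spread over /etc/apache2/sites-enabled and conf-enabled, so either concatenate them or, with mod_info loaded, feed the script the flattened output of apache2ctl -t -D DUMP_CONFIG. A clean run is only a negative triage result: it says the known preconditions are absent, not that the installed 2.4.62 build is patched.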
1 bug tagged help in the BTS normal
The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.
Created: 2022-12-02 Last update: 2025-07-18 14:30
18 bugs tagged patch in the BTS normal
The BTS contains patches fixing 18 bugs (20 if counting merged bugs), consider including or untagging them.
Created: 2025-01-06 Last update: 2025-07-18 14:30
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2.4.64-2, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 75c7415aca1314070e53dc728d136ecf8f427f57
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jul 17 18:13:29 2025 +0200

    Disable by default TLS 1.0 and TLS 1.1
Created: 2025-07-17 Last update: 2025-07-17 17:32
lintian reports 12 warnings normal
Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2024-10-05 Last update: 2025-07-11 15:00
RFH: The maintainer is looking for help with this package. normal
The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #910917 for more information.
Created: 2018-10-13 Last update: 2020-01-27 22:50
debian/patches: 2 patches to forward upstream low

Among the 7 debian patches available in version 2.4.64-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-07-11 14:00
Build log checks report 1 warning low
Build log checks report 1 warning
Created: 2025-01-16 Last update: 2025-01-16 16:33
Standards version of the package is outdated. wishlist
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).
Created: 2024-04-07 Last update: 2025-07-11 10:03
testing migrations
  • This package will soon be part of the auto-libxml2 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
  • [2025-07-18] apache2 2.4.64-1 MIGRATED to testing (Debian testing watch)
  • [2025-07-11] Accepted apache2 2.4.64-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2025-01-28] apache2 2.4.63-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-24] Accepted apache2 2.4.63-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-12-01] Accepted apache2 2.4.62-6 (source) into experimental (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-11-24] Accepted apache2 2.4.62-5 (source) into experimental (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-10-17] Accepted apache2 2.4.62-1~deb11u2 (source) into oldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-10-10] Accepted apache2 2.4.62-1~deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
  • [2024-10-08] Accepted apache2 2.4.62-1~deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
  • [2024-10-07] apache2 2.4.62-3 MIGRATED to testing (Debian testing watch)
  • [2024-10-05] Accepted apache2 2.4.62-4 (source) into experimental (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-10-04] Accepted apache2 2.4.62-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-10-03] Accepted apache2 2.4.62-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-08-16] Accepted apache2 2.4.62-1~deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-08-16] Accepted apache2 2.4.62-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-07-20] apache2 2.4.62-1 MIGRATED to testing (Debian testing watch)
  • [2024-07-18] Accepted apache2 2.4.62-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-07-12] Accepted apache2 2.4.61-1~deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-07-12] Accepted apache2 2.4.61-1~deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-07-11] Accepted apache2 2.4.61-1~deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-07-11] Accepted apache2 2.4.61-1~deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-07-08] apache2 2.4.61-1 MIGRATED to testing (Debian testing watch)
  • [2024-07-03] Accepted apache2 2.4.61-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-07-01] Accepted apache2 2.4.60-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-05-24] Accepted apache2 2.4.59-1~deb10u1 (source) into oldoldstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
  • [2024-05-05] Accepted apache2 2.4.59-1~deb11u1 (source amd64 all) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-05-05] Accepted apache2 2.4.59-1~deb12u1 (source amd64 all) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-05-04] apache2 2.4.59-2 MIGRATED to testing (Debian testing watch)
  • [2024-04-30] Accepted apache2 2.4.59-2 (source) into unstable (Bastien Roucariès) (signed by: Xavier Guimard)
  • [2024-04-16] Accepted apache2 2.4.59-1~deb12u1 (source amd64 all) into stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
bugs [bug history graph]
  • all: 198 (203 counting merged bugs)
  • RC: 0
  • I&N (important and normal): 138 (140 counting merged bugs)
  • M&W (minor and wishlist): 59 (62 counting merged bugs)
  • F&P (fixed and pending): 1
  • patch: 18 (20 counting merged bugs)
  • help: 1
ubuntu
  • version: 2.4.63-1ubuntu3
  • 63 bugs (4 patches)
  • patches for 2.4.63-1ubuntu3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers