DEBIAN-CVE-2025-49812

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-49812

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-49812.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-49812

Upstream

CVE-2025-49812

Published

2025-07-10T17:15:48Z

Modified

2025-09-19T07:34:44.665813Z

Summary

[none]

Details

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.

References

https://security-tracker.debian.org/tracker/CVE-2025-49812

Affected packages

Debian:11 / apache2

Package

Name: apache2
Purl: pkg:deb/debian/apache2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.65-1~deb11u1

Affected versions

2.*

2.4.48-3.1

2.4.48-3.1+deb11u1

2.4.48-4

2.4.49-1~bpo10+1

2.4.49-1~deb11u1

2.4.49-1~deb11u2

2.4.49-1~deb11u3

2.4.49-1

2.4.49-2

2.4.49-3

2.4.49-4

2.4.50-1~deb11u1

2.4.50-1

2.4.51-1~bpo10+1

2.4.51-1~bpo10+2

2.4.51-1~deb11u1

2.4.51-1

2.4.51-2

2.4.52-1~bpo10+1

2.4.52-1~deb11u1

2.4.52-1~deb11u2

2.4.52-1

2.4.52-2

2.4.52-3

2.4.53-1~deb11u1

2.4.53-1

2.4.53-2~bpo10+1

2.4.53-2

2.4.54-1~deb11u1

2.4.54-1

2.4.54-2

2.4.54-3

2.4.54-4

2.4.54-5

2.4.55-1

2.4.56-1~deb11u1

2.4.56-1~deb11u2

2.4.56-1

2.4.56-2

2.4.57-1

2.4.57-2

2.4.57-3

2.4.58-1

2.4.59-1~deb10u1

2.4.59-1~deb11u1

2.4.59-1~deb12u1

2.4.59-1

2.4.59-2

2.4.60-1

2.4.61-1~deb11u1

2.4.61-1~deb12u1

2.4.61-1

2.4.62-1~deb11u1

2.4.62-1~deb11u2

2.4.62-1~deb12u1

2.4.62-1~deb12u2

2.4.62-1

2.4.62-2

2.4.62-3

2.4.62-4

2.4.62-5

2.4.62-6

2.4.63-1

2.4.64-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / apache2

Package

Name: apache2
Purl: pkg:deb/debian/apache2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.65-1~deb12u1

Affected versions

2.*

2.4.57-2

2.4.57-3

2.4.58-1

2.4.59-1~deb10u1

2.4.59-1~deb11u1

2.4.59-1~deb12u1

2.4.59-1

2.4.59-2

2.4.60-1

2.4.61-1~deb11u1

2.4.61-1~deb12u1

2.4.61-1

2.4.62-1~deb11u1

2.4.62-1~deb11u2

2.4.62-1~deb12u1

2.4.62-1~deb12u2

2.4.62-1

2.4.62-2

2.4.62-3

2.4.62-4

2.4.62-5

2.4.62-6

2.4.63-1

2.4.64-1

2.4.65-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / apache2

Package

Name: apache2
Purl: pkg:deb/debian/apache2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.64-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / apache2

Package

Name: apache2
Purl: pkg:deb/debian/apache2?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.64-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}