This update addresses a regression in USN-7968-1 where the `MDStapleOthers` setting in `mod_md` was ignored, breaking OCSP for some domains. The original advisory fixed four vulnerabilities: CVE-2025-58098 (CVSS 8.3), allowing arbitrary code execution via SSI and `mod_cgid`; CVE-2025-55753 (CVSS 7.5), causing a DoS via aggressive ACME renewal retries; CVE-2025-65082 (CVSS 6.5), allowing environment variable superseding for CGI; and CVE-2025-66200, a privilege escalation via `mod_userdir`. Affected versions are Apache HTTP Server 2.4.30 to 2.4.65 for CVE-2025-55753, all versions before 2.4.66 for CVE-2025-58098, and 2.4.0 to 2.4.65 for CVE-2025-65082; all are fixed in version 2.4.66.
USN-7968-1 fixed vulnerabilities in Apache HTTP Server. The update introduced a regression in mod_md where the MDStapleOthers setting was ignored which resulted in OCSP being broken for some domains. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the Apache HTTP Server incorrectly handled failed ACME certificate renewals. This could result in renewal attempts to be repeated without delays, possibly leading to a denial of service. (CVE-2025-55753) Anthony Parfenov discovered that the Apache HTTP Server would pass the query string to cmd directives when configured with Server Side Includes (SSI) enabled and mod_cgid. An attacker could possibly use this issue to execute arbitrary code. (CVE-2025-58098) Mattias Ã…sander discovered that the Apache HTTP Server incorrectly neutralized certain environment variables. This could result in unexpectedly superseding variables calculated by the server for CGI programs. (CVE-2025-65082) Mattias Ã…sander discovered that the Apache HTTP Server incorrectly handled AllowOverride FileInfo configurations when using mod_userdir with suexec. An attacker with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. (CVE-2025-66200)