Security update for apache2-mod_security2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03422-1 Final 1 1 2025-09-29T08:50:32Z current 2025-09-29T08:50:32Z 2025-09-29T08:50:32Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2-mod_security2 This update for apache2-mod_security2 fixes the following issues: - CVE-2025-54571: Fixed insufficient return value handling on modsecurity leads to xss and source code disclosure (bsc#1247674) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3422,SUSE-SLE-Module-Server-Applications-15-SP6-2025-3422,SUSE-SLE-Module-Server-Applications-15-SP7-2025-3422,openSUSE-SLE-15.6-2025-3422 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503422-1/ Link for SUSE-SU-2025:03422-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041971.html E-Mail link for SUSE-SU-2025:03422-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1247674 SUSE Bug 1247674 https://www.suse.com/security/cve/CVE-2025-54571/ SUSE CVE CVE-2025-54571 page SUSE Linux Enterprise Module for Server Applications 15 SP6 SUSE Linux Enterprise Module for Server Applications 15 SP7 openSUSE Leap 15.6 apache2-mod_security2-2.9.4-150400.3.12.1 apache2-mod_security2-2.9.4-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 apache2-mod_security2-2.9.4-150400.3.12.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP7 apache2-mod_security2-2.9.4-150400.3.12.1 as a component of openSUSE Leap 15.6 ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. CVE-2025-54571 SUSE Linux Enterprise Module for Server Applications 15 SP6:apache2-mod_security2-2.9.4-150400.3.12.1 SUSE Linux Enterprise Module for Server Applications 15 SP7:apache2-mod_security2-2.9.4-150400.3.12.1 openSUSE Leap 15.6:apache2-mod_security2-2.9.4-150400.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503422-1/ https://www.suse.com/security/cve/CVE-2025-54571.html CVE-2025-54571 https://bugzilla.suse.com/1247674 SUSE Bug 1247674