Security update for apache2-mod_security2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03423-1 Final 1 1 2025-09-29T08:50:52Z current 2025-09-29T08:50:52Z 2025-09-29T08:50:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2-mod_security2 This update for apache2-mod_security2 fixes the following issues: - CVE-2025-54571: Fixed insufficient return value handling on modsecurity leads to xss and source code disclosure (bsc#1247674) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3423,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3423 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503423-1/ Link for SUSE-SU-2025:03423-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041969.html E-Mail link for SUSE-SU-2025:03423-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1247674 SUSE Bug 1247674 https://www.suse.com/security/cve/CVE-2025-54571/ SUSE CVE CVE-2025-54571 page SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 apache2-mod_security2-2.8.0-7.12.1 apache2-mod_security2-2.8.0-7.12.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. CVE-2025-54571 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:apache2-mod_security2-2.8.0-7.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503423-1/ https://www.suse.com/security/cve/CVE-2025-54571.html CVE-2025-54571 https://bugzilla.suse.com/1247674 SUSE Bug 1247674