[CLSA-2026:1779091399] httpd: Fix of 8 CVEs
Type:
security
Severity:
Important
Release date:
2026-05-18 08:03:28 UTC
Description:
- CVE-2026-24072: mod_rewrite/mod_setenvif: use AP_EXPR_FLAG_RESTRICTED in htaccess to prevent reading server-side files via ap_expr from .htaccess
- CVE-2026-29169: mod_dav_lock: NULL pointer dereference in dav_generic_refresh_locks (use dp_scan instead of dp)
- CVE-2026-33006: mod_auth_digest: timing attack; use constant-time compare for nonce/digest verification
- CVE-2026-33007: mod_authn_socache: NULL pointer dereference when r->uri has no '/' in directory context
- CVE-2026-33523: scan outgoing status line for newlines and control characters to prevent HTTP response splitting
- CVE-2026-33857: mod_proxy_ajp: off-by-one OOB reads in ajp_msg_get/peek length checks
- CVE-2026-34032: mod_proxy_ajp: improper null termination and OOB read in ajp_msg_get_string
- CVE-2026-34059: mod_proxy_ajp: heap over-read in ajp_parse_data when message is too small
Updated packages:
  • httpd-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:de7160bc8b9d2fed08a077874d124ad68d9d47aabd67a5f4a4c51ea930dfe7d9
  • httpd-devel-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:c695043802b86c82a04b2b01f6ed7526c23d3246d4ec624dc361bbebdfcecf89
  • httpd-manual-2.4.6-99.0.5.el7_9.1.tuxcare.els10.noarch.rpm
    sha:7fdf2ae4c00219fc53a92ada000e4cab438149224bb1c4c5f93a7dcbe82d7d6f
  • httpd-tools-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:4056211e53206dc9acc5afbbf5c9e422e6a1ebbfd19c76c827b16f92a95ed4d8
  • mod_ldap-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:b1069e0936d416dc7ae7534a356ff9a872b62554bd6475647283b84f7c607ef9
  • mod_proxy_html-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:3fdb4a9decc7614813b0f43c50c4a69a98895e7e2526a19eeb07e54bd06ea4e8
  • mod_session-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:9d5d4e1e0de8f298a02c58ba6988c65be1607b69d215868a6cee21e4f9544086
  • mod_ssl-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:88510dab51c0f4ab6a2917237fd9c282a2ae7288720ae68c9607aae8dd46bff5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.