Release date:
2026-05-20 16:58:16 UTC
Description:
- CVE-2026-28780: mod_proxy_ajp 4-byte heap buffer overflow when contacting a malicious AJP backend (off-by-AJP_HEADER_LEN check in ajp_msg_check_header)
- CVE-2026-34059: mod_proxy_ajp heap over-read in ajp_parse_data on short AJP replies
- CVE-2026-33006: mod_auth_digest used non-constant-time strcmp() for nonce-hash and response-digest comparisons; replace with constant-time comparison and validate nonce/digest sizes
- CVE-2026-33857: mod_proxy_ajp off-by-one out-of-bounds reads in ajp_msg_get_uint8/uint16/uint32 and ajp_msg_peek_uint8/uint16 length checks
- CVE-2026-34032: mod_proxy_ajp ajp_msg_get_string: tighten length check to msg->len and verify the NUL terminator is present
Updated packages:
- httpd-2.2.15-72.el6.tuxcare.els12.x86_64.rpm
  sha:69601cd2920cd422a8d1a4a1f71879e7e973b1e99aea1fcf40ca06a9ecd95d4d
- httpd-devel-2.2.15-72.el6.tuxcare.els12.i686.rpm
  sha:6280e1a99e96d55145f9b034932c4859835d7d2092a8e22ec5de526ff8830e77
- httpd-devel-2.2.15-72.el6.tuxcare.els12.x86_64.rpm
  sha:25f9ed2f04beecb8e2e8a1691bd3f28a29cdd56fede829b5b7a3161f2920d84c
- httpd-manual-2.2.15-72.el6.tuxcare.els12.noarch.rpm
  sha:2fa550806999ccf53daa968a4ec7120c3ff8c9253e3c00a39495d2fd2c913f1f
- httpd-tools-2.2.15-72.el6.tuxcare.els12.x86_64.rpm
  sha:f92fb656fadd03f5c45b6854f35ba43960a8c75a97ceb3cadcee612753538242
- mod_ssl-2.2.15-72.el6.tuxcare.els12.x86_64.rpm
  sha:f4a6aa878e1c31d2e4d554ef2c30ae48b54da9f5709ffbcf60eb3b358f9d48a2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.