{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2026-34059: fix ajp_parse_data message length check\n- CVE-2026-29169: fix mod_dav_lock NULL deref\n- CVE-2026-33006: fix mod_auth_digest timing attack\n- CVE-2026-24072: restrict ap_expr in htaccess\n- CVE-2026-33523: scan outgoing status line for newlines and controls\n- CVE-2026-33857: fix length checks in AJP msg_get functions\n- CVE-2026-34032: fix ajp_msg_get_string buffer checks\n- CVE-2026-33007: validate URL earlier in mod_authn_socache\n- CVE-2026-28780: fix ajp_msg_check_header boundary check (companion to CVE-2026-33857)",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/amazonlinux2els/advisories/2026/clsa-2026_1778785352.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-14T19:04:29Z",
      "generator": {
        "date": "2026-05-14T19:04:29Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1778785352",
      "initial_release_date": "2026-05-14T19:04:29Z",
      "revision_history": [
        {
          "date": "2026-05-14T19:04:29Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "httpd: Fix of 9 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Amazon Linux 2",
                "product": {
                  "name": "Amazon Linux 2",
                  "product_id": "Amazon-Linux-2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:amazon:amazon_linux:2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Amazon Linux"
          }
        ],
        "category": "vendor",
        "name": "Amazon Web Services, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mod_ldap@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/httpd@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/httpd-devel@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mod_ssl@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mod_proxy_html@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mod_md@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/httpd-tools@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_id": "mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/mod_session@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
                "product": {
                  "name": "httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
                  "product_id": "httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/httpd-filesystem@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
                "product": {
                  "name": "httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
                  "product_id": "httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/httpd-manual@2.4.66-1.amzn2.0.1.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch"
        },
        "product_reference": "httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch"
        },
        "product_reference": "httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64 as a component of Amazon Linux 2",
          "product_id": "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        },
        "product_reference": "mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Amazon-Linux-2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-34059",
      "cwe": {
        "id": "CWE-126",
        "name": "Buffer Over-read"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the mod_proxy_ajp module of httpd. When processing AJP (Apache JServ Protocol) messages, the ajp_parse_data function attempts to read data beyond the allocated buffer size, allowing an attacker or a malformed request to cause a heap-based buffer over-read. This issue potentially leads to memory disclosure and a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-34059"
        }
      ],
      "release_date": "2026-05-04T12:39:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-29169",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the mod_dav_lock module of httpd. This vulnerability allows a remote unauthenticated attacker to crash the server due to a NULL pointer dereference via a specially crafted request.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-29169"
        }
      ],
      "release_date": "2026-05-04T14:48:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-33006",
      "cwe": {
        "id": "CWE-208",
        "name": "Observable Timing Discrepancy"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the mod_auth_digest module of httpd. A remote unauthenticated attacker can bypass digest authentication by measuring timing discrepancies of requests. This issue leads to unauthorized access to resources protected by digest authentication.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-33006"
        }
      ],
      "release_date": "2026-05-04T14:42:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-24072",
      "cwe": {
        "id": "CWE-73",
        "name": "External Control of File Name or Path"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache HTTP Server. This escalation of privilege vulnerability allows local attackers, specifically those with the ability to author .htaccess files, to read sensitive files. This flaw enables unauthorized access to files with the privileges of the httpd user, potentially leading to information disclosure.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-24072"
        }
      ],
      "release_date": "2026-05-04T12:37:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-33523",
      "cwe": {
        "id": "CWE-443",
        "name": "DEPRECATED: HTTP response splitting"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in httpd. When processing responses from an untrusted or compromised backend server, multiple modules fail to sanitize Carriage Return and Line Feed (CRLF) sequences in the HTTP status line. This issue can lead to HTTP response splitting.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-33523"
        }
      ],
      "release_date": "2026-05-04T14:40:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-33857",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the mod_proxy_ajp module of httpd. When processing AJP (Apache JServ Protocol) messages, the AJP getter functions attempt to read data beyond the allocated buffer size, allowing an attacker or a malformed request to cause an out-of-bounds read. This issue leads to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-33857"
        }
      ],
      "release_date": "2026-05-04T13:07:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-34032",
      "cwe": {
        "id": "CWE-170",
        "name": "Improper Null Termination"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the mod_proxy_ajp module of httpd. When processing AJP (Apache JServ Protocol) messages, the server fails to properly check if a string is null-terminated before attempting to read it, allowing an attacker or a malformed request to cause a heap-based buffer over-read. This issue potentially leads to memory disclosure and a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-34032"
        }
      ],
      "release_date": "2026-05-04T12:54:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-28780",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in mod_proxy_ajp of Apache HTTP Server. This heap-based buffer overflow vulnerability allows a remote attacker operating a malicious AJP (Apache JServ Protocol) server, to which mod_proxy_ajp connects, to send a specially crafted message. This message can cause mod_proxy_ajp to write attacker-controlled data beyond a heap-based buffer, potentially leading to arbitrary code execution or a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-28780"
        }
      ],
      "release_date": "2026-05-05T21:29:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-33007",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the mod_authn_socache module of httpd. This vulnerability allows an unauthenticated remote user to crash a child process due to a NULL pointer dereference when the server is operating in a caching forward proxy configuration.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
          "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
          "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-33007"
        }
      ],
      "release_date": "2026-05-04T14:41:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T19:02:35.282006Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352",
          "product_ids": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1778785352"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Amazon-Linux-2:httpd-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-devel-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:httpd-filesystem-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-manual-0:2.4.66-1.amzn2.0.1.tuxcare.els1.noarch",
            "Amazon-Linux-2:httpd-tools-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ldap-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_md-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_proxy_html-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_session-0:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64",
            "Amazon-Linux-2:mod_ssl-1:2.4.66-1.amzn2.0.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}