[CLSA-2026:1778254557] httpd: Fix of 8 CVEs
Type: security
Severity: Important
Release date: 2026-05-13 08:53:59 UTC
Description:
- CVE-2026-24072: mod_rewrite/mod_setenvif: use AP_EXPR_FLAG_RESTRICTED in htaccess to prevent reading server-side files via ap_expr from .htaccess
- CVE-2026-29169: mod_dav_lock: NULL pointer dereference in dav_generic_refresh_locks (use dp_scan instead of dp)
- CVE-2026-33006: mod_auth_digest: timing attack — use constant-time compare for nonce/digest verification
- CVE-2026-33007: mod_authn_socache: NULL pointer dereference when r->uri has no '/' in directory context
- CVE-2026-33523: scan outgoing status line for newlines and control characters to prevent HTTP response splitting
- CVE-2026-33857: mod_proxy_ajp: off-by-one OOB reads in ajp_msg_get/peek length checks
- CVE-2026-34032: mod_proxy_ajp: improper null termination and OOB read in ajp_msg_get_string
- CVE-2026-34059: mod_proxy_ajp: heap over-read in ajp_parse_data when message is too small
Updated packages:
  • httpd-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:e09c49faf39db65f6953e6eaeddeb248d30ee0b23c8d261140d6a03ff18f68eb
  • httpd-devel-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:6692fdb6b2c3d7a9433446f1e798de78c7caf024d68717576faf1fdde708eb29
  • httpd-manual-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.noarch.rpm
    sha:2ad9967d201f49ddbd803f1d864414d585e7ec8869bec5792e742915ae7ccd3f
  • httpd-tools-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:39524fc318a8ad60a07138ce58e0b2ddccac20b05aa26afa2eee5cd81f7e592d
  • mod_ldap-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:f36323971a113b2486e6560db1a84fb81d4c0b751c7f70455db72cbbbdbe0849
  • mod_proxy_html-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:c995b852ea5d96899acc0b099a2dfdeaa9c5844a324699b2e747b27436a91682
  • mod_session-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:0aa099a6839e211dffbbd0234e40f0314f4b2061542683e92bd186f0794b3389
  • mod_ssl-2.4.6-99.0.5.el7.centos.1.tuxcare.els10.x86_64.rpm
    sha:92fac9a6446f7f37160fab37b5bf2417e38131172a787e3a089ba6dea366eef8
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.