Release date:
2026-06-22 13:54:26 UTC
Description:
- CVE-2026-29167: mod_ldap: use-after-free in per-directory configuration —
deep-copy the client certificate list (and referenced path/password
strings) into the connection pool instead of a shallow header copy
- CVE-2026-29170: mod_proxy_ftp: cross-site scripting in the generated FTP
directory listing — escape href filenames with ap_os_escape_path() wrapped
in ap_escape_html() instead of ap_escape_uri()
- CVE-2026-34355: mod_proxy_html: heap buffer overflow reachable from an
untrusted backend — replace hand-rolled buffer management with the
ap_varbuf API
- CVE-2026-42535: mod_dav_fs: deny WebDAV access to/within the .DAV state
directory in dav_fs_get_resource()
- CVE-2026-42536: mod_xml2enc: heap buffer overflow in fix_skipto — keep the
buffer length (bblen) accounting in sync when advancing the buffer
Updated packages:
- httpd-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:b443265f7154b33d795dfbe5b9d8e65f53a09eb5eb70f1c81242e2a391059e1c
- httpd-devel-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:ea5b23d0577f21b66dd6e05ef7a54a788eca68dd46b2d53b3e38f8f850dcdbf2
- httpd-manual-2.4.6-99.el7.1.tuxcare.els14.noarch.rpm
sha:2d7cd756f135b71861c01bcd8c8e9387db66a20e3c81ae69c816ae73256979ca
- httpd-tools-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:beaca04248a9b929b71a6e9453cfaeece402e168942b7ea8cf884dbe15f4f9a2
- mod_ldap-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:538bb4eef86550468031152e745771bf6c3f02ba11b4df9bbd9cc68e8247085d
- mod_proxy_html-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:d16725c7dc0f13fc93c4a0c2704f6375b89c6788835f7ff5a884e78909965e1a
- mod_session-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:cf875bda6c6b7f6460da9c76a8fdf8a1148b1794e07d39a59c7966b0de2350ac
- mod_ssl-2.4.6-99.el7.1.tuxcare.els14.x86_64.rpm
sha:db99641933fd33d8542c2760b5c9b5823f6505762b3a663343855308f16b5a44
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections, please contact the CloudLinux Packaging Team.