[CLSA-2026:1781622427] httpd: Fix of 5 CVEs
Type: security
Severity: Critical
Release date: 2026-06-16 15:07:26 UTC
Description:
- CVE-2026-29167: mod_ldap: use-after-free in per-directory configuration — deep-copy the client certificate list (and referenced path/password strings) into the connection pool instead of a shallow header copy
- CVE-2026-29170: mod_proxy_ftp: cross-site scripting in the generated FTP directory listing — escape href filenames with ap_os_escape_path() wrapped in ap_escape_html() instead of ap_escape_uri()
- CVE-2026-34355: mod_proxy_html: heap buffer overflow reachable from an untrusted backend — replace hand-rolled buffer management with the ap_varbuf API
- CVE-2026-42535: mod_dav_fs: deny WebDAV access to/within the .DAV state directory in dav_fs_get_resource()
- CVE-2026-42536: mod_xml2enc: heap buffer overflow in fix_skipto — keep the buffer length (bblen) accounting in sync when advancing the buffer
Updated packages:
  • httpd-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:1635da8db41123d29fa1fe9186fb950253cc59584e3beac75c2707ee80fc40ee
  • httpd-devel-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:82627eb69b45018bcd9c2d768d8ec4b3d7758eca1ca06533cbac1554d9894e26
  • httpd-manual-2.4.6-99.0.5.el7_9.1.tuxcare.els12.noarch.rpm
    sha:ab402710a875b4b01a8fabdf1e65b21f76c216571323cc9a0feb829404617db4
  • httpd-tools-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:b5714759f6d8ab9a461c3a8ff31ee29d5fa16ffaa6d34744b3a9dcf9b6c657bb
  • mod_ldap-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:db9df95604bea87f22a0b145741172e5aad97966e49ce748449ad87c456e5af0
  • mod_proxy_html-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:7e44a786bf4c5c36bb939f95adaad138fc6ad4ae2203767c205b14668ef3c482
  • mod_session-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:6ae5b4184f2ae1101881d105ab60ac2b77f7c8c05ff06d450ca71968451fedf4
  • mod_ssl-2.4.6-99.0.5.el7_9.1.tuxcare.els12.x86_64.rpm
    sha:e568077834e12750ca0f2e631efb9235d457576f4334a59a877f5f892e572a63
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.