[CLSA-2026:1778254552] httpd: Fix of 8 CVEs
Type:
security
Severity:
Low
Release date:
2026-05-08 15:36:12 UTC
Description:
- CVE-2026-24072: mod_rewrite/mod_setenvif: use AP_EXPR_FLAG_RESTRICTED in htaccess to prevent reading server-side files via ap_expr from .htaccess
- CVE-2026-29169: mod_dav_lock: NULL pointer dereference in dav_generic_refresh_locks (use dp_scan instead of dp)
- CVE-2026-33006: mod_auth_digest: timing attack — use constant-time compare for nonce/digest verification
- CVE-2026-33007: mod_authn_socache: NULL pointer dereference when r->uri has no '/' in directory context
- CVE-2026-33523: scan outgoing status line for newlines and control characters to prevent HTTP response splitting
- CVE-2026-33857: mod_proxy_ajp: off-by-one OOB reads in ajp_msg_get/peek length checks
- CVE-2026-34032: mod_proxy_ajp: improper null termination and OOB read in ajp_msg_get_string
- CVE-2026-34059: mod_proxy_ajp: heap over-read in ajp_parse_data when message is too small
Updated packages:
  • httpd-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:d67a306f655c08b4b182fc921d33d671705b4f048f273190d838f6f6428a5364
  • httpd-devel-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:5cc3131f8b0959b4025d6367eeb7cf654225084360ed855ed6fc250817ceb415
  • httpd-manual-2.4.6-99.0.5.el7_9.1.tuxcare.els10.noarch.rpm
    sha:df5f66a57ecc89b3fdcd0f6a81c85bae3e60c0079d4dd38d3036e34b5870f5b5
  • httpd-tools-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:b52a098996ba9b0386e0b622ff2ad371def9dcf8f228fa5a79de446d254e64a4
  • mod_ldap-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:7b8ac104344e5aa629f06ebdd78a040b6744b90f6564d0ffd9ea2a3a109bb289
  • mod_proxy_html-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:9bc485ad71caee685ba15853d09fe50c42b43b05b18ccafaecff3dd10a39a5c1
  • mod_session-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:c90d72cf4b99758ea39977bf1e10e8416e4afd3944f55531841fe42b3828187c
  • mod_ssl-2.4.6-99.0.5.el7_9.1.tuxcare.els10.x86_64.rpm
    sha:203938a42dbe33085e23537fc1c952d72d000e1cd55be37b74100fe18f82f2aa
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.