[CLSA-2026:1778847162] httpd: Fix of CVE-2026-28780
Type: security
Severity: Important
Release date: 2026-05-15 16:17:54 UTC
Description:
- CVE-2026-28780: heap-based buffer overflow in ajp_msg_check_header() in mod_proxy_ajp when proxying to a malicious AJP backend that returns an oversized response, allowing a 4-byte out-of-bounds write past the heap buffer
Updated packages:
  • httpd-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:54f96f8f8d50b3bf2efe2f45827f05947274f13b35bbd81a20014e403703e6f6
  • httpd-core-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:3350292414dbc60a370c1168ca938c8ba352673f3990cacd385519bc4f75592c
  • httpd-devel-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:0da01afbe371d8b883dd7985573085a80b15fd4b4bd98ea24c83c08a215d3fa8
  • httpd-filesystem-2.4.53-11.el9_2.5.tuxcare.els13.noarch.rpm
    sha:ebaa9f452adbcf05b1b65bcd6db8b90b7423897972146ec89b1eb458b8714244
  • httpd-manual-2.4.53-11.el9_2.5.tuxcare.els13.noarch.rpm
    sha:07b120845e7a2ae5e13da66abb69c23fc7673f5a9ce25b90525a5979dc73b864
  • httpd-tools-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:37c06429733831093450ee73b003cb25961453fbac44c95acbb0e93534e505d3
  • mod_ldap-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:44627a25419b96bbdd35b0c616bde0ac8bc90d57a8e0f168af74f53a6e073f91
  • mod_lua-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:6f9ecc79d4aba14d71ccf4fbe575d83659a6bb69407b3570f35faed6aea96988
  • mod_proxy_html-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:cfde59cef420831ecf4d2775a2d95942eac39ae02de82942b815d4b69287331a
  • mod_session-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:921f9105f5de75c659541c4f2f32938477168c06d0b92f57fbdef990e4f80ba1
  • mod_ssl-2.4.53-11.el9_2.5.tuxcare.els13.x86_64.rpm
    sha:bcd62c4f63e141e39deaf37ac924d75c8d75de3c0927294f6ad8ec3c5919c424
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.