Release date:
2026-05-16 14:38:58 UTC
Description:
* SECURITY UPDATE: off-by-one OOB read in mod_proxy_ajp message getters
- debian/patches/CVE-2026-33857.patch: tighten length checks
(`> msg->len` -> `>= msg->len`) in ajp_msg_get_uint8/16/32 and
ajp_msg_peek_uint8/16 in modules/proxy/ajp_msg.c.
- CVE-2026-33857
* SECURITY UPDATE: heap over-read in mod_proxy_ajp via missing
null-termination check in ajp_msg_get_string()
- debian/patches/CVE-2026-34032.patch: switch the buffer overflow
check to compare against msg->len and verify the expected null
terminator is present before returning the pointer in
modules/proxy/ajp_msg.c.
- CVE-2026-34032
* SECURITY UPDATE: heap over-read and memory disclosure in
mod_proxy_ajp ajp_parse_data() via missing minimum message-length
validation
- debian/patches/CVE-2026-34059.patch: reject AJP data messages
whose `msg->len` is smaller than AJP_HEADER_LEN +
AJP_HEADER_SZ_LEN + 1 + 1 before computing expected_len in
modules/proxy/ajp_header.c.
- CVE-2026-34059
* SECURITY UPDATE: local information disclosure via .htaccess /
mod_setenvif / ProxyFCGISetEnvIf, where a non-privileged user
with .htaccess write access could read files accessible to the
httpd service account
- debian/patches/CVE-2026-24072.patch: pass
AP_EXPR_FLAG_RESTRICTED when parsing ap_expr expressions from
htaccess context in modules/mappers/mod_rewrite.c,
modules/metadata/mod_setenvif.c, and
modules/proxy/mod_proxy_fcgi.c.
- CVE-2026-24072
* SECURITY UPDATE: timing attack against mod_auth_digest allowing
bypass of Digest authentication
- debian/patches/CVE-2026-33006.patch: validate nonce and digest
lengths earlier and replace the strcmp of the nonce hash with
the constant-time apr_crypto_equals (apr-util >= 1.6) in
modules/aaa/mod_auth_digest.c; bump APU minimum to 1.6 in
configure.in.
- CVE-2026-33006
* SECURITY UPDATE: NULL pointer dereference in mod_authn_socache
crashes the child process in a caching forward proxy setup
- debian/patches/CVE-2026-33007.patch: validate the URL before
using the cache hash in construct_key() in
modules/aaa/mod_authn_socache.c.
- CVE-2026-33007
* SECURITY UPDATE: HTTP response splitting via newline/control
characters in an outgoing status line forwarded from a
compromised backend
- debian/patches/CVE-2026-33523.patch: reject status reason
strings that contain newlines or control characters in
modules/http/http_filters.c.
- CVE-2026-33523
Updated packages:
-
apache2_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:c3ef4d4ce18786768553b9bdd291e49bd1eab187
-
apache2-bin_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:c5116ae212c3879e21867b08994ee19068fbb8ab
-
apache2-data_2.4.41-4ubuntu3.23+tuxcare.els4_all.deb
sha:610e910f6507372dca860571d2b626db6b207806
-
apache2-dev_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:37eecf7462a422f62b745558a98b8bf7e82536c1
-
apache2-doc_2.4.41-4ubuntu3.23+tuxcare.els4_all.deb
sha:d56ae88cf5c3a3478548621087113fd67b0c6536
-
apache2-ssl-dev_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:eb05a8741724dcf59ce50fed52183c249f8a59b7
-
apache2-suexec-custom_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:ad95db3d63a09e77d58d1bf46842f9cc572e4322
-
apache2-suexec-pristine_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:8dba5ac7b6cd7141294570c2a25e02284ac31442
-
apache2-utils_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:5fba9373a00a7a9152a97926b8b985ab4901c413
-
libapache2-mod-md_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:594bf31a20cb7466797653b3e2812e6d038404e5
-
libapache2-mod-proxy-uwsgi_2.4.41-4ubuntu3.23+tuxcare.els4_amd64.deb
sha:f2c4cd8cea66b55b9fe46aeb8050fb37f185ea32
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
