This update for apache2 fixes the following issues:
- CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957).
- CVE-2026-24072: `mod_rewrite` elevation of privileges via `ap_expr` (bsc#1263935).
- CVE-2026-28780: heap buffer overflow in `mod_proxy_ajp` via `ajp_msg_check_header()` (bsc#1264163).
- CVE-2026-29168: allocation of resources without limits in `mod_md` via OCSP response (bsc#1264150).
- CVE-2026-29169: NULL pointer dereference in `mod_dav_lock` allows server crash via malicious requests (bsc#1263956).
- CVE-2026-33006: `mod_auth_digest` timing attack allows bypass of Digest authentication (bsc#1263955).
- CVE-2026-33007: NULL pointer dereference in `mod_authn_socache` allows an unauthenticated remote user to crash child processes (bsc#1263954).
- CVE-2026-33523: HTTP response splitting forwarding malicious status line (bsc#1263953).
- CVE-2026-33857: off-by-one OOB reads in AJP getter functions (bsc#1263952).
- CVE-2026-34032: heap buffer overread in...
- openSUSE Leap 16.0:
apache2-2.4.66-160000.2.1
apache2-devel-2.4.66-160000.2.1
apache2-event-2.4.66-160000.2.1
apache2-manual-2.4.66-160000.2.1
apache2-prefork-2.4.66-160000.2.1
apache2-utils-2.4.66-160000.2.1
apache2-worker-2.4.66-160000.2.1
* bsc#1263935
* bsc#1263950
* bsc#1263951
* bsc#1263952
* bsc#1263953
* bsc#1263954
* bsc#1263955
* bsc#1263956
* bsc#1263957
* bsc#1264150
* bsc#1264163
References:
* https://www.suse.com/security/cve/CVE-2026-23918.html
* https://www.suse.com/security/cve/CVE-2026-24072.html
* https://www.suse.com/security/cve/CVE-2026-28780.html
* https://www.suse.com/security/cve/CVE-2026-29168.html
* https://www.suse.com/security/cve/CVE-2026-29169.html
* https://www.suse.com/security/cve/CVE-2026-33006.html
* https://www.suse.com/security/cve/CVE-2026-33007.html
* https://www.suse.com/security/cve/CVE-2026-33523.html
* https://www.suse.com/security/cve/CVE-2026-33857.html
* https://www.suse.com/security/cve/CVE-2026-34032.html
* https://www.suse.com/security/cve/CVE-2026-34059.html