Explore top 10 tips to secure your open-source projects now. Read More
×new version 2.4.68 fixes various security issues. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-37947358ea 2026-06-25 16:24:07.917255+00:00 -------------------------------------------------------------------------------- Name : httpd Product : Fedora 43 Version : 2.4.68 Release : 1.fc43 URL : https://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. -------------------------------------------------------------------------------- Update Information: new version 2.4.68 fixes various security issues -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 9 2026 Luboš Uhliarik - 2.4.68-1 - new version 2.4.68 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2486351 - httpd-2.4.68 is available https://bugzilla.redhat.com/show_bug.cgi?id=2486351 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-37947358ea' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 43 update for httpd 2.4.68 addresses critical security aspects. Upgrade recommended for enhanced protection.. Fedora httpd update Apache security fix. . Severity: Important. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-21391 http://linux.oracle.com/errata/ELSA-2026-21391.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: httpd-2.4.62-13.0.1.el9_8.1.x86_64.rpm httpd-core-2.4.62-13.0.1.el9_8.1.x86_64.rpm httpd-devel-2.4.62-13.0.1.el9_8.1.x86_64.rpm httpd-filesystem-2.4.62-13.0.1.el9_8.1.noarch.rpm httpd-manual-2.4.62-13.0.1.el9_8.1.noarch.rpm httpd-tools-2.4.62-13.0.1.el9_8.1.x86_64.rpm mod_ldap-2.4.62-13.0.1.el9_8.1.x86_64.rpm mod_lua-2.4.62-13.0.1.el9_8.1.x86_64.rpm mod_proxy_html-2.4.62-13.0.1.el9_8.1.x86_64.rpm mod_session-2.4.62-13.0.1.el9_8.1.x86_64.rpm mod_ssl-2.4.62-13.0.1.el9_8.1.x86_64.rpm aarch64: httpd-2.4.62-13.0.1.el9_8.1.aarch64.rpm httpd-core-2.4.62-13.0.1.el9_8.1.aarch64.rpm httpd-devel-2.4.62-13.0.1.el9_8.1.aarch64.rpm httpd-filesystem-2.4.62-13.0.1.el9_8.1.noarch.rpm httpd-manual-2.4.62-13.0.1.el9_8.1.noarch.rpm httpd-tools-2.4.62-13.0.1.el9_8.1.aarch64.rpm mod_ldap-2.4.62-13.0.1.el9_8.1.aarch64.rpm mod_lua-2.4.62-13.0.1.el9_8.1.aarch64.rpm mod_proxy_html-2.4.62-13.0.1.el9_8.1.aarch64.rpm mod_session-2.4.62-13.0.1.el9_8.1.aarch64.rpm mod_ssl-2.4.62-13.0.1.el9_8.1.aarch64.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/httpd-2.4.62-13.0.1.el9_8.1.src.rpm Related CVEs: CVE-2026-28780 CVE-2026-33007 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059 Description of changes: [2.4.62-13.0.1.el9_8.1] - Replace index.html with Oracle's index page oracle_index.html. [2.4.62-13.1] - Resolves: RHEL-173555 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780) - Resolves: RHEL-175080 - httpd: NULL pointer dereference can cause a child process crash (CVE-2026-33007) - Resolves: RHEL-175100 - httpd: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857) - Resolves: RHEL-175028 - httpd: heap-based buffer over-read due to missing null-termination check (CVE-2026-34032) - Resolves: RHEL-175062 - httpd: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059) _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-25090 http://linux.oracle.com/errata/ELSA-2026-25090.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable LinuxNetwork: x86_64: httpd-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm httpd-devel-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.noarch.rpm httpd-manual-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.noarch.rpm httpd-tools-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm mod_http2-1.15.7-10.module+el8.10.0+90909+2fc0e3ca.6.x86_64.rpm mod_ldap-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm mod_md-2.0.8-8.module+el8.10.0+90899+db89cbcc.2.x86_64.rpm mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm mod_session-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm mod_ssl-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.x86_64.rpm aarch64: httpd-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm httpd-devel-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.noarch.rpm httpd-manual-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.noarch.rpm httpd-tools-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm mod_http2-1.15.7-10.module+el8.10.0+90909+2fc0e3ca.6.aarch64.rpm mod_ldap-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm mod_md-2.0.8-8.module+el8.10.0+90899+db89cbcc.2.aarch64.rpm mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm mod_session-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm mod_ssl-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/httpd-2.4.37-65.0.1.module+el8.10.0+90909+2fc0e3ca.8.src.rpm http://oss.oracle.com/ol8/SRPMS-updates/mod_http2-1.15.7-10.module+el8.10.0+90909+2fc0e3ca.6.src.rpm http://oss.oracle.com/ol8/SRPMS-updates/mod_md-2.0.8-8.module+el8.10.0+90899+db89cbcc.2.src.rpm Related CVEs: CVE-2026-49975 Description of changes: httpd [2.4.37-65.0.1.8] - Replace index.html with Oracle's index page oracle_index.html [2.4.37-65.8] - Resolves: RHEL-173558 - httpd:2.4/httpd:Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780) - Resolves: RHEL-175074 - httpd:2.4/httpd: NULL pointer dereference can cause a child process crash (CVE-2026-33007) - Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857) - Resolves: RHEL-175620 - httpd:2.4/httpd: NULL pointer dereference via specially crafted request (CVE-2026-29169) - Resolves: RHEL-175055 - httpd: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059) [2.4.37-65.7] - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (CVE-2025-66200) - Resolves: RHEL-135039 - httpd: Apache HTTP Server: CGI environment variable override (CVE-2025-65082) - Resolves: RHEL-134471 - httpd: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (CVE-2025-58098) [2.4.37-65.6] - Resolves: RHEL-127073 - mod_ssl: allow more fine grained SSL SNI vhost check to avoid unnecessary 421 errors after CVE-2025-23048 fix - mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default [2.4.37-65.5] - Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade - Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl - Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption [2.4.37-65.4] - Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests [2.4.37-65.3] - Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with unicode characters in the name [2.4.37-65.2] - Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476) - Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix [2.4.37-65.1] - Resolves: RHEL-45812 - httpd:2.4/httpd:Substitution encoding issue in mod_rewrite (CVE-2024-38474) - Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in mod_proxy (CVE-2024-38473) - Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475) - Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference in mod_proxy (CVE-2024-38477) - Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF in mod_rewrite (CVE-2024-39573) [2.4.37-65] - Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response splitting (CVE-2023-38709) mod_http2 [1.15.7-10.6] - Resolves: RHEL-182418 - mod_http2: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975) [1.15.7-10.5] - Resolves: RHEL-166277 - httpd:2.4/httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020) [1.15.7-10.4] - Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630) [1.15.7-10.3] - Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix - Resolves: RHEL-59017 - random failures in other requests on http/2 stream when client resets one request [1.15.7-10.2] - Resolves: RHEL-71575: Wrong Content-Type when proxying using H2 protocol [1.15.7-10.1] - Resolves: RHEL-46214 - Access logs and ErrorDocument don't work when HTTP431 occurs using http/2 on RHEL8 [1.15.7-10] - Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames DoS (CVE-2024-27316) [1.15.7-9.3] - Resolves: RHEL-13367 - httpd:2.4/mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487)(CVE-2023-45802) [1.15.7-8.3] - Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting with mod_rewrite and mod_proxy [1.15.7-7] - Resolves: #2095650 - Dependency from mod_http2 on httpd broken mod_md [1:2.0.8-8.2] - Resolves: RHEL-134487 - httpd:2.4/httpd: Apache HTTP Server: mod_md (ACME), unintended retry intervals (CVE-2025-55753) [1:2.0.8-8] - Resolves:#1832844 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources [1:2.0.8-7] - Resolves: #1747912 - add a2md(1) documentation [1:2.0.8-6] - Resolves: #1781263 - mod_md ACMEv1 crash [1:2.0.8-5] - Resolves: #1747898 - add mod_md package [1:2.0.8-4] - require mod_ssl, update package description [1:2.0.8-3] - rebuild against 2.4.41 [1:2.0.8-2] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild [1:2.0.8-1] - update to 2.0.8 [2.0.3-1] - Initial import (#1719248). _______________________________________________ El-errata mailing list
new version 2.4.68 fixes various security issues. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-d4136fe979 2026-06-11 00:54:51.286493+00:00 -------------------------------------------------------------------------------- Name : httpd Product : Fedora 44 Version : 2.4.68 Release : 1.fc44 URL : https://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. -------------------------------------------------------------------------------- Update Information: new version 2.4.68 fixes various security issues -------------------------------------------------------------------------------- ChangeLog: * Tue Jun 9 2026 Luboš Uhliarik - 2.4.68-1 - new version 2.4.68 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2486351 - httpd-2.4.68 is available https://bugzilla.redhat.com/show_bug.cgi?id=2486351 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-d4136fe979' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Fedora 44 Apache httpd version 2.4.68 includes fixes for various security issues. Stay updated with this release.. Fedora 44, httpd 2.4.68, security updates, Apache fixes. . LinuxSecurity.com Team
New httpd packages are available for Slackware 15.0 and -current to fix a security issue.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] httpd (SSA:2026-154-01) New httpd packages are available for Slackware 15.0 and -current to fix a security issue. Here are the details from the Slackware 15.0 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.67-i586-2_slack15.0.txz: Rebuilt. This update fixes "HTTP/2 Bomb", a resource exhaustion denial-of-service attack against HTTP/2. For more information, see: https://seclists.org/oss-sec/2026/q2/790 https://www.cve.org/CVERecord?id=CVE-2026-49975 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 15.0: ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/httpd-2.4.67-i586-2_slack15.0.txz Updated package for Slackware x86_64 15.0: ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/httpd-2.4.67-x86_64-2_slack15.0.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.67-i686-2.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.67-x86_64-2.txz MD5 signatures: +-------------+ Slackware 15.0 package: fe1db72c286841174ff38534c6e6918d httpd-2.4.67-i586-2_slack15.0.txz Slackware x86_64 15.0 package: b14dd1a6d97a842eee7a5ecd7b8f0855 httpd-2.4.67-x86_64-2_slack15.0.txz Slackware -current package: eee9bd40cb210f87590334e724d2bde0 n/httpd-2.4.67-i686-2.txz Slackware x86_64 -current package: 594fcc2edd5ca2f41a3aade3b7d467bb n/httpd-2.4.67-x86_64-2.txz Installationinstructions: +------------------------+ Upgrade the package as root: # upgradepkg httpd-2.4.67-i586-2_slack15.0.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ . New httpd packages address security issues in Slackware 15.0 and -current ensuring system stability. Updates recommended.. HTTPD Security Update, Slackware Linux, Resource Exhaustion, Denial of Service, Security Advisory. . Severity: Important. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-22140 http://linux.oracle.com/errata/ELSA-2026-22140.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable LinuxNetwork: x86_64: httpd-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm httpd-devel-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.noarch.rpm httpd-manual-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.noarch.rpm httpd-tools-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm mod_http2-1.15.7-10.module+el8.10.0+90899+db89cbcc.5.x86_64.rpm mod_ldap-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm mod_md-2.0.8-8.module+el8.10.0+90899+db89cbcc.2.x86_64.rpm mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm mod_session-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm mod_ssl-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.x86_64.rpm aarch64: httpd-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm httpd-devel-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.noarch.rpm httpd-manual-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.noarch.rpm httpd-tools-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm mod_http2-1.15.7-10.module+el8.10.0+90899+db89cbcc.5.aarch64.rpm mod_ldap-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm mod_md-2.0.8-8.module+el8.10.0+90899+db89cbcc.2.aarch64.rpm mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm mod_session-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm mod_ssl-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/httpd-2.4.37-65.0.1.module+el8.10.0+90899+db89cbcc.7.src.rpm http://oss.oracle.com/ol8/SRPMS-updates/mod_http2-1.15.7-10.module+el8.10.0+90899+db89cbcc.5.src.rpm http://oss.oracle.com/ol8/SRPMS-updates/mod_md-2.0.8-8.module+el8.10.0+90899+db89cbcc.2.src.rpm Related CVEs: CVE-2025-53020 CVE-2026-28780 CVE-2026-33007 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059 Description of changes: httpd [2.4.37-65.0.1.7] - Replace index.html with Oracle's index pageoracle_index.html mod_http2 [1.15.7-10.5] - Resolves: RHEL-166277 - httpd:2.4/httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020) mod_md [1:2.0.8-8.2] - Resolves: RHEL-134487 - httpd:2.4/httpd: Apache HTTP Server: mod_md (ACME), unintended retry intervals (CVE-2025-55753) _______________________________________________ El-errata mailing list
new version 2.4.67. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-0c87f546f8 2026-05-24 00:50:16.962711+00:00 -------------------------------------------------------------------------------- Name : httpd Product : Fedora 43 Version : 2.4.67 Release : 1.fc43 URL : https://httpd.apache.org/ Summary : Apache HTTP Server Description : The Apache HTTP Server is a powerful, efficient, and extensible web server. -------------------------------------------------------------------------------- Update Information: new version 2.4.67 -------------------------------------------------------------------------------- ChangeLog: * Wed May 6 2026 Lubo\u0161 Uhliarik - 2.4.67-1 - new version 2.4.67 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2464943 - httpd-2.4.67 is available https://bugzilla.redhat.com/show_bug.cgi?id=2464943 [ 2 ] Bug #2466956 - CVE-2026-28780 httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2466956 [ 3 ] Bug #2469229 - CVE-2026-34032 httpd: heap-based buffer over-read due to missing null-termination check [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2469229 [ 4 ] Bug #2469240 - CVE-2026-34059 httpd: heap-based buffer over-read and memory disclosure in ajp_parse_data() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2469240 [ 5 ] Bug #2469242 - CVE-2026-33007 httpd: NULL pointer dereference can cause a child process crash [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2469242 [ 6 ] Bug #2469243 - CVE-2026-33857 httpd: off-by-one out-of-bounds reads in AJP getter functions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2469243 [ 7 ] Bug #2476561 - CVE-2026-33006 httpd: timing attack allows a bypass of digest authentication[fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2476561 [ 8 ] Bug #2476562 - CVE-2026-29169 httpd: NULL pointer dereference via specially crafted request [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2476562 [ 9 ] Bug #2476563 - CVE-2026-33523 httpd: HTTP response splitting forwarding malicious status line [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2476563 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-0c87f546f8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . A critical update for Fedora 43 httpd addresses new vulnerabilities and enhances security for users. Read more!. Fedora httpd update, security advisory, buffer overflow vulnerability, Apache server update. . Severity: Important. LinuxSecurity.com Team
New httpd packages are available for Slackware 15.0 and -current to fix security issues.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] httpd (SSA:2026-124-01) New httpd packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.67-i586-1_slack15.0.txz: Upgraded. This release fixes bugs and the following security issues: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data(). mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check. Off-by-one OOB reads in AJP getter functions. HTTP response splitting forwarding malicious status line. mod_authn_socache crash. mod_auth_digest timing attack. mod_md unrestricted OCSP response. buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). mod_rewrite elevation of privileges via ap_expr. http2: double free and possible RCE on early reset. For more information, see: https://downloads.apache.org/httpd/CHANGES_2.4.67 https://www.cve.org/CVERecord?id=CVE-2026-34059 https://www.cve.org/CVERecord?id=CVE-2026-34032 https://www.cve.org/CVERecord?id=CVE-2026-33857 https://www.cve.org/CVERecord?id=CVE-2026-33523 https://www.cve.org/CVERecord?id=CVE-2026-33007 https://www.cve.org/CVERecord?id=CVE-2026-33006 https://www.cve.org/CVERecord?id=CVE-2026-29169 https://www.cve.org/CVERecord?id=CVE-2026-29168 https://www.cve.org/CVERecord?id=CVE-2026-28780 https://www.cve.org/CVERecord?id=CVE-2026-24072 https://www.cve.org/CVERecord?id=CVE-2026-23918 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package forSlackware 15.0: ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/httpd-2.4.67-i586-1_slack15.0.txz Updated package for Slackware x86_64 15.0: ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/httpd-2.4.67-x86_64-1_slack15.0.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.67-i686-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.67-x86_64-1.txz MD5 signatures: +-------------+ Slackware 15.0 package: 40ae34142dbfef476bca1cb0ff03ae48 httpd-2.4.67-i586-1_slack15.0.txz Slackware x86_64 15.0 package: d0f86d622aeae7fbc4f2ac87f6dcd22b httpd-2.4.67-x86_64-1_slack15.0.txz Slackware -current package: a7cae891b9054296e09995e8806bea99 n/httpd-2.4.67-i686-1.txz Slackware x86_64 -current package: 3508b66e51e6391820f5c291760324a5 n/httpd-2.4.67-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg httpd-2.4.67-i586-1_slack15.0.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ . New Slackware httpd update addresses critical issues including memory disclosure and potential DoS threats.. Slacker security slackware httpd update critical fix. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.