New version 2.4.64 and security fixes.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-f94e6fe0b4
2025-10-16 01:34:27.713863+00:00
--------------------------------------------------------------------------------

Name        : httpd
Product     : Fedora 41
Version     : 2.4.64
Release     : 1.fc41
URL         : https://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible web server.
--------------------------------------------------------------------------------
Update Information:

New version 2.4.64 and security fixes
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 11 2025 Luboš Uhliarik - 2.4.64-1
- new version 2.4.64
* Tue Jun 24 2025 Joe Orton - 2.4.63-4
- mod_dav: add dav_get_base_path() API
* Mon Feb 10 2025 Joe Orton - 2.4.63-3
- sync default httpd.conf with upstream
* Sat Feb  1 2025 Björn Esser - 2.4.63-2
- Add explicit BR: libxcrypt-devel
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2379862 - CVE-2024-42516 httpd: incomplete fix for CVE-2023-38709 [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2379862
  [ 2 ] Bug #2379864 - CVE-2024-43204 httpd: SSRF in Apache HTTP Server with mod_proxy loaded [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2379864
  [ 3 ] Bug #2379866 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2379866
  [ 4 ] Bug #2379868 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2379868
  [ 5 ] Bug #2382578 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade [fedora-41]
        https://bugzilla.redhat.com/show_bug.cgi?id=2382578
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-f94e6fe0b4' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

Severity: Critical.
Oracle Linux Security Advisory ELSA-2025-15123
http://linux.oracle.com/errata/ELSA-2025-15123.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
httpd-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm
httpd-devel-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm
httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.noarch.rpm
httpd-manual-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.noarch.rpm
httpd-tools-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm
mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.x86_64.rpm
mod_ldap-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm
mod_md-2.0.8-8.module+el8.9.0+90011+2f9c6a23.x86_64.rpm
mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm
mod_session-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm
mod_ssl-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.x86_64.rpm

aarch64:
httpd-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm
httpd-devel-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm
httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.noarch.rpm
httpd-manual-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.noarch.rpm
httpd-tools-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm
mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.aarch64.rpm
mod_ldap-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm
mod_md-2.0.8-8.module+el8.9.0+90011+2f9c6a23.aarch64.rpm
mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm
mod_session-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm
mod_ssl-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates/httpd-2.4.37-65.0.1.module+el8.10.0+90652+bef864ba.5.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.src.rpm
http://oss.oracle.com/ol8/SRPMS-updates/mod_md-2.0.8-8.module+el8.9.0+90011+2f9c6a23.src.rpm

Related CVEs:
CVE-2024-47252
CVE-2025-23048
CVE-2025-49630
CVE-2025-49812

Description of changes:

httpd
[2.4.37-65.5.0.1]
- Replace index.html with Oracle's index page oracle_index.html

[2.4.37-65.5]
- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl
- Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption

[2.4.37-65.4]
- Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests

[2.4.37-65.3]
- Resolves: RHEL-56068 - Apache HTTPD no longer parses PHP files with unicode characters in the name

[2.4.37-65.2]
- Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476)
- Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix

[2.4.37-65.1]
- Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference in mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)

mod_http2
[1.15.7-10.4]
- Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)

[1.15.7-10.3]
- Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix
- Resolves: RHEL-59017 - random failures in other requests on http/2 stream when client resets one request

[1.15.7-10.2]
- Resolves: RHEL-71575: Wrong Content-Type when proxying using H2 protocol

[1.15.7-10.1]
- Resolves: RHEL-46214 - Access logs and ErrorDocument don't work when HTTP431 occurs using http/2 on RHEL8

mod_md
Oracle Linux Security Advisory ELSA-2025-15023
http://linux.oracle.com/errata/ELSA-2025-15023.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
httpd-2.4.62-4.0.1.el9_6.4.x86_64.rpm
httpd-core-2.4.62-4.0.1.el9_6.4.x86_64.rpm
httpd-devel-2.4.62-4.0.1.el9_6.4.x86_64.rpm
httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-tools-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_ldap-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_lua-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_proxy_html-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_session-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_ssl-2.4.62-4.0.1.el9_6.4.x86_64.rpm

aarch64:
httpd-2.4.62-4.0.1.el9_6.4.aarch64.rpm
httpd-core-2.4.62-4.0.1.el9_6.4.aarch64.rpm
httpd-devel-2.4.62-4.0.1.el9_6.4.aarch64.rpm
httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-tools-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_ldap-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_lua-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_proxy_html-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_session-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_ssl-2.4.62-4.0.1.el9_6.4.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/httpd-2.4.62-4.0.1.el9_6.4.src.rpm

Related CVEs:
CVE-2024-47252
CVE-2025-23048
CVE-2025-49812

Description of changes:

[2.4.62-4.0.1.4]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.62-4.4]
- Resolves: RHEL-99949 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade

[2.4.62-4.1]
- Resolves: RHEL-99972 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl
- Resolves: RHEL-99963 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption
- Resolves: RHEL-102079 - stickysession field does not work when specifying it in the query parameter after upgrade to 9.5

[2.4.62-4]
- Resolves: RHEL-66488 - Apache HTTPD no longer parses PHP files with unicode characters in the name

[2.4.62-3]
- Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket) configured in .htaccess doesn't work on httpd-2.4.62-1

[2.4.62-2]
- mod_ssl: fix loading keys via ENGINE API
  Resolves: RHEL-36755

[2.4.62-1]
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix

[2.4.59-7]
- Resolves: RHEL-49856: htcacheclean.service missing [Install] section

[2.4.59-6]
- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
  Related: RHEL-14668

[2.4.59-5]
- mod_ssl: defer ENGINE_finish() calls to a cleanup
  Resolves: RHEL-36755

[2.4.59-4]
- Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers

[2.4.59-3]
- Related: RHEL-14668 - RFE: httpd rebase to 2.4.59

[2.4.59-2]
- Resolves: RHEL-35870 - httpd mod_cgi/cgid unification

[2.4.59-1]
- new version 2.4.59
- Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59
- Resolves: RHEL-31856 - httpd: HTTP response splitting (CVE-2023-38709)
- Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple modules (CVE-2024-24795)

[2.4.57-8]
- mod_xml2enc: fix media type handling
  Resolves: RHEL-17686
- mod_dav: add DavBasePath
  Resolves: RHEL-6600

[2.4.57-7]
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)

[2.4.57-6]
- Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
- mod_dav_fs: add global mutex around lockdb interaction
An XSS vulnerability was discovered in Horde IMP, the webmail component of the Horde groupware platform. An attacker could hijack a user session by sending a crafted e-mail to an IMP user.

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4113-1
Several security issues were fixed in Synapse.

=========================================================================
Ubuntu Security Notice USN-6076-1
May 16, 2023

matrix-synapse vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 ESM

Summary:

Several security issues were fixed in Synapse.

Software Description:
- matrix-synapse: Synapse: Matrix homeserver written in Python/Twisted.

Details:

It was discovered that Synapse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2019-18835, CVE-2018-12291, CVE-2018-10657)

It was discovered that Synapse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to hijack the session. (CVE-2019-11842, CVE-2018-12423)

It was discovered that Synapse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform spoofing or user impersonation. (CVE-2019-5885, CVE-2018-16515)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 ESM:
  matrix-synapse    0.24.0+dfsg-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6076-1
  CVE-2018-10657, CVE-2018-12291, CVE-2018-12423, CVE-2018-16515, CVE-2019-11842, CVE-2019-18835, CVE-2019-5885

Severity: Critical.
SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1062-1
Container Tags        : bci/dotnet-aspnet:6.0 , bci/dotnet-aspnet:6.0-18.7 , bci/dotnet-aspnet:6.0.5 , bci/dotnet-aspnet:6.0.5-18.7 , bci/dotnet-aspnet:latest
Container Release     : 18.7
Severity              : important
Type                  : security
References            : 1197771 1197794 1198446 1198614 1198723 1198766 1199240 CVE-2022-1304 CVE-2022-22576 CVE-2022-27775 CVE-2022-27776 CVE-2022-29155
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released:    Fri May 13 15:36:10 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1197794
This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1657-1
Released:    Fri May 13 15:39:07 2022
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776
This update for curl fixes the following issues:

- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1658-1
Released:    Fri May 13 15:40:20 2022
Summary:     Recommended update for libpsl
Type:        recommended
Severity:    important
References:  1197771
This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1670-1
Released:    Mon May 16 10:06:30 2022
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1199240,CVE-2022-29155
This update for openldap2 fixes the following issues:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1688-1
Released:    Mon May 16 14:02:49 2022
Summary:     Security update for e2fsprogs
Type:        security
Severity:    important
References:  1198446,CVE-2022-1304
This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

The following package changes have been done:

- libldap-data-2.4.46-150200.14.8.1 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libpsl5-0.20.1-150000.3.3.1 updated
- libldap-2_4-2-2.4.46-150200.14.8.1 updated
- libcurl4-7.66.0-150200.4.30.1 updated
- pam-1.3.0-150000.6.58.3 updated
- container:sles15-image-15.0.0-17.14.16 updated

Severity: Important.
SUSE Security Update: Security update for rubygem-rack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:2678-1
Rating:             moderate
References:         #1159548 #1172037 #1173351
Cross-References:   CVE-2019-16782 CVE-2020-8161 CVE-2020-8184
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 7
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for rubygem-rack to version 1.6.13 fixes the following issues:

- CVE-2020-8184: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1173351).
- CVE-2020-8161: Fixed a directory traversal (bsc#1172037).
- CVE-2019-16782: Fixed an information leak / session hijack vulnerability (bsc#1159548).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-2678=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-2678=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-2678=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  ruby2.1-rubygem-rack-1.6.13-3.8.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  ruby2.1-rubygem-rack-1.6.13-3.8.1
- SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
  ruby2.1-rubygem-rack-1.6.13-3.8.1

References:

https://www.suse.com/security/cve/CVE-2019-16782.html
https://www.suse.com/security/cve/CVE-2020-8161.html
https://www.suse.com/security/cve/CVE-2020-8184.html
https://bugzilla.suse.com/1159548
https://bugzilla.suse.com/1172037
https://bugzilla.suse.com/1173351
MGASA-2020-0252 - Updated ruby-rack packages fix security vulnerability

Publication date: 10 Jun 2020
URL: https://advisories.mageia.org/MGASA-2020-0252.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-8161, CVE-2019-16782

Updated ruby-rack packages fix security vulnerabilities:

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison (CVE-2019-16782).

If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer (CVE-2020-8161).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26688
- https://bugs.mageia.org/show_bug.cgi?id=25915
- https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
- https://lists.fedoraproject.org/archives/list/
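As an added illustration of the session-id lookup issue behind CVE-2019-16782 (example code written for this page, not Rack's own implementation and not part of the Mageia advisory): the early-exit comparison that leaks timing, beside a constant-time comparison in the spirit of Rack::Utils.secure_compare, and a store that indexes sessions by a SHA-256 hash of the id so that whatever timing the index leaks reveals only hash bytes, not the id the client must present. `HashedSessionStore`, `weak_match?` and `private_id` are names invented for this example.

```ruby
require "digest"
require "openssl"

# Weak pattern: String#== returns at the first differing byte, so the
# time a lookup takes grows with the length of the matching prefix.
def weak_match?(stored, supplied)
  stored == supplied
end

# Constant-time comparison: XOR every byte pair and OR the results, so
# the work done depends only on the length, never on where bytes differ.
# Same idea as Rack::Utils.secure_compare; reimplemented here to show it.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Second defence: derive the store key from the public id with a hash.
# Even if the backing store compares keys with an early-exit scheme, a
# timing leak now narrows down hash bytes, which do not let the attacker
# reconstruct the public id that the cookie must carry.
def private_id(public_id)
  Digest::SHA256.hexdigest(public_id)
end

class HashedSessionStore
  def initialize
    @data = {}   # constructed in-memory backing store for the example
  end

  def write(public_id, value)
    @data[private_id(public_id)] = value
  end

  # The store only ever sees the derived key, never the raw id.
  def read(public_id)
    @data[private_id(public_id)]
  end
end

# Fresh ids come from the OS CSPRNG (128 bits, hex encoded).
def new_session_id
  OpenSSL::Random.random_bytes(16).unpack1("H*")
end

if __FILE__ == $PROGRAM_NAME
  store = HashedSessionStore.new
  sid = new_session_id
  store.write(sid, { "user" => "alice" })
  puts "lookup by id: #{store.read(sid).inspect}"
  puts "secure_compare same:  #{secure_compare(sid, sid)}"
  puts "secure_compare other: #{secure_compare(sid, new_session_id)}"
end
```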