ELSA-2025-15123

Описание

httpd [2.4.37-65.5.0.1]

• Replace index.html with Oracle's index page oracle_index.html

[2.4.37-65.5]

• Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
• Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl
• Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption

[2.4.37-65.4]

• Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests

[2.4.37-65.3]

• Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with unicode characters in the name

[2.4.37-65.2]

• Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476)
• Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix

[2.4.37-65.1]

• Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)
• Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in mod_proxy (CVE-2024-38473)
• Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)
• Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference in mod_proxy (CVE-2024-38477)
• Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)

mod_http2 [1.15.7-10.4]

• Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)

[1.15.7-10.3]

• Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix
• Resolves: RHEL-59017 - random failures in other requests on http/2 stream when client resets one request

[1.15.7-10.2]

• Resolves: RHEL-71575: Wrong Content-Type when proxying using H2 protocol

[1.15.7-10.1]

• Resolves: RHEL-46214 - Access logs and ErrorDocument don't work when HTTP431 occurs using http/2 on RHEL8

mod_md