Описание
ELSA-2025-23732: httpd:2.4 security update (IMPORTANT)
httpd [2.4.37-65.0.1.7]
- Replace index.html with Oracle's index page oracle_index.html
[2.4.37-65.7]
- Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (CVE-2025-66200)
- Resolves: RHEL-135039 - httpd: Apache HTTP Server: CGI environment variable override (CVE-2025-65082)
- Resolves: RHEL-134471 - httpd: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (CVE-2025-58098)
[2.4.37-65.6]
- Resolves: RHEL-127073 - mod_ssl: allow more fine grained SSL SNI vhost check to avoid unnecessary 421 errors after CVE-2025-23048 fix
- mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default
[2.4.37-65.5]
- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl
- Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption
[2.4.37-65.4]
- Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests
[2.4.37-65.3]
- Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with unicode characters in the name
[2.4.37-65.2]
- Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476)
- Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix
[2.4.37-65.1]
- Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference in mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)
[2.4.37-65]
- Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response splitting (CVE-2023-38709)
[2.4.37-64]
- Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)
mod_http2 [1.15.7-10.4]
- Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)
[1.15.7-10.3]
- Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix
- Resolves: RHEL-59017 - random failures in other requests on http/2 stream when client resets one request
[1.15.7-10.2]
- Resolves: RHEL-71575: Wrong Content-Type when proxying using H2 protocol
[1.15.7-10.1]
- Resolves: RHEL-46214 - Access logs and ErrorDocument don't work when HTTP431 occurs using http/2 on RHEL8
[1.15.7-10]
- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames DoS (CVE-2024-27316)
[1.15.7-9.3]
- Resolves: RHEL-13367 - httpd:2.4/mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487)(CVE-2023-45802)
[1.15.7-8.3]
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting with mod_rewrite and mod_proxy
[1.15.7-7]
- Resolves: #2095650 - Dependency from mod_http2 on httpd broken
[1.15.7-6]
- Backport SNI feature refactor
- Resolves: rhbz#2137257
[1.15.7-5]
- Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference or SSRF in forward proxy configurations
mod_md [1:2.0.8-8.2]
- Resolves: RHEL-134487 - httpd:2.4/httpd: Apache HTTP Server: mod_md (ACME), unintended retry intervals (CVE-2025-55753)
[1:2.0.8-8]
- Resolves: #1832844 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources
[1:2.0.8-7]
- Resolves: #1747912 - add a2md(1) documentation
[1:2.0.8-6]
- Resolves: #1781263 - mod_md ACMEv1 crash
[1:2.0.8-5]
- Resolves: #1747898 - add mod_md package
[1:2.0.8-4]
- require mod_ssl, update package description
[1:2.0.8-3]
- rebuild against 2.4.41
[1:2.0.8-2]
[1:2.0.8-1]
- update to 2.0.8
[2.0.3-1]
- Initial import (#1719248).
Обновленные пакеты
Oracle Linux 8
Oracle Linux aarch64
Module httpd:2.4 is enabled
httpd
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-devel
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-filesystem
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-manual
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-tools
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_http2
1.15.7-10.module+el8.10.0+90652+bef864ba.4
mod_ldap
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_md
2.0.8-8.module+el8.10.0+90740+3332f30e.2
mod_proxy_html
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_session
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_ssl
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
Oracle Linux x86_64
Module httpd:2.4 is enabled
httpd
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-devel
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-filesystem
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-manual
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
httpd-tools
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_http2
1.15.7-10.module+el8.10.0+90652+bef864ba.4
mod_ldap
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_md
2.0.8-8.module+el8.10.0+90740+3332f30e.2
mod_proxy_html
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_session
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
mod_ssl
2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7
