ELSA-2026-0075

Published: 09 Jan 2026
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2026-0075: httpd security update (IMPORTANT)

[2.4.6-99.0.9.1]

  • Fix CVE-2025-58098 [Orabug: 38816066]

[2.4.6-99.0.7.1]

  • Fixed security update CVE-2024-47252 CVE-2025-49812 [Orabug: 38378160]

[2.4.6-99.0.5.1]

  • Differentiate trusted sources [Orabug: 37100272][CVE-2024-38476]

[2.4.6-99.0.3.1]

  • Opt-ins for unsafe prefix_stat and %3f [Orabug: 36904263][CVE-2024-38474][CVE-2024-38475]
  • mod_proxy: validate hostname [Orabug: 36904263][CVE-2024-38477]

[2.4.6-99.1.0.1]

  • mod_proxy: ap_proxy_http_request() to clear hop-by-hop first and fixup last [CVE-2022-31813][Orabug: 34381850]
  • mod_session: save one apr_strtok() [Orabug: 33338149][CVE-2021-26690]
  • replace index.html with Oracle's index page oracle_index.html

[2.4.6-99.1]

  • Resolves: #2190143 - mod_rewrite regression with CVE-2023-25690

[2.4.6-97.7]

  • Resolves: #2177742 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

[2.4.6-97.6]

  • Resolves: #2101997 - HEAD request with a 404 and custom ErrorPage causes corrupt and mixed-up responses

[2.4.6-97.5]

  • Resolves: #2065243 - CVE-2022-22720 httpd: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier

[2.4.6-97.4]

  • Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests
  • Resolves: #2031074 - CVE-2021-39275 httpd: out-of-bounds write in ap_escape_quotes() via malicious input
  • Resolves: #1969226 - CVE-2021-26691 httpd: Heap overflow in mod_session

Updated packages

Oracle Linux 7

Oracle Linux x86_64

  • httpd: 2.4.6-99.0.9.el7_9.1
  • httpd-devel: 2.4.6-99.0.9.el7_9.1
  • httpd-manual: 2.4.6-99.0.9.el7_9.1
  • httpd-tools: 2.4.6-99.0.9.el7_9.1
  • mod_ldap: 2.4.6-99.0.9.el7_9.1
  • mod_proxy_html: 2.4.6-99.0.9.el7_9.1
  • mod_session: 2.4.6-99.0.9.el7_9.1
  • mod_ssl: 2.4.6-99.0.9.el7_9.1

Related CVEs

Related vulnerabilities

CVSS3: 8.3
ubuntu
2 months ago

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CVSS3: 8.3
nvd
2 months ago

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

CVSS3: 8.3
msrc
about 2 months ago

Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...

CVSS3: 8.3
debian
2 months ago

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) ...

CVSS3: 8.3
github
2 months ago

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.