Source: apache2
Version: 2.4.67-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for apache2.
CVE-2026-29167[0]:
| Use After Free vulnerability in Apache HTTP Server with mod_ldap in
| per-directory configuration This issue affects Apache HTTP Server:
| from 2.4.0 through 2.4.67. Users are recommended to upgrade to
| version 2.4.68, which fixes the issue.
CVE-2026-29170[1]:
| A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML
| directory list generation in Apache HTTP Server 2.4.67 and earlier
| when listing FTP directory contents either via forward or reverse
| proxy configuration. Users are recommended to upgrade to version
| 2.4.68, which fixes this issue.
CVE-2026-34355[2]:
| A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and
| earlier allows an attack by an untrusted backend. Users are
| recommended to upgrade to version 2.4.68, which fixes this issue.
CVE-2026-34356[3]:
| Heap-based Buffer Overflow vulnerability in Apache HTTP Server with
| malicious backend servers and ProxyPassReverseCookie* This issue
| affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are
| recommended to upgrade to version 2.4.68, which fixes the issue.
CVE-2026-42535[4]:
| A path handling issue in mod_dav_fs in Apache 2.4.67 and
| earlier allows a WebDAV content author to directly manipulate
| trusted DAV property databases, potentially causing child process
| crashes. Users are recommended to upgrade to version 2.4.68, which
| fixes this issue.
CVE-2026-42536[5]:
| Heap-based Buffer Overflow vulnerability in Apache HTTP Server
| with mod_xml2enc, xml2StartParse, and untrusted content This issue
| affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are
| recommended to upgrade to version 2.4.68, which fixes the issue.
CVE-2026-43951[6]:
| Out-of-bounds Read vulnerability in Apache HTTP Server with
| mod_headers and mod_mime and multiple response languages. This
| issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
CVE-2026-44119[7]:
| Improper Privilege Management vulnerability in Apache HTTP Server
| 2.4.67 and earlier allows local .htaccess authors to read files with
| the privileges of the httpd user. This issue affects Apache HTTP
| Server: from through 2.4.67. Users are recommended to upgrade to
| version 2.4.68, which fixes the issue.
CVE-2026-44185[8]:
| Buffer Over-read vulnerability in Apache HTTP Server via outbound
| OCSP requests to an attacker controlled OCSP server This issue
| affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are
| recommended to upgrade to version 2.4.68, which fixes the issue.
CVE-2026-44186[9]:
| Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
| in the mod_proxy_ftp module in Apache HTTP Server with an attacker
| controlled backend FTP server. This issue affects undefined: from
| 2.4.0 through 2.4.67. Users are recommended to upgrade to version
| 2.4.68, which fixes the issue.
CVE-2026-44631[10]:
| Buffer Underwrite vulnerability in Apache HTTP Server on crafted
| regular expressions in the configuration. This issue affects Apache
| HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to
| upgrade to version 2.4.68, which fixes the issue.
CVE-2026-48913[11]:
| Use After Free vulnerability in Apache HTTP Server module mod_http2
| when file handles are already exhausted. This issue affects Apache
| HTTP Server: from 2.4.55 through 2.4.67.
Note that CVE-2026-49975 was already fixed, so not listed here.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-29167
https://www.cve.org/CVERecord?id=CVE-2026-29167
[1] https://security-tracker.debian.org/tracker/CVE-2026-29170
https://www.cve.org/CVERecord?id=CVE-2026-29170
[2] https://security-tracker.debian.org/tracker/CVE-2026-34355
https://www.cve.org/CVERecord?id=CVE-2026-34355
[3] https://security-tracker.debian.org/tracker/CVE-2026-34356
https://www.cve.org/CVERecord?id=CVE-2026-34356
[4] https://security-tracker.debian.org/tracker/CVE-2026-42535
https://www.cve.org/CVERecord?id=CVE-2026-42535
[5] https://security-tracker.debian.org/tracker/CVE-2026-42536
https://www.cve.org/CVERecord?id=CVE-2026-42536
[6] https://security-tracker.debian.org/tracker/CVE-2026-43951
https://www.cve.org/CVERecord?id=CVE-2026-43951
[7] https://security-tracker.debian.org/tracker/CVE-2026-44119
https://www.cve.org/CVERecord?id=CVE-2026-44119
[8] https://security-tracker.debian.org/tracker/CVE-2026-44185
https://www.cve.org/CVERecord?id=CVE-2026-44185
[9] https://security-tracker.debian.org/tracker/CVE-2026-44186
https://www.cve.org/CVERecord?id=CVE-2026-44186
[10] https://security-tracker.debian.org/tracker/CVE-2026-44631
https://www.cve.org/CVERecord?id=CVE-2026-44631
[11] https://security-tracker.debian.org/tracker/CVE-2026-48913
https://www.cve.org/CVERecord?id=CVE-2026-48913
Regards,
Salvatore
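As an added triage aid (not part of Salvatore's report or of the Apache project), the script below encodes the affected version ranges quoted above and reports which of the listed CVEs apply to an installed Debian apache2 package version; treating the "and earlier" entries and CVE-2026-44119's record (which omits its lower bound) as open-ended is an assumption.

```python
import re

# Affected upstream version ranges transcribed from the report above
# (inclusive). "and earlier" entries get no lower bound; CVE-2026-44119's
# record omits its lower bound, so None is assumed there as well.
AFFECTED = {
    "CVE-2026-29167": ("2.4.0", "2.4.67"),
    "CVE-2026-29170": (None, "2.4.67"),
    "CVE-2026-34355": (None, "2.4.67"),
    "CVE-2026-34356": ("2.4.0", "2.4.67"),
    "CVE-2026-42535": (None, "2.4.67"),
    "CVE-2026-42536": ("2.4.0", "2.4.67"),
    "CVE-2026-43951": ("2.4.0", "2.4.67"),
    "CVE-2026-44119": (None, "2.4.67"),
    "CVE-2026-44185": ("2.4.0", "2.4.67"),
    "CVE-2026-44186": ("2.4.0", "2.4.67"),
    "CVE-2026-44631": ("2.4.0", "2.4.67"),
    "CVE-2026-48913": ("2.4.55", "2.4.67"),
}
FIXED_IN = "2.4.68"  # version the report recommends upgrading to


def upstream_version(debian_version):
    """Strip Debian epoch and revision: '1:2.4.67-1~deb12u1' -> '2.4.67'."""
    v = debian_version.split(":", 1)[-1]  # drop epoch, if any
    return v.split("-", 1)[0]             # drop Debian revision, if any


def vtuple(version):
    """Leading dotted numeric prefix as a tuple; a pre-release suffix such as
    '~rc1' is ignored (assumption: treated like the release it precedes)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def affecting_cves(debian_version):
    """CVE ids from this report whose affected range contains the version."""
    v = vtuple(upstream_version(debian_version))
    hits = []
    for cve, (lo, hi) in AFFECTED.items():
        if lo is not None and v < vtuple(lo):
            continue
        if v > vtuple(hi):
            continue
        hits.append(cve)
    return hits


def needs_upgrade(debian_version):
    """True when the installed upstream version is older than the fixed one."""
    return vtuple(upstream_version(debian_version)) < vtuple(FIXED_IN)


if __name__ == "__main__":
    for ver in ("2.4.67-1", "2.4.54-1", "2.4.68-1"):
        print(ver, affecting_cves(ver), "upgrade needed:", needs_upgrade(ver))
```

Feed it the output of `dpkg-query -W -f='${Version}' apache2` to check a host; note that a Debian security upload may backport the fixes without bumping the upstream version, so the changelog (where the CVE ids should be listed) remains authoritative.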