Your message dated Tue, 05 May 2026 21:32:05 +0000
with message-id <[email protected]>
and subject line Bug#1135737: fixed in apache2 2.4.67-1~deb13u1
has caused the Debian Bug report #1135737,
regarding apache2: CVE-2026-23918 CVE-2026-24072 CVE-2026-29169 CVE-2026-33006
CVE-2026-33007 CVE-2026-33523 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135737
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache2
Version: 2.4.66-8
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.66-1~deb13u2
Control: found -1 2.4.66-1~deb13u1
Control: found -1 2.4.66-1~deb12u2
Control: found -1 2.4.66-1~deb12u1
Hi,
The following vulnerabilities were published for apache2. I'm making
this RC because of CVE-2026-23918. On 16th May there is a point
release for both bookworm and trixie. We were pondering either a
DSA or a point release update. Assuming the SRM do not have a problem
with it, uploading the fixed version to unstable soonish, followed
with pu updates to get the update exposed to the public, would be nice.
CVE-2026-23918[0]:
| Double Free and possible RCE vulnerability in Apache HTTP Server
| with the HTTP/2 protocol. This issue affects Apache HTTP Server:
| 2.4.66. Users are recommended to upgrade to version 2.4.67, which
| fixes the issue.
CVE-2026-24072[1]:
| An escalation of privilege bug in various modules in Apache HTTP
| 2.4.66 and earlier allows local .htaccess authors to read files with
| the privileges of the httpd user. Users are recommended to upgrade
| to version 2.4.67, which fixes this issue.
CVE-2026-29169[2]:
| A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
| 2.4.66 and earlier may allow an attacker to crash the server with a
| malicious request. mod_dav_lock is not used internally by mod_dav or
| mod_dav_fs. The only known use-case for mod_dav_lock was
| mod_dav_svn from Apache Subversion earlier than version 1.2.0.
| Users are recommended to upgrade to version 2.4.66, which fixes this
| issue, or remove mod_dav_lock.
CVE-2026-33006[3]:
| A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66
| allows a bypass of Digest authentication by a remote attacker.
| Users are recommended to upgrade to version 2.4.67, which fixes this
| issue.
CVE-2026-33007[4]:
| A NULL pointer dereference in the mod_authn_socache in Apache HTTP
| Server 2.4.66 and earlier allows an unauthenticated remote user to
| crash a child process in a caching forward proxy configuration.
| Users are recommended to upgrade to version 2.4.67, which fixes this
| issue.
CVE-2026-33523[5]:
| HTTP response splitting vulnerability in multiple Apache HTTP Server
| modules with untrusted or compromised backend servers. This issue
| affects Apache HTTP Server: from through 2.4.66. Users are
| recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-33857[6]:
| Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP
| Server. This issue affects Apache HTTP Server: through 2.4.66.
| Users are recommended to upgrade to version 2.4.67, which fixes the
| issue.
CVE-2026-34032[7]:
| Improper Null Termination, Out-of-bounds Read vulnerability in
| Apache HTTP Server. This issue affects Apache HTTP Server: through
| 2.4.66. Users are recommended to upgrade to version 2.4.67, which
| fixes the issue.
CVE-2026-34059[8]:
| Buffer Over-read vulnerability in Apache HTTP Server. This issue
| affects Apache HTTP Server: through 2.4.66. Users are recommended
| to upgrade to version 2.4.67, which fixes the issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-23918
https://www.cve.org/CVERecord?id=CVE-2026-23918
[1] https://security-tracker.debian.org/tracker/CVE-2026-24072
https://www.cve.org/CVERecord?id=CVE-2026-24072
[2] https://security-tracker.debian.org/tracker/CVE-2026-29169
https://www.cve.org/CVERecord?id=CVE-2026-29169
[3] https://security-tracker.debian.org/tracker/CVE-2026-33006
https://www.cve.org/CVERecord?id=CVE-2026-33006
[4] https://security-tracker.debian.org/tracker/CVE-2026-33007
https://www.cve.org/CVERecord?id=CVE-2026-33007
[5] https://security-tracker.debian.org/tracker/CVE-2026-33523
https://www.cve.org/CVERecord?id=CVE-2026-33523
[6] https://security-tracker.debian.org/tracker/CVE-2026-33857
https://www.cve.org/CVERecord?id=CVE-2026-33857
[7] https://security-tracker.debian.org/tracker/CVE-2026-34032
https://www.cve.org/CVERecord?id=CVE-2026-34032
[8] https://security-tracker.debian.org/tracker/CVE-2026-34059
https://www.cve.org/CVERecord?id=CVE-2026-34059
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.67-1~deb13u1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 May 2026 16:40:42 +0200
Source: apache2
Architecture: source
Version: 2.4.67-1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Apache Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1135737
Changes:
apache2 (2.4.67-1~deb13u1) trixie; urgency=medium
.
* New upstream release (Closes: #1135737, CVE-2026-23918, CVE-2026-24072,
CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523,
CVE-2026-33857, CVE-2026-34032, CVE-2026-34059)
* Refresh patches
Checksums-Sha1:
471e5ac237ea581a3a1b3e88bb638fd4407e95f6 3526 apache2_2.4.67-1~deb13u1.dsc
46e72f3395f75d49d6c8ab20c31521bf1a3d8107 9714011 apache2_2.4.67.orig.tar.gz
837c2618ed0b131cdab25466f45bceb7fb73c291 870 apache2_2.4.67.orig.tar.gz.asc
e2b0a14e67e15a6a0329f057aae3e8a0a4bdc9f3 827484 apache2_2.4.67-1~deb13u1.debian.tar.xz
Checksums-Sha256:
f7d43b29fcf251b9506940f8d5377840e7c9acb9bef4c9cb80fd46611f7e3518 3526 apache2_2.4.67-1~deb13u1.dsc
10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 9714011 apache2_2.4.67.orig.tar.gz
d8a6e18c2f892aa901121d14852717bddf42e430b0f48f853a4effce7b89f348 870 apache2_2.4.67.orig.tar.gz.asc
cf961d8ed39bdfe0caf3069426409cb3fcb9ae9bb77224f30aa605b19488419a 827484 apache2_2.4.67-1~deb13u1.debian.tar.xz
Files:
54ccbb8268a9aef732f935591b9a7a1f 3526 httpd optional apache2_2.4.67-1~deb13u1.dsc
cf51fc1963b35360240f4225c2921d4b 9714011 httpd optional apache2_2.4.67.orig.tar.gz
8831f0957bcf06bb810d7def20d5d790 870 httpd optional apache2_2.4.67.orig.tar.gz.asc
6b3d6d3d292a799accd35a4aa5083199 827484 httpd optional apache2_2.4.67-1~deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=LmZP
-----END PGP SIGNATURE-----
--- End Message ---
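To decide whether a given host is covered by this upload, the versions listed in the report's Control lines and the fixed version named in the close message have to be compared with Debian's version ordering, in which `~` sorts before the end of the string (so 2.4.67-1~deb13u1 is older than the unstable 2.4.67-1 but newer than every 2.4.66-* build). The script below is an added example, not code from the bug report, the apache2 package or dpkg; it is a Python port of the dpkg comparison algorithm as described in Debian Policy 5.6.12, and the port is assumed to match dpkg (on a Debian host, `dpkg --compare-versions` is the authoritative check). `FOUND_VERSIONS` and `FIXED_BY_SUITE` are copied from the two messages; the `fix_status` helper and the suite labels are the example's own, and bookworm is reported as unknown because this page names no bookworm fix version.

```python
"""Debian version ordering, applied to the versions in this bug.

Added example, not code from the bug report, the apache2 package or dpkg.
Re-implements the dpkg version comparison (Debian Policy 5.6.12); on a
Debian host the authoritative check is `dpkg --compare-versions A lt B`.
"""

# Versions taken from the two messages above. Only the trixie fix version
# is stated on this page; bookworm is deliberately left out of the mapping.
FOUND_VERSIONS = [
    "2.4.66-8",          # unstable, the version the report was filed against
    "2.4.66-1~deb13u2",  # trixie
    "2.4.66-1~deb13u1",
    "2.4.66-1~deb12u2",  # bookworm
    "2.4.66-1~deb12u1",
]
FIXED_BY_SUITE = {"trixie": "2.4.67-1~deb13u1"}


def _order(c: str) -> int:
    """Sort weight of one character, as in dpkg: '~' sorts before anything
    (even end of string), digits weigh 0, letters before other characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream version or a Debian revision the way dpkg does:
    alternate non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: end of string counts as 0, hence "1.0~rc1" < "1.0"
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, a longer run wins, else first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _parse(version: str):
    """Split [epoch:]upstream[-revision]; the last '-' starts the revision."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg: epoch first, then upstream, then revision."""
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def fix_status(installed: str, suite: str) -> str:
    """'fixed' or 'vulnerable' against the fix version for that suite, or
    'unknown' when this page names none. Never compare across suites:
    2.4.66-1~deb12u2 sorts below 2.4.67-1~deb13u1, but the bookworm fix
    will carry its own ~deb12 version, so the trixie number says nothing."""
    fixed = FIXED_BY_SUITE.get(suite)
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    for v in FOUND_VERSIONS:
        suite = "trixie" if "deb13" in v else "bookworm" if "deb12" in v else "unstable"
        print(f"{v:<20} {suite:<9} {fix_status(v, suite)}")
```

The comparison is done per suite on purpose: a bookworm host running 2.4.66-1~deb12u2 is still vulnerable after this trixie upload, and the only sound check for it is against the version the eventual bookworm update carries, not against the trixie string.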