Release date:
2026-07-08 15:38:16 UTC
Description:
* SECURITY UPDATE: memory allocation with excessive size value (DoS) in
mod_http2 HTTP/2 cookie header merging
- debian/patches/CVE-2026-49975.patch: count merged cookie headers as an
add so they keep counting against LimitRequestFields, and ignore
duplicate empty cookie headers, in req_add_header() in
modules/http2/h2_util.c; otherwise repeated HTTP/2 cookie headers merge
into one growing value without tripping the LimitRequestFields guard,
letting a single stream drive unbounded memory allocation. Upstream fix
35c6e405390ed361189a82acd96675401ea5947c (SVN r1934882).
- CVE-2026-49975
Updated packages:
-
apache2_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:c3579aaacf1e823a5c62ec3264b73ff70cdaf458
-
apache2-bin_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:d29335411a8b5c9140ed2401e30ea589ee3a1a24
-
apache2-data_2.4.59-1~deb10u1+tuxcare.els11_all.deb
sha:985e176cd7f161e48550639d1a8151a2646b0c11
-
apache2-dev_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:01084f04af3441e57a63aa6de5e7495543020d17
-
apache2-doc_2.4.59-1~deb10u1+tuxcare.els11_all.deb
sha:dce2c85a3f329bb01d2b57b7c96c19201012f546
-
apache2-ssl-dev_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:01914b1f9e3c38fdd33947bcf6dc1258a7f63246
-
apache2-suexec-custom_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:85d5a88cd87308abd1477d72dbf59f56c70987cb
-
apache2-suexec-pristine_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:0e7c13aa7fd2c240c4dd94be62e7e81df01d46e3
-
apache2-utils_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:eccd36d02f3d3f2837474f251da7eef7390b2e05
-
libapache2-mod-md_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:379da7a96e2bdc5c2a230433d2ce400baee4bfdb
-
libapache2-mod-proxy-uwsgi_2.4.59-1~deb10u1+tuxcare.els11_amd64.deb
sha:5e0c92dbe7196b04ead71d2607b893265dcd004c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.