[CLSA-2026:1779119053] Fix of 8 CVEs
Type:
security
Severity:
Important
Release date:
2026-05-18 15:44:17 UTC
Description:
* SECURITY UPDATE: mod_proxy_ajp heap buffer over-read in ajp_msg_get_string
  - debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajp_msg.c.
  - CVE-2026-34032
* SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads
  - debian/patches/CVE-2026-33857.patch: fix length checks in AJP msg_get functions in modules/proxy/ajp_msg.c.
  - CVE-2026-33857
* SECURITY UPDATE: mod_proxy_ajp heap over-read in ajp_parse_data
  - debian/patches/CVE-2026-34059.patch: fix message length check in modules/proxy/ajp_header.c.
  - CVE-2026-34059
* SECURITY UPDATE: mod_authn_socache crash in caching forward proxy
  - debian/patches/CVE-2026-33007.patch: validate URL earlier in modules/aaa/mod_authn_socache.c.
  - CVE-2026-33007
* SECURITY UPDATE: HTTP response splitting via malicious backend status line
  - debian/patches/CVE-2026-33523.patch: scan outgoing status line for newlines and control characters in modules/http/http_filters.c.
  - CVE-2026-33523
* SECURITY UPDATE: mod_rewrite elevation of privileges via ap_expr in .htaccess
  - debian/patches/CVE-2026-24072.patch: use AP_EXPR_FLAG_RESTRICTED in htaccess context in modules/mappers/mod_rewrite.c and modules/metadata/mod_setenvif.c. mod_proxy_fcgi hunk omitted: ProxyFCGISetEnvIf was added in 2.4.26, after this source.
  - CVE-2026-24072
* SECURITY UPDATE: mod_auth_digest timing attack allowing Digest auth bypass
  - debian/patches/CVE-2026-33006.patch: use a constant-time comparison helper for nonce hash and digest checks, add VALID_NONCE validation and an MD5_DIGEST_LEN length check in get_digest_rec, in modules/aaa/mod_auth_digest.c. Inline ap_crypto_equals_const_time() replaces apr_crypto_equals (added in apr-util 1.6, not in xenial's apr-util 1.5.4); the upstream apr-util version bump and the apr_crypto.h include are omitted accordingly.
  - CVE-2026-33006
* SECURITY UPDATE: mod_proxy_ajp ajp_msg_check_header bounds-check fix
  - debian/patches/CVE-2026-28780.patch: tighten the upper-bound check in ajp_msg_check_header() to reserve AJP_HEADER_LEN bytes of headroom in modules/proxy/ajp_msg.c (companion to CVE-2026-33857/34032).
  - CVE-2026-28780
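The three mod_proxy_ajp entries above all concern getters that read a length-prefixed field without checking it against the bytes actually received. The following is an added illustration of the defensive shape of such a getter; it is not Apache httpd code nor any of the patches listed here. It assumes the AJP13 string encoding (big-endian 2-byte length, the bytes, a 0x00 terminator, with 0xFFFF meaning a null string); the type and function names are hypothetical.

```c
/* Added example, not Apache httpd code: a bounds-checked reader for the AJP
 * string field (2-byte big-endian length, bytes, 0x00 terminator; 0xFFFF = null). */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    const uint8_t *buf;  /* received payload */
    size_t len;          /* bytes actually received, not the buffer capacity */
    size_t pos;          /* read cursor */
} ajp_msg;

/* Returns 1 for a string (*out points into buf, *out_len set), 0 for a null
 * string, -1 when the field would extend past the received bytes or lacks its
 * terminator. Every check is against len, so no read ever touches buf[len]. */
int ajp_get_string(ajp_msg *m, const uint8_t **out, size_t *out_len)
{
    if (m->pos > m->len || m->len - m->pos < 2)
        return -1;                               /* no room for the length */
    size_t size = ((size_t)m->buf[m->pos] << 8) | m->buf[m->pos + 1];
    m->pos += 2;
    if (size == 0xFFFF) {                        /* null string, no body */
        *out = NULL; *out_len = 0;
        return 0;
    }
    if (m->len - m->pos < size + 1)              /* body plus terminator */
        return -1;
    if (m->buf[m->pos + size] != 0)              /* terminator must be present */
        return -1;
    *out = m->buf + m->pos;
    *out_len = size;
    m->pos += size + 1;
    return 1;
}

/* Walks a payload of consecutive string fields; returns the field count, or
 * -1 as soon as one field fails validation. */
int ajp_count_strings(const uint8_t *buf, size_t len)
{
    ajp_msg m = { buf, len, 0 };
    const uint8_t *s; size_t n; int count = 0;
    while (m.pos < len) {
        if (ajp_get_string(&m, &s, &n) < 0) return -1;
        count++;
    }
    return count;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t AJP_OK[]     = { 0x00,0x03,'G','E','T',0x00, 0xFF,0xFF, 0x00,0x01,'/',0x00 };
static const uint8_t AJP_TRUNC[]  = { 0x00,0x10,'G','E','T',0x00 };   /* claims 16 bytes, has 3 */
static const uint8_t AJP_NOTERM[] = { 0x00,0x03,'G','E','T','X' };    /* terminator replaced */
```

The two malformed samples are the cases a getter that checks only against allocation size, or forgets the terminator byte, would read past; here both are rejected before any byte beyond `len` is touched.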
Updated packages:
  • apache2_2.4.18-2ubuntu3.17+tuxcare.els19_amd64.deb
    sha:7ee70702e33147eed28677c4c0845b6fa0da598d
  • apache2-bin_2.4.18-2ubuntu3.17+tuxcare.els19_amd64.deb
    sha:b087dac7730906656f1fbd6e1384cdecb907cff7
  • apache2-data_2.4.18-2ubuntu3.17+tuxcare.els19_all.deb
    sha:31893f046fd3517f8b76055e71981600863a028a
  • apache2-dev_2.4.18-2ubuntu3.17+tuxcare.els19_amd64.deb
    sha:cc1d4482f63f567da042f03b79a261e602f171e3
  • apache2-doc_2.4.18-2ubuntu3.17+tuxcare.els19_all.deb
    sha:0cfa75c90ceb73a21f48a2ac7b3fedb279ab51c0
  • apache2-suexec-custom_2.4.18-2ubuntu3.17+tuxcare.els19_amd64.deb
    sha:dddeb88bb828bf0e1d555dc0c8c9b8ea655630a1
  • apache2-suexec-pristine_2.4.18-2ubuntu3.17+tuxcare.els19_amd64.deb
    sha:9a5496c07bcad53eca3ff52e16f258ab1af05fe1
  • apache2-utils_2.4.18-2ubuntu3.17+tuxcare.els19_amd64.deb
    sha:5e1ecc05fdb26551acf8864419aa0165e9b9afff
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.