ELSA-2025-15023

ELSA-2025-15023 - httpd security update

Type:SECURITY
Impact:MODERATE
Release Date:2025-09-02

Description


[2.4.62-4.0.1.4]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.62-4.4]
- Resolves: RHEL-99949 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade

[2.4.62-4.1]
- Resolves: RHEL-99972 - CVE-2024-47252 httpd: insufficient escaping of
user-supplied data in mod_ssl
- Resolves: RHEL-99963 - CVE-2025-23048 httpd: access control bypass by trusted
clients is possible using TLS 1.3 session resumption
- Resolves: RHEL-102079 - stickysession field does not work when specifying it
in the query parameter after upgrade to 9.5

[2.4.62-4]
- Resolves: RHEL-66488 - Apache HTTPD no longer parse PHP files with unicode
characters in the name

[2.4.62-3]
- Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket)
configured in .htaccess doesn't work on httpd-2.4.62-1

[2.4.62-2]
- mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-36755

[2.4.62-1]
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix

[2.4.59-7]
- Resolves: RHEL-49856: htcacheclean.service missing [Install] section

[2.4.59-6]
- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
Related: RHEL-14668

[2.4.59-5]
- mod_ssl: defer ENGINE_finish() calls to a cleanup
Resolves: RHEL-36755

[2.4.59-4]
- Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers

[2.4.59-3]
- Related: RHEL-14668 - RFE: httpd rebase to 2.4.59

[2.4.59-2]
- Resolves: RHEL-35870 - httpd mod_cgi/cgid unification

[2.4.59-1]
- new version 2.4.59
- Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59
- Resolves: RHEL-31856 - httpd: HTTP response splitting
(CVE-2023-38709)
- Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple
modules (CVE-2024-24795)

[2.4.57-8]
- mod_xml2enc: fix media type handling
Resolves: RHEL-17686
- mod_dav: add DavBasePath
Resolves: RHEL-6600

[2.4.57-7]
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)

[2.4.57-6]
- Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
- mod_dav_fs: add global mutex around lockdb interaction


Related CVEs


CVE-2024-47252
CVE-2025-49812
CVE-2025-23048

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 9 (aarch64) httpd-2.4.62-4.0.1.el9_6.4.src.rpm073bb7ea92a286781c6ff0c9b9d9b1002cdf8feb3edbbfd10b41854fc79349dc-ol9_aarch64_appstream
httpd-2.4.62-4.0.1.el9_6.4.aarch64.rpm5e719e37b31cfa6f21ea84499499998283384edeb29096b54ef25cdec4083ad9-ol9_aarch64_appstream
httpd-core-2.4.62-4.0.1.el9_6.4.aarch64.rpm05b3f72d50174f6001a0ec975c79bd952a931854031cadb9ee4df382d07fae18-ol9_aarch64_appstream
httpd-devel-2.4.62-4.0.1.el9_6.4.aarch64.rpm4cd27bf4a217ed6e4034410a37c1159ffa152380e90908a242ac894cdb4ade2c-ol9_aarch64_appstream
httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpmfb1144cac38ed1bfb6c386145203876bd664b22bdd6a466d288048025ba58d19-ol9_aarch64_appstream
httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm8a81cb703f2ef2cc165142ccf7550b2c0fe18c91d3da1545db400d1dce22eb49-ol9_aarch64_appstream
httpd-tools-2.4.62-4.0.1.el9_6.4.aarch64.rpm224bfc5d7f8fb85721c06b7e79b5740ab9227e9633c2398c78fc73d01eac55d3-ol9_aarch64_appstream
mod_ldap-2.4.62-4.0.1.el9_6.4.aarch64.rpm0775fa1a9a876f5b349d28df078725e270bfce0f6d39ea3d6f4507e276ff3b49-ol9_aarch64_appstream
mod_lua-2.4.62-4.0.1.el9_6.4.aarch64.rpmb45966aa49b44cdd8894ccd7856e10a4d9a541a6fca6464efb8425822789879a-ol9_aarch64_appstream
mod_proxy_html-2.4.62-4.0.1.el9_6.4.aarch64.rpm1a0b4f5ffddbdcbce42bbbff17416ac71cafdba231b050111efdb47c49bfdf76-ol9_aarch64_appstream
mod_session-2.4.62-4.0.1.el9_6.4.aarch64.rpm28072a2e16041e770a2a92bd6ed6259a7470e011339b0e297121f19529f92a15-ol9_aarch64_appstream
mod_ssl-2.4.62-4.0.1.el9_6.4.aarch64.rpmdef104d79ed9a96d4b238ae463386d2b1c5e3f9ce0f3aa688bf6329c661fbd4c-ol9_aarch64_appstream
Oracle Linux 9 (x86_64) httpd-2.4.62-4.0.1.el9_6.4.src.rpm073bb7ea92a286781c6ff0c9b9d9b1002cdf8feb3edbbfd10b41854fc79349dc-ol9_x86_64_appstream
httpd-2.4.62-4.0.1.el9_6.4.x86_64.rpm9b2e212068b1328ee3289592936b8126766e130cb2e2dca87a9fb60add9975a6-ol9_x86_64_appstream
httpd-core-2.4.62-4.0.1.el9_6.4.x86_64.rpmec823d963ee1a22bf4e48a06f6a7445e86fb2cc29076262ee3882f04e524d199-ol9_x86_64_appstream
httpd-devel-2.4.62-4.0.1.el9_6.4.x86_64.rpmd296adaca2d2dd27506c5dfa4df644a3185a14d743c2266d9f9dce230b2d9144-ol9_x86_64_appstream
httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpmfb1144cac38ed1bfb6c386145203876bd664b22bdd6a466d288048025ba58d19-ol9_x86_64_appstream
httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm8a81cb703f2ef2cc165142ccf7550b2c0fe18c91d3da1545db400d1dce22eb49-ol9_x86_64_appstream
httpd-tools-2.4.62-4.0.1.el9_6.4.x86_64.rpm3216feb94b370c2862021832425fb09f751bf4bdf2e155a76023920e4a9741fd-ol9_x86_64_appstream
mod_ldap-2.4.62-4.0.1.el9_6.4.x86_64.rpm126ccb505fcab753cf2a732563f6a9872a4baecd29b0f61e21bd27b54eaafc02-ol9_x86_64_appstream
mod_lua-2.4.62-4.0.1.el9_6.4.x86_64.rpmc8f68239daf781f3c3dfd2bbd38071b6f5ebe2ef7a8a98db74ec76f59dc1b88d-ol9_x86_64_appstream
mod_proxy_html-2.4.62-4.0.1.el9_6.4.x86_64.rpm7af7c91e1255092d2c5a34592a4c90fd93dfb607e9c48c6e47b51166fc05f2af-ol9_x86_64_appstream
mod_session-2.4.62-4.0.1.el9_6.4.x86_64.rpm258f4af56d356ef359ff200c104486f92cd2d1229423adc59a55400e568f142e-ol9_x86_64_appstream
mod_ssl-2.4.62-4.0.1.el9_6.4.x86_64.rpmddea2b825ffa623545ba3f288b4d87f002de090074271d12edb2011ed4a989e1-ol9_x86_64_appstream



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete