ELSA-2025-15023

ULN >
Oracle Linux Errata repository >
ELSA-2025-15023

ELSA-2025-15023 - httpd security update

Type:	SECURITY
Impact:	MODERATE
Release Date:	2025-09-02

Description

[2.4.62-4.0.1.4]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.62-4.4]
- Resolves: RHEL-99949 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade

[2.4.62-4.1]
- Resolves: RHEL-99972 - CVE-2024-47252 httpd: insufficient escaping of
user-supplied data in mod_ssl
- Resolves: RHEL-99963 - CVE-2025-23048 httpd: access control bypass by trusted
clients is possible using TLS 1.3 session resumption
- Resolves: RHEL-102079 - stickysession field does not work when specifying it
in the query parameter after upgrade to 9.5

[2.4.62-4]
- Resolves: RHEL-66488 - Apache HTTPD no longer parse PHP files with unicode
characters in the name

[2.4.62-3]
- Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket)
configured in .htaccess doesn't work on httpd-2.4.62-1

[2.4.62-2]
- mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-36755

[2.4.62-1]
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix

[2.4.59-7]
- Resolves: RHEL-49856: htcacheclean.service missing [Install] section

[2.4.59-6]
- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
Related: RHEL-14668

[2.4.59-5]
- mod_ssl: defer ENGINE_finish() calls to a cleanup
Resolves: RHEL-36755

[2.4.59-4]
- Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers

[2.4.59-3]
- Related: RHEL-14668 - RFE: httpd rebase to 2.4.59

[2.4.59-2]
- Resolves: RHEL-35870 - httpd mod_cgi/cgid unification

[2.4.59-1]
- new version 2.4.59
- Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59
- Resolves: RHEL-31856 - httpd: HTTP response splitting
(CVE-2023-38709)
- Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple
modules (CVE-2024-24795)

[2.4.57-8]
- mod_xml2enc: fix media type handling
Resolves: RHEL-17686
- mod_dav: add DavBasePath
Resolves: RHEL-6600

[2.4.57-7]
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)

[2.4.57-6]
- Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
- mod_dav_fs: add global mutex around lockdb interaction

Related CVEs

CVE-2024-47252

CVE-2025-49812

CVE-2025-23048

Updated Packages

Release/Architecture	Filename	sha256	Superseded By Advisory	Channel Label

Oracle Linux 9 (aarch64)	httpd-2.4.62-4.0.1.el9_6.4.src.rpm	073bb7ea92a286781c6ff0c9b9d9b1002cdf8feb3edbbfd10b41854fc79349dc	-	ol9_aarch64_appstream
	httpd-2.4.62-4.0.1.el9_6.4.aarch64.rpm	5e719e37b31cfa6f21ea84499499998283384edeb29096b54ef25cdec4083ad9	-	ol9_aarch64_appstream
	httpd-core-2.4.62-4.0.1.el9_6.4.aarch64.rpm	05b3f72d50174f6001a0ec975c79bd952a931854031cadb9ee4df382d07fae18	-	ol9_aarch64_appstream
	httpd-devel-2.4.62-4.0.1.el9_6.4.aarch64.rpm	4cd27bf4a217ed6e4034410a37c1159ffa152380e90908a242ac894cdb4ade2c	-	ol9_aarch64_appstream
	httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm	fb1144cac38ed1bfb6c386145203876bd664b22bdd6a466d288048025ba58d19	-	ol9_aarch64_appstream
	httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm	8a81cb703f2ef2cc165142ccf7550b2c0fe18c91d3da1545db400d1dce22eb49	-	ol9_aarch64_appstream
	httpd-tools-2.4.62-4.0.1.el9_6.4.aarch64.rpm	224bfc5d7f8fb85721c06b7e79b5740ab9227e9633c2398c78fc73d01eac55d3	-	ol9_aarch64_appstream
	mod_ldap-2.4.62-4.0.1.el9_6.4.aarch64.rpm	0775fa1a9a876f5b349d28df078725e270bfce0f6d39ea3d6f4507e276ff3b49	-	ol9_aarch64_appstream
	mod_lua-2.4.62-4.0.1.el9_6.4.aarch64.rpm	b45966aa49b44cdd8894ccd7856e10a4d9a541a6fca6464efb8425822789879a	-	ol9_aarch64_appstream
	mod_proxy_html-2.4.62-4.0.1.el9_6.4.aarch64.rpm	1a0b4f5ffddbdcbce42bbbff17416ac71cafdba231b050111efdb47c49bfdf76	-	ol9_aarch64_appstream
	mod_session-2.4.62-4.0.1.el9_6.4.aarch64.rpm	28072a2e16041e770a2a92bd6ed6259a7470e011339b0e297121f19529f92a15	-	ol9_aarch64_appstream
	mod_ssl-2.4.62-4.0.1.el9_6.4.aarch64.rpm	def104d79ed9a96d4b238ae463386d2b1c5e3f9ce0f3aa688bf6329c661fbd4c	-	ol9_aarch64_appstream

Oracle Linux 9 (x86_64)	httpd-2.4.62-4.0.1.el9_6.4.src.rpm	073bb7ea92a286781c6ff0c9b9d9b1002cdf8feb3edbbfd10b41854fc79349dc	-	ol9_x86_64_appstream
	httpd-2.4.62-4.0.1.el9_6.4.x86_64.rpm	9b2e212068b1328ee3289592936b8126766e130cb2e2dca87a9fb60add9975a6	-	ol9_x86_64_appstream
	httpd-core-2.4.62-4.0.1.el9_6.4.x86_64.rpm	ec823d963ee1a22bf4e48a06f6a7445e86fb2cc29076262ee3882f04e524d199	-	ol9_x86_64_appstream
	httpd-devel-2.4.62-4.0.1.el9_6.4.x86_64.rpm	d296adaca2d2dd27506c5dfa4df644a3185a14d743c2266d9f9dce230b2d9144	-	ol9_x86_64_appstream
	httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm	fb1144cac38ed1bfb6c386145203876bd664b22bdd6a466d288048025ba58d19	-	ol9_x86_64_appstream
	httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm	8a81cb703f2ef2cc165142ccf7550b2c0fe18c91d3da1545db400d1dce22eb49	-	ol9_x86_64_appstream
	httpd-tools-2.4.62-4.0.1.el9_6.4.x86_64.rpm	3216feb94b370c2862021832425fb09f751bf4bdf2e155a76023920e4a9741fd	-	ol9_x86_64_appstream
	mod_ldap-2.4.62-4.0.1.el9_6.4.x86_64.rpm	126ccb505fcab753cf2a732563f6a9872a4baecd29b0f61e21bd27b54eaafc02	-	ol9_x86_64_appstream
	mod_lua-2.4.62-4.0.1.el9_6.4.x86_64.rpm	c8f68239daf781f3c3dfd2bbd38071b6f5ebe2ef7a8a98db74ec76f59dc1b88d	-	ol9_x86_64_appstream
	mod_proxy_html-2.4.62-4.0.1.el9_6.4.x86_64.rpm	7af7c91e1255092d2c5a34592a4c90fd93dfb607e9c48c6e47b51166fc05f2af	-	ol9_x86_64_appstream
	mod_session-2.4.62-4.0.1.el9_6.4.x86_64.rpm	258f4af56d356ef359ff200c104486f92cd2d1229423adc59a55400e568f142e	-	ol9_x86_64_appstream
	mod_ssl-2.4.62-4.0.1.el9_6.4.x86_64.rpm	ddea2b825ffa623545ba3f288b4d87f002de090074271d12edb2011ed4a989e1	-	ol9_x86_64_appstream

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

Technical information

Oracle Linux Support

Connect

Contact Us

Global contacts
Oracle 1-800-633-0691