ELSA-2025-15123 - httpd:2.4 security update

Type: SECURITY
Impact: MODERATE
Release Date: 2025-09-04

Description


httpd
[2.4.37-65.5.0.1]
- Replace index.html with Oracle's index page oracle_index.html

[2.4.37-65.5]
- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl
- Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption

[2.4.37-65.4]
- Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests

[2.4.37-65.3]
- Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with unicode characters in the name

[2.4.37-65.2]
- Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476)
- Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix

[2.4.37-65.1]
- Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue in mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output in mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference in mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF in mod_rewrite (CVE-2024-39573)

mod_http2
[1.15.7-10.4]
- Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)

[1.15.7-10.3]
- Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix
- Resolves: RHEL-59017 - random failures in other requests on http/2 stream when client resets one request

[1.15.7-10.2]
- Resolves: RHEL-71575: Wrong Content-Type when proxying using H2 protocol

[1.15.7-10.1]
- Resolves: RHEL-46214 - Access logs and ErrorDocument don't work when HTTP431 occurs using http/2 on RHEL8

mod_md


Related CVEs


CVE-2025-23048
CVE-2024-47252
CVE-2025-49630
CVE-2025-49812

Updated Packages





This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team.