ELSA-2025-23732
- ULN >
- Oracle Linux Errata repository >
- ELSA-2025-23732
ELSA-2025-23732 - httpd:2.4 security update
| Type: | SECURITY |
| Impact: | IMPORTANT |
| Release Date: | 2025-12-24 |
Description
httpd
[2.4.37-65.0.1.7]
- Replace index.html with Oracle's index page oracle_index.html
[2.4.37-65.7]
- Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass
via AllowOverride FileInfo (CVE-2025-66200)
- Resolves: RHEL-135039 - httpd: Apache HTTP Server: CGI environment variable
override (CVE-2025-65082)
- Resolves: RHEL-134471 - httpd: Apache HTTP Server: Server Side Includes adds
query string to #exec cmd=... (CVE-2025-58098)
[2.4.37-65.6]
- Resolves: RHEL-127073 - mod_ssl: allow more fine grained SSL SNI vhost check
to avoid unnecessary 421 errors after CVE-2025-23048 fix
- mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default
[2.4.37-65.5]
- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of
user-supplied data in mod_ssl
- Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted
clients is possible using TLS 1.3 session resumption
[2.4.37-65.4]
- Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests
[2.4.37-65.3]
- Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with
unicode characters in the name
[2.4.37-65.2]
- Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend
applications whose response headers are malicious or exploitable (CVE-2024-38476)
- Resolves: RHEL-53022 - Regression introduced by CVE-2024-38474 fix
[2.4.37-65.1]
- Resolves: RHEL-45812 - httpd:2.4/httpd: Substitution encoding issue
in mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-45785 - httpd:2.4/httpd: Encoding problem in
mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45777 - httpd:2.4/httpd: Improper escaping of output
in mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45758 - httpd:2.4/httpd: null pointer dereference
in mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45743 - httpd:2.4/httpd: Potential SSRF
in mod_rewrite (CVE-2024-39573)
[2.4.37-65]
- Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response
splitting (CVE-2023-38709)
[2.4.37-64]
- Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)
mod_http2
[1.15.7-10.4]
- Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes
an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)
[1.15.7-10.3]
- Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix
- Resolves: RHEL-59017 - random failures in other requests on http/2 stream
when client resets one request
[1.15.7-10.2]
- Resolves: RHEL-71575: Wrong Content-Type when proxying using H2 protocol
[1.15.7-10.1]
- Resolves: RHEL-46214 - Access logs and ErrorDocument don't work when HTTP431
occurs using http/2 on RHEL8
[1.15.7-10]
- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames
DoS (CVE-2024-27316)
[1.15.7-9.3]
- Resolves: RHEL-13367 - httpd:2.4/mod_http2: reset requests exhaust memory
(incomplete fix of CVE-2023-44487)(CVE-2023-45802)
[1.15.7-8.3]
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
with mod_rewrite and mod_proxy
[1.15.7-7]
- Resolves: #2095650 - Dependency from mod_http2 on httpd broken
[1.15.7-6]
- Backport SNI feature refactor
- Resolves: rhbz#2137257
[1.15.7-5]
- Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference
or SSRF in forward proxy configurations
mod_md
[1:2.0.8-8.2]
- Resolves: RHEL-134487 - httpd:2.4/httpd: Apache HTTP Server: mod_md (ACME),
unintended retry intervals (CVE-2025-55753)
[1:2.0.8-8]
- Resolves: #1832844 - mod_md does not work with ACME server that does not
provide keyChange or revokeCert resources
[1:2.0.8-7]
- Resolves: #1747912 - add a2md(1) documentation
[1:2.0.8-6]
- Resolves: #1781263 - mod_md ACMEv1 crash
[1:2.0.8-5]
- Resolves: #1747898 - add mod_md package
[1:2.0.8-4]
- require mod_ssl, update package description
[1:2.0.8-3]
- rebuild against 2.4.41
[1:2.0.8-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
[1:2.0.8-1]
- update to 2.0.8
[2.0.3-1]
- Initial import (#1719248).
Related CVEs
| CVE-2025-55753 |
| CVE-2025-58098 |
| CVE-2025-65082 |
| CVE-2025-66200 |
Updated Packages
| Release/Architecture | Filename | sha256 | Superseded By Advisory | Channel Label |
| Oracle Linux 8 (aarch64) | httpd-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.src.rpm | ecf6690a9bd1b6636564aae49b28ca3dae772bbeabcf349ed8dcb64f6254fae8 | - | ol8_aarch64_appstream |
| mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.src.rpm | b5447e310ce463e53bdf76d4ca1f712a77fbe31b954d7e8dee4c9b16ce347b96 | - | ol8_aarch64_appstream | |
| mod_md-2.0.8-8.module+el8.10.0+90740+3332f30e.2.src.rpm | b252ff17822f08ee5a5c21e97b299079e4857c1e8133de3d5cb6ee642e52919b | - | ol8_aarch64_appstream | |
| httpd-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | b1b910fcf6c98e1b21f547d09048b4372d870f42ef217a7116471695ba09a97a | - | ol8_aarch64_appstream | |
| httpd-devel-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | 4f14cbcdf0c8863774cb5df19d07a575ae249d581ffb89253b5110b0074b0c85 | - | ol8_aarch64_appstream | |
| httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.noarch.rpm | 25d0101cf844ddd12337df21d5ec874e41180488feaf04660f4ea9a838b190d6 | - | ol8_aarch64_appstream | |
| httpd-manual-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.noarch.rpm | f5074f783ce11bd4e2b7f1a6b62e8ede15d433ee4f55132ca376832dc46ea356 | - | ol8_aarch64_appstream | |
| httpd-tools-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | 2e577a70ab830439706fd922dcb6ac0f8a3b6020b0dcbc3e8e3ff81b2912233d | - | ol8_aarch64_appstream | |
| mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.aarch64.rpm | a8905b42332ca9b0038fc5d8a0e278495633a9fa1952e9f3099ac8e81d5fa7bc | - | ol8_aarch64_appstream | |
| mod_ldap-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | 8303eef8edef3319e5bf4e32fdaa40e74d6975bb52246b48ba20bedb9b145eb6 | - | ol8_aarch64_appstream | |
| mod_md-2.0.8-8.module+el8.10.0+90740+3332f30e.2.aarch64.rpm | af21c2784a50f8c70dfb886cf552348086392805b6ff79c9002cd4abc5e77166 | - | ol8_aarch64_appstream | |
| mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | 1b222a4e7da7e1b97c44d3cc1cd5a7ba0e59035d3c572f0f770e421397d729fe | - | ol8_aarch64_appstream | |
| mod_session-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | 8717b23b1b5995b9f5bab7a6d325a2900d9c88df1f2ff26c6de42de0fe2eb534 | - | ol8_aarch64_appstream | |
| mod_ssl-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.aarch64.rpm | 456da9ee075bb2159943e6d109494af429d7e6420c9d32289d79e27cde7565af | - | ol8_aarch64_appstream | |
| Oracle Linux 8 (x86_64) | httpd-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.src.rpm | ecf6690a9bd1b6636564aae49b28ca3dae772bbeabcf349ed8dcb64f6254fae8 | - | ol8_x86_64_appstream |
| mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.src.rpm | b5447e310ce463e53bdf76d4ca1f712a77fbe31b954d7e8dee4c9b16ce347b96 | - | ol8_x86_64_appstream | |
| mod_md-2.0.8-8.module+el8.10.0+90740+3332f30e.2.src.rpm | b252ff17822f08ee5a5c21e97b299079e4857c1e8133de3d5cb6ee642e52919b | - | ol8_x86_64_appstream | |
| httpd-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | febbda47c3c7da4579d02c74ababeb5ee0c997969aadff083eb0930d1f4d0be4 | - | ol8_x86_64_appstream | |
| httpd-devel-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | 2c485871515edbb29ac1e2ec565b63fdea4de12bbf1ea40b18cb8fc7b1f27f83 | - | ol8_x86_64_appstream | |
| httpd-filesystem-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.noarch.rpm | 25d0101cf844ddd12337df21d5ec874e41180488feaf04660f4ea9a838b190d6 | - | ol8_x86_64_appstream | |
| httpd-manual-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.noarch.rpm | f5074f783ce11bd4e2b7f1a6b62e8ede15d433ee4f55132ca376832dc46ea356 | - | ol8_x86_64_appstream | |
| httpd-tools-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | 30d112b7157d53d09a01931391e348c97e6efdf9c057c898030bab131dc380cc | - | ol8_x86_64_appstream | |
| mod_http2-1.15.7-10.module+el8.10.0+90652+bef864ba.4.x86_64.rpm | 65e56ad2dcda84643ba43f0141c76732c518331ac718f75c072835b21121fd5a | - | ol8_x86_64_appstream | |
| mod_ldap-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | 1ff05283de82e06dd30445ed5dc8b19d7bb15947fe74348ec5db98a8fdfccdaa | - | ol8_x86_64_appstream | |
| mod_md-2.0.8-8.module+el8.10.0+90740+3332f30e.2.x86_64.rpm | 5c58d5f887b2971c09c17b2c369714ec08c398ce0289dcaa473f407119f35bf1 | - | ol8_x86_64_appstream | |
| mod_proxy_html-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | 30dbfe22dfc850ff3895261ba11f363fe926f9eb13251e53f43725688462704a | - | ol8_x86_64_appstream | |
| mod_session-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | 6bbbe10e69120c745d642348668a3cf113633ceeb0aa35955c0e444c09769cb1 | - | ol8_x86_64_appstream | |
| mod_ssl-2.4.37-65.0.1.module+el8.10.0+90740+3332f30e.7.x86_64.rpm | dd7aba9df7bb5ea9e264459c26d579a446bc07b8570867312cd7a05431b559d1 | - | ol8_x86_64_appstream | |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
