ELSA-2026-21433

ELSA-2026-21433 - httpd security update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-17

Description


[2.4.63-13.0.1.el10_2.4]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.63-13.4]
- Resolves: RHEL-186221 - httpd: Apache HTTP Server: Heap-based Buffer Overflow
via malicious backend servers (CVE-2026-34356)
- Resolves: RHEL-186195 - httpd: Apache HTTP Server: Heap-based Buffer Overflow
via untrusted content in mod_xml2enc (CVE-2026-42536)
- Resolves: RHEL-186182 - httpd: Apache HTTP Server: Buffer overflow in
mod_proxy_html allows security bypass (CVE-2026-34355)
- Resolves: RHEL-186158 - httpd: Apache HTTP Server: Buffer Over-read via
outbound OCSP requests to attacker-controlled server (CVE-2026-44185)
- Resolves: RHEL-184305 - httpd: Apache HTTP Server: Denial of Service via
crafted regular expressions (CVE-2026-44631)
- Resolves : RHEL-182581 - httpd: incomplete fix for
CVE-2023-38709 (CVE-2024-42516)
- Resolves: RHEL-175621 - httpd: NULL pointer dereference via specially crafted
request (CVE-2026-29169)
- Also addresses CVE-2026-44119, CVE-2026-44186, CVE-2026-42535,
CVE-2026-24072, CVE-2026-33006, CVE-2026-43951

[2.4.63-13.1]
- Resolves: RHEL-173549 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary
code execution via heap-based buffer overflow (CVE-2026-28780)
- Resolves: RHEL-175065 - httpd: NULL pointer dereference can cause a child
process crash (CVE-2026-33007)
- Resolves: RHEL-175095 - httpd: off-by-one out-of-bounds reads in AJP getter
functions (CVE-2026-33857)
- Resolves: RHEL-175039 - httpd: heap-based buffer over-read due to missing
null-termination check (CVE-2026-34032)
- Resolves: RHEL-175050 - httpd: heap-based buffer over-read and memory
disclosure in ajp_parse_data() (CVE-2026-34059)


Related CVEs


CVE-2026-28780
CVE-2026-33007
CVE-2026-33857
CVE-2026-34032
CVE-2026-34059

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 10 (aarch64) httpd-2.4.63-13.0.1.el10_2.4.src.rpm266b929dfaf62347d462f51b59434385714fa8aeafc1c75cfd2e887fcf0f1670-ol10_aarch64_appstream
httpd-2.4.63-13.0.1.el10_2.4.aarch64.rpma8f66649d10d12659cb94701fde9992a561d693fcc4ca3395b1000ca6eab6cd9-ol10_aarch64_appstream
httpd-core-2.4.63-13.0.1.el10_2.4.aarch64.rpm9946ad963a31fdfc2bb099f4b26e6758b0ea419af675c4da95b79140d10f5398-ol10_aarch64_appstream
httpd-devel-2.4.63-13.0.1.el10_2.4.aarch64.rpm674f05a3321bf9b74ab1ee875c0e2f44e27e15d9d11c6df4cc8a9f9089598f6d-ol10_aarch64_appstream
httpd-filesystem-2.4.63-13.0.1.el10_2.4.noarch.rpm6f715efe515bdfcd877d425b03ad92bcb2c78cd6c53ae7ea7f45271a65f1145c-ol10_aarch64_appstream
httpd-manual-2.4.63-13.0.1.el10_2.4.noarch.rpmaf164e164a3fed56ee58a234538f84f4145d9f9b17d6e21349477868f7f2dae7-ol10_aarch64_appstream
httpd-tools-2.4.63-13.0.1.el10_2.4.aarch64.rpm13bf5709b84480a245f8a0ae289bdebfa2a91c6742031f3a6e68a059c12db5e6-ol10_aarch64_appstream
mod_ldap-2.4.63-13.0.1.el10_2.4.aarch64.rpm9961c118c854a297eb5a9c496fe14b7054ee245ee140cf601e3b74f085841e46-ol10_aarch64_appstream
mod_lua-2.4.63-13.0.1.el10_2.4.aarch64.rpmfdac716198ff0ba4fa6ec6ca0ce93f614d8cfc1d43129dbf9c072f75b67c0600-ol10_aarch64_appstream
mod_proxy_html-2.4.63-13.0.1.el10_2.4.aarch64.rpmc798242db5c7d3adc7d7f78a3297fc1629e0469619bd6979f1398ae8976827d4-ol10_aarch64_appstream
mod_session-2.4.63-13.0.1.el10_2.4.aarch64.rpmfa4a6421c214eea9e5d9060c8b5e3cd0627fbabd652e5e9d0e94a1439ba5c4e9-ol10_aarch64_appstream
mod_ssl-2.4.63-13.0.1.el10_2.4.aarch64.rpma63108ad391ede65559f10596a4dd7173daf7991d83873de64a76d2156e0c243-ol10_aarch64_appstream
Oracle Linux 10 (x86_64) httpd-2.4.63-13.0.1.el10_2.4.src.rpm266b929dfaf62347d462f51b59434385714fa8aeafc1c75cfd2e887fcf0f1670-ol10_x86_64_appstream
httpd-2.4.63-13.0.1.el10_2.4.x86_64.rpm08aece80e064d1fd9bed0425de4901da697e103f8370e09aab0eb32f255a4067-ol10_x86_64_appstream
httpd-core-2.4.63-13.0.1.el10_2.4.x86_64.rpm673158fe31d0298999ee8929b4862c926a3299c6e045f41b1a990c819194e4c9-ol10_x86_64_appstream
httpd-devel-2.4.63-13.0.1.el10_2.4.x86_64.rpmd54dc1d3ebd9b4f75ee68d1ab58c2c9a412684e28915c70f2469d3abb871092f-ol10_x86_64_appstream
httpd-filesystem-2.4.63-13.0.1.el10_2.4.noarch.rpm6f715efe515bdfcd877d425b03ad92bcb2c78cd6c53ae7ea7f45271a65f1145c-ol10_x86_64_appstream
httpd-manual-2.4.63-13.0.1.el10_2.4.noarch.rpmaf164e164a3fed56ee58a234538f84f4145d9f9b17d6e21349477868f7f2dae7-ol10_x86_64_appstream
httpd-tools-2.4.63-13.0.1.el10_2.4.x86_64.rpmc6e88161a94b3adaaf625cb67edb669b0e720144c35c6ff2dd5ebd0e1da56431-ol10_x86_64_appstream
mod_ldap-2.4.63-13.0.1.el10_2.4.x86_64.rpma0bc5eef13a452857fc7a3a85c18fdafca3f99c6a7e0b1e0ad1f83d5a351925c-ol10_x86_64_appstream
mod_lua-2.4.63-13.0.1.el10_2.4.x86_64.rpm9605eac1f463fbae5c3870540b763b3aa3ac0ceb8d85c3ae79a65c08739d132d-ol10_x86_64_appstream
mod_proxy_html-2.4.63-13.0.1.el10_2.4.x86_64.rpmada964e2346d238becce5213ab26ae3c0994c4c93d6cf63803125cef23667b15-ol10_x86_64_appstream
mod_session-2.4.63-13.0.1.el10_2.4.x86_64.rpm0374e10cdd63bc51a049ddfefe26bde0e2e5bd44c748f0f766044b2bcd3072f5-ol10_x86_64_appstream
mod_ssl-2.4.63-13.0.1.el10_2.4.x86_64.rpm0af71e61892bfe4e9cc78b847ff1e58a26c5ec4119c67ff53775de5443d4ec20-ol10_x86_64_appstream



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete