httpd-2.4.62-4.el9_6.4

Errata ID: AXSA:2025-10819:07

Release date: Wednesday, September 3, 2025 - 14:07
Subject: httpd-2.4.62-4.el9_6.4
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

Security Fix(es):

* httpd: insufficient escaping of user-supplied data in mod_ssl (CVE-2024-47252)
* httpd: mod_ssl: access control bypass by trusted clients is possible using TLS 1.3 session resumption (CVE-2025-23048)
* httpd: HTTP Session Hijack via a TLS upgrade (CVE-2025-49812)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
CVE-2025-23048
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
CVE-2025-49812
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
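
A configuration audit for the three affected setups described above, as an added example that is not part of the advisory or the httpd project: it flags `%{varname}x`/`%{varname}c` log formats, `SSLEngine optional`, and virtual hosts with differing `SSLCACertificateFile/Path` settings and no `SSLStrictSNIVHostCheck on`. The function name `audit`, the sample configuration, and treating a server-level `SSLStrictSNIVHostCheck on` as covering every virtual host are assumptions.

```python
import re

LOG_VAR = re.compile(r'%\{[^}]+\}[xc]')  # "%{varname}x" / "%{varname}c"
CA_DIR = re.compile(r'SSLCACertificate(?:File|Path)\s+(\S+)', re.I)
STRICT_ON = re.compile(r'SSLStrictSNIVHostCheck\s+on\b', re.I)

# Constructed sample configuration (hostnames and paths are made up).
SAMPLE = '''
CustomLog logs/ssl_log "%t %h %{SSL_TLS_SNI}x %>s"
<VirtualHost *:443>
  ServerName a.example.test
  SSLCACertificateFile /etc/pki/ca-a.pem
</VirtualHost>
<VirtualHost *:443>
  ServerName b.example.test
  SSLCACertificateFile /etc/pki/ca-b.pem
</VirtualHost>
<VirtualHost *:80>
  SSLEngine optional
</VirtualHost>
'''

def audit(conf_text):
    """Return sorted (cve, line_no) pairs for directives the advisory names."""
    findings, vhosts, cur, global_strict = set(), [], None, False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        low = line.lower()
        if low.startswith(('customlog', 'logformat')) and LOG_VAR.search(line):
            findings.add(('CVE-2024-47252', n))  # mod_ssl variable written to a log
        elif re.match(r'sslengine\s+optional\b', low):
            findings.add(('CVE-2025-49812', n))  # TLS upgrade enabled
        elif low.startswith('<virtualhost'):
            cur = {'line': n, 'cas': set(), 'strict': False}
        elif low.startswith('</virtualhost') and cur:
            vhosts.append(cur)
            cur = None
        elif STRICT_ON.match(line):
            if cur is None:
                global_strict = True  # assumption: server-level setting covers all vhosts
            else:
                cur['strict'] = True
        elif cur is not None and CA_DIR.match(line):
            cur['cas'].add(CA_DIR.match(line).group(1))
    # Client-certificate vhosts without the strict check whose CA settings differ.
    loose = [v for v in vhosts if v['cas'] and not (v['strict'] or global_strict)]
    if len({frozenset(v['cas']) for v in loose}) > 1:
        findings.update(('CVE-2025-23048', v['line']) for v in loose)
    return sorted(findings)
```

A finding marks a line to review, not proof of exposure; whether the installed package is affected depends on its version.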

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. httpd-2.4.62-4.el9_6.4.src.rpm
    MD5: 9ab4acb6e3a9f0cbb545d5ebe7baa5c0
    SHA-256: e4c698cf96031dfb187ad436d6ebb500dd16c17d10e0d8bd47b8bea7de11d763
    Size: 7.63 MB

Asianux Server 9 for x86_64
  1. httpd-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: edb7352e70a77fd8486dbf045f6607db
    SHA-256: b4b0c4cb6469afe53c73c7cfcec0eedb98d7466086edf471062f86c78c3aed1d
    Size: 49.89 kB
  2. httpd-core-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: c378372cbf59b7432deb8878a6c1b82a
    SHA-256: c72aabbe7a10fe93f4c6af1501cc419a1046c8bac12b930301d9f0ebdc641d82
    Size: 1.48 MB
  3. httpd-devel-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: b1c69d779071f3048700501a2ac84abf
    SHA-256: 3518dd7431bcd09f8e9ecd5a5571a9afd1032a1e8caac2195b66749448c13f1d
    Size: 210.25 kB
  4. httpd-filesystem-2.4.62-4.el9_6.4.noarch.rpm
    MD5: f2bb90930930d941e39c629d77d38521
    SHA-256: d0a12dfb6c1aa67e37111fa405ea08fff3ea714e9bc83050c601e73d95f03446
    Size: 11.42 kB
  5. httpd-manual-2.4.62-4.el9_6.4.noarch.rpm
    MD5: e50fe0661991e623eec6ce699d4be1e0
    SHA-256: 26f0d862f5d22b043bd0f0a7c5ecec77f224d8693375fd001a422afe7159622f
    Size: 2.30 MB
  6. httpd-tools-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: 177b11657becfc77dce6f8a5063b2366
    SHA-256: 4a7a3a7c757bb07e024c3a7794b076db6ce20b050aa13475694deeb04b743646
    Size: 83.50 kB
  7. mod_ldap-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: 55123a94d3fd88e08a4cde3cc6867640
    SHA-256: c0262442d4ed7b4e61998f9ee055996de2e8dd0674458a0396a774242addd2f9
    Size: 59.14 kB
  8. mod_lua-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: 48987bdf89f06c94e496c20c5a7f1592
    SHA-256: 34ba5e3071550ecdff635c79e72ada98ea2a3a0593d0810459fb95627cca46ea
    Size: 58.21 kB
  9. mod_proxy_html-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: d48be9215bc2161980798b17b3cd487d
    SHA-256: 0777576a7ecb531cd506d969c9c4f87cd3e3e4ba02c7decb1f6206bd5d7c4dff
    Size: 34.03 kB
  10. mod_session-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: 12b5f82f3a59b3f46bc893862d20e33c
    SHA-256: 6f1edeb180d2282554d60eede66270dedc3cca8469d62843ed2de5c3f9138bca
    Size: 46.05 kB
  11. mod_ssl-2.4.62-4.el9_6.4.x86_64.rpm
    MD5: 66b0637ba5e88d103755de7759b35789
    SHA-256: 3db8d1a221fb37a30122fccb6f1bbde9582a8e3c5cd089d802eaf8cd47b6a3d1
    Size: 107.98 kB