httpd:2.4 security update
Errata ID: AXSA:2025-10834:01
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: insufficient escaping of user-supplied data in mod_ssl (CVE-2024-47252)
* httpd: mod_ssl: access control bypass by trusted clients is possible using TLS 1.3 session resumption (CVE-2025-23048)
* httpd: mod_proxy_http2: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)
* httpd: HTTP Session Hijack via a TLS upgrade (CVE-2025-49812)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
CVE-2025-23048
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
CVE-2025-49630
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations are affected when a reverse proxy is configured for an HTTP/2 backend with ProxyPreserveHost set to "on".
CVE-2025-49812
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
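As an added defender-side example that is not part of this advisory, the following Python script audits an httpd configuration for the four preconditions the CVE texts above describe (an unescaped `%{...}x`/`%{...}c` mod_ssl variable in a CustomLog format, per-vhost client-CA trust without SSLStrictSNIVHostCheck, an h2 backend behind ProxyPreserveHost on, and SSLEngine optional). The sample configuration, ServerNames and paths are constructed, and treating global directives as inherited by every vhost is a simplification of httpd's real merging rules.

```python
import re
# Constructed httpd.conf fragment (not from a real host); it trips all four checks.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName a.example.test
    SSLCACertificateFile /etc/pki/tls/ca-a.pem
    CustomLog logs/ssl_a.log "%h %{SSL_TLS_SNI}x %r"
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.test
    SSLEngine optional
    SSLCACertificateFile /etc/pki/tls/ca-b.pem
    ProxyPreserveHost on
    ProxyPass / h2://backend.internal/
</VirtualHost>
"""
def parse(conf):
    """Split httpd.conf text into (global, [per-vhost]) lists of (lowercased directive, value)."""
    glob, vhosts, cur = [], [], None
    for line in map(str.strip, conf.splitlines()):
        if line.lower().startswith("<virtualhost"):
            vhosts.append(cur := [])
        elif line.lower() == "</virtualhost>":
            cur = None
        elif line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            (glob if cur is None else cur).append((name.lower(), value.strip()))
    return glob, vhosts

def audit(conf):
    """Map each CVE in the advisory to the ServerNames whose effective directives match its preconditions."""
    glob, vhosts = parse(conf)
    hits = {"CVE-2024-47252": [], "CVE-2025-23048": [], "CVE-2025-49630": [], "CVE-2025-49812": []}
    for vh in vhosts:
        # Global directives are treated as inherited by every vhost (an approximation of httpd merging).
        vals = lambda pat: [v.lower() for k, v in glob + vh if re.fullmatch(pat, k)]
        name = (vals("servername") or ["<unnamed>"])[0]
        # 47252: mod_ssl variables logged unescaped through %{...}x / %{...}c in a CustomLog format.
        if any(re.search(r"%\{[^}]+\}[xc]", v) for v in vals("customlog")):
            hits["CVE-2024-47252"].append(name)
        # 23048: vhost trusts its own client CA with SSLStrictSNIVHostCheck off; only reported for 2+ such vhosts.
        if vals("sslcacertificate(file|path)") and "on" not in vals("sslstrictsnivhostcheck"):
            hits["CVE-2025-23048"].append(name)
        # 49630: an h2:// or h2c:// backend reverse-proxied with ProxyPreserveHost on.
        if "on" in vals("proxypreservehost") and any(re.search(r"\bh2c?://", v) for v in vals("proxypass")):
            hits["CVE-2025-49630"].append(name)
        # 49812: "SSLEngine optional" enables the TLS upgrade path that 2.4.64 removes.
        if "optional" in vals("sslengine"):
            hits["CVE-2025-49812"].append(name)
    return {c: n for c, n in hits.items() if n and (c != "CVE-2025-23048" or len(n) > 1)}
```

Running `audit(SAMPLE_CONF)` reports all four CVEs against the constructed vhosts; adding a global `SSLStrictSNIVHostCheck on`, `SSLEngine on` and `ProxyPreserveHost off` leaves only the CustomLog finding.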
Modularity name: "httpd"
Stream name: "2.4"
Update packages.
N/A
SRPMS
- httpd-2.4.37-65.module+el8+1904+a733c437.5.ML.1.src.rpm
MD5: bac426117ff33a86d7f6bb1dfd61c49c
SHA-256: ebd610eb01a45d656ef6e07c4df708295fb48413ce6210183bec0100deef0367
Size: 6.98 MB
- mod_http2-1.15.7-10.module+el8+1904+a733c437.4.src.rpm
MD5: a689f95206a917ced3765d81c9d885c4
SHA-256: 653110a86ea3bd5f9a5af898c1b73f1d81b3b35babae981b2ff2ed34171fbdcb
Size: 1.02 MB
- mod_md-2.0.8-8.module+el8+1904+a733c437.src.rpm
MD5: da2c7812a0dbbc9e6d3c11fc717ecac4
SHA-256: 5eabb1319062f2569e443b6bcdd987e4bf145ad5f821aedd15c423a818c9f3cd
Size: 635.32 kB
Asianux Server 8 for x86_64
- httpd-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: 11af451387e2630187def43eac8f6f7c
SHA-256: 08859edfcc3ba570f21a05c8fde7d4108b1b4501b9df3e08586f25598753686e
Size: 1.42 MB
- httpd-debugsource-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: f796952bad6c8863c118786946d08961
SHA-256: 15c3cf9f9c7a6f27db422fad7e34be9488cc936a610f02914ab850814d5fabc3
Size: 1.46 MB
- httpd-devel-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: 950652b1bf1ed7f5b5dc9e11b46941f5
SHA-256: dfbcc77c6d23b5674ef3835b957bbc16c31aa8a6dce869f4f2774f1449581830
Size: 228.74 kB
- httpd-filesystem-2.4.37-65.module+el8+1904+a733c437.5.ML.1.noarch.rpm
MD5: c08c6e79c76f1d31e19948892084f31b
SHA-256: 90d3b251d7eb258e0545ed01d036c2d33365eb7fd550bd5fb2feb8fe76b990ae
Size: 44.89 kB
- httpd-manual-2.4.37-65.module+el8+1904+a733c437.5.ML.1.noarch.rpm
MD5: 16feed122f0e013472b32e6feeb07426
SHA-256: a889b2dc9a6b9d52ce6cc803decd11430d33a75a40ea2539877c9d2223e16b79
Size: 2.38 MB
- httpd-tools-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: bedd287a46416af418517b65f0bad5af
SHA-256: c3cafaca54d67501e8bacfa764f4c439abab03c12bac8ecb44e395cb7c2201a9
Size: 112.07 kB
- mod_http2-1.15.7-10.module+el8+1904+a733c437.4.x86_64.rpm
MD5: 0cf0a34c9f4c87dff100da1553702f86
SHA-256: 446b12c3c6c789a9f3fc418ca003ab01d623e3844320c6a8c88c4a09218b944e
Size: 155.00 kB
- mod_http2-debugsource-1.15.7-10.module+el8+1904+a733c437.4.x86_64.rpm
MD5: 7bbf68136278393ef1cd59af36cdad7b
SHA-256: 2f0eac5e81832987d286242b78e78da06f46845bb1c1a8ee63f85e5ac42b1799
Size: 148.67 kB
- mod_ldap-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: cefeedd84319fb423c3d4c2ca759847b
SHA-256: 578734d9e3a4d49898fc2c8ac63b527cd0e0f53f6ae9d93ccad9f75d34d4b406
Size: 90.20 kB
- mod_md-2.0.8-8.module+el8+1904+a733c437.x86_64.rpm
MD5: f1a4cf2465cbb3b0eb618accafa722d0
SHA-256: c2b1c7af5c28a02e0359a7d84fea10d5bdad00521ad2df5bacecc2bd8695b163
Size: 183.66 kB
- mod_md-debugsource-2.0.8-8.module+el8+1904+a733c437.x86_64.rpm
MD5: f4b87a6a8bd7b8fd91c0e572b4adfa56
SHA-256: ec9640e154e9cc7c0df49e61a695ecc125b561bc4049895bacf027c5141f4cd3
Size: 126.24 kB
- mod_proxy_html-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: c915f67cd12f8d7d8947bd31a55346d5
SHA-256: 24fb5de29b741b9ec9d68041c81161c32cf005df718143337d2d10852ff7922d
Size: 67.39 kB
- mod_session-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: eb405fc475cae9164b11cccda928cce2
SHA-256: 7e1aa34ddb368b00eb94e897a350e33792990faee48367bb46fa65f366e1fb92
Size: 78.98 kB
- mod_ssl-2.4.37-65.module+el8+1904+a733c437.5.ML.1.x86_64.rpm
MD5: def338b3d9211b873db317ce8d65e36b
SHA-256: ff84de925d94faff979a763b6e26393fe621249bef1a8e9ef77274d1e1fb0bf4
Size: 141.40 kB