httpd-2.4.6-99.1.0.10.el7.AXS7

エラータID: AXSA:2025-10901:08

Release date: 
Monday, September 29, 2025 - 10:56
Subject: 
httpd-2.4.6-99.1.0.10.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The Apache HTTP Server is a powerful, efficient, and extensible
web server.

Security Fix(es):

* CVE-2024-47252: escape user-supplied data in mod_ssl to prevent untrusted
SSL/TLS clients from inserting escape characters into log files
* CVE-2025-49812: remove support for TLS upgrade to prevent HTTP
desynchronisation attack

CVE(s):
CVE-2025-49812
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Solution: 

Update packages.

CVEs: 
CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
CVE-2025-49812
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
Additional Info: 

N/A

Download: 

Asianux Server 7 for x86_64
  1. httpd-2.4.6-99.1.0.10.el7.AXS7.x86_64.rpm
    MD5: 636e3728d9f9f3987706a93c4cdf55c5
    SHA-256: b553d31c00cc80f48b6b8f3767d3647e58d6bc22a08bc559d067fed6df5053d2
    Size: 1.20 MB
  2. httpd-devel-2.4.6-99.1.0.10.el7.AXS7.x86_64.rpm
    MD5: 394f23b884254c89b38bbe899c8565b7
    SHA-256: 8554c3294e41c725fd231b7413e79f9fd4d0b40e9041bd2ab60a7298857cfb0d
    Size: 202.79 kB
  3. httpd-manual-2.4.6-99.1.0.10.el7.AXS7.noarch.rpm
    MD5: 7f0e76a55cb51ec84af05bb6a8723606
    SHA-256: 74ad8c68587e4e276d0c06b3f9ef98d47aa055706babafa25c7b1054bd680944
    Size: 1.35 MB
  4. httpd-tools-2.4.6-99.1.0.10.el7.AXS7.x86_64.rpm
    MD5: 316386c99224101524cf6c5005f16b03
    SHA-256: cf5eca2a0859903e38420c597bddb9fdf578515781e72a0d033c47c29ed20ec3
    Size: 95.76 kB
  5. mod_session-2.4.6-99.1.0.10.el7.AXS7.x86_64.rpm
    MD5: 5133e30170de418a0bad134970f6292f
    SHA-256: 60d0d03e3f7e02901d85d65f27f69f652914cb392b76ce6670711877fee9b8c8
    Size: 65.82 kB
  6. mod_ssl-2.4.6-99.1.0.10.el7.AXS7.x86_64.rpm
    MD5: 1f40a864932721f9fe6abe41858904f6
    SHA-256: 814ac5c01804fe6b06bb7d7102ba509d65502649c3c9e36ecdbc9f8118655fcb
    Size: 116.50 kB