[security - high] httpd:2.4 security update
Errata ID: AXSA:2026-762:01
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.
Security Fix(es):
* httpd: Apache HTTP Server: HTTP/2 DoS by Memory Increase (CVE-2025-53020)
* httpd: mod_proxy_ajp: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059)
* httpd: mod_proxy_ajp: heap-based buffer over-read due to missing null-termination check (CVE-2026-34032)
* httpd: mod_proxy_ajp: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857)
* httpd: mod_authn_socache: NULL pointer dereference can cause a child process crash (CVE-2026-33007)
* Apache HTTP Server: mod_proxy_ajp: Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-53020
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue.
CVE-2026-28780
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server, that server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker-controlled bytes after the end of a heap-based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-33007
A NULL pointer dereference in mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
CVE-2026-33857
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-34032
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVE-2026-34059
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Modularity name: "httpd"
Stream name: "2.4"
Update packages.
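To decide which of the CVEs above matter on a given host before the update is rolled out, the following added example (not part of the original advisory) maps each CVE to the module this advisory names and reports the configuration lines that show the module in use, including every ajp:// backend whose responses mod_proxy_ajp parses. It assumes the caller passes the concatenated httpd configuration as text; it does not follow Include directives or detect statically compiled modules, and the sample configuration and host name are constructed.

```python
import re

# Module -> CVEs, as listed in this advisory's "Security Fix(es)" section.
MODULE_CVES = {
    "proxy_ajp_module": ["CVE-2026-34059", "CVE-2026-34032",
                         "CVE-2026-33857", "CVE-2026-28780"],
    "authn_socache_module": ["CVE-2026-33007"],
    "http2_module": ["CVE-2025-53020"],
}
# Directives relevant to the conditions the advisory names: AJP backends,
# authn caching / forward proxying, and HTTP/2 being offered.
EVIDENCE = {
    "proxy_ajp_module": re.compile(r"ajp://[^\s\"'>]+", re.I),
    "authn_socache_module": re.compile(
        r"^(?:AuthnCache\w+|ProxyRequests\s+On)\b.*", re.I),
    "http2_module": re.compile(r"^Protocols\b.*\bh2c?\b.*", re.I),
}
LOADMODULE = re.compile(r"^LoadModule\s+(\S+)\s+\S+", re.I)

def triage(config_text):
    """Map each CVE to the config lines that make it relevant to this host."""
    loaded = set()
    hits = {name: [] for name in EVIDENCE}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        m = LOADMODULE.match(line)
        if m:
            loaded.add(m.group(1))
        for name, pattern in EVIDENCE.items():
            hits[name] += pattern.findall(line)
    findings = {}
    for module, cves in MODULE_CVES.items():
        if module in loaded:
            for cve in cves:
                findings[cve] = [f"LoadModule {module}"] + hits[module]
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule http2_module modules/mod_http2.so
# LoadModule authn_socache_module modules/mod_authn_socache.so
Protocols h2 http/1.1
ProxyPass "/app" "ajp://tomcat.internal.example:8009/app"
"""

if __name__ == "__main__":
    for cve, evidence in sorted(triage(SAMPLE).items()):
        print(cve, "->", "; ".join(evidence))
```

A CVE missing from the result means its module is not loaded by the supplied configuration; the packages should still be updated.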
SRPMS
- httpd-2.4.37-65.module+el8+1987+b530058c.8.ML.1.src.rpm
Size: 7.00 MB
- mod_http2-1.15.7-10.module+el8+1987+b530058c.5.src.rpm
Size: 1.03 MB
- mod_md-2.0.8-8.module+el8+1987+b530058c.2.src.rpm
Size: 636.08 kB
Asianux Server 8 for x86_64
- httpd-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 1.42 MB
- httpd-debugsource-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 1.46 MB
- httpd-devel-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 230.08 kB
- httpd-filesystem-2.4.37-65.module+el8+1987+b530058c.8.ML.1.noarch.rpm
Size: 46.23 kB
- httpd-manual-2.4.37-65.module+el8+1987+b530058c.8.ML.1.noarch.rpm
Size: 2.38 MB
- httpd-tools-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 113.40 kB
- mod_http2-1.15.7-10.module+el8+1987+b530058c.5.x86_64.rpm
Size: 155.58 kB
- mod_http2-debugsource-1.15.7-10.module+el8+1987+b530058c.5.x86_64.rpm
Size: 149.51 kB
- mod_ldap-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 91.55 kB
- mod_md-2.0.8-8.module+el8+1987+b530058c.2.x86_64.rpm
Size: 183.58 kB
- mod_md-debugsource-2.0.8-8.module+el8+1987+b530058c.2.x86_64.rpm
Size: 126.48 kB
- mod_proxy_html-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 68.74 kB
- mod_session-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 80.28 kB
- mod_ssl-2.4.37-65.module+el8+1987+b530058c.8.ML.1.x86_64.rpm
Size: 143.70 kB