httpd security update

2.4.6-99.0.9.1 - Fix CVE-2025-58098 Orabug: 38816066 2.4.6-99.0.7.1 - Fixed security update CVE-2024-47252 CVE-2025-49812 Orabug: 38378160 2.4.6-99.0.5.1 - Differentiate trusted sources Orabug: 37100272CVE-2024-38476 2.4.6-99.0.3.1 - Opt-ins for unsafe prefixstat and %3f Orabug:...

CLSA-2024-1735125596 Update of httpd

modsession: Fix separator parsing...

SUSE CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

SUSE CVE-2018-1283

In Apache httpd 2.4.0 to 2.4.29, when modsession is configured to forward its session data to CGI applications SessionEnv on, not the default, a remote user may influence their content by using a "Session" header. This comes from the "HTTPSESSION" variable name used by modsession to forward its...

SUSE CVE-2018-17199

In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...

SUSE CVE-2021-26690

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service...

VulnCheck KEV: CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding...

CLSA-2022-1643747448 Fix of CVE: CVE-2021-26690, CVE-2021-30641, CVE-2021-40438

CVE-2021-40438: modproxy: SSRF via a crafted request uri-path - CVE-2021-30641: MergeSlashes regression - CVE-2021-26690: modsession NULL pointer dereference in parser...

httpd: mod_session: Heap overflow via a crafted SessionHeader value

A heap overflow flaw was found In Apache httpd modsession. The highest threat from this vulnerability is to system availability...

httpd: mod_session: NULL pointer dereference when parsing Cookie header

A NULL pointer dereference was found in Apache httpd modsession. The highest threat from this vulnerability is to system availability...

httpd: mod_session: Heap overflow via a crafted SessionHeader value

A heap overflow flaw was found In Apache httpd modsession. The highest threat from this vulnerability is to system availability...

httpd: mod_session: NULL pointer dereference when parsing Cookie header

A NULL pointer dereference was found in Apache httpd modsession. The highest threat from this vulnerability is to system availability...

httpd: mod_session: NULL pointer dereference when parsing Cookie header

A NULL pointer dereference was found in Apache httpd modsession. The highest threat from this vulnerability is to system availability...

Apache HTTP Server mod_session response handling heap overflow

...

mod_session NULL pointer dereference

...

AZL-6476 CVE-2021-26690 affecting package httpd for versions less than 2.4.46-10

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service...

httpd: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...

PT-2021-3579 · Apache +9 · Apache Http Server +9

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.0 through 2.4.46 Description: The issue is related to a NULL pointer dereference caused by a specially crafted Cookie header handled by mod session, which can lead to a crash and a possible Denial Of Service...

httpd: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...

httpd: mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...