Your message dated Tue, 05 May 2026 12:18:36 +0000
with message-id <[email protected]>
and subject line Bug#1135737: fixed in apache2 2.4.67-1
has caused the Debian Bug report #1135737,
regarding apache2: CVE-2026-23918 CVE-2026-24072 CVE-2026-29169 CVE-2026-33006 
CVE-2026-33007 CVE-2026-33523 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135737
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: apache2
Version: 2.4.66-8
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.66-1~deb13u2
Control: found -1 2.4.66-1~deb13u1
Control: found -1 2.4.66-1~deb12u2
Control: found -1 2.4.66-1~deb12u1

Hi,

The following vulnerabilities were published for apache2. I'm making
this RC because of CVE-2026-23918. On 16th May there is a point
release for both bookworm and trixie. We were pondering either a
DSA or a point release update. Assuming the SRM do not have a problem
with it, uploading the fixed version to unstable soonish, followed
with pu updates to get the update exposed to the public, would be nice.

CVE-2026-23918[0]:
| Double Free and possible RCE vulnerability in Apache HTTP Server
| with the HTTP/2 protocol.  This issue affects Apache HTTP Server:
| 2.4.66.  Users are recommended to upgrade to version 2.4.67, which
| fixes the issue.


CVE-2026-24072[1]:
| An escalation of privilege bug in various modules in Apache HTTP
| 2.4.66 and earlier allows local .htaccess authors to read files with
| the privileges of the httpd user.  Users are recommended to upgrade
| to version 2.4.67, which fixes this issue.


CVE-2026-29169[2]:
| A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
| 2.4.66 and earlier may allow an attacker to crash the server with a
| malicious request. mod_dav_lock is not used internally by mod_dav or
| mod_dav_fs.  The only known use-case for mod_dav_lock was
| mod_dav_svn from Apache Subversion earlier than version 1.2.0.
| Users are recommended to upgrade to version 2.4.66, which fixes this
| issue, or remove mod_dav_lock.


CVE-2026-33006[3]:
| A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66
| allows a bypass of Digest authentication by a remote attacker.
| Users are recommended to upgrade to version 2.4.67, which fixes this
| issue.


CVE-2026-33007[4]:
| A NULL pointer dereference in the mod_authn_socache in Apache HTTP
| Server 2.4.66 and earlier allows an unauthenticated remote user to
| crash a child process in a caching forward proxy configuration.
| Users are recommended to upgrade to version 2.4.67, which fixes this
| issue.


CVE-2026-33523[5]:
| HTTP response splitting vulnerability in multiple Apache HTTP Server
| modules with untrusted or compromised backend servers.  This issue
| affects Apache HTTP Server: through 2.4.66.  Users are
| recommended to upgrade to version 2.4.67, which fixes the issue.


CVE-2026-33857[6]:
| Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP
| Server.  This issue affects Apache HTTP Server: through 2.4.66.
| Users are recommended to upgrade to version 2.4.67, which fixes the
| issue.


CVE-2026-34032[7]:
| Improper Null Termination, Out-of-bounds Read vulnerability in
| Apache HTTP Server.  This issue affects Apache HTTP Server: through
| 2.4.66.  Users are recommended to upgrade to version 2.4.67, which
| fixes the issue.


CVE-2026-34059[8]:
| Buffer Over-read vulnerability in Apache HTTP Server.  This issue
| affects Apache HTTP Server: through 2.4.66.  Users are recommended
| to upgrade to version 2.4.67, which fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23918
    https://www.cve.org/CVERecord?id=CVE-2026-23918
[1] https://security-tracker.debian.org/tracker/CVE-2026-24072
    https://www.cve.org/CVERecord?id=CVE-2026-24072
[2] https://security-tracker.debian.org/tracker/CVE-2026-29169
    https://www.cve.org/CVERecord?id=CVE-2026-29169
[3] https://security-tracker.debian.org/tracker/CVE-2026-33006
    https://www.cve.org/CVERecord?id=CVE-2026-33006
[4] https://security-tracker.debian.org/tracker/CVE-2026-33007
    https://www.cve.org/CVERecord?id=CVE-2026-33007
[5] https://security-tracker.debian.org/tracker/CVE-2026-33523
    https://www.cve.org/CVERecord?id=CVE-2026-33523
[6] https://security-tracker.debian.org/tracker/CVE-2026-33857
    https://www.cve.org/CVERecord?id=CVE-2026-33857
[7] https://security-tracker.debian.org/tracker/CVE-2026-34032
    https://www.cve.org/CVERecord?id=CVE-2026-34032
[8] https://security-tracker.debian.org/tracker/CVE-2026-34059
    https://www.cve.org/CVERecord?id=CVE-2026-34059

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: apache2
Source-Version: 2.4.67-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 May 2026 13:50:27 +0200
Source: apache2
Architecture: source
Version: 2.4.67-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1135737
Changes:
 apache2 (2.4.67-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #1135737, CVE-2026-23918, CVE-2026-24072,
     CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523,
     CVE-2026-33857, CVE-2026-34032, CVE-2026-34059)
   * Refresh patches
Checksums-Sha1: 
 03abe5d1064ac826d3568486ef66db8eb5d49058 3582 apache2_2.4.67-1.dsc
 46e72f3395f75d49d6c8ab20c31521bf1a3d8107 9714011 apache2_2.4.67.orig.tar.gz
 837c2618ed0b131cdab25466f45bceb7fb73c291 870 apache2_2.4.67.orig.tar.gz.asc
 a3774522e2c454c9ad65c1afe61481c62d9e13cb 832384 apache2_2.4.67-1.debian.tar.xz
Checksums-Sha256: 
 871f0d5de873916eeb3cd7a9d99777ceb8e0c14f3d92e8ae6ade6186c39618e7 3582 apache2_2.4.67-1.dsc
 10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 9714011 apache2_2.4.67.orig.tar.gz
 d8a6e18c2f892aa901121d14852717bddf42e430b0f48f853a4effce7b89f348 870 apache2_2.4.67.orig.tar.gz.asc
 1a4b30dcc19dd70b76f1014c376a6290bfdc4ba98d0f86016ded200cc9d2c8fe 832384 apache2_2.4.67-1.debian.tar.xz
Files: 
 d4889b32754733ba60218148977cb3a8 3582 httpd optional apache2_2.4.67-1.dsc
 cf51fc1963b35360240f4225c2921d4b 9714011 httpd optional apache2_2.4.67.orig.tar.gz
 8831f0957bcf06bb810d7def20d5d790 870 httpd optional apache2_2.4.67.orig.tar.gz.asc
 a51aef09ccda5c52b7211fac1406698e 832384 httpd optional apache2_2.4.67-1.debian.tar.xz
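The Checksums-Sha256 stanza above is what lets anyone who downloads the source package check that the .dsc, orig tarball, its upstream signature and the debian tarball are the bytes the uploader signed. The script below is an added example, not part of this bug report or of the apache2 package: it parses that stanza out of a .changes file and compares each listed file's size and SHA-256 against the copy on disk. It assumes POSIX sh with awk, wc and a coreutils-style sha256sum; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: verify the files listed in a .changes file's
# Checksums-Sha256 stanza (format: " <sha256> <size> <filename>" per line,
# stanza ends at the next non-indented field such as "Files:").

# Print "<sha256> <size> <filename>" for every entry in the stanza.
changes_sha256_entries() {
    awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        in_stanza && /^[^ ]/  { in_stanza = 0 }
        in_stanza && NF == 3  { print $1, $2, $3 }
    ' "$1"
}

# verify_changes_sha256 CHANGES_FILE DIR
# Returns 0 when every listed file exists in DIR with the listed size and
# SHA-256, 1 on any missing or mismatching file, 2 if the stanza is absent.
verify_changes_sha256() {
    changes_file=$1
    dir=$2
    entries=$(changes_sha256_entries "$changes_file")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 stanza in $changes_file" >&2
        return 2
    fi
    status=0
    # Here-document rather than a pipe so the loop runs in the current
    # shell and $status survives it.
    while read -r expected_sum expected_size name; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING: $name" >&2
            status=1
            continue
        fi
        actual_size=$(wc -c < "$path" | tr -d ' ')
        actual_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual_size" -ne "$expected_size" ]; then
            echo "SIZE MISMATCH: $name ($actual_size bytes, expected $expected_size)" >&2
            status=1
        elif [ "$actual_sum" != "$expected_sum" ]; then
            echo "SHA256 MISMATCH: $name" >&2
            status=1
        else
            echo "OK: $name"
        fi
    done <<EOF
$entries
EOF
    return $status
}

# Usage: verify_changes_sha256 apache2_2.4.67-1_source.changes .
```

The size is checked before the hash so a truncated download is reported as such rather than as an opaque hash mismatch. The checksums only bind the files to the .changes file; that file is itself only trustworthy after its PGP signature (the `BEGIN PGP SIGNED MESSAGE` block above) has been verified against the uploader's key, which this example does not do.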

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpCssMV4KNDQ.pgp
Description: PGP signature


--- End Message ---
