Source: apache2
Version: 2.4.66-8
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.4.66-1~deb13u2
Control: found -1 2.4.66-1~deb13u1
Control: found -1 2.4.66-1~deb12u2
Control: found -1 2.4.66-1~deb12u1
Hi,

The following vulnerabilities were published for apache2. I'm making this RC because of CVE-2026-23918. On 16th May there is a point release for both bookworm and trixie. We were pondering either a DSA or a point release update. Assuming the SRM do not have a problem with it, uploading the fixed version to unstable soonish, followed with pu updates to get the update exposed to the public, would be nice.

CVE-2026-23918[0]:
| Double Free and possible RCE vulnerability in Apache HTTP Server
| with the HTTP/2 protocol. This issue affects Apache HTTP Server:
| 2.4.66. Users are recommended to upgrade to version 2.4.67, which
| fixes the issue.

CVE-2026-24072[1]:
| An escalation of privilege bug in various modules in Apache HTTP
| 2.4.66 and earlier allows local .htaccess authors to read files with
| the privileges of the httpd user. Users are recommended to upgrade
| to version 2.4.67, which fixes this issue.

CVE-2026-29169[2]:
| A NULL pointer dereference in mod_dav_lock in Apache HTTP Server
| 2.4.66 and earlier may allow an attacker to crash the server with a
| malicious request. mod_dav_lock is not used internally by mod_dav or
| mod_dav_fs. The only known use-case for mod_dav_lock was
| mod_dav_svn from Apache Subversion earlier than version 1.2.0.
| Users are recommended to upgrade to version 2.4.66, which fixes this
| issue, or remove mod_dav_lock.

CVE-2026-33006[3]:
| A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66
| allows a bypass of Digest authentication by a remote attacker.
| Users are recommended to upgrade to version 2.4.67, which fixes this
| issue.

CVE-2026-33007[4]:
| A NULL pointer dereference in the mod_authn_socache in Apache HTTP
| Server 2.4.66 and earlier allows an unauthenticated remote user to
| crash a child process in a caching forward proxy configuration.
| Users are recommended to upgrade to version 2.4.67, which fixes this
| issue.
CVE-2026-33523[5]:
| HTTP response splitting vulnerability in multiple Apache HTTP Server
| modules with untrusted or compromised backend servers. This issue
| affects Apache HTTP Server: from through 2.4.66. Users are
| recommended to upgrade to version 2.4.67, which fixes the issue.

CVE-2026-33857[6]:
| Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP
| Server. This issue affects Apache HTTP Server: through 2.4.66.
| Users are recommended to upgrade to version 2.4.67, which fixes the
| issue.

CVE-2026-34032[7]:
| Improper Null Termination, Out-of-bounds Read vulnerability in
| Apache HTTP Server. This issue affects Apache HTTP Server: through
| 2.4.66. Users are recommended to upgrade to version 2.4.67, which
| fixes the issue.

CVE-2026-34059[8]:
| Buffer Over-read vulnerability in Apache HTTP Server. This issue
| affects Apache HTTP Server: through 2.4.66. Users are recommended
| to upgrade to version 2.4.67, which fixes the issue.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-23918
    https://www.cve.org/CVERecord?id=CVE-2026-23918
[1] https://security-tracker.debian.org/tracker/CVE-2026-24072
    https://www.cve.org/CVERecord?id=CVE-2026-24072
[2] https://security-tracker.debian.org/tracker/CVE-2026-29169
    https://www.cve.org/CVERecord?id=CVE-2026-29169
[3] https://security-tracker.debian.org/tracker/CVE-2026-33006
    https://www.cve.org/CVERecord?id=CVE-2026-33006
[4] https://security-tracker.debian.org/tracker/CVE-2026-33007
    https://www.cve.org/CVERecord?id=CVE-2026-33007
[5] https://security-tracker.debian.org/tracker/CVE-2026-33523
    https://www.cve.org/CVERecord?id=CVE-2026-33523
[6] https://security-tracker.debian.org/tracker/CVE-2026-33857
    https://www.cve.org/CVERecord?id=CVE-2026-33857
[7] https://security-tracker.debian.org/tracker/CVE-2026-34032
    https://www.cve.org/CVERecord?id=CVE-2026-34032
[8] https://security-tracker.debian.org/tracker/CVE-2026-34059
    https://www.cve.org/CVERecord?id=CVE-2026-34059

Regards,
Salvatore
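Added triage helper, not part of the bug report above and not code from the apache2 package: the CVE summaries tie several of the issues to specific modules (mod_http2, mod_dav_lock, mod_auth_digest, mod_authn_socache, mod_proxy_ajp, and the proxy modules for the response-splitting issue), so a first pass on a fleet is to compare that list against what each httpd actually has loaded. The script reads the "Loaded Modules" listing that `apache2ctl -M` prints; the embedded sample listing, the helper names and the choice of plain `proxy_module` as the marker for CVE-2026-33523 (whose summary only says "multiple modules") are assumptions made for this example. The three CVEs the summaries do not tie to a module are reported for every host. A loaded module does not by itself mean the vulnerable path is reachable: CVE-2026-33007 needs a caching forward proxy configuration and CVE-2026-33523 an untrusted backend, so treat the output as a worklist, not a verdict.

```shell
#!/bin/sh
# Added triage helper (example code, not from the bug report or apache2).
# Maps modules named in the CVE summaries to modules a running httpd has
# loaded, using the "Loaded Modules" listing printed by `apache2ctl -M`.
#
# Usage on a real host:   apache2ctl -M | sh triage.sh
# Usage on the sample:    sh triage.sh --sample

# Constructed sample of `apache2ctl -M` output (not captured from a real host).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 dav_module (shared)
 dav_lock_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 auth_basic_module (shared)
'

# Module name -> CVE, taken only from what the summaries state.
# CVE-2026-33523 names "multiple modules" with untrusted backends, so plain
# proxy_module is used as its marker (an assumption); other modules map to nothing.
cve_for_module() {
    case "$1" in
        http2_module)         echo "CVE-2026-23918 http2_module: double free, possible RCE (HTTP/2)" ;;
        dav_lock_module)      echo "CVE-2026-29169 dav_lock_module: NULL deref; summary suggests removing the module" ;;
        auth_digest_module)   echo "CVE-2026-33006 auth_digest_module: timing attack, Digest auth bypass" ;;
        authn_socache_module) echo "CVE-2026-33007 authn_socache_module: NULL deref (caching forward proxy config)" ;;
        proxy_ajp_module)     echo "CVE-2026-33857 proxy_ajp_module: out-of-bounds read" ;;
        proxy_module)         echo "CVE-2026-33523 proxy_module: response splitting via untrusted backend" ;;
    esac
}

# Read an `apache2ctl -M` listing on stdin; print one line per applicable CVE.
# CVEs the summaries do not tie to a module apply to any 2.4.66 host and are
# always listed. Output is sorted and deduplicated so it is stable.
triage_modules() {
    {
        echo "CVE-2026-24072 (any config): .htaccess authors read files as the httpd user"
        echo "CVE-2026-34032 (any config): improper null termination, out-of-bounds read"
        echo "CVE-2026-34059 (any config): buffer over-read"
        # Keep only lines of the form " name_module (static|shared)" and extract the name.
        sed -n 's/^ *\([A-Za-z0-9_]*_module\) (.*$/\1/p' |
            while read -r mod; do cve_for_module "$mod"; done
    } | sort -u
}

# Number of applicable CVEs for a listing given on stdin.
count_applicable() {
    triage_modules | grep -c 'CVE-'
}

if [ "${1:-}" = "--sample" ]; then
    printf '%s' "$SAMPLE_MODULES" | triage_modules
fi
```

For the embedded sample the script lists seven entries: the three unconditional CVEs plus the http2, dav_lock, proxy and proxy_ajp findings. Run it across hosts with `ssh host apache2ctl -M | sh triage.sh` and diff the results to decide which machines need the fixed package first and where `a2dismod dav_lock` is the cheaper interim step.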

