Release date:
2026-06-22 19:49:10 UTC
Description:
* SECURITY UPDATE: NULL pointer dereference in mod_dav_lock indirect-lock
refresh
- debian/patches/CVE-2026-29169.patch: replace all six dp-> reads in
the indirect-lock branch of dav_generic_refresh_locks() with the
resolved dp_scan->... values in modules/dav/lock/locks.c so a crafted
WebDAV LOCK refresh against a resource that only inherits an indirect
lock from a parent no longer dereferences NULL via dp->locktoken /
dp->f.scope / dp->owner. Upstream fix
225dc070adba11040b774cf641e1d8bc79941643 (SVN r1933354).
- CVE-2026-29169
Updated packages:
-
apache2_2.4.18-2ubuntu3.17+tuxcare.els21_amd64.deb
sha:70bc07705ee116c4c3891ec8f2b9b0729eb35bc7
-
apache2-bin_2.4.18-2ubuntu3.17+tuxcare.els21_amd64.deb
sha:82bc68ac5c506a169861170aac4e3f91b58bf391
-
apache2-data_2.4.18-2ubuntu3.17+tuxcare.els21_all.deb
sha:47ababde182844db19654107b769eb3aadce9ba1
-
apache2-dev_2.4.18-2ubuntu3.17+tuxcare.els21_amd64.deb
sha:391fc0c39acfd003ef916f20960af5fa2b3ce1c4
-
apache2-doc_2.4.18-2ubuntu3.17+tuxcare.els21_all.deb
sha:c7aa206270c693ffb8e5e6457ec7fc53ab50867c
-
apache2-suexec-custom_2.4.18-2ubuntu3.17+tuxcare.els21_amd64.deb
sha:d55c41b2424e0af47f77b4476ff6106fe3936238
-
apache2-suexec-pristine_2.4.18-2ubuntu3.17+tuxcare.els21_amd64.deb
sha:3f41a5d27acd89c299ba72328afbe71125c7eef8
-
apache2-utils_2.4.18-2ubuntu3.17+tuxcare.els21_amd64.deb
sha:019995ab3249815661731d39d6b972cadbd2bf18
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.