Release date:
2026-06-24 09:33:40 UTC
Description:
* SECURITY UPDATE: mod_proxy_ftp infinite loop in Retry-After parsing
- debian/patches/CVE-2026-44186.patch: advance secs_str in the
digit-scan loop in modules/proxy/mod_proxy_ftp.c.
- CVE-2026-44186
* SECURITY UPDATE: mod_ssl OCSP request corruption on short socket write
- debian/patches/CVE-2026-44185.patch: advance the write buffer by the
bytes actually sent (wlen) in modules/ssl/ssl_util_ocsp.c.
- CVE-2026-44185
* SECURITY UPDATE: ap_regname unbounded capture-group allocation (DoS)
- debian/patches/CVE-2026-44631.patch: read capture index bytes as
unsigned and reject captures > 1024 in server/util_pcre.c, and treat
a negative ap_regname() return as an error in server/core.c and
modules/proxy/mod_proxy.c.
- CVE-2026-44631
* SECURITY UPDATE: ap_expr file functions exposable from .htaccess
- debian/patches/CVE-2026-44119.patch: restrict file functions/tests
centrally in ap_expr_parse_cmd_mi() via a new
AP_EXPR_FLAG_RESTRICTED_FILE_FUNC flag in include/ap_expr.h and
server/util_expr_eval.c, dropping the per-module restriction in
modules/mappers/mod_rewrite.c and modules/metadata/mod_setenvif.c.
- CVE-2026-44119
Updated packages:
-
apache2_2.4.18-2ubuntu3.17+tuxcare.els22_amd64.deb
sha:a1ddcdad9b3bf680a9e08b9ecbfe275a4d8434ea
-
apache2-bin_2.4.18-2ubuntu3.17+tuxcare.els22_amd64.deb
sha:03529de79a6a5f235f2b5b50aca5ce34f81338ae
-
apache2-data_2.4.18-2ubuntu3.17+tuxcare.els22_all.deb
sha:6d7a1a794c424a97d50a2421f4ef6d1b7b91bf12
-
apache2-dev_2.4.18-2ubuntu3.17+tuxcare.els22_amd64.deb
sha:56c3cd92424e0c252b6fa338ea5e9599f4d9c12f
-
apache2-doc_2.4.18-2ubuntu3.17+tuxcare.els22_all.deb
sha:97d676498cb3bf1a80e92da8c3e33a33fc46220c
-
apache2-suexec-custom_2.4.18-2ubuntu3.17+tuxcare.els22_amd64.deb
sha:cf233e6869562168b4e973727821b85babf1cb94
-
apache2-suexec-pristine_2.4.18-2ubuntu3.17+tuxcare.els22_amd64.deb
sha:67f39f17665cdd5cf3fc95f64f62aedcfb3b81fc
-
apache2-utils_2.4.18-2ubuntu3.17+tuxcare.els22_amd64.deb
sha:f14f3e07a7e017b937790b0660226ad4fab42cfd
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.