[CLSA-2026:1782987076] Fix CVE(s): CVE-2026-44186, CVE-2026-44631
Type:
security
Severity:
Important
Release date:
2026-07-02 10:11:35 UTC
Description:
* SECURITY UPDATE: Buffer underwrite in ap_regname() on crafted regular expressions in the configuration - debian/patches/CVE-2026-44631.patch: cast the capture-index bytes to unsigned char and reject capture group numbers greater than 1024 in ap_regname() in server/util_pcre.c, so a crafted regex in a , , or section can no longer produce a negative capture index and underwrite the names array; also check the ap_regname() return value in dirsection(), urlsection() and filesection() in server/core.c and proxysection() in modules/proxy/mod_proxy.c. Upstream fix 7d9f3cfb10b0fe70df7358d26d7b1f374ea1a0cb (SVN r1935015). - CVE-2026-44631
Updated packages:
  • apache2_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:a3294b8c484027fd65fb06082c409afdc709d93d
  • apache2-bin_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:9f61962e8363f3ec152964bdabd4915819f25536
  • apache2-data_2.4.29-1ubuntu4.27+tuxcare.els13_all.deb
    sha:fc0c09c62f22124455e65ac65787cf1072dc35d8
  • apache2-dev_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:6b4942a04e9a8d073b14d2576f88dc6a79b3a5a8
  • apache2-doc_2.4.29-1ubuntu4.27+tuxcare.els13_all.deb
    sha:e1fa33692a0908b8ac528a0ccccb6ac9611d6ccd
  • apache2-ssl-dev_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:8321ea52334475c67f254d2b53ec60c2a30809e9
  • apache2-suexec-custom_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:e1678dc20d6d4ff717c3930a66ce62cac05e023a
  • apache2-suexec-pristine_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:d9fdc2b1b9401944c7b1cbb8390a82a4bbd7bfa7
  • apache2-utils_2.4.29-1ubuntu4.27+tuxcare.els13_amd64.deb
    sha:2db6129f502c0381ce945d0e6ab8636dc0340f71
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.