[CLSA-2026:1781557190] Fix CVE(s): CVE-2026-28780, CVE-2026-44186
Type:
security
Severity:
Important
Release date:
2026-06-15 21:01:38 UTC
Description:
* SECURITY UPDATE: heap buffer overflow in mod_proxy_ajp message header length check - debian/patches/CVE-2026-28780.patch: account for the AJP header bytes in the incoming-message size check (msglen > max_size - AJP_HEADER_LEN) in ajp_msg_check_header() so a crafted length can no longer let msg->len exceed the allocated buffer and overflow the heap in modules/proxy/ajp_msg.c. Upstream fix d04119e6e591f7b21222e749387a8b39e9092a1b (SVN r1935348). - CVE-2026-28780 * SECURITY UPDATE: infinite loop (DoS) in mod_proxy_ftp Retry-After parsing - debian/patches/CVE-2026-44186.patch: advance secs_str inside the scan loop (add the missing secs_str++) in proxy_ftp_handler() so the Retry-After number search makes progress instead of spinning forever on a malicious backend FTP response in modules/proxy/mod_proxy_ftp.c. Upstream fix 414de374a06549b2c6710cbcff81c3821379f75c (SVN r1935004). - CVE-2026-44186
Updated packages:
  • apache2_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:50ad0a667149ed8f095ed4e089a2b34b51323ae7
  • apache2-bin_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:df5cc7b6a6f2605208b7270e1df8e7bd104dbac9
  • apache2-data_2.4.41-4ubuntu3.23+tuxcare.els6_all.deb
    sha:d687f1f84198a0abf783c31120743beab0f34a47
  • apache2-dev_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:aa24fda977fc5c3353ada84f7b677c8bde2afef6
  • apache2-doc_2.4.41-4ubuntu3.23+tuxcare.els6_all.deb
    sha:3d1777dc2106f503705731ef2131f69a1218818f
  • apache2-ssl-dev_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:3112078ddef44c9a5e1c0fe51542e24b78230688
  • apache2-suexec-custom_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:30cfbf0690fce33b641056af912d567e6bcbc74e
  • apache2-suexec-pristine_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:4ca735a9b32a2be4f7cd12837a8841ad026c4982
  • apache2-utils_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:d5953b919585e8d8325cf4b445f4aaaa4ed9935f
  • libapache2-mod-md_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:f050457eb410b20b0b252283be78ed25be15247f
  • libapache2-mod-proxy-uwsgi_2.4.41-4ubuntu3.23+tuxcare.els6_amd64.deb
    sha:c57a671bebe381c1845873e54466ac74506dd93e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.