Release date:
2026-06-22 18:42:31 UTC
Description:
* SECURITY UPDATE: memory allocation with excessive size value (DoS) in
mod_http2 HTTP/2 cookie header merging
- debian/patches/CVE-2026-49975.patch: count merged cookie headers as an
add so they keep counting against LimitRequestFields, and ignore
duplicate empty cookie headers, in req_add_header() in
modules/http2/h2_util.c; otherwise repeated HTTP/2 cookie headers merge
into one growing value without tripping the LimitRequestFields guard,
letting a single stream drive unbounded memory allocation. Upstream fix
35c6e405390ed361189a82acd96675401ea5947c (SVN r1934882).
- CVE-2026-49975
Updated packages:
-
apache2_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:ede65c48ed67d2011b2a9cf8a94cbf96b16179f6
-
apache2-bin_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:0fb7c7739d135ee6b2b914b6b347d91eff8a2c5a
-
apache2-data_2.4.41-4ubuntu3.23+tuxcare.els7_all.deb
sha:dea0825a24c71364435b598314abd1521e4a3e59
-
apache2-dev_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:352e668047d4f13e2791cf1972147458a58461a2
-
apache2-doc_2.4.41-4ubuntu3.23+tuxcare.els7_all.deb
sha:92f895613533a22d5e0f1d6d0e58b37cec9b85fe
-
apache2-ssl-dev_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:25abe42046e8a09f41373b9eabd95c9db2843acf
-
apache2-suexec-custom_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:82cae661e5dada4f8553c4d2f1cb33392b3fe1f7
-
apache2-suexec-pristine_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:31aa0cfe34ee6dcd8d2d75a1d74c21d7bef5a0f0
-
apache2-utils_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:47981e6c323a4dc5297f8d7a65d125d356ab2047
-
libapache2-mod-md_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:c9c9841959e226797f2ac4c06109c7b939d03db9
-
libapache2-mod-proxy-uwsgi_2.4.41-4ubuntu3.23+tuxcare.els7_amd64.deb
sha:bd0dd8a44588a21e4cd6993fddbf0e6846e64e30
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.