rpms/httpd
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

[security][CRITICAL] httpd 2.4.66: 7 CVE require triage #1

New issue
Open
opened 2026-05-25 00:46:41 +03:00 by sbelikov · 0 comments
sbelikov commented 2026-05-25 00:46:41 +03:00
Owner
Copy link

CVE triage request / Запрос на разбор CVE

Package / Пакет

  • Package: httpd
  • Version: 2.4.66
  • EVR: 2.4.66-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: CRITICAL
  • Max CVSS: 9.8
  • CVE count: 7

LLM recommendation / Рекомендация LLM

RU

Для пакета httpd 2.4.66 найдены CVE-кандидаты по данным NVD/CPE: CVE-2025-3891, CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-34059. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for httpd 2.4.66: CVE-2025-3891, CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-34059. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE Severity CVSS Match NiceOS status Reason
CVE-2026-28780 CRITICAL 9.8 cpe-range needs_triage package version is inside version range
CVE-2026-23918 HIGH 8.8 cpe-exact needs_triage exact CPE version match: package 2.4.66 == CPE 2.4.66
CVE-2026-24072 HIGH 8.8 cpe-range needs_triage package version is inside version range
CVE-2025-3891 HIGH 7.5 cpe-generic needs_triage generic CPE product match without version range; needs triage
CVE-2026-29169 HIGH 7.5 cpe-range needs_triage package version is inside version range
CVE-2026-34059 HIGH 7.5 cpe-range needs_triage package version is inside version range
CVE-2026-29168 HIGH 7.3 cpe-range needs_triage package version is inside version range

Descriptions

CVE-2026-28780

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CVE-2026-23918

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CVE-2026-24072

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

CVE-2025-3891

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

CVE-2026-29169

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs.

The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.

Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

CVE-2026-34059

Buffer Over-read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CVE-2026-29168

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data.

This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-3891",
    "CVE-2026-23918",
    "CVE-2026-24072",
    "CVE-2026-28780",
    "CVE-2026-29168",
    "CVE-2026-29169",
    "CVE-2026-34059"
  ],
  "fingerprint": "df3eb9094906e95427e9",
  "generated_at": "2026-05-24T21:46:41Z",
  "package": "httpd",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "2.4.66"
}
<!-- niceos-cve-fingerprint: df3eb9094906e95427e9 --> # CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `httpd` - Version: `2.4.66` - EVR: `2.4.66-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `CRITICAL` - Max CVSS: `9.8` - CVE count: `7` ## LLM recommendation / Рекомендация LLM ### RU Для пакета httpd 2.4.66 найдены CVE-кандидаты по данным NVD/CPE: CVE-2025-3891, CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-34059. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for httpd 2.4.66: CVE-2025-3891, CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-34059. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | NiceOS status | Reason | |---|---|---:|---|---|---| | CVE-2026-28780 | CRITICAL | 9.8 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-23918 | HIGH | 8.8 | cpe-exact | needs_triage | exact CPE version match: package 2.4.66 == CPE 2.4.66 | | CVE-2026-24072 | HIGH | 8.8 | cpe-range | needs_triage | package version is inside version range | | CVE-2025-3891 | HIGH | 7.5 | cpe-generic | needs_triage | generic CPE product match without version range; needs triage | | CVE-2026-29169 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-34059 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-29168 | HIGH | 7.3 | cpe-range | needs_triage | package version is inside version range | ## Descriptions ### CVE-2026-28780 Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. ### CVE-2026-23918 Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. ### CVE-2026-24072 An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue. ### CVE-2025-3891 A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability. ### CVE-2026-29169 A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock. ### CVE-2026-34059 Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. ### CVE-2026-29168 Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2025-3891", "CVE-2026-23918", "CVE-2026-24072", "CVE-2026-28780", "CVE-2026-29168", "CVE-2026-29169", "CVE-2026-34059" ], "fingerprint": "df3eb9094906e95427e9", "generated_at": "2026-05-24T21:46:41Z", "package": "httpd", "prompt_version": "niceos_cve_issue_analysis_v1", "tool": "niceos_cve_create_issues.py", "tool_version": "1.0", "version": "2.4.66" } ```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
niceos-5.2
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rpms/httpd#1
No description provided.