CLSA-2026-1778934210

See a problem?

Import Source

https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json

JSON Data

https://api.osv.dev/v1/vulns/CLSA-2026-1778934210

Upstream

CVE-2026-24072

CVE-2026-33006

CVE-2026-33007

CVE-2026-33523

CVE-2026-33857

CVE-2026-34032

CVE-2026-34059

Published

2026-05-16T14:38:58Z

Modified

2026-06-04T10:03:43.834126642Z

Summary

Fix of 7 CVEs

Details

SECURITY UPDATE: off-by-one OOB read in modproxyajp message getters
- debian/patches/CVE-2026-33857.patch: tighten length checks (> msg->len -> >= msg->len) in ajpmsggetuint8/16/32 and ajpmsgpeekuint8/16 in modules/proxy/ajp_msg.c.
- CVE-2026-33857
SECURITY UPDATE: heap over-read in modproxyajp via missing null-termination check in ajpmsggetstring()
- debian/patches/CVE-2026-34032.patch: switch the buffer overflow check to compare against msg->len and verify the expected null terminator is present before returning the pointer in modules/proxy/ajpmsg.c.
- CVE-2026-34032
SECURITY UPDATE: heap over-read and memory disclosure in modproxyajp ajpparsedata() via missing minimum message-length validation
- debian/patches/CVE-2026-34059.patch: reject AJP data messages whose msg->len is smaller than AJPHEADERLEN + AJPHEADERSZLEN + 1 + 1 before computing expectedlen in modules/proxy/ajp_header.c.
- CVE-2026-34059
SECURITY UPDATE: local information disclosure via .htaccess / mod_setenvif / ProxyFCGISetEnvIf, where a non-privileged user with .htaccess write access could read files accessible to the httpd service account
- debian/patches/CVE-2026-24072.patch: pass APEXPRFLAGRESTRICTED when parsing apexpr expressions from htaccess context in modules/mappers/modrewrite.c, modules/metadata/modsetenvif.c, and modules/proxy/modproxyfcgi.c.
- CVE-2026-24072
SECURITY UPDATE: timing attack against modauthdigest allowing bypass of Digest authentication
- debian/patches/CVE-2026-33006.patch: validate nonce and digest lengths earlier and replace the strcmp of the nonce hash with the constant-time aprcryptoequals (apr-util >= 1.6) in modules/aaa/modauthdigest.c; bump APU minimum to 1.6 in configure.in.
- CVE-2026-33006
SECURITY UPDATE: NULL pointer dereference in modauthnsocache crashes the child process in a caching forward proxy setup
- debian/patches/CVE-2026-33007.patch: validate the URL before using the cache hash in constructkey() in modules/aaa/modauthn_socache.c.
- CVE-2026-33007
SECURITY UPDATE: HTTP response splitting via newline/control characters in an outgoing status line forwarded from a compromised backend
- debian/patches/CVE-2026-33523.patch: reject status reason strings that contain newlines or control characters in modules/http/http_filters.c.
- CVE-2026-33523

References

https://errata.tuxcare.com/els_os/ubuntu20.04els/CLSA-2026-1778934210.html

Affected packages

TuxCare:Ubuntu:20.04

apache2

Package

Name: apache2
Purl: pkg:deb/tuxcare/apache2?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-bin

Package

Name: apache2-bin
Purl: pkg:deb/tuxcare/apache2-bin?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-data

Package

Name: apache2-data
Purl: pkg:deb/tuxcare/apache2-data?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-dev

Package

Name: apache2-dev
Purl: pkg:deb/tuxcare/apache2-dev?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-doc

Package

Name: apache2-doc
Purl: pkg:deb/tuxcare/apache2-doc?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-ssl-dev

Package

Name: apache2-ssl-dev
Purl: pkg:deb/tuxcare/apache2-ssl-dev?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-suexec-custom

Package

Name: apache2-suexec-custom
Purl: pkg:deb/tuxcare/apache2-suexec-custom?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-suexec-pristine

Package

Name: apache2-suexec-pristine
Purl: pkg:deb/tuxcare/apache2-suexec-pristine?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

apache2-utils

Package

Name: apache2-utils
Purl: pkg:deb/tuxcare/apache2-utils?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

libapache2-mod-md

Package

Name: libapache2-mod-md
Purl: pkg:deb/tuxcare/libapache2-mod-md?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"

libapache2-mod-proxy-uwsgi

Package

Name: libapache2-mod-proxy-uwsgi
Purl: pkg:deb/tuxcare/libapache2-mod-proxy-uwsgi?distro=ubuntu-20.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.41-4ubuntu3.23+tuxcare.els4

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1778934210.json"