CLSA-2026-1779119053

See a problem?

Import Source

https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json

JSON Data

https://api.osv.dev/v1/vulns/CLSA-2026-1779119053

Upstream

CVE-2026-24072

CVE-2026-28780

CVE-2026-33006

CVE-2026-33007

CVE-2026-33523

CVE-2026-33857

CVE-2026-34032

CVE-2026-34059

Published

2026-05-18T15:44:17Z

Modified

2026-06-04T10:04:29.025560128Z

Summary

Fix of 8 CVEs

Details

SECURITY UPDATE: modproxyajp heap buffer over-read in ajpmsggetstring
- debian/patches/CVE-2026-34032.patch: add buffer checks in modules/proxy/ajpmsg.c.
- CVE-2026-34032
SECURITY UPDATE: AJP getter functions off-by-one out-of-bounds reads
- debian/patches/CVE-2026-33857.patch: fix length checks in AJP msgget functions in modules/proxy/ajpmsg.c.
- CVE-2026-33857
SECURITY UPDATE: modproxyajp heap over-read in ajpparsedata
- debian/patches/CVE-2026-34059.patch: fix message length check in modules/proxy/ajp_header.c.
- CVE-2026-34059
SECURITY UPDATE: modauthnsocache crash in caching forward proxy
- debian/patches/CVE-2026-33007.patch: validate URL earlier in modules/aaa/modauthnsocache.c.
- CVE-2026-33007
SECURITY UPDATE: HTTP response splitting via malicious backend status line
- debian/patches/CVE-2026-33523.patch: scan outgoing status line for newlines and controls in modules/http/http_filters.c.
- CVE-2026-33523
SECURITY UPDATE: modrewrite elevation of privileges via apexpr in .htaccess
- debian/patches/CVE-2026-24072.patch: use APEXPRFLAGRESTRICTED in htaccess context in modules/mappers/modrewrite.c and modules/metadata/modsetenvif.c. modproxy_fcgi hunk omitted — ProxyFCGISetEnvIf was added in 2.4.26, after this source.
- CVE-2026-24072
SECURITY UPDATE: modauthdigest timing attack allowing Digest auth bypass
- debian/patches/CVE-2026-33006.patch: use a constant-time comparison helper for nonce hash and digest checks, add VALIDNONCE validation and MD5DIGESTLEN length check in getdigestrec, in modules/aaa/modauthdigest.c. Inline apcryptoequalsconsttime() replaces aprcryptoequals (added in apr-util 1.6, not in xenial's apr-util 1.5.4); the upstream apr-util version bump and the aprcrypto.h include are omitted accordingly.
- CVE-2026-33006
SECURITY UPDATE: modproxyajp ajpmsgcheck_header bounds-check fix
- debian/patches/CVE-2026-28780.patch: tighten the upper-bound check in ajpmsgcheckheader() to reserve AJPHEADERLEN bytes of headroom in modules/proxy/ajpmsg.c (companion to CVE-2026-33857/34032).
- CVE-2026-28780

References

https://errata.tuxcare.com/els_os/ubuntu16.04els/CLSA-2026-1779119053.html

Affected packages

TuxCare:Ubuntu:16.04

apache2

Package

Name: apache2
Purl: pkg:deb/tuxcare/apache2?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-bin

Package

Name: apache2-bin
Purl: pkg:deb/tuxcare/apache2-bin?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-data

Package

Name: apache2-data
Purl: pkg:deb/tuxcare/apache2-data?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-dev

Package

Name: apache2-dev
Purl: pkg:deb/tuxcare/apache2-dev?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-doc

Package

Name: apache2-doc
Purl: pkg:deb/tuxcare/apache2-doc?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-suexec-custom

Package

Name: apache2-suexec-custom
Purl: pkg:deb/tuxcare/apache2-suexec-custom?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-suexec-pristine

Package

Name: apache2-suexec-pristine
Purl: pkg:deb/tuxcare/apache2-suexec-pristine?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"

apache2-utils

Package

Name: apache2-utils
Purl: pkg:deb/tuxcare/apache2-utils?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:2.4.18-2ubuntu3.17+tuxcare.els19

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2026-1779119053.json"