OESA-2026-2401

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2401
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2401.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2401
Upstream
  • CVE-2026-24072
  • CVE-2026-29168
  • CVE-2026-29169
  • CVE-2026-33006
  • CVE-2026-33007
  • CVE-2026-33523
  • CVE-2026-33857
  • CVE-2026-34032
  • CVE-2026-34059
Published
2026-05-22T13:18:43Z
Modified
2026-05-22T13:30:19.678230790Z
Summary
httpd security update
Details

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server.

Security Fix(es):

An escalation of privilege bug in various modules in Apache HTTP Server 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.(CVE-2026-24072)

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data.

This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.(CVE-2026-29168)

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs.

The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.

Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.(CVE-2026-29169)

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.(CVE-2026-33006)

A NULL pointer dereference in mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.(CVE-2026-33007)

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.(CVE-2026-33523)

Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.(CVE-2026-33857)

Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.(CVE-2026-34032)

Buffer Over-read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.(CVE-2026-34059)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / httpd

Package

Name
httpd
Purl
pkg:rpm/openEuler/httpd&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.43-35.oe2003sp4

Ecosystem specific

{
    "src": [
        "httpd-2.4.43-35.oe2003sp4.src.rpm"
    ],
    "aarch64": [
        "httpd-2.4.43-35.oe2003sp4.aarch64.rpm",
        "httpd-debuginfo-2.4.43-35.oe2003sp4.aarch64.rpm",
        "httpd-debugsource-2.4.43-35.oe2003sp4.aarch64.rpm",
        "httpd-devel-2.4.43-35.oe2003sp4.aarch64.rpm",
        "httpd-tools-2.4.43-35.oe2003sp4.aarch64.rpm",
        "mod_ldap-2.4.43-35.oe2003sp4.aarch64.rpm",
        "mod_md-2.4.43-35.oe2003sp4.aarch64.rpm",
        "mod_proxy_html-2.4.43-35.oe2003sp4.aarch64.rpm",
        "mod_session-2.4.43-35.oe2003sp4.aarch64.rpm",
        "mod_ssl-2.4.43-35.oe2003sp4.aarch64.rpm"
    ],
    "x86_64": [
        "httpd-2.4.43-35.oe2003sp4.x86_64.rpm",
        "httpd-debuginfo-2.4.43-35.oe2003sp4.x86_64.rpm",
        "httpd-debugsource-2.4.43-35.oe2003sp4.x86_64.rpm",
        "httpd-devel-2.4.43-35.oe2003sp4.x86_64.rpm",
        "httpd-tools-2.4.43-35.oe2003sp4.x86_64.rpm",
        "mod_ldap-2.4.43-35.oe2003sp4.x86_64.rpm",
        "mod_md-2.4.43-35.oe2003sp4.x86_64.rpm",
        "mod_proxy_html-2.4.43-35.oe2003sp4.x86_64.rpm",
        "mod_session-2.4.43-35.oe2003sp4.x86_64.rpm",
        "mod_ssl-2.4.43-35.oe2003sp4.x86_64.rpm"
    ],
    "noarch": [
        "httpd-filesystem-2.4.43-35.oe2003sp4.noarch.rpm",
        "httpd-help-2.4.43-35.oe2003sp4.noarch.rpm"
    ]
}
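To act on this advisory you need to decide, per host, whether the installed httpd packages are at or above the fixed build 2.4.43-35.oe2003sp4, and, for CVE-2026-29169, whether mod_dav_lock is still loaded. The script below is an added example written for this page; it is not openEuler, OSV or Apache tooling. It re-implements rpm's version comparison in simplified form (numeric/alpha segment compare; no '~' or '^' handling), takes the fixed version and the subpackage list from the sections above, and runs over constructed samples shaped like `rpm -qa` and `httpd -M` output rather than captured data.

```python
"""Assess an openEuler 20.03-LTS-SP4 host against OESA-2026-2401.

Added example, not openEuler/OSV tooling. The version comparison is a
simplified re-implementation of rpm's rpmvercmp (no '~'/'^' handling);
on a real host `rpm` itself remains the authoritative comparator.
"""
import re

# Fixed version-release from the advisory's "Affected ranges" (epoch assumed 0).
FIXED_VERSION, FIXED_RELEASE = "2.4.43", "35.oe2003sp4"

# Binary packages built from the httpd source RPM, per "Ecosystem specific".
HTTPD_PACKAGES = {
    "httpd", "httpd-debuginfo", "httpd-debugsource", "httpd-devel",
    "httpd-tools", "httpd-filesystem", "httpd-help",
    "mod_ldap", "mod_md", "mod_proxy_html", "mod_session", "mod_ssl",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version/release strings the way rpm does: -1, 0 or 1.

    Strings split into numeric and alphabetic segments; separators are ignored,
    numeric segments compare as integers (so 9 < 35, unlike a string compare),
    a numeric segment beats an alphabetic one, and leftover segments win.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nvra(nvra):
    """Split 'name-version-release.arch[.rpm]' into (name, version, release, arch).

    Returns None for entries that do not have that shape (e.g. gpg-pubkey)."""
    if nvra.endswith(".rpm"):
        nvra = nvra[:-4]
    if "." not in nvra or nvra.count("-") < 2:
        return None
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(nvra, fixed_version=FIXED_VERSION, fixed_release=FIXED_RELEASE):
    """True if the package's version-release is at or above the fixed build."""
    _, version, release, _ = parse_nvra(nvra)
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0


def vulnerable_packages(rpm_qa_output):
    """Installed httpd-derived packages (from `rpm -qa`) that predate the fix."""
    found = []
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        parsed = parse_nvra(line) if line else None
        if parsed and parsed[0] in HTTPD_PACKAGES and not is_fixed(line):
            found.append(line)
    return found


def loaded_modules(httpd_m_output):
    """Parse `httpd -M` output into the set of loaded module names."""
    mods = set()
    for line in httpd_m_output.splitlines():
        m = re.match(r"\s*(\w+_module)\s+\((static|shared)\)", line)
        if m:
            mods.add(m.group(1))
    return mods


def assess(rpm_qa_output, httpd_m_output):
    """Unpatched packages plus the CVE-2026-29169 caveat: the advisory says
    removing mod_dav_lock is an alternative to upgrading for that CVE."""
    return {
        "unpatched": vulnerable_packages(rpm_qa_output),
        "dav_lock_loaded": "dav_lock_module" in loaded_modules(httpd_m_output),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_RPM_QA = """\
httpd-2.4.43-34.oe2003sp4.x86_64
httpd-tools-2.4.43-34.oe2003sp4.x86_64
mod_ssl-2.4.43-35.oe2003sp4.x86_64
openssl-1.1.1f-9.oe1.x86_64
gpg-pubkey-deadbeef-5e7a4bd2
"""

SAMPLE_HTTPD_M = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RPM_QA, SAMPLE_HTTPD_M))
```

On a real host feed it the output of `rpm -qa` and `httpd -M`; the sample shows a partially updated system where mod_ssl is already at the fixed build but the httpd and httpd-tools packages are not, which a plain string comparison of release numbers would also mis-rank once releases pass 9.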

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2401.json"