=====================================================================
CERT-Renater Information Note No. 2026/VULN451
_____________________________________________________________________

DATE : 04/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions prior to 2.4.67.

=====================================================================

https://lists.apache.org/thread/otwt07gfnp6x2b58hnbghgs9r4ovy3yf
https://lists.apache.org/thread/5tg6pwqr0z9hh0v8x9h0ywgs1z3x26l2
https://lists.apache.org/thread/ro2mhvozhdp1j5d8w68nwgyzr9fy2s7y
https://lists.apache.org/thread/k97f307d4xgsxthgf5fzf03m9qdkvgzy
https://lists.apache.org/thread/7dnmy4cxb8qfdgr8bs9jrn0vr0pylwkd
https://lists.apache.org/thread/2m26t0c1zhrz0wxpxdx6t1g999415yk7
https://lists.apache.org/thread/0wlowdb6ydgdtxspx8og5x72bgdzgfx1
https://lists.apache.org/thread/4qokdcgl8q6tl3b594v72sr52g7wrbd4
https://lists.apache.org/thread/88f06q3opz3snbsfbyj4x6zqrzkklto6

_____________________________________________________________________

CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset

Severity: important

Affected versions:
- Apache HTTP Server 2.4.66

Description:
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
This issue affects Apache HTTP Server: 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:
Bartlomiej Dmitruk, striga.ai (finder)
Stanislaw Strzalkowski, isec.pl (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23918

Timeline:
2025-12-10: reported in PR 69899
2025-12-11: fixed in r1930444, r1930796

_____________________________________________________________________

CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Severity: moderate

Affected versions:
- Apache HTTP Server through 2.4.66

Description:
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Credit:
y7syeu (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-24072

Timeline:
2026-01-20: Report received
2026-05-04: fixed in 2.4.x by r1933350

_____________________________________________________________________

CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack

Severity: moderate

Affected versions:
- Apache HTTP Server through 2.4.66

Description:
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Credit:
Nitescu Lucian (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33006

Timeline:
2026-03-09: Report received
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933356

_____________________________________________________________________

CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP getter functions

Severity: low

Affected versions:
- Apache HTTP Server through 2.4.66

Description:
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:
Elhanan Haenel (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33857

Timeline:
2026-03-20: Reported
2026-05-04: fixed by r1933341 in 2.4.x

_____________________________________________________________________

CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

Severity: low

Affected versions:
- Apache HTTP Server through 2.4.66

Description:
Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:
Tianshuo Han (finder)
Jérôme Djouder (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34032

Timeline:
2026-03-01: Report received
2026-05-04: fixed in 2.4.x by r1933343

_____________________________________________________________________

CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

Severity: low

Affected versions:
- Apache HTTP Server through 2.4.66

Description:
Buffer Over-read vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:
Elhanan Haenel (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34059

Timeline:
2026-03-20: Report received
2026-05-04: fixed in 2.4.x by r1933346

_____________________________________________________________________

CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock crash

Severity: low

Affected versions:
- Apache HTTP Server through 2.4.66

Description:
A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.
mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0.
Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Credit:
Pavel Kohout, Aisle Research, Aisle.com (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-29169

Timeline:
2026-03-04: Report received
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933354

_____________________________________________________________________

CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash

Severity: low

Affected versions:
- Apache HTTP Server 2.4.0 through 2.4.66

Description:
A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Credit:
Pavel Kohout, Aisle Research, Aisle.com (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33007

Timeline:
2026-03-04: Report received
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933358

_____________________________________________________________________

CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line

Severity: low

Affected versions:
- Apache HTTP Server 2.4.0 through 2.4.66

Description:
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.
This issue affects Apache HTTP Server: through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:
Haruki Oyama (Waseda University) (finder)
Merih Mengisteab (finder)
Dawit Jeong (finder)

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33523

Timeline:
2026-03-05: reported
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933360

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41             +
+ 75013 Paris         | email : cert@support.renater.fr  +
=========================================================
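The following exposure check is an added example, not code from CERT-Renater or from the Apache HTTP Server project. It parses the "Server version: Apache/x.y.z" line that `httpd -v` (or `apachectl -v` / `apache2 -v`) prints and reports which CVEs of this note apply to that version, using only the affected ranges stated above (CVE-2026-23918 affects 2.4.66 only; the others affect versions through 2.4.66, with 2.4.0 as the stated lower bound where the note gives one). The command names tried and the sample banners are assumptions; the CVE identifiers, severities and ranges come from the note.

```python
"""Exposure check for the Apache HTTP Server CVEs listed in this note.

Added example (not CERT-Renater's or the Apache project's code). Parses the
banner line of `httpd -v` and maps the version to the CVEs above.
"""
import re
import subprocess
from typing import Optional

Version = tuple  # (major, minor, patch)

FIXED_IN = (2, 4, 67)  # the note recommends upgrading to 2.4.67

# Affected ranges exactly as stated in the note: (first affected or None when
# the note gives no lower bound, last affected, short summary with severity).
ADVISORY = {
    "CVE-2026-23918": ((2, 4, 66), (2, 4, 66), "http2 double free, possible RCE (important)"),
    "CVE-2026-24072": (None, (2, 4, 66), "mod_rewrite privilege escalation via ap_expr (moderate)"),
    "CVE-2026-33006": (None, (2, 4, 66), "mod_auth_digest timing attack (moderate)"),
    "CVE-2026-33857": (None, (2, 4, 66), "mod_proxy_ajp off-by-one OOB reads (low)"),
    "CVE-2026-34032": (None, (2, 4, 66), "mod_proxy_ajp heap over-read, ajp_msg_get_string (low)"),
    "CVE-2026-34059": (None, (2, 4, 66), "mod_proxy_ajp heap over-read, ajp_parse_data (low)"),
    "CVE-2026-29169": (None, (2, 4, 66), "mod_dav_lock NULL dereference crash (low)"),
    "CVE-2026-33007": ((2, 4, 0), (2, 4, 66), "mod_authn_socache NULL dereference crash (low)"),
    "CVE-2026-33523": ((2, 4, 0), (2, 4, 66), "HTTP response splitting via backend status line (low)"),
}

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from an httpd -v banner; None if not Apache."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def applicable_cves(version: Version) -> list:
    """Return the CVE ids from ADVISORY whose stated range contains `version`."""
    hits = []
    for cve, (low, high, _summary) in ADVISORY.items():
        if low is not None and version < low:
            continue
        if version <= high:
            hits.append(cve)
    return hits


def check_banner(banner: str) -> dict:
    """Summarise exposure for one banner line: version, below-fix flag, CVE list."""
    v = parse_httpd_version(banner)
    if v is None:
        return {"version": None, "vulnerable": None, "cves": []}
    return {
        "version": ".".join(map(str, v)),
        "vulnerable": v < FIXED_IN,
        "cves": applicable_cves(v),
    }


def local_httpd_banner() -> str:
    """Try the usual binary names (assumed) and return the first banner found."""
    for cmd in (["httpd", "-v"], ["apachectl", "-v"], ["apache2", "-v"]):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        except FileNotFoundError:
            continue
    return ""


if __name__ == "__main__":
    # Constructed sample banners, then whatever the local host reports (if anything).
    samples = [
        "Server version: Apache/2.4.66 (Unix)",
        "Server version: Apache/2.4.65 (Debian)",
        "Server version: Apache/2.4.67 (Unix)",
    ]
    local = local_httpd_banner()
    if local:
        samples.append(local.splitlines()[0])
    for banner in samples:
        result = check_banner(banner)
        print(f"{banner!r}: below 2.4.67 = {result['vulnerable']}")
        for cve in result["cves"]:
            print(f"    {cve}: {ADVISORY[cve][2]}")
```

Run on a host, the script lists every CVE of this note that the installed version falls under; on a fleet, feed it the banner lines collected by your inventory tool instead. Note that the note's own remediation for CVE-2026-29169 also accepts removing mod_dav_lock, which this version-only check does not detect.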