
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN605
_____________________________________________________________________

DATE                : 09/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions prior
                     to 2.4.68.

=====================================================================
https://lists.apache.org/thread/j4spvgx2g8f5xtq2j5180f34hm4skxqm
https://lists.apache.org/thread/8kv27hxg3hw8n8q570d414vd9rv3f6dw
https://lists.apache.org/thread/l9dqh7pyclbgbfo4bc2ho514kbjb58y2
https://lists.apache.org/thread/3448kkqmyhdx3tq9phbzs3s6bd6y4hwr
https://lists.apache.org/thread/vv7xqym0gbw5sjsd8mbt9tlqxo6854xw
https://lists.apache.org/thread/rryfgyd16by1xos451ss9rcshlovv2nm
https://lists.apache.org/thread/7qj3jlr2qqkq17s6o84vctkl6wg22f0d
https://lists.apache.org/thread/7bfqlmbvpyvljmvfrvzy6r2jrks575dk
https://lists.apache.org/thread/kn41o5y0583rpp0p42gqkgzygzh7bk1r
https://lists.apache.org/thread/m2nkyqyz3kj755rzgnox463mc8nqgbf5
https://lists.apache.org/thread/q0o7l86o4py08txzht7gobrdpf46x1rj
_____________________________________________________________________

CVE-2026-34355: Apache HTTP Server: mod_proxy_html buffer overflow

Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and
earlier allows an attack by an untrusted backend.
Users are recommended to upgrade to version 2.4.68, which fixes this
issue.

Credit:

Elhanan Haenel (finder)
Junhui Lee (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34355

Timeline:

2026-03-21: Report received
2026-06-04: fixed in 2.4.x by r1934977
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-42535: Apache HTTP Server: mod_dav_fs protected directory
access

Severity: moderate 

Affected versions:

- Apache HTTP Server through 2.4.67

Description:

A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier
allows a WebDAV content author to directly manipulate trusted DAV
property databases, potentially causing child process crashes.

Users are recommended to upgrade to version 2.4.68, which fixes
this issue.

Credit:

Zhenpeng (Leo) Lin at depthfirst (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-42535

Timeline:

2026-04-27: Report received
2026-06-05: fixed in 2.4.x by r1935013
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-43951: Apache HTTP Server: OOB Read in `merge_response_headers`
can cause crash

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Out-of-bounds Read vulnerability in Apache HTTP Server with
mod_headers and mod_mime and multiple response languages.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Credit:

Zhenpeng (Leo) Lin at depthfirst (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43951

Timeline:

2026-04-27: reported
2026-06-05: fixed in 2.4.x by r1935006
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-44186: Apache HTTP Server: Loop in `proxy_ftp_handler` in
mod_proxy_ftp

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability
in the mod_proxy_ftp module in Apache HTTP Server with an attacker
controlled backend FTP server.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the
issue.

Credit:

Zhenpeng (Leo) Lin at depthfirst (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44186

Timeline:

2026-04-27: reported
2026-06-05: fixed in 2.4.x by r1935004
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-49975: Apache HTTP Server: mod_http2 denial of service

Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.17 through 2.4.67

Description:

Memory Allocation with Excessive Size Value vulnerability in Apache
HTTP Server's mod_http2 leads to denial of service via malicious HTTP
requests.

This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.

Credit:

Quang Luong of Calif.IO in collaboration with OpenAI Codex (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49975

Timeline:

2026-05-26: reported
2026-05-27: fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c
2026-06-02: fixed in 2.4.x by r1934882
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-48913: Apache HTTP Server: mod_http2 memory corruption when
file handles exhausted

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.55 through 2.4.67

Description:

Use After Free vulnerability in Apache HTTP Server module mod_http2
when file handles are already exhausted.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67.

Credit:

Sam Lovejoy, IBM X-Force Offensive Research (XOR) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-48913

Timeline:

2026-05-22: reported
2026-06-03: fixed in 2.4.x by r1934882
2026-06-08: 2.4.68 released

_____________________________________________________________________

CVE-2026-44631: Apache HTTP Server: Heap Underflow in `ap_regname`
via Signed Char Overflow

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Buffer Underwrite vulnerability in Apache HTTP Server on crafted
regular expressions in the configuration.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes
the issue.

Credit:

Zhenpeng (Leo) Lin at depthfirst (finder)
Bartlomiej Dmitruk (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44631

Timeline:

2026-04-27: reported
2026-06-05: fixed in 2.4.x by r1935015
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-44185: Apache HTTP Server: Stack Buffer Over-Read in mod_ssl
OCSP `send_request`

Severity: low

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Buffer Over-read vulnerability in Apache HTTP Server via outbound
OCSP requests to an attacker controlled OCSP server.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes
the issue.

Credit:

Zhenpeng (Leo) Lin at depthfirst (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44185

Timeline:

2026-04-27: reported
2026-06-03: fixed in 2.4.x by r1934919
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-42536: Apache HTTP Server: mod_xml2enc heap overflow

Severity: low

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with
mod_xml2enc, xml2StartParse, and untrusted content.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the
issue.

Credit:

Zhenpeng (Leo) Lin at depthfirst (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-42536

Timeline:

2026-04-27: reported
2026-06-04: fixed in 2.4.x by r1934971
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-34356: Apache HTTP Server: ProxyPassReverseCookieMap buffer
overflow

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Heap-based Buffer Overflow vulnerability in Apache HTTP Server with
malicious backend servers and ProxyPassReverseCookie*.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the
issue.

Credit:

Arkadi Vainbrand (finder)
depthfirst (depthfirst.com) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34356

Timeline:

2026-02-23: reported
2026-06-05: fixed in 2.4.x by r1935008
2026-06-08: 2.4.68 released
_____________________________________________________________________

CVE-2026-29170: Apache HTTP Server: mod_proxy_ftp XSS

Severity: low

Affected versions:

- Apache HTTP Server through 2.4.67

Description:

A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML
directory list generation in Apache HTTP Server 2.4.67 and earlier
when listing FTP directory contents either via forward or reverse
proxy configuration.

Users are recommended to upgrade to version 2.4.68, which fixes
this issue.

Credit:

Pavel Kohout, Aisle Research, Aisle.com (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-29170

Timeline:

2026-03-04: Report received
2026-06-04: fixed in 2.4.x by r1934982
2026-06-08: 2.4.68 released
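As an added triage example (not part of the CERT-Renater notice and not Apache project code), the helper below reads the output of `httpd -v` and `httpd -M` and lists which CVEs from this notice apply to a given build. The version ranges and module names are transcribed from the entries above; treating CVE-2026-44631 as applying regardless of loaded modules is an assumption, and the sample command output is constructed.

```python
import re

# Each entry: (CVE id, modules that must be loaded, first/last affected 2.4.x
# patch level), transcribed from the advisory text above.
ADVISORIES = [
    ("CVE-2026-34355", ("proxy_html",), 0, 67),
    ("CVE-2026-42535", ("dav_fs",), 0, 67),
    ("CVE-2026-43951", ("headers", "mime"), 0, 67),
    ("CVE-2026-44186", ("proxy_ftp",), 0, 67),
    ("CVE-2026-49975", ("http2",), 17, 67),
    ("CVE-2026-48913", ("http2",), 55, 67),
    ("CVE-2026-44631", (), 0, 67),  # core regex handling: assumed to apply to any build
    ("CVE-2026-44185", ("ssl",), 0, 67),
    ("CVE-2026-42536", ("xml2enc",), 0, 67),
    ("CVE-2026-34356", ("proxy",), 0, 67),
    ("CVE-2026-29170", ("proxy_ftp",), 0, 67),
]

def parse_version(httpd_v):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    if m is None:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())

def parse_modules(httpd_m):
    """Set of module names (without the _module suffix) from `httpd -M`."""
    return {m.group(1) for m in re.finditer(
        r"^\s*(\w+)_module\s+\((?:static|shared)\)", httpd_m, re.M)}

def applicable_cves(version, modules):
    """CVEs from this notice matching the version and the loaded module set."""
    major, minor, patch = version
    if (major, minor) != (2, 4):
        return []  # the advisory covers the 2.4.x branch only
    return [cve for cve, needed, lo, hi in ADVISORIES
            if lo <= patch <= hi and all(mod in modules for mod in needed)]

# Constructed sample output (not from a real host).
SAMPLE_V = "Server version: Apache/2.4.62 (Unix)\nServer built:   Jan  1 2026\n"
SAMPLE_M = """Loaded Modules:
 core_module (static)
 http2_module (shared)
 proxy_module (shared)
 proxy_html_module (shared)
"""

if __name__ == "__main__":
    found = applicable_cves(parse_version(SAMPLE_V), parse_modules(SAMPLE_M))
    print("applicable CVEs (upgrade to 2.4.68):", found or "none")
```

A build at 2.4.68 or later yields an empty list; a build that loads none of the named modules still reports CVE-2026-44631 because the regex issue sits in core configuration parsing.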


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================