mod_http2 v2.0.33 rpms released

mod_http2 v2.0.33 rpms released and added to all supported platforms.

Changes:

Fixes CVE-2025-53020 where a client can increase memory consumption for an HTTP/2 connection via repeated request header names, leading to denial of service.

Fixes CVE-2025-49630 where in certain proxy configurations with mod_proxy_http2 as the backend, an assertion can be triggered by certain requests, leading to denial of service.

Apache httpd 2.4.64 with brotli support, TLS 1.3, OpenSSL 3.5.1 with http2, mod_http2 2.0.32 and ALPN for Red Hat Enterprise Linux, CentOS 7, Alma Linux, Rocky Linux 8/9/10

Apache httpd 2.4.64 added to the repository.

Changes:

  *) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
     Memory Increase (cve.mitre.org)
     Late Release of Memory after Effective Lifetime vulnerability in
     Apache HTTP Server.
     This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
     Users are recommended to upgrade to version 2.4.64, which fixes
     the issue.
     Credits: Gal Bar Nahum

  *) SECURITY: CVE-2025-49812: Apache HTTP Server: mod_ssl TLS
     upgrade attack (cve.mitre.org)
     In some mod_ssl configurations on Apache HTTP Server versions
     through to 2.4.63, an HTTP desynchronisation attack allows a
     man-in-the-middle attacker to hijack an HTTP session via a TLS
     upgrade.
     Only configurations using "SSLEngine optional" to enable TLS
     upgrades are affected. Users are recommended to upgrade to
     version 2.4.64, which removes support for TLS upgrade.
     Credits: Robert Merget (Technology Innovation Institute)

  *) SECURITY: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2
     denial of service (cve.mitre.org)
     In certain proxy configurations, a denial of service attack
     against Apache HTTP Server versions 2.4.26 through to 2.4.63
     can be triggered by untrusted clients causing an assertion in
     mod_proxy_http2.
     Affected configurations are those where a reverse proxy is
     configured for an HTTP/2 backend, with ProxyPreserveHost set to
     "on".
     Credits: Anthony CORSIEZ

  *) SECURITY: CVE-2025-23048: Apache HTTP Server: mod_ssl access
     control bypass with session resumption (cve.mitre.org)
     In some mod_ssl configurations on Apache HTTP Server 2.4.35
     through to 2.4.62, an access control bypass by trusted clients
     is possible using TLS 1.3 session resumption.
     Configurations are affected when mod_ssl is configured for
     multiple virtual hosts, with each restricted to a different set
     of trusted client certificates (for example with a different
     SSLCACertificateFile/Path setting). In such a case, a client
     trusted to access one virtual host may be able to access another
     virtual host, if SSLStrictSNIVHostCheck is not enabled in either
     virtual host.
     Credits: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy,
     and Juraj Somorovsky at Paderborn University

  *) SECURITY: CVE-2024-47252: Apache HTTP Server: mod_ssl error log
     variable escaping (cve.mitre.org)
     Insufficient escaping of user-supplied data in mod_ssl in Apache
     HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS
     client to insert escape characters into log files in some
     configurations.
     In a logging configuration where CustomLog is used with
     "%{varname}x" or "%{varname}c" to log variables provided by
     mod_ssl such as SSL_TLS_SNI, no escaping is performed by either
     mod_log_config or mod_ssl and unsanitized data provided by the
     client may appear in log files.
     Credits: John Runyon

  *) SECURITY: CVE-2024-43394: Apache HTTP Server: SSRF on Windows
     due to UNC paths (cve.mitre.org)
     Server-Side Request Forgery (SSRF) in Apache HTTP Server on
     Windows allows NTLM hashes to potentially be leaked to a
     malicious server via mod_rewrite or Apache expressions that pass
     unvalidated request input.
     This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
     Note:  The Apache HTTP Server Project will be setting a higher
     bar for accepting vulnerability reports regarding SSRF via UNC
     paths.
     The server offers limited protection against administrators
     directing the server to open UNC paths.
     Windows servers should limit the hosts they will connect over
     via SMB based on the nature of NTLM authentication.
     Credits: Kainan Zhang (@4xpl0r3r) from Fortinet

  *) SECURITY: CVE-2024-43204: Apache HTTP Server: SSRF with
     mod_headers setting Content-Type header (cve.mitre.org)
     SSRF in Apache HTTP Server with mod_proxy loaded allows an
     attacker to send outbound proxy requests to a URL controlled by
     the attacker.  Requires an unlikely configuration where
     mod_headers is configured to modify the Content-Type request or
     response header with a value provided in the HTTP request.
     Users are recommended to upgrade to version 2.4.64 which fixes
     this issue.

  *) SECURITY: CVE-2024-42516: Apache HTTP Server: HTTP response
     splitting (cve.mitre.org)
     HTTP response splitting in the core of Apache HTTP Server allows
     an attacker who can manipulate the Content-Type response headers
     of applications hosted or proxied by the server to split the
     HTTP response.
     This vulnerability was described as CVE-2023-38709 but the patch
     included in Apache HTTP Server 2.4.59 did not address the issue.
     Users are recommended to upgrade to version 2.4.64, which fixes
     this issue.

  *) mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer
     size. PR 69402 [Jari Ahonen <[email protected]>]

  *) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
     builds which enable it in libssl natively.  [Joe Orton]

  *) mod_asis: Fix the log level of the message AH01236.
     Github #527 [Michael Kaufmann <mail michael-kaufmann.ch>]

  *) mod_session_dbd: ensure format used with SessionDBDCookieName and
     SessionDBDCookieName2 are correct.
     Github #503 [Thomas Meyer <thomas m3y3r.de>]

  *) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could
     inadvertently modify the Content-Type _response_ header. Applies to
     Content-Type only and likely to only affect static file responses.
     [Eric Covener]

  *) mod_ssl: Remove warning over potential uninitialised value
     for ssl protocol prior to protocol selection.
     [Graham Leggett]

  *) mod_proxy: Reuse ProxyRemote connections when possible, like prior
     to 2.4.59.  [Jean-Frederic Clere, Yann Ylavic]

  *) mod_systemd: Add systemd socket activation support.  [Paul Querna,
     Jan Kaluza, Lubos Uhliarik <luhliari redhat.com>, Joe Orton]

  *) mod_systemd: Log the SELinux context at startup if available and
     enabled.  [Joe Orton]

  *) mod_http2: update to version 2.0.32
     The code setting the connection window size was wrong,
     preventing `H2WindowSize` from working.
     Fixed <https://github.com/icing/mod_h2/issues/300>.
     [Stefan Eissing, Michael Kaufmann]

  *) mod_http2: update to version 2.0.30
     - Fixed bug in handling over long response headers. When the 64 KB limit
       of nghttp2 was exceeded, the request was not reset and the client was
       left hanging, waiting for it. Now the stream is reset.
     - Added new directive `H2MaxHeaderBlockLen` to set the limit on response
       header sizes.
     - Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
       connection was reset.

  *) mod_lua: Fix memory handling in LuaOutputFilter. PR 69590.
     [Guillermo Grandes <guillermo.grandes gmail.com>]

  *) mod_proxy_http2: revert r1912193 for detecting broken backend connections
     as this interferes with backend selection when a node is unresponsive.
     PR 69624.

  *) mod_proxy_balancer: Fix a regression that caused stickysession keys no
     longer be recognized if they are provided as query parameter in the URL.
     PR 69443 [Ruediger Pluem]

  *) mod_md: update to version 2.5.2
     - Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
       with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
     - Fixed missing newlines in the status page output. [Andreas Groth]

  *) mod_dav: Add API to expose DavBasePath setting.  [Joe Orton]

  *) mod_md: update to version 2.5.1
     - Added support for ACME profiles with new directives MDProfile and
       MDProfileMandatory.
     - When installing a custom CA file via `MDCACertificateFile`, also set the
       libcurl option CURLSSLOPT_NO_REVOKE that suppresses complaints by Schannel
       (when curl is linked with it) about missing CRL/OCSP in certificates.
     - Fixed handling of corrupted httpd.json and added test 300_30 for it.
       File is removed on error and written again. Fixes #369.
     - Added explanation in log for how to proceed when md_store.json could not be
       parsed and prevented the server start.
     - restored fixes to #336 and #337 which got lost in a sync with Apache svn
     - Add Issue Name/Uris to certificate information in md-status handler
     - MDomains with static certificate files have MDRenewMode "manual", unless
       "always" is configured.

  *) core: Report invalid Options= argument when parsing AllowOverride
     directives.
     Github #310 [Zhou Qingyang <zhou1615 umn.edu>]

  *) scoreboard/mod_http2: record durations of HTTP/2 requests.
     PR 69579 [Pierre Brochard <[email protected]>]
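Five of the security entries above (CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252 and CVE-2024-43204) only matter when a particular directive combination is present. The script below is an added example, not code from this repository or from the Apache httpd project: a POSIX sh audit that greps a configuration tree for those combinations, run here against two constructed sample trees (one with every weak setting, one corrected). The regular expressions are heuristics that ignore <VirtualHost> and <IfModule> scoping and Include order, so a hit is a prompt to review, and a clean run is no substitute for the upgrade to 2.4.64.

```shell
#!/bin/sh
# Added example (not code from the CodeIT repository or the Apache httpd project):
# heuristic audit of an httpd config tree for the directive combinations named in
# the 2.4.64 security entries. Patterns ignore <VirtualHost>/<IfModule> scoping and
# Include order, so a hit means "review this", not proof of exposure.
# conf_lines DIR: every non-blank, non-comment line of every *.conf under DIR,
# printed as FILE:LINENO:TEXT so findings point at the right place.
conf_lines() {
  find "$1" -type f -name '*.conf' | sort | while read -r f; do
    grep -nvE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f:|"
  done
}
# report CVE-ID DESCRIPTION ERE: print the matching config lines under a heading
# and count the CVE class once (uses the CONF and HITS globals set by the caller).
report() {
  found=$(printf '%s\n' "$CONF" | grep -iE "$3" || true)
  [ -n "$found" ] || return 0
  printf '%s: %s\n' "$1" "$2"
  printf '%s\n' "$found" | sed 's/^/    /'
  HITS=$((HITS + 1))
}
# audit_httpd_conf DIR: print findings; status 0 when nothing matched, 1 otherwise.
audit_httpd_conf() {
  CONF=$(conf_lines "$1")
  HITS=0
  # CVE-2025-49812: the TLS-upgrade path only exists with "SSLEngine optional".
  report CVE-2025-49812 '"SSLEngine optional" enables TLS upgrade (removed in 2.4.64)' \
    ':[[:space:]]*SSLEngine[[:space:]]+optional([[:space:]]|$)'
  # CVE-2025-49630: needs an h2:// or h2c:// backend AND ProxyPreserveHost on.
  if printf '%s\n' "$CONF" | grep -iqE ':[[:space:]]*ProxyPass(Match)?[[:space:]].*[[:space:]"]h2c?://'; then
    report CVE-2025-49630 'ProxyPreserveHost on together with an HTTP/2 (h2/h2c) backend' \
      ':[[:space:]]*ProxyPreserveHost[[:space:]]+on([[:space:]]|$)'
  fi
  # CVE-2025-23048: several client-CA sets and SSLStrictSNIVHostCheck never enabled.
  cas=$(printf '%s\n' "$CONF" | grep -iE ':[[:space:]]*SSLCACertificate(File|Path)[[:space:]]' \
        | awk '{print $NF}' | sort -u | wc -l | tr -d ' ')
  if [ "$cas" -gt 1 ] && ! printf '%s\n' "$CONF" \
       | grep -iqE ':[[:space:]]*SSLStrictSNIVHostCheck[[:space:]]+on([[:space:]]|$)'; then
    report CVE-2025-23048 "$cas distinct client-CA sets without 'SSLStrictSNIVHostCheck on'" \
      ':[[:space:]]*SSLCACertificate(File|Path)[[:space:]]'
  fi
  # CVE-2024-47252: mod_ssl variables logged through %{..}x / %{..}c were unescaped.
  report CVE-2024-47252 'mod_ssl variable in a log format via %{VAR}x or %{VAR}c' \
    ':[[:space:]]*(LogFormat|CustomLog)[[:space:]].*%[{]SSL_[A-Z_]+[}][xc]'
  # CVE-2024-43204: mod_headers writing Content-Type from request-supplied data.
  report CVE-2024-43204 'mod_headers sets Content-Type from a request-supplied value' \
    ':[[:space:]]*(Request)?Header[[:space:]]+(set|setifempty|add|append|merge|edit\*?)[[:space:]]+"?Content-Type"?[[:space:]].*%[{]'
  [ "$HITS" -eq 0 ]
}
# count_findings DIR: number of CVE classes that matched; always exits 0.
count_findings() { audit_httpd_conf "$1" | grep -c '^CVE-' || true; }
# Constructed sample trees (not real deployments; paths and host names are
# placeholders): one with every weak setting, one with each setting corrected.
make_weak_conf() {
  mkdir -p "$1/conf.d"
  cat > "$1/httpd.conf" <<'EOF'
LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_TLS_SNI}x" ssl_sni
CustomLog logs/access_log ssl_sni
ProxyPreserveHost On
ProxyPass /api h2://backend.internal:8443/
<VirtualHost *:443>
    ServerName a.example.test
    SSLEngine optional
    SSLCACertificateFile /etc/pki/tls/certs/partner-a-ca.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.test
    SSLEngine on
    SSLCACertificateFile /etc/pki/tls/certs/partner-b-ca.pem
</VirtualHost>
EOF
  cat > "$1/conf.d/headers.conf" <<'EOF'
RequestHeader set Content-Type "%{HTTP_X_CONTENT_TYPE}e"
# SSLStrictSNIVHostCheck on   (commented out on purpose: must not count)
EOF
}
# make_fixed_conf OUT WEAK: derive the corrected tree from the weak one.
make_fixed_conf() {
  mkdir -p "$1"
  sed -e 's/^ProxyPreserveHost On/ProxyPreserveHost Off/' \
      -e 's/SSLEngine optional/SSLEngine on/' \
      -e 's/ %{SSL_TLS_SNI}x//' "$2/httpd.conf" > "$1/httpd.conf"
  echo 'SSLStrictSNIVHostCheck on' >> "$1/httpd.conf"
  echo 'Header set X-Content-Type-Options nosniff' > "$1/headers.conf"
}
tmp=$(mktemp -d)
make_weak_conf "$tmp/weak"
make_fixed_conf "$tmp/fixed" "$tmp/weak"
for d in weak fixed; do echo "== $d =="; audit_httpd_conf "$tmp/$d" && echo "nothing matched"; done
rm -rf "$tmp"
```

Run it as `sh audit.sh` to see the two sample reports, or call `audit_httpd_conf /etc/httpd` against a real tree; the exit status is 0 only when nothing matched, which makes the function usable from a configuration-management or CI check.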

httpd mod_http2 v2.0.30 rpms released

mod_http2 v2.0.30 rpms released and added to all supported platforms.

Changes:

  • Fixed bug in handling over long response headers. When the 64 KB limit
    of nghttp2 was exceeded, the request was not reset and the client was
    left hanging, waiting for it. Now the stream is reset.
  • Added new directive H2MaxHeaderBlockLen to set the limit on response
    header sizes.
  • Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
    connection was reset.

Apache httpd 2.4.63 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.63 added to the repository.

Changes:

*) mod_dav: Update redirect-carefully example BrowserMatch config
to match more recent client versions. PR 66148, 67039.
[Michal Maloszewski <michal.maloszewski canonical.com>,
Romain Tartière <romain blogreen.org>]

*) mod_cache_socache: Fix possible crash on error path. PR 69358.
[Ruediger Pluem]

*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
[StephenWall]

*) mod_md: update to version 2.4.31
– Improved error reporting when waiting for ACME server to verify domains
or finalizing the order fails, e.g. times out.
– Increasing the timeouts to wait for ACME server to verify domain names
and issue the certificate from 30 seconds to 5 minutes.
– Change a log level from error to debug when Stapling is enabled but a
certificate carries no OCSP responder URL.

*) mod_proxy_balancer: Fix the handling of the stickysession configuration
parameter by the balancer manager. PR 69510
[Yutaka Tokunou <[email protected]>]

*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
to be based on arbitrary expressions that do not include the username.
Make sure that when ldap searches are too long, we explicitly log the
error. [Graham Leggett]

*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
in the host name or port. PR 69233. [Yann Ylavic]

*) mod_log_config: Fix merging for the “LogFormat” directive.
PR 65222. [Michael Kaufmann <mail michael-kaufmann.ch>]

*) mod_lua: Make r.ap_auth_type writable. PR 62497.
[Michael Osipov <michaelo apache.org>]

*) mod_md: update to version 2.4.29
– Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
– Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.

*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without “SSLCryptoDevice” configured. [Joe Orton]

*) mod_authnz_ldap: Fix possible memory corruption if the
AuthLDAPSubGroupAttribute directive is configured. [Joe Orton]

*) mod_proxy_fcgi: Don’t re-encode SCRIPT_FILENAME when set via SetHandler.
PR 69203. [Yann Ylavic]

*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
including “unix:” ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]

*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
proxy, but mod_proxy is not loaded. PR 56264.
[Christophe Jaillet, Michael Streeter <[email protected]>]

*) http: Remove support for Request-Range header sent by Navigator 2-3 and
MSIE 3. [Stefan Fritsch]

*) mod_rewrite: Don’t require [UNC] flag to preserve a leading //
added by applying the perdir prefix to the substitution.
[Ruediger Pluem, Eric Covener]

*) Windows: Restore the ability to “Include” configuration files on UNC
paths. PR 69313 [Eric Covener]

*) mod_proxy: Avoid AH01059 parsing error for SetHandler “unix:” URLs
in <Location> (incomplete fix in 2.4.62). PR 69160. [Yann Ylavic]

*) mod_md: update to version 2.4.28
– When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in ‘md/staging/<domain>’ is messed
up, this could prevent further renewals from happening. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
– Fix certificate retrieval on ACME renewal to not require a ‘Location:’
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let’s Encrypt still supports this,
but other CAs do not. [icing]
– Restore compatibility with OpenSSL < 1.1. [ylavic]

*) mod_tls: removed the experimental module. It now is available standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
[Stefan Eissing]

*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.
PR 69197. [Yann Ylavic, Eric Covener]

*) mod_http2: Return connection monitoring to the event MPM when blocking
on client updates. [Stefan Eissing, Yann Ylavic]

Apache httpd 2.4.62-2 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.62-2 added to the repository.

Changes:

  • spec file updated to more closely match the upcoming EL10 packaging
  • mod_lua moved to a separate package (currently still required, to avoid problems with existing setups)
  • the mod_lua requirement will be removed in 2.4.63, after which the package can be deleted

Apache httpd 2.4.62 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.29 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.62-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS (including CentOS 7), Alma Linux, Rocky Linux 8/9 added to repository. mod_http2 2.0.29 and mod_ssl are built dynamically against OpenSSL 3.0.14.

Important security fixes: CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType; CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows.

Brotli conf loading file is now separated to align with new fedora builds.

We build OpenSSL+QUIC separately since v2.4.56-2, installing it separately to /lib64 with .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we have added the brotli compression library. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final TLS 1.3 version (not to be confused with any draft versions) is supported and enabled by default. Please note that the final TLS 1.3 version is supported in Chrome 70+ and Mozilla Firefox 63+. Brotli support is already included in the base RPM file. All you need is to add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

mod_http2 v2.0.29 rpms released

mod_http2 v2.0.29 rpms released and added to all supported platforms.

Changes:

  • When HTTP/2 flow control blocks further writes, return processing to an
    async mpm to free a worker thread. The connection needs window updates from
    the client in such a case and can leave monitoring the socket to the mpm.
    So far, only effective on Apache httpd 2.5.0 (trunk).
    [ylavic, icing]
  • Backport fix of CVE-2024-36387 from Apache 2.4.60
  • Fixed a compiler warning about an unused static var when AP_MPMQ_CAN_WAITIO is not defined.

Apache httpd 2.4.61 with brotli support, TLS 1.3, OpenSSL 3.0.14 with http2, mod_http2 2.0.27 and ALPN for Red Hat Enterprise Linux, CentOS 7/8/9, Alma Linux, Rocky Linux 8/9

Apache httpd 2.4.61-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS (including CentOS 7), Alma Linux, Rocky Linux 8/9 added to repository. mod_http2 2.0.27 and mod_ssl are built dynamically against OpenSSL 3.0.14.

Important security fixes: CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType.
