Oracle Linux Security Advisory ELSA-2025-15023 http://linux.oracle.com/errata/ELSA-2025-15023.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: httpd-2.4.62-4.0.1.el9_6.4.x86_64.rpm httpd-core-2.4.62-4.0.1.el9_6.4.x86_64.rpm httpd-devel-2.4.62-4.0.1.el9_6.4.x86_64.rpm httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm httpd-tools-2.4.62-4.0.1.el9_6.4.x86_64.rpm mod_ldap-2.4.62-4.0.1.el9_6.4.x86_64.rpm mod_lua-2.4.62-4.0.1.el9_6.4.x86_64.rpm mod_proxy_html-2.4.62-4.0.1.el9_6.4.x86_64.rpm mod_session-2.4.62-4.0.1.el9_6.4.x86_64.rpm mod_ssl-2.4.62-4.0.1.el9_6.4.x86_64.rpm aarch64: httpd-2.4.62-4.0.1.el9_6.4.aarch64.rpm httpd-core-2.4.62-4.0.1.el9_6.4.aarch64.rpm httpd-devel-2.4.62-4.0.1.el9_6.4.aarch64.rpm httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm httpd-tools-2.4.62-4.0.1.el9_6.4.aarch64.rpm mod_ldap-2.4.62-4.0.1.el9_6.4.aarch64.rpm mod_lua-2.4.62-4.0.1.el9_6.4.aarch64.rpm mod_proxy_html-2.4.62-4.0.1.el9_6.4.aarch64.rpm mod_session-2.4.62-4.0.1.el9_6.4.aarch64.rpm mod_ssl-2.4.62-4.0.1.el9_6.4.aarch64.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/httpd-2.4.62-4.0.1.el9_6.4.src.rpm Related CVEs: CVE-2024-47252 CVE-2025-23048 CVE-2025-49812 Description of changes: [2.4.62-4.0.1.4] - Replace index.html with Oracle's index page oracle_index.html. [2.4.62-4.4] - Resolves: RHEL-99949 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade [2.4.62-4.1] - Resolves: RHEL-99972 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl - Resolves: RHEL-99963 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption - Resolves: RHEL-102079 - stickysession field does not work when specifying it in the query parameter after upgrade to 9.5 [2.4.62-4] - Resolves: RHEL-66488 - Apache HTTPD no longer parse PHP files with unicode characters in the name [2.4.62-3] - Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket) configured in .htaccess doesn't work on httpd-2.4.62-1 [2.4.62-2] - mod_ssl: fix loading keys via ENGINE API Resolves: RHEL-36755 [2.4.62-1] - new version 2.4.62 - Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix [2.4.59-7] - Resolves: RHEL-49856: htcacheclean.service missing [Install] section [2.4.59-6] - mod_ssl: restore SSL_OP_NO_RENEGOTIATE support Related: RHEL-14668 [2.4.59-5] - mod_ssl: defer ENGINE_finish() calls to a cleanup Resolves: RHEL-36755 [2.4.59-4] - Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers [2.4.59-3] - Related: RHEL-14668 - RFE: httpd rebase to 2.4.59 [2.4.59-2] - Resolves: RHEL-35870 - httpd mod_cgi/cgid unification [2.4.59-1] - new version 2.4.59 - Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59 - Resolves: RHEL-31856 - httpd: HTTP response splitting (CVE-2023-38709) - Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple modules (CVE-2024-24795) [2.4.57-8] - mod_xml2enc: fix media type handling Resolves: RHEL-17686 - mod_dav: add DavBasePath Resolves: RHEL-6600 [2.4.57-7] - Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122) [2.4.57-6] - Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType - mod_dav_fs: add global mutex around lockdb interaction _______________________________________________ El-errata mailing list El-errata@oss.oracle.com https://oss.oracle.com/mailman/listinfo/el-errata
