[El-errata] ELSA-2025-23932 Important: Oracle Linux 10 httpd security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Dec 24 17:31:14 UTC 2025 

Oracle Linux Security Advisory ELSA-2025-23932

http://linux.oracle.com/errata/ELSA-2025-23932.html

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:

x86_64:
httpd-2.4.63-4.0.1.el10_1.3.x86_64.rpm
httpd-core-2.4.63-4.0.1.el10_1.3.x86_64.rpm
httpd-devel-2.4.63-4.0.1.el10_1.3.x86_64.rpm
httpd-filesystem-2.4.63-4.0.1.el10_1.3.noarch.rpm
httpd-manual-2.4.63-4.0.1.el10_1.3.noarch.rpm
httpd-tools-2.4.63-4.0.1.el10_1.3.x86_64.rpm
mod_ldap-2.4.63-4.0.1.el10_1.3.x86_64.rpm
mod_lua-2.4.63-4.0.1.el10_1.3.x86_64.rpm
mod_proxy_html-2.4.63-4.0.1.el10_1.3.x86_64.rpm
mod_session-2.4.63-4.0.1.el10_1.3.x86_64.rpm
mod_ssl-2.4.63-4.0.1.el10_1.3.x86_64.rpm

aarch64:
httpd-2.4.63-4.0.1.el10_1.3.aarch64.rpm
httpd-core-2.4.63-4.0.1.el10_1.3.aarch64.rpm
httpd-devel-2.4.63-4.0.1.el10_1.3.aarch64.rpm
httpd-filesystem-2.4.63-4.0.1.el10_1.3.noarch.rpm
httpd-manual-2.4.63-4.0.1.el10_1.3.noarch.rpm
httpd-tools-2.4.63-4.0.1.el10_1.3.aarch64.rpm
mod_ldap-2.4.63-4.0.1.el10_1.3.aarch64.rpm
mod_lua-2.4.63-4.0.1.el10_1.3.aarch64.rpm
mod_proxy_html-2.4.63-4.0.1.el10_1.3.aarch64.rpm
mod_session-2.4.63-4.0.1.el10_1.3.aarch64.rpm
mod_ssl-2.4.63-4.0.1.el10_1.3.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/httpd-2.4.63-4.0.1.el10_1.3.src.rpm

Related CVEs:

CVE-2025-58098
CVE-2025-65082
CVE-2025-66200




Description of changes:

[2.4.63-4.0.1.3]
- Replace index.html with Oracle's index page oracle_index.html.

[2.4.63-4.3]
- Resolves: RHEL-135052 - httpd: Apache HTTP Server: mod_userdir+suexec bypass
  via AllowOverride FileInfo (CVE-2025-66200)
- Resolves: RHEL-135035 - httpd: Apache HTTP Server: CGI environment variable
  override (CVE-2025-65082)
- Resolves: RHEL-134467 - httpd: Apache HTTP Server: Server Side Includes adds
  query string to #exec cmd=... (CVE-2025-58098)

[2.4.63-4.2]
- Resolves: RHEL-125894 - mod_ssl: allow more fine grained SSL SNI vhost check
  to avoid unnecessary 421 errors after CVE-2025-23048 fix

More information about the El-errata mailing list