[El-errata] ELSA-2025-15023 Moderate: Oracle Linux 9 httpd security update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Wed Sep 3 03:41:00 UTC 2025
Oracle Linux Security Advisory ELSA-2025-15023
http://linux.oracle.com/errata/ELSA-2025-15023.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
httpd-2.4.62-4.0.1.el9_6.4.x86_64.rpm
httpd-core-2.4.62-4.0.1.el9_6.4.x86_64.rpm
httpd-devel-2.4.62-4.0.1.el9_6.4.x86_64.rpm
httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-tools-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_ldap-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_lua-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_proxy_html-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_session-2.4.62-4.0.1.el9_6.4.x86_64.rpm
mod_ssl-2.4.62-4.0.1.el9_6.4.x86_64.rpm
aarch64:
httpd-2.4.62-4.0.1.el9_6.4.aarch64.rpm
httpd-core-2.4.62-4.0.1.el9_6.4.aarch64.rpm
httpd-devel-2.4.62-4.0.1.el9_6.4.aarch64.rpm
httpd-filesystem-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-manual-2.4.62-4.0.1.el9_6.4.noarch.rpm
httpd-tools-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_ldap-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_lua-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_proxy_html-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_session-2.4.62-4.0.1.el9_6.4.aarch64.rpm
mod_ssl-2.4.62-4.0.1.el9_6.4.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/httpd-2.4.62-4.0.1.el9_6.4.src.rpm
Related CVEs:
CVE-2024-47252
CVE-2025-23048
CVE-2025-49812
Description of changes:
[2.4.62-4.0.1.4]
- Replace index.html with Oracle's index page oracle_index.html.
[2.4.62-4.4]
- Resolves: RHEL-99949 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
[2.4.62-4.1]
- Resolves: RHEL-99972 - CVE-2024-47252 httpd: insufficient escaping of
user-supplied data in mod_ssl
- Resolves: RHEL-99963 - CVE-2025-23048 httpd: access control bypass by trusted
clients is possible using TLS 1.3 session resumption
- Resolves: RHEL-102079 - stickysession field does not work when specifying it
in the query parameter after upgrade to 9.5
[2.4.62-4]
- Resolves: RHEL-66488 - Apache HTTPD no longer parse PHP files with unicode
characters in the name
[2.4.62-3]
- Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket)
configured in .htaccess doesn't work on httpd-2.4.62-1
[2.4.62-2]
- mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-36755
[2.4.62-1]
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix
[2.4.59-7]
- Resolves: RHEL-49856: htcacheclean.service missing [Install] section
[2.4.59-6]
- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
Related: RHEL-14668
[2.4.59-5]
- mod_ssl: defer ENGINE_finish() calls to a cleanup
Resolves: RHEL-36755
[2.4.59-4]
- Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers
[2.4.59-3]
- Related: RHEL-14668 - RFE: httpd rebase to 2.4.59
[2.4.59-2]
- Resolves: RHEL-35870 - httpd mod_cgi/cgid unification
[2.4.59-1]
- new version 2.4.59
- Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59
- Resolves: RHEL-31856 - httpd: HTTP response splitting
(CVE-2023-38709)
- Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple
modules (CVE-2024-24795)
[2.4.57-8]
- mod_xml2enc: fix media type handling
Resolves: RHEL-17686
- mod_dav: add DavBasePath
Resolves: RHEL-6600
[2.4.57-7]
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)
[2.4.57-6]
- Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
- mod_dav_fs: add global mutex around lockdb interaction
More information about the El-errata
mailing list