[El-errata] ELSA-2026-21391 Important: Oracle Linux 9 httpd security update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Thu Jun 25 01:09:50 UTC 2026
Oracle Linux Security Advisory ELSA-2026-21391
http://linux.oracle.com/errata/ELSA-2026-21391.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
httpd-2.4.62-13.0.1.el9_8.1.x86_64.rpm
httpd-core-2.4.62-13.0.1.el9_8.1.x86_64.rpm
httpd-devel-2.4.62-13.0.1.el9_8.1.x86_64.rpm
httpd-filesystem-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-manual-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-tools-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_ldap-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_lua-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_proxy_html-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_session-2.4.62-13.0.1.el9_8.1.x86_64.rpm
mod_ssl-2.4.62-13.0.1.el9_8.1.x86_64.rpm
aarch64:
httpd-2.4.62-13.0.1.el9_8.1.aarch64.rpm
httpd-core-2.4.62-13.0.1.el9_8.1.aarch64.rpm
httpd-devel-2.4.62-13.0.1.el9_8.1.aarch64.rpm
httpd-filesystem-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-manual-2.4.62-13.0.1.el9_8.1.noarch.rpm
httpd-tools-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_ldap-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_lua-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_proxy_html-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_session-2.4.62-13.0.1.el9_8.1.aarch64.rpm
mod_ssl-2.4.62-13.0.1.el9_8.1.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/httpd-2.4.62-13.0.1.el9_8.1.src.rpm
Related CVEs:
CVE-2026-28780
CVE-2026-33007
CVE-2026-33857
CVE-2026-34032
CVE-2026-34059
Description of changes:
[2.4.62-13.0.1.el9_8.1]
- Replace index.html with Oracle's index page oracle_index.html.
[2.4.62-13.1]
- Resolves: RHEL-173555 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary
code execution via heap-based buffer overflow (CVE-2026-28780)
- Resolves: RHEL-175080 - httpd: NULL pointer dereference can cause a child
process crash (CVE-2026-33007)
- Resolves: RHEL-175100 - httpd: off-by-one out-of-bounds reads in AJP getter
functions (CVE-2026-33857)
- Resolves: RHEL-175028 - httpd: heap-based buffer over-read due to missing
null-termination check (CVE-2026-34032)
- Resolves: RHEL-175062 - httpd: heap-based buffer over-read and memory
disclosure in ajp_parse_data() (CVE-2026-34059)
More information about the El-errata
mailing list