Release of Apache 2.4.64 http server with elimination of 8 vulnerabilities

Apache HTTP Server 2.4.64 has been released, fixing 8 vulnerabilities and introducing 19 changes.

Fixed vulnerabilities (the first 4 are of moderate severity, the rest are of low severity):

  • CVE-2024-42516 - An HTTP response splitting attack is possible on frontend-backend systems, allowing the Content-Type header content in a response to be split in order to inject content into responses to other users processed in the same thread between the frontend and backend.
  • CVE-2024-43394 - Platform Specific Windows SSRF (Server-Side Request Forgery) vulnerability, which, when sending specially crafted requests, can lead to the leak of NTLM hashes on server, controlled by the attacker.
  • CVE-2025-53020 - HTTP/2 denial of service vulnerability resulting in excessive memory consumption.
  • CVE-2025-49812 - A vulnerability in mod_ssl allows a man-in-the-middle (MITM) attacker to perform HTTP session substitution by interfering with the transition from HTTP to HTTPS.
  • CVE-2025-23048 - Bypass of access restrictions in mod_ssl when restoring an interrupted session.
  • CVE-2025-49630 - Denial of service vulnerability in mod_proxy_http2 module causing crash.
  • CVE-2024-47252 - Incorrect character escaping in mod_ssl error log information.
  • CVE-2024-43204 - An SSRF vulnerability in mod_headers allows mod_proxy to send an outgoing request to an address specified by the attacker.

Non-security improvements include:

  • Added socket activation support to mod_systemd.
  • The mod_http2 module has been updated with the H2MaxHeaderBlockLen directive to limit the size of HTTP headers in a response.
  • mod_http2 provides recording of information about the duration of HTTP/2 requests.
  • The mod_md module has been updated with the DProfile and MDProfileMandatory directives to support an extension of the ACME protocol that implements certificate profiles.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster