Apache HTTP Server 2.4.64 has been released, fixing 8 vulnerabilities and introducing 19 changes.
Fixed vulnerabilities (the first 4 are of moderate severity, the rest are of low severity):
- CVE-2024-42516 - An HTTP response splitting attack is possible on frontend-backend systems, allowing the Content-Type header content in a response to be split in order to inject content into responses to other users processed in the same thread between the frontend and backend.
- CVE-2024-43394 - Platform Specific Windows SSRF (Server-Side Request Forgery) vulnerability, which, when sending specially crafted requests, can lead to the leak of NTLM hashes on server, controlled by the attacker.
- CVE-2025-53020 - HTTP/2 denial of service vulnerability resulting in excessive memory consumption.
- CVE-2025-49812 - A vulnerability in mod_ssl allows a man-in-the-middle (MITM) attacker to perform HTTP session substitution by interfering with the transition from HTTP to HTTPS.
- CVE-2025-23048 - Bypass of access restrictions in mod_ssl when restoring an interrupted session.
- CVE-2025-49630 - Denial of service vulnerability in mod_proxy_http2 module causing crash.
- CVE-2024-47252 - Incorrect character escaping in mod_ssl error log information.
- CVE-2024-43204 - An SSRF vulnerability in mod_headers allows mod_proxy to send an outgoing request to an address specified by the attacker.
Non-security improvements include:
- Added socket activation support to mod_systemd.
- The mod_http2 module has been updated with the H2MaxHeaderBlockLen directive to limit the size of HTTP headers in a response.
- mod_http2 provides recording of information about the duration of HTTP/2 requests.
- The mod_md module has been updated with the DProfile and MDProfileMandatory directives to support an extension of the ACME protocol that implements certificate profiles.
Source: opennet.ru
