SUSE-CU-2026:6645-1: Security update of suse/manager/4.3/proxy-httpd
sle-container-updates at lists.suse.com
sle-container-updates at lists.suse.com
Wed Jul 1 10:03:11 UTC 2026
SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:6645-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.18 , suse/manager/4.3/proxy-httpd:4.3.18.9.79.15 , suse/manager/4.3/proxy-httpd:latest
Container Release : 9.79.15
Severity : important
Type : security
References : 1207327 1208708 1214357 1263935 1263950 1263951 1263952 1263953
1263954 1263955 1263956 1263957 1264150 1264163 1267503 1267955
1267956 1267962 1267963 1267965 1267969 1267970 1267971 1267972
1267976 1267977 1267978 690734 CVE-2006-20001 CVE-2021-44224
CVE-2021-44790 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943
CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522
CVE-2022-30556 CVE-2022-31813 CVE-2022-36760 CVE-2022-37436 CVE-2023-25690
CVE-2023-27522 CVE-2023-31122 CVE-2023-38709 CVE-2023-45802 CVE-2024-24795
CVE-2024-27316 CVE-2024-38473 CVE-2024-38474 CVE-2024-38475 CVE-2024-38476
CVE-2024-38477 CVE-2024-39573 CVE-2024-39884 CVE-2024-40725 CVE-2024-42516
CVE-2024-43204 CVE-2024-47252 CVE-2025-23048 CVE-2025-49630 CVE-2025-49812
CVE-2025-53020 CVE-2025-55753 CVE-2025-58098 CVE-2025-65082 CVE-2025-66200
CVE-2026-23918 CVE-2026-24072 CVE-2026-28780 CVE-2026-29167 CVE-2026-29168
CVE-2026-29169 CVE-2026-29170 CVE-2026-33006 CVE-2026-33007 CVE-2026-33523
CVE-2026-33857 CVE-2026-34032 CVE-2026-34059 CVE-2026-34355 CVE-2026-34356
CVE-2026-42535 CVE-2026-42536 CVE-2026-43951 CVE-2026-44119 CVE-2026-44185
CVE-2026-44186 CVE-2026-44631 CVE-2026-48913 CVE-2026-49975
-----------------------------------------------------------------
The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2686-1
Released: Tue Jun 30 00:35:37 2026
Summary: Security update for apache2
Type: security
Severity: important
References: 1207327,1208708,1214357,1263935,1263950,1263951,1263952,1263953,1263954,1263955,1263956,1263957,1264150,1264163,1267503,1267955,1267956,1267962,1267963,1267965,1267969,1267970,1267971,1267972,1267976,1267977,1267978,690734,CVE-2006-20001,CVE-2021-44224,CVE-2021-44790,CVE-2022-22719,CVE-2022-22720,CVE-2022-22721,CVE-2022-23943,CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813,CVE-2022-36760,CVE-2022-37436,CVE-2023-25690,CVE-2023-27522,CVE-2023-31122,CVE-2023-38709,CVE-2023-45802,CVE-2024-24795,CVE-2024-27316,CVE-2024-38473,CVE-2024-38474,CVE-2024-38475,CVE-2024-38476,CVE-2024-38477,CVE-2024-39573,CVE-2024-39884,CVE-2024-40725,CVE-2024-42516,CVE-2024-43204,CVE-2024-47252,CVE-2025-23048,CVE-2025-49630,CVE-2025-49812,CVE-2025-53020,CVE-2025-55753,CVE-2025-58098,CVE-2025-65082,CVE-2025-66200,CVE-2026-23918,CVE-2026-24072,CVE-2026-28780,CVE-2026-29167,CVE-2026-29168,CVE-2026-29169,CVE-2026-29170,CVE-2026-33006,CVE-2026-330
07,CVE-2026-33523,CVE-2026-33857,CVE-2026-34032,CVE-2026-34059,CVE-2026-34355,CVE-2026-34356,CVE-2026-42535,CVE-2026-42536,CVE-2026-43951,CVE-2026-44119,CVE-2026-44185,CVE-2026-44186,CVE-2026-44631,CVE-2026-48913,CVE-2026-49975
This update for apache2 fixes the following issues
- CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957).
- CVE-2026-24072: mod_rewrite elevation of privileges via ap_expr (bsc#1263935).
- CVE-2026-28780: heap buffer overflow in `mod_proxy_ajp` via `ajp_msg_check_header()` (bsc#1264163).
- CVE-2026-29167: mod_ldap per-dir use-after-free (bsc#1267976).
- CVE-2026-29168: allocation of resources without limits in `mod_md` via OCSP response (bsc#1264150).
- CVE-2026-29169: NULL pointer dereference in `mod_dav_lock` allows server crash via malicious requests (bsc#1263956).
- CVE-2026-29170: mod_proxy_ftp XSS (bsc#1267977).
- CVE-2026-33006: `mod_auth_digest` timing attack allows bypass of Digest authentication (bsc#1263955).
- CVE-2026-33007: NULL pointer dereference in `mod_authn_socache` allows unauthenticated remote user to crash a child
processes (bsc#1263954).
- CVE-2026-33523: HTTP response splitting forwarding malicious status line (bsc#1263953).
- CVE-2026-33857: off-by-one OOB reads in AJP getter functions (bsc#1263952).
- CVE-2026-34032: heap buffer overread in `mod_proxy_ajp` due to missing null-termination check (bsc#1263951).
- CVE-2026-34059: heap buffer overread and memory disclosure via `ajp_parse_data()` (bsc#1263950).
- CVE-2026-34355: mod_proxy_html buffer overflow (bsc#1267978).
- CVE-2026-34356: malicious backend servers can lead to a heap-based buffer overflow (bsc#1267955).
- CVE-2026-42535: malicious path manipulation can lead to child process crashes (bsc#1267956).
- CVE-2026-42536: processing untrusted content can lead to a heap-based buffer overflow (bsc#1267962).
- CVE-2026-43951: out-of-bound read in `merge_response_headers` can cause crash (bsc#1267963).
- CVE-2026-44119: improper privilege management can lead to an unauthorized read (bsc#1267965).
- CVE-2026-44185: Stack Buffer Over-Read in mod_ssl OCSP `send_request` (bsc#1267969).
- CVE-2026-44186: responses from an attacker-controlled FTP backend can lead to resource exhaustion and a denial of
service (bsc#1267970).
- CVE-2026-44631: crafted regular expression can lead to a buffer underwrite (bsc#1267971).
- CVE-2026-48913: file handle exhaustion during request processing in mod_http2 can lead to a use-after-free
(bsc#1267972).
- CVE-2026-49975: Fix cookie header accounting against LimitRequestFields (bsc#1267503).
Non security issue:
- Update to 2.4.66 (jsc#PED-16334).
The following package changes have been done:
- apache2-utils-2.4.66-150400.6.57.1 updated
- apache2-2.4.66-150400.6.57.1 updated
- apache2-prefork-2.4.66-150400.6.57.1 updated
More information about the sle-container-updates
mailing list