ALINUX3-SA-2026:0148
摘要
Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-53020: Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. CVE-2026-28780: Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-33007: A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue. CVE-2026-33857: Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-34032: Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-34059: Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. **Solution**: 请您尽快将升级到修复后的版本。修复命令如下: yum update --advisory ALINUX3-SA-2026:0148 **Affected Products**: Alinux 3.2104, Alinux 3 Pro
正文
Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-53020: Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. CVE-2026-28780: Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-33007: A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue. CVE-2026-33857: Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-34032: Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. CVE-2026-34059: Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
标签
- cve:cve-2025-53020
- cve:cve-2026-28780
- cve:cve-2026-33007
- cve:cve-2026-33857
- cve:cve-2026-34032
- cve:cve-2026-34059
- severity:important
- type:advisory
- vendor:alibaba
扩展字段
{
"advisory_id": "ALINUX3-SA-2026:0148",
"affected_products": [
"Alinux 3.2104",
"Alinux 3 Pro"
],
"cve_ids": [
"CVE-2025-53020",
"CVE-2026-28780",
"CVE-2026-33007",
"CVE-2026-33857",
"CVE-2026-34032",
"CVE-2026-34059"
],
"raw_pub_date": "Thu, 11 Jun 2026 17:35:43 +0800",
"solution": "请您尽快将升级到修复后的版本。修复命令如下:\nyum update --advisory ALINUX3-SA-2026:0148"
}