
A security update for Apache HTTP Server (httpd) is available in Fedora 41, upgrading it to version 2.4.64 with various bug fixes and security patches. The new version addresses several vulnerabilities, including CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-23048, and CVE-2025-49812.

Fedora 41 Update: httpd-2.4.64-1.fc41




[SECURITY] Fedora 41 Update: httpd-2.4.64-1.fc41


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-f94e6fe0b4
2025-10-16 01:34:27.713863+00:00
--------------------------------------------------------------------------------

Name : httpd
Product : Fedora 41
Version : 2.4.64
Release : 1.fc41
URL : https://httpd.apache.org/
Summary : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

--------------------------------------------------------------------------------
Update Information:

New version 2.4.64 and security fixes
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jul 11 2025 Luboš Uhliarik [luhliari@redhat.com] - 2.4.64-1
- new version 2.4.64
* Tue Jun 24 2025 Joe Orton [jorton@redhat.com] - 2.4.63-4
- mod_dav: add dav_get_base_path() API
* Mon Feb 10 2025 Joe Orton [jorton@redhat.com] - 2.4.63-3
- sync default httpd.conf with upstream
* Sat Feb 1 2025 Björn Esser [besser82@fedoraproject.org] - 2.4.63-2
- Add explicit BR: libxcrypt-devel
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2379862 - CVE-2024-42516 httpd: incomplete fix for CVE-2023-38709 [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2379862
[ 2 ] Bug #2379864 - CVE-2024-43204 httpd: SSRF in Apache HTTP Server with mod_proxy loaded [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2379864
[ 3 ] Bug #2379866 - CVE-2024-47252 httpd: insufficient escaping of user-supplied data in mod_ssl [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2379866
[ 4 ] Bug #2379868 - CVE-2025-23048 httpd: access control bypass by trusted clients is possible using TLS 1.3 session resumption [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2379868
[ 5 ] Bug #2382578 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade [fedora-41]
https://bugzilla.redhat.com/show_bug.cgi?id=2382578
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-f94e6fe0b4' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------