1. A delayed memory release issue that could compromise HTTP sessions via TLS upgrades (CVE-2025-53020).
2. A mod_ssl vulnerability allowing man-in-the-middle attackers to hijack sessions during TLS upgrades (CVE-2025-49812).
3. A flaw in mod_ssl that permits trusted clients to bypass access control using TLS 1.3 session resumption (CVE-2025-23048).
4. A server-side request forgery (SSRF) on Windows linked to UNC paths, potentially exposing NTLM hashes (CVE-2024-43394).
5. An HTTP response splitting vulnerability affecting applications hosted or proxied by the server (CVE-2024-42516).
This update also includes various enhancements and bug fixes across multiple modules, such as mod_proxy, mod_ssl, and mod_http2, ensuring improved performance and security.
Extended Summary
The release of Apache HTTP Server 2.4.64 is significant not only because of the security vulnerabilities it addresses, but also due to the overall improvements it brings to the server's functionality. The vulnerabilities fixed in this release highlight the ongoing need for vigilance in web server security, particularly in configurations that involve TLS.
In addition to fixing critical security issues, the new version introduces enhancements aimed at optimizing performance. For instance, improvements in mod_proxy allow for better connection management, while updates in mod_http2 address previous bugs that could lead to server hangs under specific conditions. The release also refines logging capabilities and error handling, contributing to a more robust administrative experience.
Furthermore, the Apache HTTP Server Project has committed to raising the standards for vulnerability reporting, particularly concerning SSRF vulnerabilities involving UNC paths, which can pose significant risks to server security. Users are actively encouraged to upgrade to this latest version to ensure their server configurations are fortified against the identified vulnerabilities, as well as to benefit from the latest features and performance improvements.
Overall, the release exemplifies the Apache Software Foundation's dedication to maintaining a secure and efficient web server environment, which is crucial as web technologies evolve and new threats emerge. Users are advised to remain informed about updates and best practices to enhance their server security and performance continually
Apache HTTP Server 2.4.64 released
Apache HTTP Server 2.4.64 has been released to resolve multiple security vulnerabilities. The initial issue pertains to the delayed memory release following a vulnerability related to effective lifetime in Apache HTTP Server, impacting versions 2.4.17 through 2.4.63. This vulnerability allows an attacker to compromise an HTTP session by using a TLS upgrade. The second issue pertains to the mod_ssl TLS upgrade attack, which enables a man-in-the-middle attacker to compromise an HTTP session through a TLS upgrade. The third issue is about a problem with mod_ssl that allows trusted clients to skip access control by using TLS 1.3 session resumption.
The fourth issue pertains to server-side request forgery (SSRF) on Windows as a result of UNC paths. This vulnerability allows a harmful server to possibly reveal NTLM hashes to an unauthorized server by using mod_rewrite or Apache commands that process unchecked request input. The server provides limited safeguards against administrators instructing it to access UNC paths. Windows servers must restrict the hosts they connect to via SMB, taking into account the characteristics of NTLM authentication.
