Apache 2.4.64 Update Fixes 8 Vulnerabilities

Apache has released version 2.4.64 of the Apache HTTP Server, which eliminates 8 vulnerabilities and introduces 19 changes. You can read more about it here.

Eliminated vulnerabilities (the first 4 are rated moderate severity, the rest low):

  • CVE-2024-42516 – HTTP response splitting on front-end systems, potentially mixing response contents between users.
  • CVE-2024-43394 – A Windows-specific SSRF (Server-Side Request Forgery) vulnerability that could leak NTLM hashes to a server under the attacker's control.
  • CVE-2025-53020 – Denial of service via HTTP/2, resulting in excessive memory consumption.
  • CVE-2025-49812 – A vulnerability in mod_ssl that could allow an attacker to hijack traffic and substitute HTTP sessions.
  • CVE-2025-23048 – Access restriction bypass in mod_ssl when resuming interrupted TLS sessions.
  • CVE-2025-49630 – Denial of service causing abnormal termination (a crash) of the mod_proxy_http2 module.
  • CVE-2024-47252 – Insufficient escaping of characters in error messages written to mod_ssl logs.
  • CVE-2024-43204 – An SSRF vulnerability in mod_headers that allowed outgoing requests to attacker-specified addresses.

Non-security improvements include:

  • mod_systemd adds support for socket activation.
  • mod_http2 adds the H2MaxHeaderBlockLen directive to limit the size of HTTP headers in the response.
  • mod_http2 now records the duration of HTTP/2 requests.
  • mod_md adds the MDProfile and MDProfileMandatory directives to support ACME protocol extensions (profiles) for certificate issuance.