<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-webserver/recipes-httpd/apache2, branch scarthgap</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-05-21T03:27:44+00:00</updated>
<entry>
<title>apache2: upgrade 2.4.66 -&gt; 2.4.67</title>
<updated>2026-05-21T03:27:44+00:00</updated>
<author>
<name>Liyin Zhang</name>
<email>liyin.zhang.cn@windriver.com</email>
</author>
<published>2026-05-13T05:04:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9f64ff03f593165af924356556614db2bf0d0c57'/>
<id>urn:sha1:9f64ff03f593165af924356556614db2bf0d0c57</id>
<content type='text'>
Security fixes:
- CVE-2026-34059
- CVE-2026-34032
- CVE-2026-33857
- CVE-2026-33523
- CVE-2026-33007
- CVE-2026-33006
- CVE-2026-29169
- CVE-2026-29168
- CVE-2026-28780
- CVE-2026-24072
- CVE-2026-23918

See: https://archive.apache.org/dist/httpd/CHANGES_2.4.67

Signed-off-by: Liyin Zhang &lt;liyin.zhang.cn@windriver.com&gt;
Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>apache2: upgrade 2.4.65 -&gt; 2.4.66</title>
<updated>2025-12-11T02:30:53+00:00</updated>
<author>
<name>Valeria Petrov</name>
<email>valeria.petrov@spinetix.com</email>
</author>
<published>2025-12-08T20:51:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c223262bd7e275a8518a3524e51ff616cad70aab'/>
<id>urn:sha1:c223262bd7e275a8518a3524e51ff616cad70aab</id>
<content type='text'>
Security fixes:
- CVE-2025-66200
- CVE-2025-65082
- CVE-2025-59775
- CVE-2025-58098
- CVE-2025-55753

See: http://www.apache.org/dist/httpd/CHANGES_2.4.66

Signed-off-by: Valeria Petrov &lt;valeria.petrov@spinetix.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>apache2: ignore CVE-2025-3891</title>
<updated>2025-11-19T03:16:55+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2025-11-18T05:50:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=e8eea380c9fb3b6e1a7f1446f2c9f199a5fb9dcb'/>
<id>urn:sha1:e8eea380c9fb3b6e1a7f1446f2c9f199a5fb9dcb</id>
<content type='text'>
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.

The affected module is not part of the meta-oe universe currently,
so ignore the CVE.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 11fc309ae95bc221d44fb85515ab5df7afd59c26)
Signed-off-by: Ankur Tyagi &lt;ankur.tyagi85@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>apache2: ignore irrelevant CVEs</title>
<updated>2025-10-06T08:10:21+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2025-10-04T18:18:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=baf3635c7df7db493597f43d6c737061b247a07a'/>
<id>urn:sha1:baf3635c7df7db493597f43d6c737061b247a07a</id>
<content type='text'>
Ignore a number of CVEs for this recipe (because they are for another software,
outdated version, or because they affect only non-Linux platforms). This commit
is a backport of a number of commits from the master branch (which uses the same
version of the recipe):

0e7733f1b8f51949ec91d82267d5d864ac0be16a
1b86a60f6283b08acadc50914075d93dd362700b
59d3949e3ed673bd049aadfd2238213b550f1461
1b86a60f6283b08acadc50914075d93dd362700b
da2b5e8b93c248363581b1bd4ff67ff1d8357c41
0e7733f1b8f51949ec91d82267d5d864ac0be16a

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@intel.com&gt;
</content>
</entry>
<entry>
<title>apache2: upgrade 2.4.64 - 2.4.65</title>
<updated>2025-09-23T02:09:56+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-09-19T11:04:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=a5de2a57285b1332983d92e5c2cd0c9cb0a8e382'/>
<id>urn:sha1:a5de2a57285b1332983d92e5c2cd0c9cb0a8e382</id>
<content type='text'>
fixes CVE-2025-54090

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.65

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Anuj Mittal &lt;anuj.mittal@intel.com&gt;
</content>
</entry>
<entry>
<title>apache2: Upgrade 2.4.62 -&gt; 2.4.64</title>
<updated>2025-08-02T17:13:10+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-07-15T10:03:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c672757f81486136f053d11395dec8e25c38e2d7'/>
<id>urn:sha1:c672757f81486136f053d11395dec8e25c38e2d7</id>
<content type='text'>
This upgrade incorporates the fixes for CVE-2025-53020, CVE-2025-49812,
CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394,
CVE-2024-43204, CVE-2024-42516 and other bugfixes.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.64

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: use update-alternatives for httpd</title>
<updated>2024-10-06T11:26:19+00:00</updated>
<author>
<name>Trevor Woerner</name>
<email>twoerner@gmail.com</email>
</author>
<published>2024-09-26T22:45:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=62b7dc247bdfd908abd6bbfc1c79a45358fb8e54'/>
<id>urn:sha1:62b7dc247bdfd908abd6bbfc1c79a45358fb8e54</id>
<content type='text'>
Busybox can optionally provide an httpd server, but by default The Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.

apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.

Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.

Signed-off-by: Trevor Woerner &lt;twoerner@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: Upgrade 2.4.60 -&gt; 2.4.62</title>
<updated>2024-08-03T15:51:25+00:00</updated>
<author>
<name>Siddharth Doshi</name>
<email>sdoshi@mvista.com</email>
</author>
<published>2024-07-20T05:27:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=408fc15c230df469fe9b56499c5a9fb36d06cfd6'/>
<id>urn:sha1:408fc15c230df469fe9b56499c5a9fb36d06cfd6</id>
<content type='text'>
CVE's Fixed by upgrade:
CVE-2024-39884 httpd: source code disclosure with handlers configured via AddType
CVE-2024-40725 httpd: source code disclosure with handlers configured via AddType

Other Changes between 2.4.60 -&gt; 2.4.62
======================================
https://github.com/apache/httpd/blob/2.4.62/CHANGES

Signed-off-by: Siddharth Doshi &lt;sdoshi@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: Upgrade 2.4.59 -&gt; 2.4.60</title>
<updated>2024-07-09T12:14:43+00:00</updated>
<author>
<name>Siddharth Doshi</name>
<email>sdoshi@mvista.com</email>
</author>
<published>2024-07-02T18:08:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0cbf21fd5138ef97b7fdbab3e9cc64066f95e84a'/>
<id>urn:sha1:0cbf21fd5138ef97b7fdbab3e9cc64066f95e84a</id>
<content type='text'>
CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite

Other Changes between 2.4.59 -&gt; 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES

Signed-off-by: Siddharth Doshi &lt;sdoshi@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: Upgrade v2.4.58 -&gt; v2.4.59</title>
<updated>2024-04-21T17:52:49+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-04-19T13:22:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=47d001b2fd63057c2210ee7b740dd38acd755e5c'/>
<id>urn:sha1:47d001b2fd63057c2210ee7b740dd38acd755e5c</id>
<content type='text'>
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.

Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
</feed>
