HCE1-SA-2025-0050

Details

Security Fix(es):

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. (CVE-2024-47252)

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade. (CVE-2025-49812)

Affected Packages

httpd

HCE 1.1

Fixed in:

2.4.6-99.hce1c.4

httpd-devel

HCE 1.1

Fixed in:

2.4.6-99.hce1c.4

httpd-manual

HCE 1.1

Fixed in:

2.4.6-99.hce1c.4

httpd-tools

HCE 1.1

Fixed in:

2.4.6-99.hce1c.4

mod_session

HCE 1.1

Fixed in:

2.4.6-99.hce1c.4

mod_ssl

HCE 1.1

Fixed in:

2.4.6-99.hce1c.4

References

ADVISORY

https://mirrors.huaweicloud.com/hce/1.1/sa/HCE1-SA-2025-0050.xml