SUSE-SU-2026:2103-1

Description of the patch:

This update for apache2 fixes the following issues

• CVE-2026-23918: http2: double free and possible RCE on early reset (bsc#1263957).
• CVE-2026-24072: mod_rewrite elevation of privileges via ap_expr (bsc#1263935).
• CVE-2026-28780: heap buffer overflow in mod_proxy_ajp via ajp_msg_check_header() (bsc#1264163).
• CVE-2026-29168: allocation of resources without limits in mod_md via OCSP response (bsc#1264150).
• CVE-2026-29169: NULL pointer dereference in mod_dav_lock allows server crash via malicious requests (bsc#1263956).
• CVE-2026-33006: mod_auth_digest timing attack allows bypass of Digest authentication (bsc#1263955).
• CVE-2026-33007: NULL pointer dereference in mod_authn_socache allows unauthenticated remote user to crash a child processes (bsc#1263954).
• CVE-2026-33523: HTTP response splitting forwarding malicious status line (bsc#1263953).
• CVE-2026-33857: off-by-one OOB reads in AJP getter functions (bsc#1263952).
• CVE-2026-34032: heap buffer overread in mod_proxy_ajp due to missing null-termination check (bsc#1263951).
• CVE-2026-34059: heap buffer overread and memory disclosure via ajp_parse_data() (bsc#1263950).