RE: https://chaos.social/@icing/116526903529846107

Aftermath: people running Debian httpd 2.4.66 will start complaining when they get the 2.4.67 update to fix this RCE vulnerability. Which they were already protected from, but did not know. Because the CVE was not public at the time the fix was shipped.

[...]

Two security researchers found the vulnerability independently, just by scanning the 2.4.66 source code. This means the bad guys can no longer be kept in the dark. Coordinated disclosure no longer works.

#CVE_2026_23918

#Debian stable #apache2 package 2.4.66-1~deb13u2 already includes the fix for CVE-2026-23918.

You can verify this by running apt-get source apache2 and then checking out apache2-2.4.66/debian/patches/bug1125368.patch

The security tracker at https://security-tracker.debian.org/tracker/CVE-2026-23918 currently has wrong information. This is likely due to automation based on version numbers alone.

#CVE_2026_23918
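The post above says the fix is in the Debian source package even though the version string still reads 2.4.66, which is exactly the case a version-only scanner gets wrong. The script below is an added example, not code from any of the posts or from Debian: it checks an unpacked Debian source tree the way a person would after apt-get source, confirming that the named patch is listed in debian/patches/series, that the patch file exists, and that debian/changelog records the CVE id. The sample tree it builds under mktemp is constructed for the demo (the patch body and changelog entry are placeholders); only the patch name bug1125368.patch, the CVE id and the version 2.4.66-1~deb13u2 come from the post.

```shell
#!/bin/sh
# check_backport SRCDIR CVE_ID PATCH_FILE
# Returns 0 when the patch is listed in series, present on disk, and the CVE
# appears in the changelog; returns 1 (with a reason) otherwise.
check_backport() {
    srcdir=$1; cve=$2; patch=$3
    series="$srcdir/debian/patches/series"
    changelog="$srcdir/debian/changelog"

    # 1. quilt only applies patches named in the series file.
    grep -qxF "$patch" "$series" 2>/dev/null \
        || { echo "no: $patch not listed in $series"; return 1; }
    # 2. The patch file itself must exist alongside the series file.
    [ -f "$srcdir/debian/patches/$patch" ] \
        || { echo "no: $patch missing from debian/patches"; return 1; }
    # 3. The changelog is what humans and tooling read; the CVE id should be there.
    grep -qF "$cve" "$changelog" 2>/dev/null \
        || { echo "no: $cve not mentioned in debian/changelog"; return 1; }

    echo "yes: $patch is applied and $cve is recorded in debian/changelog"
    return 0
}

# Build a constructed sample tree that mimics the apache2-2.4.66/debian layout.
# Everything written here is made up for the demo, not the real Debian files.
# Prints the temporary root; "$root/patched" passes, "$root/unpatched" fails.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/patched/debian/patches" "$root/unpatched/debian/patches"

    # Patched tree: series lists the patch, the patch exists, changelog names the CVE.
    printf 'bug1125368.patch\n' > "$root/patched/debian/patches/series"
    printf -- '--- a/placeholder.c\n+++ b/placeholder.c\n' \
        > "$root/patched/debian/patches/bug1125368.patch"
    printf 'apache2 (2.4.66-1~deb13u2) UNRELEASED; urgency=high\n\n  * Constructed entry: backport fix for CVE-2026-23918\n\n' \
        > "$root/patched/debian/changelog"

    # Unpatched tree: same version string, but no patch and no CVE in changelog.
    : > "$root/unpatched/debian/patches/series"
    printf 'apache2 (2.4.66-1~deb13u2) UNRELEASED; urgency=medium\n\n  * Constructed entry: unrelated change\n\n' \
        > "$root/unpatched/debian/changelog"

    echo "$root"
}

# Demo on the constructed tree. For a real check, point SRCDIR at the
# directory left behind by `apt-get source apache2` instead.
demo_root=$(make_sample_tree)
check_backport "$demo_root/patched"   CVE-2026-23918 bug1125368.patch
check_backport "$demo_root/unpatched" CVE-2026-23918 bug1125368.patch || true
```

The point of the three checks is that the same upstream version string appears in both trees; only the packaging metadata distinguishes the backported build from the vulnerable one, which is why a tracker keyed on version numbers alone reports a false positive here.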

DigitalOcean: Hey that Apache vuln thing needs upgrade on your droplet.

Me: Thanks! Are your distro repos updated to contain the patched version?

DO: lol no

[Edit: to be fair, this is Debian's fault, not DO's (see screenshot). At least DO told me!]

[Edit 2: that specific vuln was quietly fixed on Debian specifically well before this version?? Would be advisable for them to have said that now?
https://infosec.exchange/@tychotithonus/116527548611779862 ]

#CVE_2026_23918

Several vulnerabilities in #Apache HTTP Server 2.4 have been fixed in release 2.4.67. The most severe of these are:

- CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset

- CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

- CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack

https://httpd.apache.org/security/vulnerabilities_24.html

#CVE_2026_23918 #CVE_2026_24072 #CVE_2026_33006 #infosec #cybersecurity
