How to upgrade apache httpd to 2.4.64 to remediate vulnerabilities

Vulnerability Info

Apache 2.4.x < 2.4.64 Multiple Vulnerabilities

CVE: CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5
Vulnerability Solution

Upgrade to Apache version 2.4.64 or later.

dnf info doesn’t have a 2.4.64 version.
$ sudo dnf info httpd
Last metadata expiration check: 0:26:25 ago on Wed Jul 30 10:26:49 2025.
Installed Packages
Name         : httpd
Version      : 2.4.62
Release      : 4.el9
Architecture : x86_64
Size         : 59 k
Source       : httpd-2.4.62-4.el9.src.rpm
Repository   : @System
From repo    : appstream
Summary      : Apache HTTP Server
URL          : https://httpd.apache.org/
License      : ASL 2.0
Description  : The Apache HTTP Server is a powerful, efficient, and extensible
             : web server.

Could anyone provide the solution for this?

First of all, you need to know Red Hat’s backporting policy to understand that the package version alone will not tell you whether the package has already been fixed in Red Hat/Rocky.

And as Rocky rebuilds Red Hat’s packages, you can check the errata to see if the package is affected by the vulnerability and if there is a fix available. For example, CVE-2025-53020, CVE-2025-23048 and CVE-2025-49812 have not been fixed yet, and CVE-2024-43394 is an example of Red Hat 9 / Rocky 9 not being affected by a CVE.

3 Likes

As said above, there are four things:

  • Do not stare at the version number. The 2.4.62-4.el9 differs from upstream Apache “2.4.62”
  • dnf up
    You get what you get and that is what you should have
  • rpm -q --changelog httpd
    If that output already mentions CVE, then that CVE is (mostly) fixed in the package
  • Look at those Red Hat CVE pages. There is usually suggested mitigation, if there is no fix (yet)
1 Like
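The changelog check from the list above, as an added shell example (not code from the thread): it takes the changelog text as a string, so on a Rocky/RHEL host you would pass in "$(rpm -q --changelog httpd)", while here it runs on a constructed sample changelog against the CVE list from the scanner finding.

```shell
#!/bin/sh
# Added example: decide from an RPM changelog which CVEs of interest are
# already mentioned (i.e. likely backported) and which are not.
# Pass "$(rpm -q --changelog httpd)" as the changelog on a real host.

# Print the date of the newest changelog entry (first "* <date> ..." line).
changelog_latest_date() {
    printf '%s\n' "$1" | sed -n '/^\*/{p;q;}' | awk '{print $2, $3, $4, $5}'
}

# Print each CVE (given as extra arguments) that the changelog mentions.
# -F: fixed string, -w: whole word, so CVE-2024-4252 cannot match CVE-2024-42516.
cves_in_changelog() {
    changelog="$1"; shift
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -Fqiw -- "$cve"; then
            echo "$cve"
        fi
    done
}

# Print each CVE the changelog does NOT mention; these are the ones to look
# up on the Red Hat CVE pages for fix status and suggested mitigation.
cves_missing_from_changelog() {
    changelog="$1"; shift
    for cve in "$@"; do
        if ! printf '%s\n' "$changelog" | grep -Fqiw -- "$cve"; then
            echo "$cve"
        fi
    done
}

# Constructed sample changelog (NOT the real httpd changelog): two entries,
# the newest of which names two of the CVEs from the scanner report.
SAMPLE_CHANGELOG='* Wed Jan 29 2025 Example Packager <packager@example.com> - 2.4.62-4
- Resolves: CVE-2024-42516 (constructed entry)
- Resolves: CVE-2024-47252 (constructed entry)

* Mon Jul 15 2024 Example Packager <packager@example.com> - 2.4.62-1
- Rebase to 2.4.62'

# CVE list from the scanner finding for "Apache 2.4.x < 2.4.64".
SCANNER_CVES="CVE-2025-53020 CVE-2025-49812 CVE-2025-49630 CVE-2025-23048 \
CVE-2024-47252 CVE-2024-43394 CVE-2024-43204 CVE-2024-42516"

echo "Newest changelog entry: $(changelog_latest_date "$SAMPLE_CHANGELOG")"
echo "Mentioned in changelog:"; cves_in_changelog "$SAMPLE_CHANGELOG" $SCANNER_CVES
echo "Not mentioned (check Red Hat CVE pages):"
cves_missing_from_changelog "$SAMPLE_CHANGELOG" $SCANNER_CVES
```

A CVE missing from the changelog is not proof the package is vulnerable (the Red Hat CVE page may list it as not affected), only a pointer to what still needs checking.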

Thank you for your response. As you said, CVE-2025-53020, CVE-2025-23048 and CVE-2025-49812 are not fixed yet. Could we find the status of these vulnerability fixes somewhere? When will they be released?

I checked rpm -q --changelog httpd; there is no update since Jan 29 2025.

If we look at CVE-2025-53020, we see that:
a) Red Hat has classified it as “Fix deferred”, i.e.

A deferred status means that a fix for an affected product version is not guaranteed due to higher-priority development work.

b) They offer no mitigation for it

The description of the CVE states:

In some instances, the Apache HTTP server fails to free memory. Given sufficient time, this may lead to the host operating system killing the web server in order to reclaim memory.

The questions are, what are “some instances” and how long is “sufficient time”?


Rocky 9 has received (security) updates quite frequently (just not for all components).
Update of some packages requires a reboot (for the new version to get into use). See Identify packages that will require a system reboot after an update - Red Hat Customer Portal

Such reboots could occur more frequently than the “sufficient time” for that CVE.
(You do run dnf up frequently and do reboot when necessary, don’t you?)


Red Hat has assigned low priority to this CVE. They don’t deem it very serious.

If the issue does affect you, then you could restart the httpd.service frequently, or something.


Do a similar study of every CVE.

You would have to ask Red Hat those questions. Rocky is based on Red Hat, so we have the same bugs. When Red Hat fixes it, we will have it as well.

Or, as @jlehtone suggested, you can follow the CVEs regularly and check them yourself for updates to see when they start fixing them.