Question CVE-2026-23918, CVE-2026-24072 and update to Apache 2.4.67

[iainh]

Server operating system version

AlmaLinux 9.7 (Moss Jungle Cat)

Plesk version and microupdate number

Plesk Obsidian 18.0.77 Update #2

Is there any advice on updating from Apache/2.4.62 (AlmaLinux) to 2.4.67 to mitigate CVE-2026-23918 and CVE-2026-24072?

Would using:

sudo dnf clean all
sudo dnf makecache
sudo dnf -y update httpd

break all manner of things, or will Plesk magically bring along an emergency update to mitigate these CVE and make the issue go away (as is so often the case?)

Thanks for any advice

 

[iainh]

Is there any advice on updating from Apache/2.4.62 (AlmaLinux) to 2.4.67 to mitigate CVE-2026-23918 and CVE-2026-24072?

As a little further info...

CVE-2026-23918 (CVSS score: 8.8) only applies to 2.4.66 and is in http/2 support, so I presume 2.4.62 and not enabling http/2 mean this shouldn't be an issue.

And CVE-2026-24072 (also CVSS score: 8.8) permits local .htaccess authors to read files with the privileges of the httpd user, so it all depends on whether a box has numerous users with the ability to save/update .htaccess files as to whether this is a realistic threat?