HCE1-SA-2025-0050 Important HCE 1.1 Security Fix(es): Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. (CVE-2024-47252) In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade. (CVE-2025-49812) HCE 1.1 httpd-2.4.6-99.hce1c.4.x86_64.rpm httpd-devel-2.4.6-99.hce1c.4.x86_64.rpm httpd-manual-2.4.6-99.hce1c.4.noarch.rpm httpd-tools-2.4.6-99.hce1c.4.x86_64.rpm mod_session-2.4.6-99.hce1c.4.x86_64.rpm mod_ssl-2.4.6-99.hce1c.4.x86_64.rpm