import UBI httpd-2.4.62-13.el9_8.1

SOURCES/httpd-2.4.62-CVE-2026-28780.patch

@@ -0,0 +1,33 @@
+From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 15:57:55 +0000
+Subject: [PATCH] Merge r1933347 from trunk:
+
+fix ajp_msg_check_header check
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3d4186a521c..3454f621828 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
+     msglen  = ((head[2] & 0xff) << 8);
+     msglen += (head[3] & 0xFF);
+ 
+-    if (msglen > msg->max_size) {
++    if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
+                      "ajp_msg_check_header() incoming message is "
+                      "too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
+-                     msglen, msg->max_size);
++                     msglen, msg->max_size - AJP_HEADER_LEN);
+         return AJP_ETOBIG;
+     }
+ 
+

SOURCES/httpd-2.4.62-CVE-2026-33007.patch

@@ -0,0 +1,33 @@
+From d80685a9e0241d99e94aa2fc0aa491d90c4ae9e8 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 16:29:24 +0000
+Subject: [PATCH] Merge r1933357 from trunk:
+
+mod_authn_socache: validate URL earlier
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933358 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/aaa/mod_authn_socache.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
+index 0e4454a4b12..0834ab43d32 100644
+--- a/modules/aaa/mod_authn_socache.c
++++ b/modules/aaa/mod_authn_socache.c
+@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
+ static const char *construct_key(request_rec *r, const char *context,
+                                  const char *user, const char *realm)
+ {
++    const char *slash = ap_strrchr_c(r->uri, '/');
+     /* handle "special" context values */
+-    if (!strcmp(context, directory)) {
+-        /* FIXME: are we at risk of this blowing up? */
++    if (!strcmp(context, directory) && slash) {
+         char *new_context;
+-        char *slash = strrchr(r->uri, '/');
+         new_context = apr_palloc(r->pool, slash - r->uri +
+                                  strlen(r->server->server_hostname) + 1);
+         strcpy(new_context, r->server->server_hostname);
+

SOURCES/httpd-2.4.62-CVE-2026-33857.patch

@@ -0,0 +1,64 @@
+From 493eb23e5cc18c3a7be53977c182ff5d1360c64c Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 15:48:41 +0000
+Subject: [PATCH] Merge r1933340 from trunk:
+
+fix length checks in  AJP msg_get functions
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933341 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3367b5df4aa..36533c59059 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
+ {
+     apr_uint32_t value;
+ 
+-    if ((msg->pos + 3) > msg->len) {
++    if ((msg->pos + 3) >= msg->len) {
+         return ajp_log_overflow(msg, "ajp_msg_get_uint32");
+     }
+ 
+@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+     apr_uint16_t value;
+ 
+-    if ((msg->pos + 1) > msg->len) {
++    if ((msg->pos + 1) >= msg->len) {
+         return ajp_log_overflow(msg, "ajp_msg_get_uint16");
+     }
+ 
+@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+     apr_uint16_t value;
+ 
+-    if ((msg->pos + 1) > msg->len) {
++    if ((msg->pos + 1) >= msg->len) {
+         return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
+     }
+ 
+@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+  */
+ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+-    if (msg->pos > msg->len) {
++    if (msg->pos >= msg->len) {
+         return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
+     }
+ 
+@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+ 
+-    if (msg->pos > msg->len) {
++    if (msg->pos >= msg->len) {
+         return ajp_log_overflow(msg, "ajp_msg_get_uint8");
+     }
+ 
+

SOURCES/httpd-2.4.62-CVE-2026-34032.patch

@@ -0,0 +1,33 @@
+From b8def8fe323f7f67d0e03bb83c67d66bd8d7fcb2 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 15:50:50 +0000
+Subject: [PATCH] Merge r1933342 from trunk:
+
+fix ajp_msg_get_string buffer checks
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 36533c59059..3d4186a521c 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
+     status = ajp_msg_get_uint16(msg, &size);
+     start = msg->pos;
+ 
+-    if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
++    if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
++        return ajp_log_overflow(msg, "ajp_msg_get_string");
++    }
++
++    /* Verify that the expected null terminator is actually present */
++    if (msg->buf[start + size] != '\0') {
+         return ajp_log_overflow(msg, "ajp_msg_get_string");
+     }
+ 
+

SOURCES/httpd-2.4.62-CVE-2026-34059.patch

@@ -0,0 +1,32 @@
+From a3d32288317a87b1398825f2167e0ae083ed43da Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 15:55:26 +0000
+Subject: [PATCH] Merge r1933344 from trunk:
+
+fix ajp_parse_data message len check
++lognos
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_header.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index 00db324e426..334d0aebb12 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -835,6 +835,11 @@ apr_status_t  ajp_parse_data(request_rec  *r, ajp_msg_t *msg,
+      * 1                 : The last byte of this message always seems to be
+      *                     0x00 and is not part of the chunk.
+      */
++    if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
++               "ajp_parse_data: Message too small");
++        return AJP_EBAD_HEADER;
++    }
+     expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+     if (*len != expected_len) {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
+

SPECS/httpd.spec

@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.62
-Release: 13%{?dist}
+Release: 13%{?dist}.1
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -135,7 +135,16 @@ Patch204: httpd-2.4.62-CVE-2025-66200.patch
 Patch205: httpd-2.4.62-CVE-2025-65082.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2419365
 Patch206: httpd-2.4.62-CVE-2025-58098.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=2466913
+Patch207: httpd-2.4.62-CVE-2026-28780.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2465299
+Patch208: httpd-2.4.62-CVE-2026-33007.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464953
+Patch209: httpd-2.4.62-CVE-2026-33857.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464952
+Patch210: httpd-2.4.62-CVE-2026-34032.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464940
+Patch211: httpd-2.4.62-CVE-2026-34059.patch
 
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -308,6 +317,11 @@ written in the Lua programming language.
 %patch204 -p1 -b .CVE-2025-66200
 %patch205 -p1 -b .CVE-2025-65082
 %patch206 -p1 -b .CVE-2025-58098
+%patch207 -p1 -b .CVE-2026-28780
+%patch208 -p1 -b .CVE-2026-33007
+%patch209 -p1 -b .CVE-2026-33857
+%patch210 -p1 -b .CVE-2026-34032
+%patch211 -p1 -b .CVE-2026-34059
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -873,6 +887,18 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Mon May 11 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-13.1
+- Resolves: RHEL-173555 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary
+  code execution via heap-based buffer overflow (CVE-2026-28780)
+- Resolves: RHEL-175080 - httpd: NULL pointer dereference can cause a child
+  process crash (CVE-2026-33007)
+- Resolves: RHEL-175100 - httpd: off-by-one out-of-bounds reads in AJP getter
+  functions (CVE-2026-33857)
+- Resolves: RHEL-175028 - httpd: heap-based buffer over-read due to missing
+  null-termination check (CVE-2026-34032)
+- Resolves: RHEL-175062 - httpd: heap-based buffer over-read and memory
+  disclosure in ajp_parse_data() (CVE-2026-34059)
+
 * Thu Feb 12 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-13
 - Resolves: RHEL-129692 - [RFE] Need miliseconds time stamp in ErrorLogFormat