diff --git a/SOURCES/httpd-2.4.62-CVE-2026-28780.patch b/SOURCES/httpd-2.4.62-CVE-2026-28780.patch
new file mode 100644
index 0000000..2ad495b
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2026-28780.patch
@@ -0,0 +1,33 @@
+From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Sun, 26 Apr 2026 15:57:55 +0000
+Subject: [PATCH] Merge r1933347 from trunk:
+
+fix ajp_msg_check_header check
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3d4186a521c..3454f621828 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
+ msglen = ((head[2] & 0xff) << 8);
+ msglen += (head[3] & 0xFF);
+
+- if (msglen > msg->max_size) {
++ if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
+ "ajp_msg_check_header() incoming message is "
+ "too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
+- msglen, msg->max_size);
++ msglen, msg->max_size - AJP_HEADER_LEN);
+ return AJP_ETOBIG;
+ }
+
+
diff --git a/SOURCES/httpd-2.4.62-CVE-2026-33007.patch b/SOURCES/httpd-2.4.62-CVE-2026-33007.patch
new file mode 100644
index 0000000..1b99993
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2026-33007.patch
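Review bot: In ajp_msg_check_header() (modules/proxy/ajp_msg.c, the CVE-2026-28780 patch), the new bound `msg->max_size - AJP_HEADER_LEN` looks like an unsigned subtraction, so if max_size were ever smaller than AJP_HEADER_LEN it would wrap to a very large value and the size check would accept any length. The APR_SIZE_T_FMT specifiers suggest both operands are apr_size_t, and msglen is assembled from two bytes on the context lines, so moving the constant to the other side cannot overflow: `if (msglen + AJP_HEADER_LEN > msg->max_size) {`. Whether max_size has an enforced minimum is decided where the message buffer is created, outside this hunk; if it does, a one-line comment stating that invariant next to the check would be enough. The function body starts and ends outside the hunk.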
@@ -0,0 +1,33 @@
+From d80685a9e0241d99e94aa2fc0aa491d90c4ae9e8 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Sun, 26 Apr 2026 16:29:24 +0000
+Subject: [PATCH] Merge r1933357 from trunk:
+
+mod_authn_socache: validate URL earlier
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933358 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/aaa/mod_authn_socache.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
+index 0e4454a4b12..0834ab43d32 100644
+--- a/modules/aaa/mod_authn_socache.c
++++ b/modules/aaa/mod_authn_socache.c
+@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
+ static const char *construct_key(request_rec *r, const char *context,
+ const char *user, const char *realm)
+ {
++ const char *slash = ap_strrchr_c(r->uri, '/');
+ /* handle "special" context values */
+- if (!strcmp(context, directory)) {
+- /* FIXME: are we at risk of this blowing up? */
++ if (!strcmp(context, directory) && slash) {
+ char *new_context;
+- char *slash = strrchr(r->uri, '/');
+ new_context = apr_palloc(r->pool, slash - r->uri +
+ strlen(r->server->server_hostname) + 1);
+ strcpy(new_context, r->server->server_hostname);
+
diff --git a/SOURCES/httpd-2.4.62-CVE-2026-33857.patch b/SOURCES/httpd-2.4.62-CVE-2026-33857.patch
new file mode 100644
index 0000000..9c118a9
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2026-33857.patch
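Review bot: In construct_key() (modules/aaa/mod_authn_socache.c, the CVE-2026-33007 patch), the new `&& slash` guard avoids using a NULL `slash`, but nothing on the visible lines says which cache key a request gets when r->uri has no '/' and the context is the directory one. That case presumably falls through to branches outside this hunk, and because the key scopes cached credentials the fallback should be stated rather than implied; the removed FIXME could be replaced with `/* r->uri without a '/': no per-directory key can be built, fall through */`. ap_strrchr_c(r->uri, '/') is also now evaluated for every context value and still assumes r->uri itself is non-NULL, which the hunk does not show being checked. The function body continues outside the hunk.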
@@ -0,0 +1,64 @@
+From 493eb23e5cc18c3a7be53977c182ff5d1360c64c Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Sun, 26 Apr 2026 15:48:41 +0000
+Subject: [PATCH] Merge r1933340 from trunk:
+
+fix length checks in AJP msg_get functions
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933341 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3367b5df4aa..36533c59059 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
+ {
+ apr_uint32_t value;
+
+- if ((msg->pos + 3) > msg->len) {
++ if ((msg->pos + 3) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint32");
+ }
+
+@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+ apr_uint16_t value;
+
+- if ((msg->pos + 1) > msg->len) {
++ if ((msg->pos + 1) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint16");
+ }
+
+@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+ apr_uint16_t value;
+
+- if ((msg->pos + 1) > msg->len) {
++ if ((msg->pos + 1) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
+ }
+
+@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ */
+ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+- if (msg->pos > msg->len) {
++ if (msg->pos >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
+ }
+
+@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+
+- if (msg->pos > msg->len) {
++ if (msg->pos >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint8");
+ }
+
+
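Review bot: The five AJP getters patched here (ajp_msg_get_uint32, ajp_msg_get_uint16, ajp_msg_peek_uint16, ajp_msg_peek_uint8 and ajp_msg_get_uint8 in modules/proxy/ajp_msg.c) each spell their bounds check with their own `pos + k` literal, which is the pattern that let the off-by-one in. Writing the check as bytes remaining makes the field width explicit and avoids adding to pos: `if (msg->pos > msg->len || msg->len - msg->pos < 4) {` for the uint32 case, with 2 and 1 for the 16-bit and 8-bit getters. A small static helper that takes the number of bytes needed would keep the five call sites from drifting apart again. Each function body continues outside its hunk.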
diff --git a/SOURCES/httpd-2.4.62-CVE-2026-34032.patch b/SOURCES/httpd-2.4.62-CVE-2026-34032.patch
new file mode 100644
index 0000000..49aae66
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2026-34032.patch
@@ -0,0 +1,33 @@
+From b8def8fe323f7f67d0e03bb83c67d66bd8d7fcb2 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Sun, 26 Apr 2026 15:50:50 +0000
+Subject: [PATCH] Merge r1933342 from trunk:
+
+fix ajp_msg_get_string buffer checks
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 36533c59059..3d4186a521c 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
+ status = ajp_msg_get_uint16(msg, &size);
+ start = msg->pos;
+
+- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
++ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
++ return ajp_log_overflow(msg, "ajp_msg_get_string");
++ }
++
++ /* Verify that the expected null terminator is actually present */
++ if (msg->buf[start + size] != '\0') {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+
+
diff --git a/SOURCES/httpd-2.4.62-CVE-2026-34059.patch b/SOURCES/httpd-2.4.62-CVE-2026-34059.patch
new file mode 100644
index 0000000..564e159
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2026-34059.patch
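Review bot: In ajp_msg_get_string() (modules/proxy/ajp_msg.c, the CVE-2026-34032 patch), the added terminator check reports through the same `ajp_log_overflow(msg, "ajp_msg_get_string")` call as the length check just above it, so a log reader cannot tell a truncated message from one whose string is not NUL-terminated. Those are different symptoms when triaging a misbehaving AJP backend, and a distinct context string such as `"ajp_msg_get_string: missing terminator"` would separate them; what ajp_log_overflow actually prints is defined outside this hunk. The check also does not cover a NUL byte inside the `size` bytes, so callers that treat the returned pointer as a C string may see fewer bytes than the declared length. The function body continues outside the hunk.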
@@ -0,0 +1,32 @@
+From a3d32288317a87b1398825f2167e0ae083ed43da Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Sun, 26 Apr 2026 15:55:26 +0000
+Subject: [PATCH] Merge r1933344 from trunk:
+
+fix ajp_parse_data message len check
++lognos
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_header.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index 00db324e426..334d0aebb12 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -835,6 +835,11 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
+ * 1 : The last byte of this message always seems to be
+ * 0x00 and is not part of the chunk.
+ */
++ if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
++ "ajp_parse_data: Message too small");
++ return AJP_EBAD_HEADER;
++ }
+ expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+ if (*len != expected_len) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
+
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 032f33c..5829b0f 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.62
-Release: 13%{?dist}
+Release: 13%{?dist}.1
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
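Review bot: In ajp_parse_data() (modules/proxy/ajp_header.c, the CVE-2026-34059 patch), the new guard and the subtraction it protects both spell out `AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1`, so a later edit to one copy would silently reopen the underflow. Naming the overhead once, for example `#define AJP_DATA_OVERHEAD (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1)`, and using it in both `if (msg->len < AJP_DATA_OVERHEAD) {` and `expected_len = msg->len - AJP_DATA_OVERHEAD;` keeps the two in step. The new APLOGNO(10546) message would also be more useful for triage if it included the received msg->len. The function starts and ends outside the hunk.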
@@ -135,7 +135,16 @@ Patch204: httpd-2.4.62-CVE-2025-66200.patch Patch205: httpd-2.4.62-CVE-2025-65082.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2419365 Patch206: httpd-2.4.62-CVE-2025-58098.patch - +# https://bugzilla.redhat.com/show_bug.cgi?id=2466913 +Patch207: httpd-2.4.62-CVE-2026-28780.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2465299 +Patch208: httpd-2.4.62-CVE-2026-33007.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2464953 +Patch209: httpd-2.4.62-CVE-2026-33857.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2464952 +Patch210: httpd-2.4.62-CVE-2026-34032.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2464940 +Patch211: httpd-2.4.62-CVE-2026-34059.patch License: ASL 2.0 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto @@ -308,6 +317,11 @@ written in the Lua programming language. %patch204 -p1 -b .CVE-2025-66200 %patch205 -p1 -b .CVE-2025-65082 %patch206 -p1 -b .CVE-2025-58098 +%patch207 -p1 -b .CVE-2026-28780 +%patch208 -p1 -b .CVE-2026-33007 +%patch209 -p1 -b .CVE-2026-33857 +%patch210 -p1 -b .CVE-2026-34032 +%patch211 -p1 -b .CVE-2026-34059 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h 
@@ -873,6 +887,18 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon May 11 2026 Luboš Uhliarik - 2.4.62-13.1 +- Resolves: RHEL-173555 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary + code execution via heap-based buffer overflow (CVE-2026-28780) +- Resolves: RHEL-175080 - httpd: NULL pointer dereference can cause a child + process crash (CVE-2026-33007) +- Resolves: RHEL-175100 - httpd: off-by-one out-of-bounds reads in AJP getter + functions (CVE-2026-33857) +- Resolves: RHEL-175028 - httpd: heap-based buffer over-read due to missing + null-termination check (CVE-2026-34032) +- Resolves: RHEL-175062 - httpd: heap-based buffer over-read and memory + disclosure in ajp_parse_data() (CVE-2026-34059) + * Thu Feb 12 2026 Luboš Uhliarik - 2.4.62-13 - Resolves: RHEL-129692 - [RFE] Need miliseconds time stamp in ErrorLogFormat