Resolves: RHEL-173563 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary
  code execution via heap-based buffer overflow (CVE-2026-28780)
Resolves: RHEL-175078 - httpd: NULL pointer dereference can cause a child
  process crash (CVE-2026-33007)
Resolves: RHEL-175099 - httpd: off-by-one out-of-bounds reads in AJP getter
  functions (CVE-2026-33857)
Resolves: RHEL-175035 - httpd: heap-based buffer over-read due to missing
  null-termination check (CVE-2026-34032)
Resolves: RHEL-175063 - httpd: heap-based buffer over-read and memory
  disclosure in ajp_parse_data() (CVE-2026-34059)
Luboš Uhliarik 2026-05-29 12:31:49 +02:00
parent 5a5bae5744
commit 5599b29caf
6 changed files with 223 additions and 1 deletions


@ -0,0 +1,33 @@
From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:57:55 +0000
Subject: [PATCH] Merge r1933347 from trunk:
fix ajp_msg_check_header check
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 3d4186a521c..3454f621828 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
msglen = ((head[2] & 0xff) << 8);
msglen += (head[3] & 0xFF);
- if (msglen > msg->max_size) {
+ if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
"ajp_msg_check_header() incoming message is "
"too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
- msglen, msg->max_size);
+ msglen, msg->max_size - AJP_HEADER_LEN);
return AJP_ETOBIG;
}
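Review bot: The new bound `msglen > (msg->max_size - AJP_HEADER_LEN)` depends on `msg->max_size` being at least AJP_HEADER_LEN; both values are logged with APR_SIZE_T_FMT, so the subtraction is unsigned and a smaller max_size would wrap and disable the check. Presumably max_size comes from the configured buffer size set when the message is created, which is not visible here, so a one-line invariant comment at the check (or an assertion where max_size is set) would record the dependency. The reason for the subtraction is also not stated where it matters; a comment such as `/* msglen is the payload length; buf (max_size bytes) must also hold the AJP_HEADER_LEN-byte header in front of it */` would make the fix self-explanatory. ajp_msg_check_header() continues outside the hunk.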


@ -0,0 +1,33 @@
From d80685a9e0241d99e94aa2fc0aa491d90c4ae9e8 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:29:24 +0000
Subject: [PATCH] Merge r1933357 from trunk:
mod_authn_socache: validate URL earlier
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933358 13f79535-47bb-0310-9956-ffa450edef68
---
modules/aaa/mod_authn_socache.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
index 0e4454a4b12..0834ab43d32 100644
--- a/modules/aaa/mod_authn_socache.c
+++ b/modules/aaa/mod_authn_socache.c
@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
static const char *construct_key(request_rec *r, const char *context,
const char *user, const char *realm)
{
+ const char *slash = ap_strrchr_c(r->uri, '/');
/* handle "special" context values */
- if (!strcmp(context, directory)) {
- /* FIXME: are we at risk of this blowing up? */
+ if (!strcmp(context, directory) && slash) {
char *new_context;
- char *slash = strrchr(r->uri, '/');
new_context = apr_palloc(r->pool, slash - r->uri +
strlen(r->server->server_hostname) + 1);
strcpy(new_context, r->server->server_hostname);
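Review bot: The behaviour when `r->uri` contains no '/' is left undocumented: with `slash` NULL the directory special case is now skipped entirely, and whatever the code after the hunk does with `context` in that situation becomes the key for such requests. A short comment on the condition, e.g. `/* no '/' in r->uri: skip the directory rewrite; presumably the generic context handling below applies */`, would record that this fall-through is deliberate rather than an oversight. Declaring `slash` above the "handle special context values" comment also makes it read as general-case state; placing the comment first keeps the special-case block together. construct_key() continues outside the hunk, so the strcpy and whatever follows it into new_context are not reviewed here.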


@ -0,0 +1,64 @@
From 493eb23e5cc18c3a7be53977c182ff5d1360c64c Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:48:41 +0000
Subject: [PATCH] Merge r1933340 from trunk:
fix length checks in AJP msg_get functions
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933341 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 3367b5df4aa..36533c59059 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
{
apr_uint32_t value;
- if ((msg->pos + 3) > msg->len) {
+ if ((msg->pos + 3) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint32");
}
@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
{
apr_uint16_t value;
- if ((msg->pos + 1) > msg->len) {
+ if ((msg->pos + 1) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint16");
}
@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
{
apr_uint16_t value;
- if ((msg->pos + 1) > msg->len) {
+ if ((msg->pos + 1) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
}
@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
*/
apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
{
- if (msg->pos > msg->len) {
+ if (msg->pos >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
}
@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
{
- if (msg->pos > msg->len) {
+ if (msg->pos >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint8");
}
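Review bot: Each of the five corrected guards encodes "the last byte read must lie below msg->len" as `msg->pos + (N - 1) >= msg->len`, which is correct but is exactly the form that hid the original off-by-one; a comment on each, e.g. `/* reads buf[pos .. pos+3]; the highest index must be < len */` in ajp_msg_get_uint32(), would make the bound obvious at a glance. Alternatively one `static` helper (a constructed name such as `ajp_msg_need(msg, 4)`) used by all five getters would keep the checks from drifting apart again. The same point applies to the hunks for ajp_msg_get_uint16(), ajp_msg_peek_uint16(), ajp_msg_peek_uint8() and ajp_msg_get_uint8(); every function body here continues outside its hunk.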


@ -0,0 +1,33 @@
From b8def8fe323f7f67d0e03bb83c67d66bd8d7fcb2 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:50:50 +0000
Subject: [PATCH] Merge r1933342 from trunk:
fix ajp_msg_get_string buffer checks
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 36533c59059..3d4186a521c 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
status = ajp_msg_get_uint16(msg, &size);
start = msg->pos;
- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
+ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+
+ /* Verify that the expected null terminator is actually present */
+ if (msg->buf[start + size] != '\0') {
return ajp_log_overflow(msg, "ajp_msg_get_string");
}
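Review bot: Both failure paths in ajp_msg_get_string() report through `ajp_log_overflow(msg, "ajp_msg_get_string")`, so a message whose string field is long enough but lacks the terminator is indistinguishable in the error log from a message that is simply too short; a distinct context string for the second check, e.g. `ajp_log_overflow(msg, "ajp_msg_get_string: missing NUL")`, would make the rejection reason visible to an operator (assuming ajp_log_overflow prints its second argument verbatim, which cannot be seen here). The terminator check is only in bounds because the preceding test rejected `size + start >= msg->len`, so `start + size < len` holds; extending the comment to `/* Verify that the expected null terminator is actually present; buf[start + size] is in bounds after the check above */` records that dependency. The function continues outside the hunk.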


@ -0,0 +1,32 @@
From a3d32288317a87b1398825f2167e0ae083ed43da Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:55:26 +0000
Subject: [PATCH] Merge r1933344 from trunk:
fix ajp_parse_data message len check
+lognos
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_header.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
index 00db324e426..334d0aebb12 100644
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -835,6 +835,11 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
* 1 : The last byte of this message always seems to be
* 0x00 and is not part of the chunk.
*/
+ if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
+ "ajp_parse_data: Message too small");
+ return AJP_EBAD_HEADER;
+ }
expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
if (*len != expected_len) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
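Review bot: The minimum-length expression `AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1` is now written twice, in the new guard and in the `expected_len` computation directly below it, so the two can drift apart; a named local such as `const apr_size_t min_len = AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1;` used in both `if (msg->len < min_len)` and `expected_len = msg->len - min_len;` would keep the guard and the subtraction in lockstep. The two `+ 1` terms are explained only by the comment above the hunk (the trailing 0x00 byte is named in the visible part; the other item is presumably in the part of that comment cut off before the hunk), so naming them at the local's definition would make the check self-contained. ajp_parse_data() starts and ends outside the hunk.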


@ -14,7 +14,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.62
Release: 13%{?dist}
Release: 14%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -135,6 +135,16 @@ Patch204: httpd-2.4.62-CVE-2025-66200.patch
Patch205: httpd-2.4.62-CVE-2025-65082.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419365
Patch206: httpd-2.4.62-CVE-2025-58098.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2466913
Patch207: httpd-2.4.62-CVE-2026-28780.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2465299
Patch208: httpd-2.4.62-CVE-2026-33007.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2464953
Patch209: httpd-2.4.62-CVE-2026-33857.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2464952
Patch210: httpd-2.4.62-CVE-2026-34032.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2464940
Patch211: httpd-2.4.62-CVE-2026-34059.patch
License: ASL 2.0
@ -308,6 +318,11 @@ written in the Lua programming language.
%patch204 -p1 -b .CVE-2025-66200
%patch205 -p1 -b .CVE-2025-65082
%patch206 -p1 -b .CVE-2025-58098
%patch207 -p1 -b .CVE-2026-28780
%patch208 -p1 -b .CVE-2026-33007
%patch209 -p1 -b .CVE-2026-33857
%patch210 -p1 -b .CVE-2026-34032
%patch211 -p1 -b .CVE-2026-34059
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -873,6 +888,18 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri May 29 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-14
- Resolves: RHEL-173563 - httpd: Apache HTTP Server mod_proxy_ajp: Arbitrary
code execution via heap-based buffer overflow (CVE-2026-28780)
- Resolves: RHEL-175078 - httpd: NULL pointer dereference can cause a child
process crash (CVE-2026-33007)
- Resolves: RHEL-175099 - httpd: off-by-one out-of-bounds reads in AJP getter
functions (CVE-2026-33857)
- Resolves: RHEL-175035 - httpd: heap-based buffer over-read due to missing
null-termination check (CVE-2026-34032)
- Resolves: RHEL-175063 - httpd: heap-based buffer over-read and memory
disclosure in ajp_parse_data() (CVE-2026-34059)
* Thu Feb 12 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-13
- Resolves: RHEL-129692 - [RFE] Need miliseconds time stamp in ErrorLogFormat