From 6b1ccdd7336b29c85eb404a8fe40741a67bbdb08 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Sun, 31 May 2026 23:26:45 -0400
Subject: [PATCH] import CS git httpd-2.4.37-65.el8.8
---
SOURCES/httpd-2.4.37-CVE-2026-28780.patch | 33 +++++++++++++++
SOURCES/httpd-2.4.37-CVE-2026-33007.patch | 18 +++++++++
SOURCES/httpd-2.4.37-CVE-2026-33857.patch | 49 +++++++++++++++++++++++
SOURCES/httpd-2.4.37-CVE-2026-34032.patch | 18 +++++++++
SOURCES/httpd-2.4.37-CVE-2026-34059.patch | 16 ++++++++
SPECS/httpd.spec | 29 +++++++++++++-
6 files changed, 162 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/httpd-2.4.37-CVE-2026-28780.patch
create mode 100644 SOURCES/httpd-2.4.37-CVE-2026-33007.patch
create mode 100644 SOURCES/httpd-2.4.37-CVE-2026-33857.patch
create mode 100644 SOURCES/httpd-2.4.37-CVE-2026-34032.patch
create mode 100644 SOURCES/httpd-2.4.37-CVE-2026-34059.patch
diff --git a/SOURCES/httpd-2.4.37-CVE-2026-28780.patch b/SOURCES/httpd-2.4.37-CVE-2026-28780.patch
new file mode 100644
index 0000000..2ad495b
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2026-28780.patch
@@ -0,0 +1,33 @@
+From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Sun, 26 Apr 2026 15:57:55 +0000
+Subject: [PATCH] Merge r1933347 from trunk:
+
+fix ajp_msg_check_header check
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3d4186a521c..3454f621828 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
+ msglen = ((head[2] & 0xff) << 8);
+ msglen += (head[3] & 0xFF);
+
+- if (msglen > msg->max_size) {
++ if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
+ "ajp_msg_check_header() incoming message is "
+ "too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
+- msglen, msg->max_size);
++ msglen, msg->max_size - AJP_HEADER_LEN);
+ return AJP_ETOBIG;
+ }
+
+
diff --git a/SOURCES/httpd-2.4.37-CVE-2026-33007.patch b/SOURCES/httpd-2.4.37-CVE-2026-33007.patch
new file mode 100644
index 0000000..1978ce2
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2026-33007.patch
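Review bot: The new bound in ajp_msg_check_header() (httpd-2.4.37-CVE-2026-28780.patch) subtracts from `msg->max_size`, and if that field is unsigned, as its APR_SIZE_T_FMT formatting suggests, a value below AJP_HEADER_LEN would wrap and let every `msglen` through. Nothing in the hunk shows a lower bound on `max_size`, so the additive form is safer: `if (msglen + AJP_HEADER_LEN > msg->max_size) {`, which cannot wrap because `msglen` is assembled from two header bytes. The logged maximum `msg->max_size - AJP_HEADER_LEN` would wrap in the same situation and should be checked together with it. The function body starts and ends outside the hunk.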
@@ -0,0 +1,18 @@
+diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
+index 550bc66..9b921b8 100644
+--- a/modules/aaa/mod_authn_socache.c
++++ b/modules/aaa/mod_authn_socache.c
+@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
+ static const char *construct_key(request_rec *r, const char *context,
+ const char *user, const char *realm)
+ {
++ const char *slash = ap_strrchr_c(r->uri, '/');
+ /* handle "special" context values */
+- if (!strcmp(context, directory)) {
+- /* FIXME: are we at risk of this blowing up? */
++ if (!strcmp(context, directory) && slash) {
+ char *new_context;
+- char *slash = strrchr(r->uri, '/');
+ new_context = apr_palloc(r->pool, slash - r->uri +
+ strlen(r->server->server_hostname) + 1);
+ strcpy(new_context, r->server->server_hostname);
diff --git a/SOURCES/httpd-2.4.37-CVE-2026-33857.patch b/SOURCES/httpd-2.4.37-CVE-2026-33857.patch
new file mode 100644
index 0000000..4f3f886
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2026-33857.patch
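Review bot: When `ap_strrchr_c()` finds no '/' in `r->uri`, the `directory` branch of construct_key() (httpd-2.4.37-CVE-2026-33007.patch) is now skipped without any trace, and the removed FIXME was the only comment marking the hazard. What the key's context becomes in that case is decided by code after the hunk; if the context string is then used as given, such requests would share one cache context instead of a per-host one, which is worth confirming for a credential cache. A comment on the condition would record the intent, for example `/* no '/' in r->uri: cannot derive a directory context, fall through */`. The `slash` lookup now also runs for every context value rather than only for `directory`, so it assumes `r->uri` is never NULL at this point.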
@@ -0,0 +1,49 @@
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index a1c009f..6443b36 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
+ {
+ apr_uint32_t value;
+
+- if ((msg->pos + 3) > msg->len) {
++ if ((msg->pos + 3) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint32");
+ }
+
+@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+ apr_uint16_t value;
+
+- if ((msg->pos + 1) > msg->len) {
++ if ((msg->pos + 1) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint16");
+ }
+
+@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ {
+ apr_uint16_t value;
+
+- if ((msg->pos + 1) > msg->len) {
++ if ((msg->pos + 1) >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
+ }
+
+@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
+ */
+ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+- if (msg->pos > msg->len) {
++ if (msg->pos >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
+ }
+
+@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
+ {
+
+- if (msg->pos > msg->len) {
++ if (msg->pos >= msg->len) {
+ return ajp_log_overflow(msg, "ajp_msg_get_uint8");
+ }
+
diff --git a/SOURCES/httpd-2.4.37-CVE-2026-34032.patch b/SOURCES/httpd-2.4.37-CVE-2026-34032.patch
new file mode 100644
index 0000000..f326832
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2026-34032.patch
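Review bot: The five corrected bounds in httpd-2.4.37-CVE-2026-33857.patch (`ajp_msg_get_uint32`, `ajp_msg_get_uint16`, `ajp_msg_peek_uint16`, `ajp_msg_peek_uint8`, `ajp_msg_get_uint8`) carry no comment saying why `>=` is the right operator, and the fix is a one-character difference that a later edit could revert by accident. Each test presumably compares the index of the last byte to be read with `msg->len`, so a short comment above each, such as `/* last byte read is buf[pos + 3]; it must lie below len */`, would pin the intent. A shared helper taking the byte count would also remove the repeated `+ 3` and `+ 1` constants, though that is optional. All five function bodies continue outside their hunks.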
@@ -0,0 +1,18 @@
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 6443b36..3454f62 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
+ status = ajp_msg_get_uint16(msg, &size);
+ start = msg->pos;
+
+- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
++ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
++ return ajp_log_overflow(msg, "ajp_msg_get_string");
++ }
++
++ /* Verify that the expected null terminator is actually present */
++ if (msg->buf[start + size] != '\0') {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+
diff --git a/SOURCES/httpd-2.4.37-CVE-2026-34059.patch b/SOURCES/httpd-2.4.37-CVE-2026-34059.patch
new file mode 100644
index 0000000..5c1bc7d
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2026-34059.patch
@@ -0,0 +1,16 @@
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index 680a8f3..768ffbb 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -817,6 +817,11 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
+ * 1 : The last byte of this message always seems to be
+ * 0x00 and is not part of the chunk.
+ */
++ if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
++ "ajp_parse_data: Message too small");
++ return AJP_EBAD_HEADER;
++ }
+ expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+ if (*len != expected_len) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index c709360..3ad4ca7 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
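Review bot: Both rejection paths in ajp_msg_get_string() (httpd-2.4.37-CVE-2026-34032.patch) call `ajp_log_overflow(msg, "ajp_msg_get_string")` with the same context string, so a length that runs past `msg->len` and a missing terminator cannot be told apart in the error log. Giving the second call its own string, for example `return ajp_log_overflow(msg, "ajp_msg_get_string: missing NUL terminator");`, would help whoever triages malformed backend messages. The function body starts and ends outside the hunk, so how `ajp_log_overflow()` formats that string should be checked before changing it.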
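Review bot: The minimum-length expression `AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1` now appears twice in ajp_parse_data() (httpd-2.4.37-CVE-2026-34059.patch), once in the new guard and once in the subtraction it protects, and the guard prevents the wrap-around only while the two stay identical. Computing the value once into a local declared with the function's other variables, and using that local in both places, would keep them in step. The new "Message too small" log line also omits the received length; appending `msg->len` to it would make the entry more useful for triage. The function body starts and ends outside the hunk.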
@@ -14,7 +14,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 65%{?dist}.7 +Release: 65%{?dist}.8 URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source2: httpd.logrotate @@ -299,6 +299,16 @@ Patch252: httpd-2.4.37-CVE-2025-66200.patch Patch253: httpd-2.4.37-CVE-2025-65082.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2419365 Patch254: httpd-2.4.37-CVE-2025-58098.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2466913 +Patch255: httpd-2.4.37-CVE-2026-28780.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2465299 +Patch256: httpd-2.4.37-CVE-2026-33007.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2464953 +Patch257: httpd-2.4.37-CVE-2026-33857.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2464952 +Patch258: httpd-2.4.37-CVE-2026-34032.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2464940 +Patch259: httpd-2.4.37-CVE-2026-34059.patch License: ASL 2.0 Group: System Environment/Daemons @@ -543,6 +553,11 @@ interface for storing and accessing per-user session data. %patch252 -p1 -b .CVE-2025-66200 %patch253 -p1 -b .CVE-2025-65082 %patch254 -p1 -b .CVE-2025-58098 +%patch255 -p1 -b .CVE-2026-28780 +%patch256 -p1 -b .CVE-2026-33007 +%patch257 -p1 -b .CVE-2026-33857 +%patch258 -p1 -b .CVE-2026-34032 +%patch259 -p1 -b .CVE-2026-34059 %patch96 -p1 -b .r1922080 
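Review bot: `Patch258` applies `httpd-2.4.37-CVE-2026-34032.patch`, but the %changelog entry added in the last hunk of this file never mentions CVE-2026-34032; its fourth item cites CVE-2026-29169 (RHEL-175620, described as a NULL pointer dereference), for which no patch file is added. Tools and auditors that read the RPM changelog to decide whether a CVE is fixed would report CVE-2026-34032 as unpatched on this build. One of the two identifiers is presumably wrong, or a patch is missing. The changelog line and the patch name should be made to agree once that is confirmed against the bugzilla entry referenced in the comment above `Patch258`.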
@@ -1054,6 +1069,18 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue May 12 2026 Luboš Uhliarik - 2.4.37-65.8 +- Resolves: RHEL-173558 - httpd:2.4/httpd: Apache HTTP Server mod_proxy_ajp: + Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780) +- Resolves: RHEL-175074 - httpd:2.4/httpd: NULL pointer dereference can + cause a child process crash (CVE-2026-33007) +- Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads + in AJP getter functions (CVE-2026-33857) +- Resolves: RHEL-175620 - httpd:2.4/httpd: NULL pointer dereference via + specially crafted request (CVE-2026-29169) +- Resolves: RHEL-175055 - httpd: heap-based buffer over-read and memory + disclosure in ajp_parse_data() (CVE-2026-34059) + * Fri Dec 12 2025 Luboš Uhliarik - 2.4.37-65.7 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (CVE-2025-66200)