Resolves: RHEL-173558 - httpd:2.4/httpd: Apache HTTP Server mod_proxy_ajp:

Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
2026-05-12 10:04:15 +02:00 · 2026-05-12 10:04:15 +02:00 · 9dc3c4f021
commit 9dc3c4f021
parent e191e5355e
2 changed files with 41 additions and 1 deletions
--- a/httpd-2.4.37-CVE-2026-28780.patch
+++ b/httpd-2.4.37-CVE-2026-28780.patch
@ -0,0 +1,33 @@
+From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Sun, 26 Apr 2026 15:57:55 +0000
+Subject: [PATCH] Merge r1933347 from trunk:
+
+fix ajp_msg_check_header check
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/ajp_msg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 3d4186a521c..3454f621828 100644
+--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
+@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
+     msglen  = ((head[2] & 0xff) << 8);
+     msglen += (head[3] & 0xFF);
+ 
+-    if (msglen > msg->max_size) {
+    if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
+         ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
+                      "ajp_msg_check_header() incoming message is "
+                      "too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
+-                     msglen, msg->max_size);
+                     msglen, msg->max_size - AJP_HEADER_LEN);
+         return AJP_ETOBIG;
+     }
+ 
+
--- a/httpd.spec
+++ b/httpd.spec
@ -14,7 +14,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 65%{?dist}.7
+Release: 65%{?dist}.8
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -299,6 +299,8 @@ Patch252: httpd-2.4.37-CVE-2025-66200.patch
 Patch253: httpd-2.4.37-CVE-2025-65082.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2419365
 Patch254: httpd-2.4.37-CVE-2025-58098.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2466913
+Patch255: httpd-2.4.37-CVE-2026-28780.patch

 License: ASL 2.0
 Group: System Environment/Daemons
@ -543,6 +545,7 @@ interface for storing and accessing per-user session data.
 %patch252 -p1 -b .CVE-2025-66200
 %patch253 -p1 -b .CVE-2025-65082
 %patch254 -p1 -b .CVE-2025-58098
+%patch255 -p1 -b .CVE-2026-28780

 %patch96 -p1 -b .r1922080

@ -1054,6 +1057,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue May 12 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.8
+- Resolves: RHEL-173558 - httpd:2.4/httpd: Apache HTTP Server mod_proxy_ajp:
+  Arbitrary code execution via heap-based buffer overflow (CVE-2026-28780)
+
 * Fri Dec 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.7
 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass
  via AllowOverride FileInfo (CVE-2025-66200)