From c33900c646ae901101c7ed9b9dc9e47f1a0b6661 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 13 May 2026 16:06:01 +0200
Subject: [PATCH] Resolves: RHEL-175055 - httpd: heap-based buffer over-read and memory disclosure in ajp_parse_data() (CVE-2026-34059)
---
 httpd-2.4.37-CVE-2026-34059.patch | 16 ++++++++++++++++
 httpd.spec | 5 +++++
 2 files changed, 21 insertions(+)
 create mode 100644 httpd-2.4.37-CVE-2026-34059.patch
diff --git a/httpd-2.4.37-CVE-2026-34059.patch b/httpd-2.4.37-CVE-2026-34059.patch
new file mode 100644
index 0000000..5c1bc7d
--- /dev/null
+++ b/httpd-2.4.37-CVE-2026-34059.patch
@@ -0,0 +1,16 @@
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index 680a8f3..768ffbb 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -817,6 +817,11 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
+ * 1 : The last byte of this message always seems to be
+ * 0x00 and is not part of the chunk.
+ */
++ if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
++ "ajp_parse_data: Message too small");
++ return AJP_EBAD_HEADER;
++ }
+ expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
+ if (*len != expected_len) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
diff --git a/httpd.spec b/httpd.spec
index 2dce73e..3ad4ca7 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -307,6 +307,8 @@ Patch256: httpd-2.4.37-CVE-2026-33007.patch
 Patch257: httpd-2.4.37-CVE-2026-33857.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2464952
 Patch258: httpd-2.4.37-CVE-2026-34032.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464940
+Patch259: httpd-2.4.37-CVE-2026-34059.patch
 License: ASL 2.0
 Group: System Environment/Daemons
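Review bot: In the ajp_parse_data hunk carried by httpd-2.4.37-CVE-2026-34059.patch, the new guard spells out `AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1` a second time, directly above the subtraction that uses the same sum, so a later edit to one copy would silently reopen the short-message case the check exists to reject. I would name the overhead once, e.g. `min_len = AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1;` declared with the function's other locals (type to match `msg->len`, which is declared outside this hunk), then `if (msg->len < min_len)` and `expected_len = msg->len - min_len;`. The new log line also omits the received length; including `msg->len` in the "Message too small" message would help operators tell a misbehaving backend from a truncated read. The function body starts and ends outside the hunk.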
@@ -555,6 +557,7 @@ interface for storing and accessing per-user session data. %patch256 -p1 -b .CVE-2026-33007 %patch257 -p1 -b .CVE-2026-33857 %patch258 -p1 -b .CVE-2026-34032 +%patch259 -p1 -b .CVE-2026-34059 %patch96 -p1 -b .r1922080 @@ -1075,6 +1078,8 @@ rm -rf $RPM_BUILD_ROOT in AJP getter functions (CVE-2026-33857) - Resolves: RHEL-175620 - httpd:2.4/httpd: NULL pointer dereference via specially crafted request (CVE-2026-29169) +- Resolves: RHEL-175055 - httpd: heap-based buffer over-read and memory + disclosure in ajp_parse_data() (CVE-2026-34059) * Fri Dec 12 2025 Luboš Uhliarik - 2.4.37-65.7 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass