diff --git a/httpd-2.4.37-CVE-2026-34032.patch b/httpd-2.4.37-CVE-2026-34032.patch
new file mode 100644
index 0000000..f326832
--- /dev/null
+++ b/httpd-2.4.37-CVE-2026-34032.patch
@@ -0,0 +1,18 @@
+diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
+index 6443b36..3454f62 100644
+--- a/modules/proxy/ajp_msg.c
++++ b/modules/proxy/ajp_msg.c
+@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
+ status = ajp_msg_get_uint16(msg, &size);
+ start = msg->pos;
+ 
+- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
++ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
++ return ajp_log_overflow(msg, "ajp_msg_get_string");
++ }
++
++ /* Verify that the expected null terminator is actually present */
++ if (msg->buf[start + size] != '\0') {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+ 
diff --git a/httpd.spec b/httpd.spec
index 4c2e36b..2dce73e 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -305,6 +305,8 @@ Patch255: httpd-2.4.37-CVE-2026-28780.patch
 Patch256: httpd-2.4.37-CVE-2026-33007.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2464953
 Patch257: httpd-2.4.37-CVE-2026-33857.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2464952
+Patch258: httpd-2.4.37-CVE-2026-34032.patch
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -552,6 +554,7 @@ interface for storing and accessing per-user session data.
 %patch255 -p1 -b .CVE-2026-28780
 %patch256 -p1 -b .CVE-2026-33007
 %patch257 -p1 -b .CVE-2026-33857
+%patch258 -p1 -b .CVE-2026-34032
 %patch96 -p1 -b .r1922080
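Review bot: The rewritten bound in ajp_msg_get_string, `(size + start >= msg->len)`, no longer compares against `msg->max_size`, so the new read of `msg->buf[start + size]` is in bounds only if `msg->len` can never exceed the allocated buffer; that invariant is not visible in this hunk and presumably rests on a length check made when the message header is parsed. I would either keep both limits, `(size + start >= msg->len) || (size + start >= msg->max_size)`, or state the invariant in the comment above the terminator check. Separately, a missing terminator is reported through `ajp_log_overflow` with the same `"ajp_msg_get_string"` tag as a length overrun, so the log cannot tell a short packet from a malformed string; a comment saying the two cases share the overflow path on purpose would help whoever triages those log lines. The function body continues past the end of the hunk.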
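Review bot: The CVE identifier is not consistent across the httpd.spec hunks: `Patch258` here and `%patch258` in the next hunk name CVE-2026-34032, while the %changelog hunk records RHEL-175620 as `NULL pointer dereference via specially crafted request (CVE-2026-29169)`. The patch file itself tightens a bounds check and adds a terminator check in ajp_msg_get_string, which does not read like a NULL pointer dereference, so the changelog entry looks copied from a different fix. Anyone confirming the fix by searching the package changelog for the CVE id would not find CVE-2026-34032 in this build. If the patch name is the correct one, the entry should end in `(CVE-2026-34032)` with a summary that describes the AJP string getter check; if the changelog is correct, the patch file and the `-b` suffix need renaming instead.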
@@ -1070,6 +1073,8 @@ rm -rf $RPM_BUILD_ROOT cause a child process crash (CVE-2026-33007) - Resolves: RHEL-175088 - httpd:2.4/httpd: off-by-one out-of-bounds reads in AJP getter functions (CVE-2026-33857) +- Resolves: RHEL-175620 - httpd:2.4/httpd: NULL pointer dereference via + specially crafted request (CVE-2026-29169) * Fri Dec 12 2025 Luboš Uhliarik - 2.4.37-65.7 - Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass