import UBI mod_http2-2.0.26-6.el9_8.1

2026-06-10 08:01:14 -04:00 · 2026-06-10 08:01:14 -04:00 · 0d24cbd6e9
commit 0d24cbd6e9
parent 40bd35498e
2 changed files with 44 additions and 1 deletions
--- a/SOURCES/mod_http2-2.0.26-CVE-2026-49975.patch
+++ b/SOURCES/mod_http2-2.0.26-CVE-2026-49975.patch
@ -0,0 +1,36 @@
+From 35c6e405390ed361189a82acd96675401ea5947c Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@users.noreply.github.com>
+Date: Wed, 27 May 2026 11:27:30 +0200
+Subject: [PATCH] cookie reqest header counting (#324)
+
+* cookie reqest header counting
+
+Account merged cookie headers as an "add" to keep LimitRequestFields effective.
+
+* ignore duplicate empty cookie headers
+---
+ mod_http2/h2_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mod_http2/h2_util.c b/mod_http2/h2_util.c
+index 605c348..58a143b 100644
+--- a/mod_http2/h2_util.c
+++ b/mod_http2/h2_util.c
+@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+              && !ap_cstr_casecmp("cookie", (const char *)nv->name)) {
+         existing = apr_table_get(headers, "cookie");
+         if (existing) {
+            if (!nv->valuelen)
+                return APR_SUCCESS;
+             /* Cookie header come separately in HTTP/2, but need
+              * to be merged by "; " (instead of default ", ")
+              */
+@@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+             apr_table_setn(headers, "Cookie",
+                            apr_psprintf(pool, "%s; %.*s", existing,
+                                         (int)nv->valuelen, nv->value));
+            /* Treat the merge as an "add" to not escape LimitRequestFields */
+            *pwas_added = 1;
+             return APR_SUCCESS;
+         }
+     }
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	2.0.26
-Release:	6%{?dist}
+Release:	6%{?dist}.1
 Summary:	module implementing HTTP/2 for Apache 2
 License:	ASL 2.0
 URL:		https://icing.github.io/mod_h2/
@ -22,6 +22,9 @@ Patch101:      mod_http2-2.0.26-CVE-2024-36387.patch
 Patch102:      mod_http2-2.0.26-CVE-2025-49630.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2379343
 Patch103:      mod_http2-2.0.26-CVE-2025-53020.patch
+# https://redhat.atlassian.net/browse/RHEL-182418
+Patch104:      mod_http2-2.0.26-CVE-2026-49975.patch
+

 BuildRequires: make
 BuildRequires:  gcc
@ -61,6 +64,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Fri Jun 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-6.1
+- Resolves: RHEL-182417 - mod_http2: HTTP/2: Remote Denial of Service via
+  compression bomb and Slowloris-style attack (CVE-2026-49975)
+
 * Tue May 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-6
 - Resolves: RHEL-166293 - httpd: Apache HTTP Server: HTTP/2 DoS by Memory
  Increase (CVE-2025-53020)