import CS git mod_http2-1.15.7-10.el8.6

2026-06-10 13:24:21 -04:00 · 2026-06-10 13:24:21 -04:00 · 20cbd708ab
commit 20cbd708ab
parent d00cc596dd
2 changed files with 47 additions and 1 deletions
--- a/SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch
+++ b/SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch
@ -0,0 +1,39 @@
+From 07a4759c5942074d3bd62636847f778f0bb0815a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Fri, 5 Jun 2026 20:37:29 +0200
+Subject: [PATCH] cookie reqest header counting (#324)
+
+* cookie reqest header counting
+
+Account merged cookie headers as an "add" to keep LimitRequestFields effective.
+
+* ignore duplicate empty cookie headers
+---
+ mod_http2/h2_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mod_http2/h2_util.c b/mod_http2/h2_util.c
+index c20e879..6b683ab 100644
+--- a/mod_http2/h2_util.c
+++ b/mod_http2/h2_util.c
+@@ -1816,6 +1816,8 @@ apr_status_t h2_req_add_header(apr_table_t *headers, apr_pool_t *pool,
+     else if (H2_HD_MATCH_LIT("cookie", name, nlen)) {
+         existing = apr_table_get(headers, "Cookie");
+         if (existing) {
+            if (!vlen)
+                return APR_SUCCESS;
+             /* Cookie headers come separately in HTTP/2, but need
+              * to be merged by "; " (instead of default ", ")
+              */
+@@ -1827,6 +1829,8 @@ apr_status_t h2_req_add_header(apr_table_t *headers, apr_pool_t *pool,
+             apr_table_setn(headers, "Cookie",
+                            apr_psprintf(pool, "%s; %.*s", existing,
+                                         (int)vlen, value));
+            /* Treat the merge as an "add" to not escape LimitRequestFields */
+            *pwas_added = 1;
+             return APR_SUCCESS;
+         }
+     }
+-- 
+2.44.0
+
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	1.15.7
-Release:	10%{?dist}.5
+Release:	10%{?dist}.6
 Summary:	module implementing HTTP/2 for Apache 2
 Group:		System Environment/Daemons
 License:	ASL 2.0
@ -32,6 +32,8 @@ Patch12:	mod_http2-1.15.7-fix-mood-change.patch
 Patch13:	mod_http2-1.15.7-CVE-2025-49630.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2379343
 Patch14:	mod_http2-1.15.7-CVE-2025-53020.patch
+# https://redhat.atlassian.net/browse/RHEL-182418
+Patch15:	mod_http2-1.15.7-CVE-2026-49975.patch

 BuildRequires:	pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
 Requires:	httpd-mmn = %{_httpd_mmn}
@ -57,6 +59,7 @@ top of libnghttp2 for httpd 2.4 servers.
 %patch12 -p1 -b .fix-mood-change
 %patch13 -p1 -b .CVE-2025-49630
 %patch14 -p1 -b .CVE-2025-53020
+%patch15 -p1 -b .CVE-2026-49975

 %build
 %configure
@ -83,6 +86,10 @@ make check
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Fri Jun 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.6
+- Resolves: RHEL-182418 - mod_http2: HTTP/2: Remote Denial of Service via
+  compression bomb and Slowloris-style attack (CVE-2026-49975)
+
 * Tue May 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.5
 - Resolves: RHEL-166277 - httpd:2.4/httpd: Apache HTTP Server: HTTP/2 DoS by
  Memory Increase (CVE-2025-53020)