From 20cbd708ab3f554f9d466e8e2a5572f4fce207fe Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Wed, 10 Jun 2026 13:24:21 -0400
Subject: [PATCH] import CS git mod_http2-1.15.7-10.el8.6

---
 SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch | 39 +++++++++++++++++++
 SPECS/mod_http2.spec                          |  9 ++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch

diff --git a/SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch b/SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch
new file mode 100644
index 0000000..4919de4
--- /dev/null
+++ b/SOURCES/mod_http2-1.15.7-CVE-2026-49975.patch
@@ -0,0 +1,39 @@
+From 07a4759c5942074d3bd62636847f778f0bb0815a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Fri, 5 Jun 2026 20:37:29 +0200
+Subject: [PATCH] cookie reqest header counting (#324)
+
+* cookie reqest header counting
+
+Account merged cookie headers as an "add" to keep LimitRequestFields effective.
+
+* ignore duplicate empty cookie headers
+---
+ mod_http2/h2_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mod_http2/h2_util.c b/mod_http2/h2_util.c
+index c20e879..6b683ab 100644
+--- a/mod_http2/h2_util.c
++++ b/mod_http2/h2_util.c
+@@ -1816,6 +1816,8 @@ apr_status_t h2_req_add_header(apr_table_t *headers, apr_pool_t *pool,
+     else if (H2_HD_MATCH_LIT("cookie", name, nlen)) {
+         existing = apr_table_get(headers, "Cookie");
+         if (existing) {
++            if (!vlen)
++                return APR_SUCCESS;
+             /* Cookie headers come separately in HTTP/2, but need
+              * to be merged by "; " (instead of default ", ")
+              */
+@@ -1827,6 +1829,8 @@ apr_status_t h2_req_add_header(apr_table_t *headers, apr_pool_t *pool,
+             apr_table_setn(headers, "Cookie",
+                            apr_psprintf(pool, "%s; %.*s", existing,
+                                         (int)vlen, value));
++            /* Treat the merge as an "add" to not escape LimitRequestFields */
++            *pwas_added = 1;
+             return APR_SUCCESS;
+         }
+     }
+-- 
+2.44.0
+
diff --git a/SPECS/mod_http2.spec b/SPECS/mod_http2.spec
index f0f5ab5..df554ba 100644
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@@ -3,7 +3,7 @@
 
 Name:		mod_http2
 Version:	1.15.7
-Release:	10%{?dist}.5
+Release:	10%{?dist}.6
 Summary:	module implementing HTTP/2 for Apache 2
 Group:		System Environment/Daemons
 License:	ASL 2.0
@@ -32,6 +32,8 @@ Patch12:	mod_http2-1.15.7-fix-mood-change.patch
 Patch13:	mod_http2-1.15.7-CVE-2025-49630.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2379343
 Patch14:	mod_http2-1.15.7-CVE-2025-53020.patch
+# https://redhat.atlassian.net/browse/RHEL-182418
+Patch15:	mod_http2-1.15.7-CVE-2026-49975.patch
 
 BuildRequires:	pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
 Requires:	httpd-mmn = %{_httpd_mmn}
@@ -57,6 +59,7 @@ top of libnghttp2 for httpd 2.4 servers.
 %patch12 -p1 -b .fix-mood-change
 %patch13 -p1 -b .CVE-2025-49630
 %patch14 -p1 -b .CVE-2025-53020
+%patch15 -p1 -b .CVE-2026-49975
 
 %build
 %configure
@@ -83,6 +86,10 @@ make check
 %{_httpd_moddir}/mod_proxy_http2.so
 
 %changelog
+* Fri Jun 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.6
+- Resolves: RHEL-182418 - mod_http2: HTTP/2: Remote Denial of Service via
+  compression bomb and Slowloris-style attack (CVE-2026-49975)
+
 * Tue May 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.5
 - Resolves: RHEL-166277 - httpd:2.4/httpd: Apache HTTP Server: HTTP/2 DoS by
   Memory Increase (CVE-2025-53020)