rpms/mod_http2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI mod_http2-1.15.7-10.module+el8.10.0+23369+11a81384.4

Browse Source
This commit is contained in:
eabdullin 2025-09-03 13:29:09 +00:00
parent a2da4096b5
commit 2c099b23f2
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
SOURCES/mod_http2-1.15.7-CVE-2025-49630.patch Normal file
View File

@ -0,0 +1,33 @@
From 349248060f2bff5f4592fda1917f83ba9e70bf3f Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 7 Jul 2025 11:53:43 +0000
Subject: [PATCH] tolerate missing host header in h2 proxy
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927036 13f79535-47bb-0310-9956-ffa450edef68
---
mod_http2/h2_proxy_session.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/mod_http2/h2_proxy_session.c b/mod_http2/h2_proxy_session.c
index 5f64dbc..4effb36 100644
--- a/mod_http2/h2_proxy_session.c
+++ b/mod_http2/h2_proxy_session.c
@@ -738,6 +738,18 @@ static apr_status_t open_stream(h2_proxy_session *session, const char *url,
dconf = ap_get_module_config(r->per_dir_config, &proxy_module);
if (dconf->preserve_host) {
authority = r->hostname;
+ if (!authority) {
+ /* Duplicate mod_proxy behaviour if ProxyPreserveHost is
+ * used but an "HTTP/0.9" request is received without a
+ * Host: header */
+ authority = r->server->server_hostname;
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10511)
+ "HTTP/0.9 request (with no host line) "
+ "on incoming request and preserve host set "
+ "forcing hostname to be %s for uri %s",
+ authority, r->uri);
+ apr_table_setn(r->headers_in, "Host", authority);
+ }
}
else {
authority = puri.hostname;

9
SPECS/mod_http2.spec
View File

@ -3,7 +3,7 @@
Name: mod_http2 Name: mod_http2
Version: 1.15.7 Version: 1.15.7
Release: 10%{?dist}.3 Release: 10%{?dist}.4
Summary: module implementing HTTP/2 for Apache 2 Summary: module implementing HTTP/2 for Apache 2
Group: System Environment/Daemons Group: System Environment/Daemons
License: ASL 2.0 License: ASL 2.0
@ -28,6 +28,8 @@ Patch10: mod_http2-1.15.7-wrong-cl-proxy-resp-handling.patch
Patch11: mod_http2-1.15.7-r1918628.patch Patch11: mod_http2-1.15.7-r1918628.patch
# https://issues.redhat.com/browse/RHEL-59017 # https://issues.redhat.com/browse/RHEL-59017
Patch12: mod_http2-1.15.7-fix-mood-change.patch Patch12: mod_http2-1.15.7-fix-mood-change.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2374578
Patch13: mod_http2-1.15.7-CVE-2025-49630.patch
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2 BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
Requires: httpd-mmn = %{_httpd_mmn} Requires: httpd-mmn = %{_httpd_mmn}
@ -51,6 +53,7 @@ top of libnghttp2 for httpd 2.4 servers.
%patch10 -p1 -b .wrong-cl-proxy-resp-handling %patch10 -p1 -b .wrong-cl-proxy-resp-handling
%patch11 -p1 -b .r1918628 %patch11 -p1 -b .r1918628
%patch12 -p1 -b .fix-mood-change %patch12 -p1 -b .fix-mood-change
%patch13 -p1 -b .CVE-2025-49630
%build %build
%configure %configure
@ -77,6 +80,10 @@ make check
%{_httpd_moddir}/mod_proxy_http2.so %{_httpd_moddir}/mod_proxy_http2.so
%changelog %changelog
* Mon Jul 28 2025 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.4
- Resolves: RHEL-105186 - httpd:2.4/httpd: untrusted input from a client causes
an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)
* Tue Jan 28 2025 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.3 * Tue Jan 28 2025 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.3
- Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix - Resolves: RHEL-58454 - mod_proxy_http2 failures after CVE-2024-38477 fix
- Resolves: RHEL-59017 - random failures in other requests on http/2 stream - Resolves: RHEL-59017 - random failures in other requests on http/2 stream