Resolves: RHEL-191279 - mod_http2: Apache HTTP Server: Out-of-bounds
Read in mod_headers and mod_mime (CVE-2026-43951)
This commit is contained in:
parent
aa463ee2f5
commit
9a0b7a21b4
16
mod_http2-1.15.7-CVE-2026-43951.patch
Normal file
16
mod_http2-1.15.7-CVE-2026-43951.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff --git a/mod_http2/h2_from_h1.c b/mod_http2/h2_from_h1.c
|
||||
index edb1d8e..d2c91aa 100644
|
||||
--- a/mod_http2/h2_from_h1.c
|
||||
+++ b/mod_http2/h2_from_h1.c
|
||||
@@ -234,10 +234,10 @@ static h2_headers *create_response(h2_task *task, request_rec *r)
|
||||
if (!apr_is_empty_array(r->content_languages)) {
|
||||
unsigned int i;
|
||||
char *token;
|
||||
- char **languages = (char **)(r->content_languages->elts);
|
||||
const char *field = apr_table_get(r->headers_out, "Content-Language");
|
||||
|
||||
while (field && (token = ap_get_list_item(r->pool, &field)) != NULL) {
|
||||
+ char **languages = (char **)(r->content_languages->elts);
|
||||
for (i = 0; i < r->content_languages->nelts; ++i) {
|
||||
if (!apr_strnatcasecmp(token, languages[i]))
|
||||
break;
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
Name: mod_http2
|
||||
Version: 1.15.7
|
||||
Release: 10%{?dist}.6
|
||||
Release: 10%{?dist}.7
|
||||
Summary: module implementing HTTP/2 for Apache 2
|
||||
Group: System Environment/Daemons
|
||||
License: ASL 2.0
|
||||
@ -34,6 +34,8 @@ Patch13: mod_http2-1.15.7-CVE-2025-49630.patch
|
||||
Patch14: mod_http2-1.15.7-CVE-2025-53020.patch
|
||||
# https://redhat.atlassian.net/browse/RHEL-182418
|
||||
Patch15: mod_http2-1.15.7-CVE-2026-49975.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2486415
|
||||
Patch16: mod_http2-1.15.7-CVE-2026-43951.patch
|
||||
|
||||
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
|
||||
Requires: httpd-mmn = %{_httpd_mmn}
|
||||
@ -60,6 +62,7 @@ top of libnghttp2 for httpd 2.4 servers.
|
||||
%patch13 -p1 -b .CVE-2025-49630
|
||||
%patch14 -p1 -b .CVE-2025-53020
|
||||
%patch15 -p1 -b .CVE-2026-49975
|
||||
%patch16 -p1 -b .CVE-2026-43951
|
||||
|
||||
%build
|
||||
%configure
|
||||
@ -86,6 +89,10 @@ make check
|
||||
%{_httpd_moddir}/mod_proxy_http2.so
|
||||
|
||||
%changelog
|
||||
* Tue Jul 14 2026 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.7
|
||||
- Resolves: RHEL-191279 - mod_http2: Apache HTTP Server: Out-of-bounds
|
||||
Read in mod_headers and mod_mime (CVE-2026-43951)
|
||||
|
||||
* Fri Jun 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-10.6
|
||||
- Resolves: RHEL-182418 - mod_http2: HTTP/2: Remote Denial of Service via
|
||||
compression bomb and Slowloris-style attack (CVE-2026-49975)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user