From 9a0b7a21b439dfa2adc71d9799a33487fd2fc5d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 14 Jul 2026 19:47:16 +0200 Subject: [PATCH] Resolves: RHEL-191279 - mod_http2: Apache HTTP Server: Out-of-bounds Read in mod_headers and mod_mime (CVE-2026-43951) --- mod_http2-1.15.7-CVE-2026-43951.patch | 16 ++++++++++++++++ mod_http2.spec | 9 ++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 mod_http2-1.15.7-CVE-2026-43951.patch diff --git a/mod_http2-1.15.7-CVE-2026-43951.patch b/mod_http2-1.15.7-CVE-2026-43951.patch new file mode 100644 index 0000000..d0950c5 --- /dev/null +++ b/mod_http2-1.15.7-CVE-2026-43951.patch @@ -0,0 +1,16 @@ +diff --git a/mod_http2/h2_from_h1.c b/mod_http2/h2_from_h1.c +index edb1d8e..d2c91aa 100644 +--- a/mod_http2/h2_from_h1.c ++++ b/mod_http2/h2_from_h1.c +@@ -234,10 +234,10 @@ static h2_headers *create_response(h2_task *task, request_rec *r) + if (!apr_is_empty_array(r->content_languages)) { + unsigned int i; + char *token; +- char **languages = (char **)(r->content_languages->elts); + const char *field = apr_table_get(r->headers_out, "Content-Language"); + + while (field && (token = ap_get_list_item(r->pool, &field)) != NULL) { ++ char **languages = (char **)(r->content_languages->elts); + for (i = 0; i < r->content_languages->nelts; ++i) { + if (!apr_strnatcasecmp(token, languages[i])) + break; diff --git a/mod_http2.spec b/mod_http2.spec index df554ba..8e5ae03 100644 --- a/mod_http2.spec +++ b/mod_http2.spec @@ -3,7 +3,7 @@ Name: mod_http2 Version: 1.15.7 -Release: 10%{?dist}.6 +Release: 10%{?dist}.7 Summary: module implementing HTTP/2 for Apache 2 Group: System Environment/Daemons License: ASL 2.0 @@ -34,6 +34,8 @@ Patch13: mod_http2-1.15.7-CVE-2025-49630.patch Patch14: mod_http2-1.15.7-CVE-2025-53020.patch # https://redhat.atlassian.net/browse/RHEL-182418 Patch15: mod_http2-1.15.7-CVE-2026-49975.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2486415 +Patch16: mod_http2-1.15.7-CVE-2026-43951.patch BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2 Requires: httpd-mmn = %{_httpd_mmn} @@ -60,6 +62,7 @@ top of libnghttp2 for httpd 2.4 servers. %patch13 -p1 -b .CVE-2025-49630 %patch14 -p1 -b .CVE-2025-53020 %patch15 -p1 -b .CVE-2026-49975 +%patch16 -p1 -b .CVE-2026-43951 %build %configure @@ -86,6 +89,10 @@ make check %{_httpd_moddir}/mod_proxy_http2.so %changelog +* Tue Jul 14 2026 Luboš Uhliarik - 1.15.7-10.7 +- Resolves: RHEL-191279 - mod_http2: Apache HTTP Server: Out-of-bounds + Read in mod_headers and mod_mime (CVE-2026-43951) + * Fri Jun 05 2026 Luboš Uhliarik - 1.15.7-10.6 - Resolves: RHEL-182418 - mod_http2: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975)