import UBI mod_http2-2.0.26-2.el9_4.1

2024-10-31 02:17:34 +00:00 · 2024-10-31 02:17:34 +00:00 · b6289a6cdb
commit b6289a6cdb
parent 76352c0488
2 changed files with 24 additions and 1 deletions
--- a/SOURCES/mod_http2-2.0.26-CVE-2024-36387.patch
+++ b/SOURCES/mod_http2-2.0.26-CVE-2024-36387.patch
@ -0,0 +1,17 @@
+--- a/mod_http2/h2_c2.c	2024/06/24 17:34:59	1918556
+++ b/mod_http2/h2_c2.c	2024/06/24 17:51:42	1918557
+@@ -370,6 +370,13 @@
+     h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
+     apr_status_t rv;
+ 
+   if (bb == NULL) {
+#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
+        f->c->data_in_output_filters = 0;
+#endif
+        return APR_SUCCESS;
+    }
+
+     ap_assert(conn_ctx);
+ #if AP_HAS_RESPONSE_BUCKETS
+     if (!conn_ctx->has_final_response) {
+
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	2.0.26
-Release:	2%{?dist}
+Release:	2%{?dist}.1
 Summary:	module implementing HTTP/2 for Apache 2
 License:	ASL 2.0
 URL:		https://icing.github.io/mod_h2/
@ -14,6 +14,8 @@ Source0:	https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2
 #
 # https://bugzilla.redhat.com/show_bug.cgi?id=2268277
 Patch100:      mod_http2-2.0.26-CVE-2024-27316.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2295006
+Patch101:      mod_http2-2.0.26-CVE-2024-36387.patch

 BuildRequires: make
 BuildRequires:  gcc
@ -53,6 +55,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Tue Jul 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2.1
+- Resolves: RHEL-45803 - mod_http2: DoS by null pointer in websocket
+  over HTTP/2 (CVE-2024-36387)
+
 * Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2
 - Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
  DoS (CVE-2024-27316)