Resolves: RHEL-106263 - CVE-2025-49630 httpd: untrusted input from a client

causes an assertion to fail in the Apache mod_proxy_http2 module
2025-08-20 13:39:39 +02:00 · 2025-08-20 13:39:39 +02:00 · d9670f5294
commit d9670f5294
parent aeb0afca4e
2 changed files with 45 additions and 2 deletions
--- a/mod_http2-2.0.29-CVE-2025-49630.patch
+++ b/mod_http2-2.0.29-CVE-2025-49630.patch
@ -0,0 +1,34 @@
+From 349248060f2bff5f4592fda1917f83ba9e70bf3f Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 7 Jul 2025 11:53:43 +0000
+Subject: [PATCH] tolerate missing host header in h2 proxy
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927036 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http2/h2_proxy_session.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/mod_http2/h2_proxy_session.c b/mod_http2/h2_proxy_session.c
+index d5d0f9bc6bc..2cfbb5f5d4b 100644
+--- a/mod_http2/h2_proxy_session.c
+++ b/mod_http2/h2_proxy_session.c
+@@ -850,6 +850,18 @@ static apr_status_t open_stream(h2_proxy_session *session, const char *url,
+     dconf = ap_get_module_config(r->per_dir_config, &proxy_module);
+     if (dconf->preserve_host) {
+         authority = orig_host;
+        if (!authority) {
+            /* Duplicate mod_proxy behaviour if ProxyPreserveHost is
+             * used but an "HTTP/0.9" request is received without a
+             * Host: header */
+            authority = r->server->server_hostname;
+            ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10511)
+                          "HTTP/0.9 request (with no host line) "
+                          "on incoming request and preserve host set "
+                          "forcing hostname to be %s for uri %s",
+                          authority, r->uri);
+            apr_table_setn(r->headers_in, "Host", authority);
+        }
+     }
+     else {
+         authority = puri.hostname;
+
--- a/mod_http2.spec
+++ b/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	2.0.29
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	module implementing HTTP/2 for Apache 2
 License:	Apache-2.0
 URL:		https://icing.github.io/mod_h2/
@ -17,12 +17,17 @@ Conflicts:      httpd < 2.4.48
 # https://bugzilla.redhat.com/show_bug.cgi?id=2131458
 Conflicts:      libnghttp2 < 1.50.0-1

+# Security patches:
+#
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374578
+Patch100:      mod_http2-2.0.29-CVE-2025-49630.patch
+
 %description
 The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
 top of libnghttp2 for httpd 2.4 servers.

 %prep
-%setup -q
+%autosetup -p1

 %build
 autoreconf -i
@ -47,6 +52,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Wed Aug 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.0.29-3
+- Resolves: RHEL-106263 - CVE-2025-49630 httpd: untrusted input from a client
+  causes an assertion to fail in the Apache mod_proxy_http2 module
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.0.29-2
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018