import UBI mod_http2-2.0.29-4.el10_2.1

2026-06-11 12:20:35 -04:00 · 2026-06-11 12:20:35 -04:00 · dfa3be6e43
commit dfa3be6e43
parent b93022b9fc
2 changed files with 43 additions and 1 deletions
--- a/mod_http2-2.0.29-CVE-2026-49975.patch
+++ b/mod_http2-2.0.29-CVE-2026-49975.patch
@ -0,0 +1,36 @@
+From 35c6e405390ed361189a82acd96675401ea5947c Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@users.noreply.github.com>
+Date: Wed, 27 May 2026 11:27:30 +0200
+Subject: [PATCH] cookie reqest header counting (#324)
+
+* cookie reqest header counting
+
+Account merged cookie headers as an "add" to keep LimitRequestFields effective.
+
+* ignore duplicate empty cookie headers
+---
+ mod_http2/h2_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mod_http2/h2_util.c b/mod_http2/h2_util.c
+index 605c348..58a143b 100644
+--- a/mod_http2/h2_util.c
+++ b/mod_http2/h2_util.c
+@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+              && !ap_cstr_casecmp("cookie", (const char *)nv->name)) {
+         existing = apr_table_get(headers, "cookie");
+         if (existing) {
+            if (!nv->valuelen)
+                return APR_SUCCESS;
+             /* Cookie header come separately in HTTP/2, but need
+              * to be merged by "; " (instead of default ", ")
+              */
+@@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+             apr_table_setn(headers, "Cookie",
+                            apr_psprintf(pool, "%s; %.*s", existing,
+                                         (int)nv->valuelen, nv->value));
+            /* Treat the merge as an "add" to not escape LimitRequestFields */
+            *pwas_added = 1;
+             return APR_SUCCESS;
+         }
+     }
--- a/mod_http2.spec
+++ b/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	2.0.29
-Release:	4%{?dist}
+Release:	4%{?dist}.1
 Summary:	module implementing HTTP/2 for Apache 2
 License:	Apache-2.0
 URL:		https://icing.github.io/mod_h2/
@ -23,6 +23,8 @@ Conflicts:      libnghttp2 < 1.50.0-1
 Patch100:      mod_http2-2.0.29-CVE-2025-49630.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2379343
 Patch101:      mod_http2-2.0.29-CVE-2025-53020.patch
+# https://redhat.atlassian.net/browse/RHEL-182418
+Patch102:      mod_http2-2.0.29-CVE-2026-49975.patch

 %description
 The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
@ -54,6 +56,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Fri Jun 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.0.29-4.1
+- Resolves: RHEL-182410 - mod_http2: HTTP/2: Remote Denial of Service via
+  compression bomb and Slowloris-style attack (CVE-2026-49975)
+
 * Tue May 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.0.29-4
 - Resolves: RHEL-166269 - httpd: Apache HTTP Server: HTTP/2 DoS by Memory
  Increase (CVE-2025-53020)