From dfa3be6e43fbb34934ab540447957513383f8526 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Thu, 11 Jun 2026 12:20:35 -0400
Subject: [PATCH] import UBI mod_http2-2.0.29-4.el10_2.1

---
 mod_http2-2.0.29-CVE-2026-49975.patch | 36 +++++++++++++++++++++++++++
 mod_http2.spec                        |  8 +++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 mod_http2-2.0.29-CVE-2026-49975.patch

diff --git a/mod_http2-2.0.29-CVE-2026-49975.patch b/mod_http2-2.0.29-CVE-2026-49975.patch
new file mode 100644
index 0000000..846d137
--- /dev/null
+++ b/mod_http2-2.0.29-CVE-2026-49975.patch
@@ -0,0 +1,36 @@
+From 35c6e405390ed361189a82acd96675401ea5947c Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@users.noreply.github.com>
+Date: Wed, 27 May 2026 11:27:30 +0200
+Subject: [PATCH] cookie reqest header counting (#324)
+
+* cookie reqest header counting
+
+Account merged cookie headers as an "add" to keep LimitRequestFields effective.
+
+* ignore duplicate empty cookie headers
+---
+ mod_http2/h2_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mod_http2/h2_util.c b/mod_http2/h2_util.c
+index 605c348..58a143b 100644
+--- a/mod_http2/h2_util.c
++++ b/mod_http2/h2_util.c
+@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+              && !ap_cstr_casecmp("cookie", (const char *)nv->name)) {
+         existing = apr_table_get(headers, "cookie");
+         if (existing) {
++            if (!nv->valuelen)
++                return APR_SUCCESS;
+             /* Cookie header come separately in HTTP/2, but need
+              * to be merged by "; " (instead of default ", ")
+              */
+@@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+             apr_table_setn(headers, "Cookie",
+                            apr_psprintf(pool, "%s; %.*s", existing,
+                                         (int)nv->valuelen, nv->value));
++            /* Treat the merge as an "add" to not escape LimitRequestFields */
++            *pwas_added = 1;
+             return APR_SUCCESS;
+         }
+     }
diff --git a/mod_http2.spec b/mod_http2.spec
index 07a7ab2..5a60728 100644
--- a/mod_http2.spec
+++ b/mod_http2.spec
@@ -3,7 +3,7 @@
 
 Name:		mod_http2
 Version:	2.0.29
-Release:	4%{?dist}
+Release:	4%{?dist}.1
 Summary:	module implementing HTTP/2 for Apache 2
 License:	Apache-2.0
 URL:		https://icing.github.io/mod_h2/
@@ -23,6 +23,8 @@ Conflicts:      libnghttp2 < 1.50.0-1
 Patch100:      mod_http2-2.0.29-CVE-2025-49630.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2379343
 Patch101:      mod_http2-2.0.29-CVE-2025-53020.patch
+# https://redhat.atlassian.net/browse/RHEL-182418
+Patch102:      mod_http2-2.0.29-CVE-2026-49975.patch
 
 %description
 The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
@@ -54,6 +56,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
 %{_httpd_moddir}/mod_proxy_http2.so
 
 %changelog
+* Fri Jun 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.0.29-4.1
+- Resolves: RHEL-182410 - mod_http2: HTTP/2: Remote Denial of Service via
+  compression bomb and Slowloris-style attack (CVE-2026-49975)
+
 * Tue May 05 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.0.29-4
 - Resolves: RHEL-166269 - httpd: Apache HTTP Server: HTTP/2 DoS by Memory
   Increase (CVE-2025-53020)