From ee771ebe89e43d4c48ccb3d020f46eb88a86b765 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 15 Sep 2025 12:23:31 +0000 Subject: [PATCH] import CS mod_http2-2.0.26-5.el9 --- SOURCES/mod_http2-2.0.26-CVE-2025-49630.patch | 34 +++++++++++++++++++ SPECS/mod_http2.spec | 8 ++++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 SOURCES/mod_http2-2.0.26-CVE-2025-49630.patch diff --git a/SOURCES/mod_http2-2.0.26-CVE-2025-49630.patch b/SOURCES/mod_http2-2.0.26-CVE-2025-49630.patch new file mode 100644 index 0000000..a216493 --- /dev/null +++ b/SOURCES/mod_http2-2.0.26-CVE-2025-49630.patch @@ -0,0 +1,34 @@ +From 349248060f2bff5f4592fda1917f83ba9e70bf3f Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 7 Jul 2025 11:53:43 +0000 +Subject: [PATCH] tolerate missing host header in h2 proxy + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927036 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/http2/h2_proxy_session.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/mod_http2/h2_proxy_session.c b/mod_http2/h2_proxy_session.c +index d5d0f9bc6bc..2cfbb5f5d4b 100644 +--- a/mod_http2/h2_proxy_session.c ++++ b/mod_http2/h2_proxy_session.c +@@ -850,6 +850,18 @@ static apr_status_t open_stream(h2_proxy_session *session, const char *url, + dconf = ap_get_module_config(r->per_dir_config, &proxy_module); + if (dconf->preserve_host) { + authority = orig_host; ++ if (!authority) { ++ /* Duplicate mod_proxy behaviour if ProxyPreserveHost is ++ * used but an "HTTP/0.9" request is received without a ++ * Host: header */ ++ authority = r->server->server_hostname; ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10511) ++ "HTTP/0.9 request (with no host line) " ++ "on incoming request and preserve host set " ++ "forcing hostname to be %s for uri %s", ++ authority, r->uri); ++ apr_table_setn(r->headers_in, "Host", authority); ++ } + } + else { + authority = puri.hostname; + diff --git a/SPECS/mod_http2.spec b/SPECS/mod_http2.spec index 6e3373a..67cb792 100644 --- a/SPECS/mod_http2.spec +++ b/SPECS/mod_http2.spec @@ -3,7 +3,7 @@ Name: mod_http2 Version: 2.0.26 -Release: 4%{?dist} +Release: 5%{?dist} Summary: module implementing HTTP/2 for Apache 2 License: ASL 2.0 URL: https://icing.github.io/mod_h2/ @@ -18,6 +18,8 @@ Patch1: mod_http2-2.0.26-r1918628.patch Patch100: mod_http2-2.0.26-CVE-2024-27316.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295006 Patch101: mod_http2-2.0.26-CVE-2024-36387.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2374578 +Patch102: mod_http2-2.0.26-CVE-2025-49630.patch BuildRequires: make BuildRequires: gcc @@ -57,6 +59,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{ %{_httpd_moddir}/mod_proxy_http2.so %changelog +* Wed Aug 20 2025 Luboš Uhliarik - 2.0.26-5 +- Resolves: RHEL-108706 - CVE-2025-49630 httpd: untrusted input from a client + causes an assertion to fail in the Apache mod_proxy_http2 module + * Mon Jan 27 2025 Luboš Uhliarik - 2.0.26-4 - Resolves: RHEL-76413 - mod_proxy_http2 failures after CVE-2024-38477 fix