import UBI mod_md-2.4.26-2.el9_8.1

This commit is contained in:
AlmaLinux RelEng Bot 2026-06-28 23:40:25 -04:00
parent 89197dc0d4
commit 55381e6ce3
2 changed files with 64 additions and 3 deletions

View File

@ -0,0 +1,55 @@
From 021dc6dbcde4f49c05a2c275eb79ce69be918b61 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:02:37 +0000
Subject: [PATCH] Merge r1933351 from trunk:
ocsp limits
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68
---
src/md_ocsp.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/md_ocsp.c b/src/md_ocsp.c
index 8276137..6e65e74 100644
--- a/src/md_ocsp.c
+++ b/src/md_ocsp.c
@@ -46,7 +46,21 @@
#include "md_ocsp.h"
#define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH
-
+
+/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */
+#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024)
+/* Timeout for OCSP responses */
+#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60)
+/* Timeout for connecting to OCSP servers */
+#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30)
+/*
+ * Below this throughput in bytes per second an OCSP response is regarded as
+ * stalled.
+ */
+#define MD_OCSP_STALLING_BYTES 10
+/* Maximum duration for a stalled period during an OCSP response */
+#define MD_OCSP_STALLING_TIME apr_time_from_sec(30)
+
struct md_ocsp_reg_t {
apr_pool_t *p;
md_store_t *store;
@@ -900,6 +914,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim
rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url);
if (APR_SUCCESS != rv) goto cleanup;
+
+ md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN);
+ md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT);
+ md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT);
+ md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES,
+ MD_OCSP_STALLING_TIME);
rv = md_http_multi_perform(http, next_todo, &ctx);
--
2.52.0

View File

@ -3,13 +3,15 @@
Name: mod_md
Version: 2.4.26
Release: 1%{?dist}.1
Release: 2%{?dist}.1
Summary: Certificate provisioning using ACME for the Apache HTTP Server
License: ASL 2.0
URL: https://icing.github.io/mod_md/
Source0: https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
Patch1: mod_md-2.0.8-state_dir.patch
Patch2: mod_md-2.4.26-CVE-2025-55753.patch
# https://github.com/apache/httpd/commit/5b1edb79aa2d0f8e4424de64879c46c1942e460a
Patch3: mod_md-2.4.26-CVE-2026-29168.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto
@ -60,8 +62,12 @@ echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}
%{_mandir}/man1/*
%changelog
* Tue Dec 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-1.1
- Resolves: RHEL-134496 - httpd: Apache HTTP Server: mod_md (ACME), unintended
* Thu Jun 25 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1:2.4.26-2.1
- Resolves: RHEL-175644 - mod_md: OCSP response limits
(CVE-2026-29168)
* Fri Jan 09 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-2
- Resolves: RHEL-134497 - httpd: Apache HTTP Server: mod_md (ACME), unintended
retry intervals (CVE-2025-55753)
* Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-1