import UBI mod_md-2.4.26-5.el10_2.1
This commit is contained in:
parent
d433cff607
commit
56ce0cd29e
55
mod_md-2.4.26-CVE-2026-29168.patch
Normal file
55
mod_md-2.4.26-CVE-2026-29168.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 30e8bcf40b559c795cf73d9b537256ea1ebd1867 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:02:37 +0000
|
||||
Subject: [PATCH] Merge r1933351 from trunk:
|
||||
|
||||
ocsp limits
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
src/md_ocsp.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/md_ocsp.c b/src/md_ocsp.c
|
||||
index 8276137..6e65e74 100644
|
||||
--- a/src/md_ocsp.c
|
||||
+++ b/src/md_ocsp.c
|
||||
@@ -46,7 +46,21 @@
|
||||
#include "md_ocsp.h"
|
||||
|
||||
#define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH
|
||||
-
|
||||
+
|
||||
+/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */
|
||||
+#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024)
|
||||
+/* Timeout for OCSP responses */
|
||||
+#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60)
|
||||
+/* Timeout for connecting to OCSP servers */
|
||||
+#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30)
|
||||
+/*
|
||||
+ * Below this throughput in bytes per second an OCSP response is regarded as
|
||||
+ * stalled.
|
||||
+ */
|
||||
+#define MD_OCSP_STALLING_BYTES 10
|
||||
+/* Maximum duration for a stalled period during an OCSP response */
|
||||
+#define MD_OCSP_STALLING_TIME apr_time_from_sec(30)
|
||||
+
|
||||
struct md_ocsp_reg_t {
|
||||
apr_pool_t *p;
|
||||
md_store_t *store;
|
||||
@@ -900,6 +914,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim
|
||||
|
||||
rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url);
|
||||
if (APR_SUCCESS != rv) goto cleanup;
|
||||
+
|
||||
+ md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN);
|
||||
+ md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT);
|
||||
+ md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT);
|
||||
+ md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES,
|
||||
+ MD_OCSP_STALLING_TIME);
|
||||
|
||||
rv = md_http_multi_perform(http, next_todo, &ctx);
|
||||
|
||||
--
|
||||
2.52.0
|
||||
|
||||
12
mod_md.spec
12
mod_md.spec
@ -5,13 +5,15 @@
|
||||
|
||||
Name: mod_md
|
||||
Version: 2.4.26
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}.1
|
||||
Summary: Certificate provisioning using ACME for the Apache HTTP Server
|
||||
License: Apache-2.0
|
||||
URL: https://icing.github.io/mod_md/
|
||||
Source0: https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
|
||||
Patch1: mod_md-2.0.8-state_dir.patch
|
||||
Patch2: mod_md-2.4.26-CVE-2025-55753.patch
|
||||
# https://github.com/apache/httpd/commit/5b1edb79aa2d0f8e4424de64879c46c1942e460a
|
||||
Patch3: mod_md-2.4.26-CVE-2026-29168.patch
|
||||
BuildRequires: make, gcc
|
||||
BuildRequires: pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto
|
||||
Requires: httpd-mmn = %{_httpd_mmn}, mod_ssl >= 1:2.4.41
|
||||
@ -60,8 +62,12 @@ echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}
|
||||
%dir %{_httpd_statedir}/md
|
||||
|
||||
%changelog
|
||||
* Tue Dec 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-4
|
||||
- Resolves: RHEL-134483 - httpd: Apache HTTP Server: mod_md (ACME), unintended
|
||||
* Thu Jun 25 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1:2.4.26-5.1
|
||||
- Resolves: RHEL-175647 - mod_md: OCSP response limits
|
||||
(CVE-2026-29168)
|
||||
|
||||
* Fri Jan 09 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-5
|
||||
- Resolves: RHEL-134484 - httpd: Apache HTTP Server: mod_md (ACME), unintended
|
||||
retry intervals (CVE-2025-55753)
|
||||
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.4.26-3
|
||||
|
||||
Loading…
Reference in New Issue
Block a user