import UBI mod_md-2.4.26-5.el10_2.1

This commit is contained in:
AlmaLinux RelEng Bot 2026-06-29 13:58:00 -04:00
parent d433cff607
commit 56ce0cd29e
2 changed files with 64 additions and 3 deletions

View File

@ -0,0 +1,55 @@
From 30e8bcf40b559c795cf73d9b537256ea1ebd1867 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:02:37 +0000
Subject: [PATCH] Merge r1933351 from trunk:
ocsp limits
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68
---
src/md_ocsp.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/md_ocsp.c b/src/md_ocsp.c
index 8276137..6e65e74 100644
--- a/src/md_ocsp.c
+++ b/src/md_ocsp.c
@@ -46,7 +46,21 @@
#include "md_ocsp.h"
#define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH
-
+
+/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */
+#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024)
+/* Timeout for OCSP responses */
+#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60)
+/* Timeout for connecting to OCSP servers */
+#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30)
+/*
+ * Below this throughput in bytes per second an OCSP response is regarded as
+ * stalled.
+ */
+#define MD_OCSP_STALLING_BYTES 10
+/* Maximum duration for a stalled period during an OCSP response */
+#define MD_OCSP_STALLING_TIME apr_time_from_sec(30)
+
struct md_ocsp_reg_t {
apr_pool_t *p;
md_store_t *store;
@@ -900,6 +914,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim
rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url);
if (APR_SUCCESS != rv) goto cleanup;
+
+ md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN);
+ md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT);
+ md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT);
+ md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES,
+ MD_OCSP_STALLING_TIME);
rv = md_http_multi_perform(http, next_todo, &ctx);
--
2.52.0

View File

@ -5,13 +5,15 @@
Name: mod_md
Version: 2.4.26
Release: 4%{?dist}
Release: 5%{?dist}.1
Summary: Certificate provisioning using ACME for the Apache HTTP Server
License: Apache-2.0
URL: https://icing.github.io/mod_md/
Source0: https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
Patch1: mod_md-2.0.8-state_dir.patch
Patch2: mod_md-2.4.26-CVE-2025-55753.patch
# https://github.com/apache/httpd/commit/5b1edb79aa2d0f8e4424de64879c46c1942e460a
Patch3: mod_md-2.4.26-CVE-2026-29168.patch
BuildRequires: make, gcc
BuildRequires: pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto
Requires: httpd-mmn = %{_httpd_mmn}, mod_ssl >= 1:2.4.41
@ -60,8 +62,12 @@ echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}
%dir %{_httpd_statedir}/md
%changelog
* Tue Dec 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-4
- Resolves: RHEL-134483 - httpd: Apache HTTP Server: mod_md (ACME), unintended
* Thu Jun 25 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1:2.4.26-5.1
- Resolves: RHEL-175647 - mod_md: OCSP response limits
(CVE-2026-29168)
* Fri Jan 09 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-5
- Resolves: RHEL-134484 - httpd: Apache HTTP Server: mod_md (ACME), unintended
retry intervals (CVE-2025-55753)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.4.26-3