diff --git a/mod_md-2.4.26-CVE-2026-29168.patch b/mod_md-2.4.26-CVE-2026-29168.patch new file mode 100644 index 0000000..31fb063 --- /dev/null +++ b/mod_md-2.4.26-CVE-2026-29168.patch @@ -0,0 +1,55 @@ +From 30e8bcf40b559c795cf73d9b537256ea1ebd1867 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Sun, 26 Apr 2026 16:02:37 +0000 +Subject: [PATCH] Merge r1933351 from trunk: + +ocsp limits + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68 +--- + src/md_ocsp.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/md_ocsp.c b/src/md_ocsp.c +index 8276137..6e65e74 100644 +--- a/src/md_ocsp.c ++++ b/src/md_ocsp.c +@@ -46,7 +46,21 @@ + #include "md_ocsp.h" + + #define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH +- ++ ++/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */ ++#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024) ++/* Timeout for OCSP responses */ ++#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60) ++/* Timeout for connecting to OCSP servers */ ++#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30) ++/* ++ * Below this throughput in bytes per second an OCSP response is regarded as ++ * stalled. ++ */ ++#define MD_OCSP_STALLING_BYTES 10 ++/* Maximum duration for a stalled period during an OCSP response */ ++#define MD_OCSP_STALLING_TIME apr_time_from_sec(30) ++ + struct md_ocsp_reg_t { + apr_pool_t *p; + md_store_t *store; +@@ -900,6 +914,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim + + rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url); + if (APR_SUCCESS != rv) goto cleanup; ++ ++ md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN); ++ md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT); ++ md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT); ++ md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES, ++ MD_OCSP_STALLING_TIME); + + rv = md_http_multi_perform(http, next_todo, &ctx); + +-- +2.52.0 + diff --git a/mod_md.spec b/mod_md.spec index 47bbe04..a6450f1 100644 --- a/mod_md.spec +++ b/mod_md.spec @@ -5,13 +5,15 @@ Name: mod_md Version: 2.4.26 -Release: 4%{?dist} +Release: 5%{?dist}.1 Summary: Certificate provisioning using ACME for the Apache HTTP Server License: Apache-2.0 URL: https://icing.github.io/mod_md/ Source0: https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz Patch1: mod_md-2.0.8-state_dir.patch Patch2: mod_md-2.4.26-CVE-2025-55753.patch +# https://github.com/apache/httpd/commit/5b1edb79aa2d0f8e4424de64879c46c1942e460a +Patch3: mod_md-2.4.26-CVE-2026-29168.patch BuildRequires: make, gcc BuildRequires: pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto Requires: httpd-mmn = %{_httpd_mmn}, mod_ssl >= 1:2.4.41 @@ -60,8 +62,12 @@ echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir} %dir %{_httpd_statedir}/md %changelog -* Tue Dec 09 2025 Luboš Uhliarik - 1:2.4.26-4 -- Resolves: RHEL-134483 - httpd: Apache HTTP Server: mod_md (ACME), unintended +* Thu Jun 25 2026 RHEL Packaging Agent - 1:2.4.26-5.1 +- Resolves: RHEL-175647 - mod_md: OCSP response limits + (CVE-2026-29168) + +* Fri Jan 09 2026 Luboš Uhliarik - 1:2.4.26-5 +- Resolves: RHEL-134484 - httpd: Apache HTTP Server: mod_md (ACME), unintended retry intervals (CVE-2025-55753) * Tue Oct 29 2024 Troy Dawson - 1:2.4.26-3