From 5c90debc8a55359d48f8d233536d5c24eac06fea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 10 Dec 2025 11:58:06 +0100
Subject: [PATCH] Resolves: #2140979 - mod_md rebase to 2.4.19
---
 mod_md-2.0.8-CVE-2025-55753.patch | 22 ++++++++++++++++++++++
 mod_md.spec | 8 +++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 mod_md-2.0.8-CVE-2025-55753.patch
diff --git a/mod_md-2.0.8-CVE-2025-55753.patch b/mod_md-2.0.8-CVE-2025-55753.patch
new file mode 100644
index 0000000..7a5e590
--- /dev/null
+++ b/mod_md-2.0.8-CVE-2025-55753.patch
@@ -0,0 +1,22 @@
+diff --git a/src/mod_md_drive.c b/src/mod_md_drive.c
+index 670c7e7..35ad58c 100644
+--- a/src/mod_md_drive.c
++++ b/src/mod_md_drive.c
+@@ -135,9 +135,14 @@ static apr_time_t calc_err_delay(int err_count)
+
+ if (err_count > 0) {
+ /* back off duration, depending on the errors we encounter in a row */
+- delay = apr_time_from_sec(5 << (err_count - 1));
+- if (delay > apr_time_from_sec(60*60)) {
+- delay = apr_time_from_sec(60*60);
++ int i;
++ delay = 30;
++ for (i = 0; i < (err_count - 1); ++i) {
++ delay <<= 1;
++ if ((delay <= 0) || (delay > apr_time_from_sec(60*60))) {
++ delay = apr_time_from_sec(60*60);
++ break;
++ }
+ }
+ }
+ return delay;
diff --git a/mod_md.spec b/mod_md.spec
index 299efa1..194860e 100644
--- a/mod_md.spec
+++ b/mod_md.spec
@@ -3,7 +3,7 @@
 Name: mod_md
 Version: 2.0.8
-Release: 8%{?dist}
+Release: 8%{?dist}.1
 Summary: Certificate provisioning using ACME for the Apache HTTP Server
 License: ASL 2.0
 URL: https://icing.github.io/mod_md/
@@ -13,6 +13,7 @@ Source10: a2md.xml
 Patch1: mod_md-2.0.8-state_dir.patch
 Patch2: mod_md-2.0.8-duptrim-seg.patch
 Patch3: mod_md-2.0.8-tolerate-missing-res.patch
+Patch4: mod_md-2.0.8-CVE-2025-55753.patch
 BuildRequires: gcc
 BuildRequires: pkgconfig, httpd-devel >= 2.4.37, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel
 BuildRequires: xmlto
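Review bot: The back-off seed `delay = 30;` in the embedded src/mod_md_drive.c hunk (mod_md-2.0.8-CVE-2025-55753.patch) is a raw apr_time_t value, whereas the removed line and the one-hour cap both go through apr_time_from_sec(). apr_time_t counts microseconds, so as written the first retry waits 30 µs, delays stay below one second for roughly the first fifteen consecutive failures, and the cap is reached only after about 27 doublings; the renewal loop would then retry against the ACME server almost immediately, which looks like the retry-interval behaviour this CVE fix is meant to prevent. If 30 seconds was intended, the line should read `delay = apr_time_from_sec(30);` (or `apr_time_from_sec(5)` to keep the previous starting interval). With the seed in seconds the per-iteration cap also keeps `delay` far from overflow, so the `delay <= 0` test is purely defensive. calc_err_delay() starts and ends outside the hunk, so the declaration and initial value of `delay` are not visible here.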
@@ -31,6 +32,7 @@ domains and their virtual hosts automatically, including at renewal.
 %patch1 -p1 -b .state_dir
 %patch2 -p1 -b .dup_trim
 %patch3 -p1 -b .tol_missing_res
+%patch4 -p1 -b .CVE-2025-55753
 xmlto man $RPM_SOURCE_DIR/a2md.xml
@@ -70,6 +72,10 @@ install -m 644 -p a2md.1 $RPM_BUILD_ROOT%{_mandir}/man1
 %{_mandir}/man1/*
 %changelog
+* Tue Dec 09 2025 Luboš Uhliarik - 1:2.0.8-8.1
+- Resolves: RHEL-134487 - httpd:2.4/httpd: Apache HTTP Server: mod_md (ACME),
+ unintended retry intervals (CVE-2025-55753)
+
 * Thu May 28 2020 Lubos Uhliarik - 1:2.0.8-8
 - Resolves: #1832844 - mod_md does not work with ACME server that does not provide keyChange or revokeCert resources