import UBI mod_md-2.4.26-1.el9_7.1

SOURCES/mod_md-2.4.26-CVE-2025-55753.patch

@@ -0,0 +1,94 @@
+From b00d19ea455f45376d5393aae60588915c59898e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Tue, 9 Dec 2025 16:08:47 +0100
+Subject: [PATCH] * Increasing default `MDRetryDelay` to 30 seconds to 
+ generate less bursty (#391)
+
+traffic on errored renewals for the ACME CA. This leads to error retries
+   of 30s, 1 minute, 2, 4, etc. up to daily attempts.
+ * Checking that configuring `MDRetryDelay` will result in a positive
+   duration. A delay of 0 is not accepted.
+---
+ README.md           |  2 +-
+ src/md_cmd_main.c   |  2 +-
+ src/md_status.c     | 14 ++++++++++----
+ src/mod_md_config.c |  5 ++++-
+ 4 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/README.md b/README.md
+index b3b2a7e..03ec74c 100644
+--- a/README.md
++++ b/README.md
+@@ -2371,7 +2371,7 @@ files as usual.
+ 
+ ## MDRetryDelay
+ `MDRetryDelay duration`
+-Default: 5s
++Default: 30s
+ 
+ The delay on a failed renewal before the next attempt is done. This doubles on every consecutive error with a
+ cap of 24 hours, e.g. daily retries. Furthermore, the effective delay is randomly jiggled by +-50%. This is
+diff --git a/src/md_cmd_main.c b/src/md_cmd_main.c
+index 7e7d209..4329e28 100644
+--- a/src/md_cmd_main.c
++++ b/src/md_cmd_main.c
+@@ -186,7 +186,7 @@ static apr_status_t cmd_process(md_cmd_ctx *ctx, const md_cmd_t *cmd)
+         }
+         if (APR_SUCCESS != (rv = md_reg_create(&ctx->reg, ctx->p, ctx->store,
+                                                md_cmd_ctx_get_option(ctx, MD_CMD_OPT_PROXY_URL),
+-                                               ctx->ca_file, apr_time_from_sec(2), 10,
++                                               ctx->ca_file, apr_time_from_sec(15), 10,
+                                                0, apr_time_from_sec(5)))) {
+             fprintf(stderr, "error %d creating registry from store: %s\n", rv, ctx->base_dir);
+             return APR_EINVAL;
+diff --git a/src/md_status.c b/src/md_status.c
+index 936c653..8d7d173 100644
+--- a/src/md_status.c
++++ b/src/md_status.c
+@@ -589,10 +589,16 @@ apr_time_t md_job_delay_on_errors(md_job_t *job, int err_count, const char *last
+         delay = max_delay;
+     }
+     else if (err_count > 0) {
+-        /* back off duration, depending on the errors we encounter in a row */
+-        delay = job->min_delay << (err_count - 1);
+-        if (delay > max_delay) {
+-            delay = max_delay;
++        /* back off duration, depending on the errors we encounter in a row.
++         * As apr_time_t is signed, this might wrap around*/
++        int i;
++        delay = job->min_delay;
++        for (i = 0; i < (err_count - 1); ++i) {
++          delay <<= 1;
++          if ((delay <= 0) || (delay > max_delay)) {
++              delay = max_delay;
++              break;
++          }
+         }
+     }
+     if (delay > 0) {
+diff --git a/src/mod_md_config.c b/src/mod_md_config.c
+index 500f0dd..a13e00d 100644
+--- a/src/mod_md_config.c
++++ b/src/mod_md_config.c
+@@ -85,7 +85,7 @@ static md_mod_conf_t defmc = {
+     "https://crt.sh?q=",       /* default cert checker site url */
+     NULL,                      /* CA cert file to use */
+     apr_time_from_sec(MD_SECS_PER_DAY/2), /* default time between cert checks */
+-    apr_time_from_sec(5),      /* minimum delay for retries */
++    apr_time_from_sec(30),     /* minimum delay for retries */
+     13,                        /* retry_failover after 14 errors, with 5s delay ~ half a day */
+     0,                         /* store locks, disabled by default */
+     apr_time_from_sec(5),      /* max time to wait to obaint a store lock */
+@@ -654,6 +654,9 @@ static const char *md_config_set_min_delay(cmd_parms *cmd, void *dc, const char
+     if (md_duration_parse(&delay, value, "s") != APR_SUCCESS) {
+         return "unrecognized duration format";
+     }
++    if (delay <= 0) {
++        return "minimum delay must be greater than 0";
++    }
+     config->mc->min_delay = delay;
+     return NULL;
+ }
+-- 
+2.44.0
+

SPECS/mod_md.spec

@@ -3,12 +3,13 @@
 
 Name:           mod_md
 Version:        2.4.26
-Release:        1%{?dist}
+Release:        1%{?dist}.1
 Summary:        Certificate provisioning using ACME for the Apache HTTP Server
 License:        ASL 2.0
 URL:            https://icing.github.io/mod_md/
 Source0:        https://github.com/icing/mod_md/releases/download/v%{version}/mod_md-%{version}.tar.gz
 Patch1:         mod_md-2.0.8-state_dir.patch
+Patch2:         mod_md-2.4.26-CVE-2025-55753.patch
 BuildRequires:  make
 BuildRequires:  gcc
 BuildRequires:  pkgconfig, httpd-devel >= 2.4.41, openssl-devel >= 1.1.0, jansson-devel, libcurl-devel, xmlto
@@ -59,6 +60,10 @@ echo "LoadModule md_module modules/mod_md.so" > %{buildroot}%{_httpd_modconfdir}
 %{_mandir}/man1/*
 
 %changelog
+* Tue Dec 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-1.1
+- Resolves: RHEL-134496 - httpd: Apache HTTP Server: mod_md (ACME), unintended
+  retry intervals (CVE-2025-55753)
+
 * Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:2.4.26-1
 - Resolves: RHEL-25075 - new version 2.4.26
 - Resolves: RHEL-11838 - [RFE] add support of dns_01 challenge to mod_md