import mod_http2-2.0.26-2.el9_4

a00f8397 · Rocky Automation · 74f77d7a · a00f8397 · a00f8397 · a00f8397
Commit a00f8397 authored 11 months ago by Rocky Automation
--- a/.mod_http2.checksum
+++ b/.mod_http2.checksum
-9e2e7d021b97177da4b76649ac9f233acdf566a8806f1715ea34d8e2b2448c6f
+a90d635d2b732a1c9adaf081d1994089316069845b03d40a51b09d95913f8e9d
--- a/.mod_http2.metadata
+++ b/.mod_http2.metadata
-825d8923a25af3b8175004f2f9dd90c89d3a7e2961c8572ad37af78fda31ac8c SOURCES/mod_http2-1.15.19.tar.gz
+528f66eb9be3dd273c68b342206b2d17d3e188ab1cf2465344b080c9bb9d67a3 SOURCES/mod_http2-2.0.26.tar.gz
--- a/SOURCES/mod_http2-2.0.26-CVE-2024-27316.patch
+++ b/SOURCES/mod_http2-2.0.26-CVE-2024-27316.patch
+From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 23 Feb 2024 15:13:56 +0100
+Subject: [PATCH] RESET stream after 100 failed incoming headers
+
+---
+ mod_http2/h2_session.c | 10 +++++++---
+ mod_http2/h2_stream.c  |  1 +
+ mod_http2/h2_stream.h  |  1 +
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
+index 1e560e47..6d379cc5 100644
+--- a/mod_http2/h2_session.c
+++ b/mod_http2/h2_session.c
+@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
+     
+     status = h2_stream_add_header(stream, (const char *)name, namelen,
+                                   (const char *)value, valuelen);
+-    if (status != APR_SUCCESS
+-        && (!stream->rtmp
+-            || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
+    if (status != APR_SUCCESS &&
+        (!stream->rtmp ||
+         stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
+         /* We accept a certain amount of failures in order to reply
+          * with an informative HTTP error response like 413. But of the
+          * client is too wrong, we fail the request an RESET the stream */
+         stream->request_headers_failed > 100)) {
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+     }
+     return 0;
+diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
+index f6c92024..ee87555f 100644
+--- a/mod_http2/h2_stream.c
+++ b/mod_http2/h2_stream.c
+@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
+     
+ cleanup:
+     if (error) {
+        ++stream->request_headers_failed;
+         set_error_response(stream, error);
+         return APR_EINVAL; 
+     }
+diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
+index d68d4260..405978a4 100644
+--- a/mod_http2/h2_stream.h
+++ b/mod_http2/h2_stream.h
+@@ -91,6 +91,7 @@ struct h2_stream {
+     struct h2_request *rtmp;    /* request being assembled */
+     apr_table_t *trailers_in;   /* optional, incoming trailers */
+     int request_headers_added;  /* number of request headers added */
+    int request_headers_failed; /* number of request headers failed to add */
+ 
+ #if AP_HAS_RESPONSE_BUCKETS
+     ap_bucket_response *response; /* the final, non-interim response or NULL */
+
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@@ -2,22 +2,18 @@
 %{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}

 Name:		mod_http2
-Version:	1.15.19
-Release:	5%{?dist}.1
+Version:	2.0.26
+Release:	2%{?dist}
 Summary:	module implementing HTTP/2 for Apache 2
 License:	ASL 2.0
 URL:		https://icing.github.io/mod_h2/
 Source0:	https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2-%{version}.tar.gz
-Patch1:         mod_http2-1.14.1-buildfix.patch
-Patch2:         mod_http2-1.15.14-openssl30.patch
+# Patch1:       ...

 # Security patches:
-# https://bugzilla.redhat.com/show_bug.cgi?id=2034672
-Patch100:       mod_http2-1.15.19-CVE-2021-44224.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
-Patch101:       mod_http2-1.15.19-CVE-2023-25690.patch
+#
 # https://bugzilla.redhat.com/show_bug.cgi?id=2268277
-Patch102:       mod_http2-1.15.19-CVE-2024-27316.patch
+Patch100:      mod_http2-2.0.26-CVE-2024-27316.patch

 BuildRequires: make
 BuildRequires:  gcc
@@ -32,13 +28,7 @@ The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
 top of libnghttp2 for httpd 2.4 servers.

 %prep
-%setup -q
-%patch1 -p1 -b .buildfix
-%patch2 -p1 -b .openssl30
-
-%patch100 -p1 -b .CVE-2021-44224
-%patch101 -p1 -b .CVE-2023-25690
-%patch102 -p1 -b .CVE-2024-27316
+%autosetup -p1

 %build
 autoreconf -i
@@ -63,10 +53,13 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
-* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5.1
- Resolves: RHEL-29826 - mod_http2: httpd: CONTINUATION frames
+* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2
+- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
  DoS (CVE-2024-27316)

+* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-1
+- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26
+
 * Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5
 - Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
  mod_rewrite and mod_proxy