Looks like there's a PR for this with test builds still running: https://src.fedoraproject.org/rpms/httpd/pull-request/48#
On Wed, May 6, 2026 at 11:21 AM Marius Schwarz <[email protected]> wrote:
>
> Hi,
>
> the necessary updates are not to be found in bodhi, I assume someone
> missed the info:
>
> https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
>
> *CVE-2026-23918 is a double-free in Apache httpd 2.4.66 mod_http2
> <https://httpd.apache.org/docs/current/mod/mod_http2.html>, specifically in
> the stream cleanup path of h2_mplx.c. The bug triggers when a client sends
> an HTTP/2 HEADERS frame immediately followed by RST_STREAM with a non-zero
> error code on the same stream, before the multiplexer has registered the
> stream.... *whereas the RCE path requires an Apache Portable Runtime (APR
> <https://apr.apache.org/>) with the mmap allocator, which is the default
> on Debian-derived systems and on the official httpd Docker image. ...
>
> *The first is denial-of-service, which is trivial: one TCP connection, two
> frames, no authentication, no special headers, no specific URL, and the
> worker crashes. Apache respawns it, but every request on the crashed worker
> is dropped, and the pattern can be sustained as long as the attacker keeps
> sending.*
>
> Can someone pls init the updates for all releases, thanks.
>
> Best regards,
>
> Marius Schwarz
>
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://forge.fedoraproject.org/infra/tickets/issues/new
>

--
Jonathan Wright
AlmaLinux OS Foundation
Mattermost: chat <https://chat.almalinux.org/almalinux/messages/@jonathan>
