From nobody Thu Jun 4 07:36:04 2026 X-Original-To: apache@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gWGZr2XwQz6gBgr for ; Thu, 04 Jun 2026 07:36:04 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gWGZr1t5Wz3lDT for ; Thu, 04 Jun 2026 07:36:04 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780558564; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2nWiTSlI2R+2VZJaUvay+RpWCeDISZ+XCnwl+2ZjYu4=; b=IPU/7e9bskcLVEmFOPXYd2Oqt3SqJKtmgdPL8ADi7hSV6lz/kVF4IYT5kZVIzI8oo2CmWy 5bHlVo3C0ry43sNPoT0N3I8gxrP96XvxluykfsB2sEzzmTENi6xxKLG4OqKnk3jk5YQHc+ qBuQIpeRyvVQVuCLA1r/KiLHMQTliLOUEqHMx3LBinrEwsKWsK9cHrpTeltmkQlG9WlCNY ntM1tAe229UqzfNj6bigIS/hlc+gkaDZ0X2fDRM53X46y71wHDO9x7+cb/Pc10ESYMExHZ kJELEaf0UmZGR+c/6YoIfbQM18ItAoAIB6Y/I8Hb20+BxdcKod5K71ULnoxSyw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780558564; a=rsa-sha256; cv=none; b=ZU2mB/NIGcXrrlk5PHStRr+3ziz+72hwRVRHXapMBZNJ57TDf7qrFLOQYH5jg2viAtK+Vq 0C6b73gM8tot7cg43TBzPnyLReLqLasAhs5Nczib+GjvP8qsIOKMLxHQ5u8CatVz+50LbR Khr2RAnaz4mQtDLrr3kaRnbNXUSpe7+Kok02q2D5ZzqjY574aFifHBUZF3sE2tGshbzg2y MVF+UAX9CJQFDt7FXvDf59wyLofi24I+ahJgCOGq8zr+Fw9b+21ZAqzbGLMKUWBLMWSi4a 2g1GeKrk9UgKOAjBdLOTtKEdfY558aUEfSUkWBAY/igc6Flv97oZIMSuGvVbnw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780558564; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=2nWiTSlI2R+2VZJaUvay+RpWCeDISZ+XCnwl+2ZjYu4=; b=YW2WQY/mov3jVjCI6Kl8SnsTpQq8T7JEXO+CWax6Da+VATXbmmnBGQkH5mcrzvJiw3bdrq Eui9x7Yv7q4PsCuHUuBjCTZH9jGUwLb++imMEe6ppjwhUR4P+17DthOjq/wO8FfdDZFPWr iz0+LQ6dIBddlOKGmyO+ebkhCBhQXu17VKhX0+0+7OsWKrgdUZQa66YHDUfOyL6Tofo8wM Em2yNEWLC7+UoaMEX0CG8x1dDWvgV+Gjuk8tOOu1RfuXt9UVz1LJFLbFn8x8Qjj8BjvWAS d5jyyV77gyfcsdHjTYJmjYluQw09aSheRs7ETbtNyO/sFJLA3Qj94tmd9P2RmQ== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4gWGZr1SSgzpp3 for ; Thu, 04 Jun 2026 07:36:04 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 6547a4p6045959 for ; Thu, 4 Jun 2026 07:36:04 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 6547a4Rs045958 for apache@FreeBSD.org; Thu, 4 Jun 2026 07:36:04 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" From: bugzilla-noreply@freebsd.org To: apache@FreeBSD.org Subject: maintainer-feedback requested: [Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS) Date: Thu, 04 Jun 2026 07:36:04 +0000 X-Bugzilla-Type: request X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: apache@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? Message-ID: In-Reply-To: References: X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Support of apache-related ports List-Archive: https://lists.freebsd.org/archives/freebsd-apache List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-apache@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Bugzilla Automation has asked freebsd-apache (Nobody) for maintainer-feedback: Bug 295842: www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS) https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D295842 --- Description --- There is a new vulnerability in Apache HTTPD: https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb Assigned CVE: CVE-2026-49975 Patch: https://github.com/apache/httpd/commit/47d3100b252dc6668a9e46ae885242be9eec= a9cd We've built and tested the patch locally: The build worked fine and the CVE= is fixed / Vuln can't be exploited anymore