maintainer-feedback requested: [Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 04 Jun 2026 07:36:04 UTC

Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-apache (Nobody)
<apache@FreeBSD.org> for maintainer-feedback:
Bug 295842: www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295842



--- Description ---
There is a new vulnerability in Apache HTTPD:
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

Assigned CVE: CVE-2026-49975

Patch:
https://github.com/apache/httpd/commit/47d3100b252dc6668a9e46ae885242be9eeca9cd

We've built and tested the patch locally: The build worked fine and the CVE is
fixed / Vuln can't be exploited anymore