[Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)

Reply: bugzilla-noreply_a_freebsd.org: "maintainer-feedback requested: [Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 295842] www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 04 Jun 2026 07:36:04 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295842

            Bug ID: 295842
           Summary: www/apache24: Patch CVE-2026-49975 (HTTP2 Bomb DoS)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: apache@FreeBSD.org
          Reporter: i.dani@outlook.com
          Assignee: apache@FreeBSD.org
             Flags: maintainer-feedback?(apache@FreeBSD.org)

Created attachment 271469
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=271469&action=edit
Patch CVE-2026-49975

There is a new vulnerability in Apache HTTPD:
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

Assigned CVE: CVE-2026-49975

Patch:
https://github.com/apache/httpd/commit/47d3100b252dc6668a9e46ae885242be9eeca9cd

We've built and tested the patch locally: The build worked fine and the CVE is
fixed / Vuln can't be exploited anymore

-- 
You are receiving this mail because:
You are the assignee for the bug.