Version in base suite: 2.4.66-1~deb12u1 Base version: apache2_2.4.66-1~deb12u1 Target version: apache2_2.4.66-1~deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/apache2/apache2_2.4.66-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/apache2/apache2_2.4.66-1~deb12u2.dsc changelog | 8 ++ patches/bug1125368.patch | 102 ++++++++++++++++++++++++++++++++ patches/old-memory-handling-http2.patch | 48 +++++++++++++++ patches/series | 2 salsa-ci.yml | 2 5 files changed, 162 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp65idfus2/apache2_2.4.66-1~deb12u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp65idfus2/apache2_2.4.66-1~deb12u2.dsc: no acceptable signature found diff -Nru apache2-2.4.66/debian/changelog apache2-2.4.66/debian/changelog --- apache2-2.4.66/debian/changelog 2025-12-05 18:54:44.000000000 +0000 +++ apache2-2.4.66/debian/changelog 2026-01-22 22:03:37.000000000 +0000 @@ -1,3 +1,11 @@ +apache2 (2.4.66-1~deb12u2) bookworm; urgency=medium + + * Team upload + * Fix a regression on http2 + (Closes: #1125713, #1125368, #1126177, #1128831) + + -- Bastien Roucariès Thu, 22 Jan 2026 23:03:37 +0100 + apache2 (2.4.66-1~deb12u1) bookworm; urgency=medium * Team upload diff -Nru apache2-2.4.66/debian/patches/bug1125368.patch apache2-2.4.66/debian/patches/bug1125368.patch --- apache2-2.4.66/debian/patches/bug1125368.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.66/debian/patches/bug1125368.patch 2026-01-22 22:03:37.000000000 +0000 @@ -0,0 +1,102 @@ +From: Stefan Eissing +Date: Thu, 11 Dec 2025 08:45:15 +0000 +Subject: *) mod_http2: update to version 2.0.37 Prevent double purge of a + stream, resulting in a double free. Fixes PR 69899. + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930444 13f79535-47bb-0310-9956-ffa450edef68 + +origin: https://github.com/apache/httpd/commit/542e0da07048d3934ef18c22b44cf8d62e64067f +bug-debian: https://bugs.debian.org/1125368 +bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=69899 +--- + changes-entries/h2_v2.0.37.txt | 4 ++++ + modules/http2/h2_mplx.c | 23 ++++++++++++++++++----- + modules/http2/h2_version.h | 4 ++-- + 3 files changed, 24 insertions(+), 7 deletions(-) + create mode 100644 changes-entries/h2_v2.0.37.txt + +diff --git a/changes-entries/h2_v2.0.37.txt b/changes-entries/h2_v2.0.37.txt +new file mode 100644 +index 0000000..8f22cde +--- /dev/null ++++ b/changes-entries/h2_v2.0.37.txt +@@ -0,0 +1,4 @@ ++ *) mod_http2: update to version 2.0.37 ++ Prevent double purge of a stream, resulting in a double free. ++ Fixes PR 69899. ++ [Stefan Eissing] +diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c +index f9616ab..75518f4 100644 +--- a/modules/http2/h2_mplx.c ++++ b/modules/http2/h2_mplx.c +@@ -126,12 +126,24 @@ int h2_mplx_c1_stream_is_running(h2_mplx *m, h2_stream *stream) + return rv; + } + ++static int add_for_purge(h2_mplx *m, h2_stream *stream) ++{ ++ int i; ++ for (i = 0; i < m->spurge->nelts; ++i) { ++ h2_stream *s = APR_ARRAY_IDX(m->spurge, i, h2_stream*); ++ if (s == stream) /* already scheduled for purging */ ++ return FALSE; ++ } ++ APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream; ++ return TRUE; ++} ++ + static void c1c2_stream_joined(h2_mplx *m, h2_stream *stream) + { + ap_assert(!stream_is_running(stream)); + + h2_ihash_remove(m->shold, stream->id); +- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream; ++ add_for_purge(m, stream); + } + + static void m_stream_cleanup(h2_mplx *m, h2_stream *stream) +@@ -164,7 +176,7 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream) + ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1, + H2_STRM_MSG(stream, "cleanup, c2 is done, move to spurge")); + /* processing has finished */ +- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream; ++ add_for_purge(m, stream); + } + else { + ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1, +@@ -178,9 +190,10 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream) + } + else { + /* never started */ +- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1, +- H2_STRM_MSG(stream, "cleanup, never started, move to spurge")); +- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream; ++ int added = add_for_purge(m, stream); ++ if (added) ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1, ++ H2_STRM_MSG(stream, "cleanup, never started, move to spurge")); + } + } + +diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h +index 8d38c34..8bcaf69 100644 +--- a/modules/http2/h2_version.h ++++ b/modules/http2/h2_version.h +@@ -27,7 +27,7 @@ + * @macro + * Version number of the http2 module as c string + */ +-#define MOD_HTTP2_VERSION "2.0.35" ++#define MOD_HTTP2_VERSION "2.0.37" + + /** + * @macro +@@ -35,7 +35,7 @@ + * release. This is a 24 bit number with 8 bits for major number, 8 bits + * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. + */ +-#define MOD_HTTP2_VERSION_NUM 0x020023 ++#define MOD_HTTP2_VERSION_NUM 0x020025 + + + #endif /* mod_h2_h2_version_h */ diff -Nru apache2-2.4.66/debian/patches/old-memory-handling-http2.patch apache2-2.4.66/debian/patches/old-memory-handling-http2.patch --- apache2-2.4.66/debian/patches/old-memory-handling-http2.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.66/debian/patches/old-memory-handling-http2.patch 2026-01-22 22:03:37.000000000 +0000 @@ -0,0 +1,48 @@ +From: Thorsten Glaser +Date: Sun, 1 Mar 2026 18:04:39 +0100 +Subject: Fix http2 segfault + +origin: from https://github.com/icing/mod_h2/issues/313#issuecomment-3834622658 +--- + modules/http2/h2_session.c | 22 +++------------------- + 1 file changed, 3 insertions(+), 19 deletions(-) + +diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c +index 21ede5c..dda6c77 100644 +--- a/modules/http2/h2_session.c ++++ b/modules/http2/h2_session.c +@@ -111,31 +111,15 @@ static void cleanup_unprocessed_streams(h2_session *session) + h2_mplx_c1_streams_do(session->mplx, rst_unprocessed_stream, session); + } + +-/* APR callback invoked if allocation fails. */ +-static int abort_on_oom(int retcode) +-{ +- ap_abort_on_oom(); +- return retcode; /* unreachable, hopefully. */ +-} +- + static h2_stream *h2_session_open_stream(h2_session *session, int stream_id, + int initiated_on) + { + h2_stream * stream; +- apr_allocator_t *allocator; + apr_pool_t *stream_pool; +- apr_status_t rv; +- +- rv = apr_allocator_create(&allocator); +- if (rv != APR_SUCCESS) +- return NULL; +- +- apr_allocator_max_free_set(allocator, ap_max_mem_free); +- apr_pool_create_ex(&stream_pool, session->pool, NULL, allocator); +- apr_allocator_owner_set(allocator, stream_pool); +- apr_pool_abort_set(abort_on_oom, stream_pool); ++ ++ apr_pool_create(&stream_pool, session->pool); + apr_pool_tag(stream_pool, "h2_stream"); +- ++ + stream = h2_stream_create(stream_id, stream_pool, session, + session->monitor, initiated_on); + if (stream) { diff -Nru apache2-2.4.66/debian/patches/series apache2-2.4.66/debian/patches/series --- apache2-2.4.66/debian/patches/series 2025-12-05 18:54:44.000000000 +0000 +++ apache2-2.4.66/debian/patches/series 2026-01-22 22:03:37.000000000 +0000 @@ -5,3 +5,5 @@ build_suexec-custom.patch reproducible_builds.diff fix-macro.patch +bug1125368.patch +old-memory-handling-http2.patch diff -Nru apache2-2.4.66/debian/salsa-ci.yml apache2-2.4.66/debian/salsa-ci.yml --- apache2-2.4.66/debian/salsa-ci.yml 2025-12-05 10:21:29.000000000 +0000 +++ apache2-2.4.66/debian/salsa-ci.yml 2026-01-22 22:03:37.000000000 +0000 @@ -2,3 +2,5 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml +variables: + RELEASE: 'bookworm'