Version in base suite: 2.4.67-1~deb13u2 Base version: apache2_2.4.67-1~deb13u2 Target version: apache2_2.4.67-1~deb13u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/apache2/apache2_2.4.67-1~deb13u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/apache2/apache2_2.4.67-1~deb13u3.dsc changelog | 11 +++++++++++ patches/CVE-2026-49975_1.patch | 26 ++++++++++++++++++++++++++ patches/CVE-2026-49975_2.patch | 24 ++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 63 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpa05wqn7x/apache2_2.4.67-1~deb13u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpa05wqn7x/apache2_2.4.67-1~deb13u3.dsc: no acceptable signature found
diff -Nru apache2-2.4.67/debian/changelog apache2-2.4.67/debian/changelog
--- apache2-2.4.67/debian/changelog 2026-05-06 09:07:41.000000000 +0000
+++ apache2-2.4.67/debian/changelog 2026-06-05 10:55:53.000000000 +0000
@@ -1,3 +1,14 @@
+apache2 (2.4.67-1~deb13u3) trixie-security; urgency=medium
+
+ * Fix CVE-2026-49975 (HTTP/2 Bomb)
+ The bomb targets HPACK, HTTP/2's header compression
+ scheme: one byte on the wire becomes one full header
+ allocation on the server, repeated thousands of times
+ per request. The hold is a zero-byte flow-control
+ window that keeps the server from ever freeing any of it.
+
+ -- Bastien Roucariès Fri, 05 Jun 2026 12:55:53 +0200
+
 apache2 (2.4.67-1~deb13u2) trixie-security; urgency=medium
 * Rebuild for trixie-security
diff -Nru apache2-2.4.67/debian/patches/CVE-2026-49975_1.patch apache2-2.4.67/debian/patches/CVE-2026-49975_1.patch
--- apache2-2.4.67/debian/patches/CVE-2026-49975_1.patch 1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.67/debian/patches/CVE-2026-49975_1.patch 2026-06-05 10:53:21.000000000 +0000
@@ -0,0 +1,26 @@
+From: Stefan Eissing
+Date: Wed, 27 May 2026 10:50:32 +0200
+Subject: cookie reqest header counting
+
+Account merged cookie headers as an "add" to keep LimitRequestFields effective.
+
+origin: backport, https://github.com/icing/mod_h2/commit/cb7cd2eec3b6ef02dea62d77de2a38a108af66ee
+bug: https://github.com/icing/mod_h2/pull/324
+bug-security: https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
+---
+ modules/http2/h2_util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/modules/http2/h2_util.c b/modules/http2/h2_util.c
+index b377ff7..b265bc9 100644
+--- a/modules/http2/h2_util.c
++++ b/modules/http2/h2_util.c
+@@ -1719,6 +1719,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+ apr_table_setn(headers, "Cookie",
+ apr_psprintf(pool, "%s; %.*s", existing,
+ (int)nv->valuelen, nv->value));
++ /* Treat the merge as an "add" to not escape LimitRequestFields */
++ *pwas_added = 1;
+ return APR_SUCCESS;
+ }
+ }
diff -Nru apache2-2.4.67/debian/patches/CVE-2026-49975_2.patch apache2-2.4.67/debian/patches/CVE-2026-49975_2.patch
--- apache2-2.4.67/debian/patches/CVE-2026-49975_2.patch 1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.67/debian/patches/CVE-2026-49975_2.patch 2026-06-05 10:53:21.000000000 +0000
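Review bot: The added `*pwas_added = 1` makes LimitRequestFields the only bound on how many Cookie headers get folded together, yet the apr_psprintf on the lines just above rebuilds the entire accumulated value on every merge, and pool allocations are not returned until the pool is cleared, so the memory consumed by N merged Cookie headers grows with the sum of all intermediate lengths rather than with the final length alone. The added comment should say what is actually being bounded, e.g. `/* Each merge copies the whole accumulated Cookie into the pool; counting it as an add lets LimitRequestFields bound that growth */`. The Subject line of the embedded patch misspells "request" as "reqest". req_add_header starts and ends outside the hunk.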
@@ -0,0 +1,24 @@
+From: Stefan Eissing
+Date: Wed, 27 May 2026 11:05:44 +0200
+Subject: ignore duplicate empty cookie headers
+
+origin: backport, https://github.com/icing/mod_h2/commit/b5c211e7010d31224ac2621664479177314aec96
+bug: https://github.com/icing/mod_h2/pull/324
+bug-security: https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
+---
+ modules/http2/h2_util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/modules/http2/h2_util.c b/modules/http2/h2_util.c
+index b265bc9..b303945 100644
+--- a/modules/http2/h2_util.c
++++ b/modules/http2/h2_util.c
+@@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
+ && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) {
+ existing = apr_table_get(headers, "cookie");
+ if (existing) {
++ if (!nv->valuelen)
++ return APR_SUCCESS;
+ /* Cookie header come separately in HTTP/2, but need
+ * to be merged by "; " (instead of default ", ")
+ */
diff -Nru apache2-2.4.67/debian/patches/series apache2-2.4.67/debian/patches/series
--- apache2-2.4.67/debian/patches/series 2026-05-06 09:07:33.000000000 +0000
+++ apache2-2.4.67/debian/patches/series 2026-06-05 10:53:51.000000000 +0000
@@ -5,3 +5,5 @@
 build_suexec-custom.patch
 reproducible_builds.diff
 fix-macro.patch
+CVE-2026-49975_1.patch
+CVE-2026-49975_2.patch
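Review bot: The early `return APR_SUCCESS` for an empty value runs before the `*pwas_added = 1` that CVE-2026-49975_1.patch sets after the merge (its index line b265bc9 is this patch's base), so empty duplicate Cookie headers are discarded without counting toward LimitRequestFields; that is presumably deliberate because nothing is allocated for them, but the two bare lines deserve a comment stating it, e.g. `/* Empty duplicate Cookie: nothing to merge, drop it without allocating or counting it */`. The check is reached only when a Cookie value already exists, so a first Cookie header with an empty value appears to still be stored by the path below the hunk; whether that is intended is not visible here. req_add_header starts and ends outside the hunk.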