diff --git a/SPECS/erlang/CVE-2026-28808.patch b/SPECS/erlang/CVE-2026-28808.patch
new file mode 100644
index 00000000000..d829ccf21c0
--- /dev/null
+++ b/SPECS/erlang/CVE-2026-28808.patch
@@ -0,0 +1,61 @@
+From b520b9a5a61230deb6bd5aeb6554edc1caa776e1 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 23 Apr 2026 04:57:57 +0000
+Subject: [PATCH] inets: Check script_alias when using mod_auth
+
+- Update mod_alias: which_alias() now also returns script_alias entries so mod_auth checks directories against real script locations.
+- Add explanatory note in httpd.xml under script_alias about using real filesystem paths for directory-based authentication when script_alias is used.
+- Add comments in mod_alias.erl clarifying behavior with mod_auth.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c.patch
+---
+ lib/inets/doc/src/httpd.xml | 4 ++++
+ lib/inets/src/http_server/mod_alias.erl | 9 ++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/lib/inets/doc/src/httpd.xml b/lib/inets/doc/src/httpd.xml
+index 118d38b..a48532e 100644
+--- a/lib/inets/doc/src/httpd.xml
++++ b/lib/inets/doc/src/httpd.xml
+@@ -527,6 +527,10 @@ Transport: TLS
+

Access to http://your.server.org/cgi-bin/foo would cause + the server to run the script /web/cgi-bin/foo.

+ ++

When using script_alias with directory-based authentication ++ directory, ensure that authentication ++ rules reference the actual filesystem path (RealName), not the URL path (Alias). ++ The server correctly resolves script_alias paths for authentication checks.

+
+ {script_re_write, {Re, Replacement}}
+
+diff --git a/lib/inets/src/http_server/mod_alias.erl b/lib/inets/src/http_server/mod_alias.erl
+index ef6e928..020dc70 100644
+--- a/lib/inets/src/http_server/mod_alias.erl
++++ b/lib/inets/src/http_server/mod_alias.erl
+@@ -248,6 +248,12 @@ store({re_write, {Re, Replacement}} = Conf, _)
+ end;
+ store({re_write, _} = Conf, _) ->
+ {error, {wrong_type, Conf}};
++
++% When `script_alias` is used in conjunction with `m:mod_auth` for directory-based
++% access control, authentication rules are evaluated against the actual filesystem
++% path where scripts reside, not the aliased URL path. This ensures that CGI scripts
++% mapped outside the document root are properly protected by directory authentication
++% directives.
+ store({script_alias, {Fake, Real}} = Conf, _)
+ when is_list(Fake), is_list(Real) ->
+ {ok, Conf};
+@@ -275,7 +281,8 @@ is_directory_index_list(_) ->
+ %% ---------------------------------------------------------------------
+
+ which_alias(ConfigDB) ->
+- httpd_util:multi_lookup(ConfigDB, alias).
++ httpd_util:multi_lookup(ConfigDB, alias)
++ ++ httpd_util:multi_lookup(ConfigDB, script_alias).
+
+ which_server_name(ConfigDB) ->
+ httpd_util:lookup(ConfigDB, server_name).
+--
+2.45.4
+
diff --git a/SPECS/erlang/erlang.spec b/SPECS/erlang/erlang.spec
index 50b694584da..dc1d0d4733f 100644
--- a/SPECS/erlang/erlang.spec
+++ b/SPECS/erlang/erlang.spec
@@ -2,7 +2,7 @@ Summary: erlang
 Name: erlang
 Version: 25.3.2.21
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -22,6 +22,7 @@ Patch4: CVE-2025-48039.patch
 Patch5: CVE-2026-23941.patch
 Patch6: CVE-2026-23942.patch
 Patch7: CVE-2026-23943.patch
+Patch8: CVE-2026-28808.patch
 %description
 erlang programming language
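Review bot: The five-line `%` comment added above `store({script_alias, {Fake, Real}} = Conf, _)` in the first mod_alias.erl hunk (whose opening `end;` belongs to a store/2 clause that begins outside the hunk) describes a behaviour that actually lives in `which_alias/1` in the second hunk, where the real change — appending the `script_alias` entries to the `alias` list — carries no comment at all; it would read better moved directly above `which_alias/1` and trimmed to that function's new contract, e.g. `%% Aliases consulted for URI-to-path mapping; script_alias entries are included so that directory-based mod_auth rules are checked against the real script location rather than the aliased URL.` The file's visible comment convention is `%%` (the `%% ----` separator line), while the new comment uses a single `%`. Since the callers of which_alias/1 are outside this patch, the stated effect on mod_auth presumably depends on those callers walking the returned list in order, and with plain `alias` entries placed first an `alias` prefix overlapping a `script_alias` prefix would still win, so the ordering is worth confirming against the referenced upstream commit 9dfa0c51 given this is marked as an AI backport. A regression test reaching an authenticated directory through a script_alias would make the fix verifiable; the 61-line patch adds none.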
@@ -55,6 +56,9 @@ make %{_libdir}/erlang/* %changelog +* Thu Apr 23 2026 Azure Linux Security Servicing Account - 25.3.2.21-6 +- Patch for CVE-2026-28808 + * Mon Mar 16 2026 Azure Linux Security Servicing Account - 25.3.2.21-5 - Patch for CVE-2026-23943, CVE-2026-23942, CVE-2026-23941