microsoft · azurelinux-security · Apr 23, 2026
@@ -0,0 +1,61 @@
+From b520b9a5a61230deb6bd5aeb6554edc1caa776e1 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 23 Apr 2026 04:57:57 +0000
+Subject: [PATCH] inets: Check script_alias when using mod_auth
+
+- Update mod_alias: which_alias() now also returns script_alias entries so mod_auth checks directories against real script locations.
+- Add explanatory note in httpd.xml under script_alias about using real filesystem paths for directory-based authentication when script_alias is used.
+- Add comments in mod_alias.erl clarifying behavior with mod_auth.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c.patch
+---
+ lib/inets/doc/src/httpd.xml             | 4 ++++
+ lib/inets/src/http_server/mod_alias.erl | 9 ++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/lib/inets/doc/src/httpd.xml b/lib/inets/doc/src/httpd.xml
+index 118d38b..a48532e 100644
+--- a/lib/inets/doc/src/httpd.xml
++++ b/lib/inets/doc/src/httpd.xml
+@@ -527,6 +527,10 @@ Transport: TLS
+ 	<p>Access to http://your.server.org/cgi-bin/foo would cause
+ 	the server to run the script /web/cgi-bin/foo.</p>
+       </item>
++        <note><p>When using <c>script_alias</c> with directory-based authentication
++            <seeerl marker="#prop_dri">directory</seeerl>, ensure that authentication
++            rules reference the actual filesystem path (RealName), not the URL path (Alias).
++            The server correctly resolves script_alias paths for authentication checks.</p></note>
+
+       <tag><marker id="prop_script_re_write"></marker>{script_re_write, {Re, Replacement}}</tag>
+       <item>
+diff --git a/lib/inets/src/http_server/mod_alias.erl b/lib/inets/src/http_server/mod_alias.erl
+index ef6e928..020dc70 100644
+--- a/lib/inets/src/http_server/mod_alias.erl
++++ b/lib/inets/src/http_server/mod_alias.erl
+@@ -248,6 +248,12 @@ store({re_write, {Re, Replacement}} = Conf, _)
+     end;
+ store({re_write, _} = Conf, _) ->
+     {error, {wrong_type, Conf}};
++
++% When `script_alias` is used in conjunction with `m:mod_auth` for directory-based
++% access control, authentication rules are evaluated against the actual filesystem
++% path where scripts reside, not the aliased URL path. This ensures that CGI scripts
++% mapped outside the document root are properly protected by directory authentication
++% directives.
+ store({script_alias, {Fake, Real}} = Conf, _) 
+   when is_list(Fake), is_list(Real) ->
+     {ok, Conf};
+@@ -275,7 +281,8 @@ is_directory_index_list(_) ->
+ %% ---------------------------------------------------------------------
+
+ which_alias(ConfigDB) ->
+-    httpd_util:multi_lookup(ConfigDB, alias). 
++    httpd_util:multi_lookup(ConfigDB, alias) ++
++        httpd_util:multi_lookup(ConfigDB, script_alias).
+
+ which_server_name(ConfigDB) ->
+     httpd_util:lookup(ConfigDB, server_name).
+-- 
+2.45.4
+
@@ -2,7 +2,7 @@
 Summary:        erlang
 Name:           erlang
 Version:        25.3.2.21
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,6 +22,7 @@ Patch4:         CVE-2025-48039.patch
 Patch5:         CVE-2026-23941.patch
 Patch6:         CVE-2026-23942.patch
 Patch7:         CVE-2026-23943.patch
+Patch8:         CVE-2026-28808.patch
 
 %description
 erlang programming language
@@ -55,6 +56,9 @@ make
 %{_libdir}/erlang/*
 
 %changelog
+* Thu Apr 23 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 25.3.2.21-6
+- Patch for CVE-2026-28808
+
 * Mon Mar 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 25.3.2.21-5
 - Patch for CVE-2026-23943, CVE-2026-23942, CVE-2026-23941