Red Hat Product Errata RHSA-2025:14625 - Security Advisory
Issued:
2025-08-26
Updated:
2025-08-26

RHSA-2025:14625 - Security Advisory

Synopsis

Moderate: mod_http2 security update

Type/Severity

Security Advisory: Moderate

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for mod_http2 is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.

Security Fix(es):

  • httpd: mod_proxy_http2: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module (CVE-2025-49630)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 10 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 10 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian 10 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 10 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes

  • BZ - 2374578 - CVE-2025-49630 httpd: mod_proxy_http2: untrusted input from a client causes an assertion to fail in the Apache mod_proxy_http2 module

Red Hat Enterprise Linux for x86_64 10

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
x86_64
mod_http2-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: cc34da1fda5f5e8a79b94867d0d792703235f7c355931b37c3e61c0c2e71a972
mod_http2-debuginfo-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: d3b1dcb152df3025f52f8cde62b5775cc4bb85eca96615be879b12bfefc83e6d
mod_http2-debugsource-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: 3c7b0de6fd06b0d2932142fde4dac0c4aaef582a7d5a2692a195c40e08319d8a

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
x86_64
mod_http2-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: cc34da1fda5f5e8a79b94867d0d792703235f7c355931b37c3e61c0c2e71a972
mod_http2-debuginfo-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: d3b1dcb152df3025f52f8cde62b5775cc4bb85eca96615be879b12bfefc83e6d
mod_http2-debugsource-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: 3c7b0de6fd06b0d2932142fde4dac0c4aaef582a7d5a2692a195c40e08319d8a

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
s390x
mod_http2-2.0.29-2.el10_0.1.s390x.rpm SHA-256: a89c902258f2a3187d544ca06ee6dde72415631811864b4e7a25b3f44eac5e16
mod_http2-debuginfo-2.0.29-2.el10_0.1.s390x.rpm SHA-256: 0ce1a4c5891090b6f9a869d112ff51b8755957e57b9a492b58f4d8dd1d67cd26
mod_http2-debugsource-2.0.29-2.el10_0.1.s390x.rpm SHA-256: 394b01d6ae5db478ddb1ef20b62b076e831d078106b0ea57f9f59860c6f0dec1

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
s390x
mod_http2-2.0.29-2.el10_0.1.s390x.rpm SHA-256: a89c902258f2a3187d544ca06ee6dde72415631811864b4e7a25b3f44eac5e16
mod_http2-debuginfo-2.0.29-2.el10_0.1.s390x.rpm SHA-256: 0ce1a4c5891090b6f9a869d112ff51b8755957e57b9a492b58f4d8dd1d67cd26
mod_http2-debugsource-2.0.29-2.el10_0.1.s390x.rpm SHA-256: 394b01d6ae5db478ddb1ef20b62b076e831d078106b0ea57f9f59860c6f0dec1

Red Hat Enterprise Linux for Power, little endian 10

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
ppc64le
mod_http2-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: c97d8f9f25cbc8ae5ece8e9b8330c8a715bab1223fd1ce1254e8bccee5c08c5a
mod_http2-debuginfo-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: f36336505968ad8845164b2b1e7e5048ab7e3239adf228475d216d68fbbbdf26
mod_http2-debugsource-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: a9c591d68c10a9abc1559cd7b44973386a0be705fae27935b77edcfec04cbf1e

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
ppc64le
mod_http2-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: c97d8f9f25cbc8ae5ece8e9b8330c8a715bab1223fd1ce1254e8bccee5c08c5a
mod_http2-debuginfo-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: f36336505968ad8845164b2b1e7e5048ab7e3239adf228475d216d68fbbbdf26
mod_http2-debugsource-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: a9c591d68c10a9abc1559cd7b44973386a0be705fae27935b77edcfec04cbf1e

Red Hat Enterprise Linux for ARM 64 10

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
aarch64
mod_http2-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: b17f67ff3530fdaa78ab0711190b488604b898f721f84f9a02421c2ae7e6a689
mod_http2-debuginfo-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: 22b5e14dee9788aa1e2d619883555fb983045ffcd63db79507d3a0d5dd42595e
mod_http2-debugsource-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: 46b681be94d107e7f7c20ef6b5236ffb222de6cb3472273c2cd0286672491689

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
aarch64
mod_http2-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: b17f67ff3530fdaa78ab0711190b488604b898f721f84f9a02421c2ae7e6a689
mod_http2-debuginfo-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: 22b5e14dee9788aa1e2d619883555fb983045ffcd63db79507d3a0d5dd42595e
mod_http2-debugsource-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: 46b681be94d107e7f7c20ef6b5236ffb222de6cb3472273c2cd0286672491689

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
aarch64
mod_http2-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: b17f67ff3530fdaa78ab0711190b488604b898f721f84f9a02421c2ae7e6a689
mod_http2-debuginfo-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: 22b5e14dee9788aa1e2d619883555fb983045ffcd63db79507d3a0d5dd42595e
mod_http2-debugsource-2.0.29-2.el10_0.1.aarch64.rpm SHA-256: 46b681be94d107e7f7c20ef6b5236ffb222de6cb3472273c2cd0286672491689

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
s390x
mod_http2-2.0.29-2.el10_0.1.s390x.rpm SHA-256: a89c902258f2a3187d544ca06ee6dde72415631811864b4e7a25b3f44eac5e16
mod_http2-debuginfo-2.0.29-2.el10_0.1.s390x.rpm SHA-256: 0ce1a4c5891090b6f9a869d112ff51b8755957e57b9a492b58f4d8dd1d67cd26
mod_http2-debugsource-2.0.29-2.el10_0.1.s390x.rpm SHA-256: 394b01d6ae5db478ddb1ef20b62b076e831d078106b0ea57f9f59860c6f0dec1

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
ppc64le
mod_http2-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: c97d8f9f25cbc8ae5ece8e9b8330c8a715bab1223fd1ce1254e8bccee5c08c5a
mod_http2-debuginfo-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: f36336505968ad8845164b2b1e7e5048ab7e3239adf228475d216d68fbbbdf26
mod_http2-debugsource-2.0.29-2.el10_0.1.ppc64le.rpm SHA-256: a9c591d68c10a9abc1559cd7b44973386a0be705fae27935b77edcfec04cbf1e

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0

SRPM
mod_http2-2.0.29-2.el10_0.1.src.rpm SHA-256: cead8804a1e7b23661e58ae5ee6ad714fb39e7a991a1d19e95e633ad0c8a98af
x86_64
mod_http2-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: cc34da1fda5f5e8a79b94867d0d792703235f7c355931b37c3e61c0c2e71a972
mod_http2-debuginfo-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: d3b1dcb152df3025f52f8cde62b5775cc4bb85eca96615be879b12bfefc83e6d
mod_http2-debugsource-2.0.29-2.el10_0.1.x86_64.rpm SHA-256: 3c7b0de6fd06b0d2932142fde4dac0c4aaef582a7d5a2692a195c40e08319d8a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.