import httpd-2.4.37-39.module+el8.4.0+12865+a7065a39.1

SOURCES/httpd-2.4.37-CVE-2021-26691.patch

@@ -0,0 +1,13 @@
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 049255d..af70f6b 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+     int *count = v;
+-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+     return 1;
+ }
+ 

SOURCES/httpd-2.4.37-CVE-2021-40438.patch

@@ -0,0 +1,29 @@
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index f383996..6a9ef55 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1717,7 +1717,8 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
+      * the UDS path... ignore it
+      */
+     if (!strncasecmp(url, "unix:", 5) &&
+-        ((ptr = ap_strchr_c(url, '|')) != NULL)) {
++        ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
++
+         /* move past the 'unix:...|' UDS path info */
+         const char *ret, *c;
+ 
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 7714b6c..421f910 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2090,8 +2090,8 @@ static void fix_uds_filename(request_rec *r, char **url)
+     if (!r || !r->filename) return;
+ 
+     if (!strncmp(r->filename, "proxy:", 6) &&
+-            (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
+-            (ptr = ap_strchr(ptr2, '|'))) {
++            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
++            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
+         apr_uri_t urisock;
+         apr_status_t rv;
+         *ptr = '\0';

SPECS/httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 39%{?dist}
+Release: 39%{?dist}.1
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@@ -179,6 +179,10 @@ Patch209: httpd-2.4.37-CVE-2020-1934.patch
 Patch210: httpd-2.4.37-CVE-2018-17199.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1866563
 Patch211: httpd-2.4.37-CVE-2020-11984.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2005117
+Patch212: httpd-2.4.37-CVE-2021-40438.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1966732
+Patch213: httpd-2.4.37-CVE-2021-26691.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -365,6 +369,8 @@ interface for storing and accessing per-user session data.
 %patch209 -p1 -b .CVE-2020-1934
 %patch210 -p1 -b .CVE-2018-17199
 %patch211 -p1 -b .CVE-2020-11984
+%patch212 -p1 -b .CVE-2021-40438
+%patch213 -p1 -b .CVE-2021-26691
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -867,6 +873,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-39.1
+- Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
+  a crafted request uri-path
+- Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
+  mod_session
+
 * Tue Jan 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 2.4.37-39
 - prevent htcacheclean from while break when first file processed