diff --git a/SOURCES/httpd-2.4.37-CVE-2024-38473.patch b/SOURCES/httpd-2.4.37-CVE-2024-38473.patch
new file mode 100644
index 0000000..7c26944
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2024-38473.patch
@@ -0,0 +1,172 @@
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index a6df1b8..94ec87e 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -968,6 +968,7 @@ static int proxy_fixup(request_rec *r)
+
+ return OK; /* otherwise; we've done the best we can */
+ }
++
+ /* Send a redirection if the request contains a hostname which is not */
+ /* fully qualified, i.e. doesn't have a domain name appended. Some proxy */
+ /* servers like Netscape's allow this and access hosts from the local */
+@@ -1021,7 +1022,7 @@ static int proxy_handler(request_rec *r)
+ ap_get_module_config(sconf, &proxy_module);
+ apr_array_header_t *proxies = conf->proxies;
+ struct proxy_remote *ents = (struct proxy_remote *) proxies->elts;
+- int i, rc, access_status;
++ int rc = DECLINED, access_status, i;
+ int direct_connect = 0;
+ const char *str;
+ apr_int64_t maxfwd;
+@@ -1036,19 +1037,28 @@ static int proxy_handler(request_rec *r)
+ return DECLINED;
+ }
+
+- if (!r->proxyreq) {
+- /* We may have forced the proxy handler via config or .htaccess */
+- if (r->handler &&
+- strncmp(r->handler, "proxy:", 6) == 0 &&
+- strncmp(r->filename, "proxy:", 6) != 0) {
+- r->proxyreq = PROXYREQ_REVERSE;
+- r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
++ /* We may have forced the proxy handler via config or .htaccess */
++ if (!r->proxyreq && r->handler && strncmp(r->handler, "proxy:", 6) == 0) {
++ char *old_filename = r->filename;
++
++ r->proxyreq = PROXYREQ_REVERSE;
++ r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
++
++ /* Still need to fixup/canonicalize r->filename */
++ rc = ap_proxy_fixup_uds_filename(r);
++ if (rc <= OK) {
++ rc = proxy_fixup(r);
+ }
+- else {
+- return DECLINED;
++ if (rc != OK) {
++ r->filename = old_filename;
++ r->proxyreq = 0;
+ }
+- } else if (strncmp(r->filename, "proxy:", 6) != 0) {
+- return DECLINED;
++ }
++ else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
++ rc = OK;
++ }
++ if (rc != OK) {
++ return rc;
+ }
+
+ /* handle max-forwards / OPTIONS / TRACE */
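Review bot: The `if (rc <= OK)` test after `ap_proxy_fixup_uds_filename(r)` is correct only because DECLINED is negative, and the other new call site in ap_proxy_pre_request (proxy_util.c, later in this patch) reads the same return value with `ap_is_HTTP_ERROR(rc)` instead. A comment above the test, for example `/* OK or DECLINED (not a UDS URL): still canonicalize via proxy_fixup() */`, would make the OK / DECLINED / HTTP-error contract readable at the call site. The old guard `strncmp(r->filename, "proxy:", 6) != 0` is also dropped from this branch, so the handler is prepended even when r->filename already carries the prefix; if that is intended, a one-line comment saying why the guard is no longer needed would help the next reader. proxy_handler starts and ends outside the hunk.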
+diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
+index e5c0a26..354f395 100644
+--- a/modules/proxy/mod_proxy.h
++++ b/modules/proxy/mod_proxy.h
+@@ -921,6 +921,14 @@ PROXY_DECLARE(proxy_balancer_shared *) ap_proxy_find_balancershm(ap_slotmem_prov
+ proxy_balancer *balancer,
+ unsigned int *index);
+
++/*
++ * Strip the UDS part of r->filename if any, and put the UDS path in
++ * r->notes ("uds_path")
++ * @param r current request
++ * @return OK if fixed up, DECLINED if not UDS, or an HTTP_XXX error
++ */
++PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r);
++
+ /**
+ * Get the most suitable worker and/or balancer for the request
+ * @param worker worker used for processing request
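Review bot: The new declaration's comment opens with `/*` while the neighbouring declaration uses `/**`, so it will probably be left out of the generated API documentation; it should open with `/**`. Since the function is now exported and its body (proxy_util.c hunk later in this patch) computes `r->filename + 6` on entry and rewrites the string in place with memmove, the comment should state both facts, e.g. `@note r->filename must start with "proxy:" and is modified in place`. It would also help to name the HTTP error that can be returned; the only one visible in this patch is HTTP_BAD_REQUEST.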
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 6626ea0..6244e74 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2098,7 +2098,7 @@ static int ap_proxy_retry_worker(const char *proxy_function, proxy_worker *worke
+ * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
+ * as required.
+ */
+-static int fix_uds_filename(request_rec *r, char **url)
++PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r)
+ {
+ char *uds_url = r->filename + 6, *origin_url;
+
+@@ -2106,7 +2106,6 @@ static int fix_uds_filename(request_rec *r, char **url)
+ !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
+ (origin_url = ap_strchr(uds_url + 5, '|'))) {
+ char *uds_path = NULL;
+- apr_size_t url_len;
+ apr_uri_t urisock;
+ apr_status_t rv;
+
+@@ -2122,21 +2121,20 @@ static int fix_uds_filename(request_rec *r, char **url)
+ if (!uds_path) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
+ "Invalid proxy UDS filename (%s)", r->filename);
+- return 0;
++ return HTTP_BAD_REQUEST;
+ }
+ apr_table_setn(r->notes, "uds_path", uds_path);
+
+- /* Remove the UDS path from *url and r->filename */
+- url_len = strlen(origin_url);
+- *url = apr_pstrmemdup(r->pool, origin_url, url_len);
+- memcpy(uds_url, *url, url_len + 1);
+-
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+- "*: rewrite of url due to UDS(%s): %s (%s)",
+- uds_path, *url, r->filename);
++ "*: fixup UDS from %s: %s (%s)",
++ r->filename, origin_url, uds_path);
++
++ /* Overwrite the UDS part in place */
++ memmove(uds_url, origin_url, strlen(origin_url) + 1);
++ return OK;
+ }
+
+- return 1;
++ return DECLINED;
+ }
+
+ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+@@ -2155,9 +2153,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "%s: found worker %s for %s",
+ (*worker)->s->scheme, (*worker)->s->name, *url);
+- if (!forward && !fix_uds_filename(r, url)) {
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+ access_status = OK;
+ }
+ else if (forward) {
+@@ -2187,9 +2182,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+ * regarding the Connection header in the request.
+ */
+ apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
+- if (!fix_uds_filename(r, url)) {
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+ }
+ }
+ }
+@@ -2199,6 +2191,20 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+ "all workers are busy. Unable to serve %s", *url);
+ access_status = HTTP_SERVICE_UNAVAILABLE;
+ }
++
++ if (access_status == OK && r->proxyreq == PROXYREQ_REVERSE) {
++ int rc = ap_proxy_fixup_uds_filename(r);
++ if (ap_is_HTTP_ERROR(rc)) {
++ return rc;
++ }
++ /* If the URL has changed in r->filename, take everything after
++ * the "proxy:" prefix.
++ */
++ if (rc == OK) {
++ *url = apr_pstrdup(r->pool, r->filename + 6);
++ }
++ }
++
+ return access_status;
+ }
+
diff --git a/SOURCES/httpd-2.4.37-CVE-2024-38474+.patch b/SOURCES/httpd-2.4.37-CVE-2024-38474+.patch
new file mode 100644
index 0000000..2228924
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2024-38474+.patch
@@ -0,0 +1,439 @@
+diff --git a/docs/manual/mod/mod_rewrite.html.en b/docs/manual/mod/mod_rewrite.html.en
+index 2b8ed35..b7f1c31 100644
+--- a/docs/manual/mod/mod_rewrite.html.en
++++ b/docs/manual/mod/mod_rewrite.html.en
+@@ -1403,6 +1403,16 @@ cannot use $N
in the substitution string!
+
L
flag can be useful in this context to end the
+ current round of mod_rewrite processing.
+
++++Setting this flag is required to allow a rewrite to continue If the ++HTTP request being written has an encoded question mark, '%3f', and the ++rewritten result has a '?' in the substiution. This protects from a malicious ++URL taking advantage of a capture and re-substitution of the encoded ++question mark.
++ ++++Setting this flag is required in server-scoped substitutions ++start with a variable or backreference and resolve to a filesystem path. ++These substitutions are not prefixed with the document root. ++This protects from a malicious URL causing the expanded substitution to ++map to an unexpected filesystem location. ++
++ +Available Languages: en |
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index b71c67c..797f093 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -172,6 +172,8 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_QSLAST (1<<19)
+ #define RULEFLAG_QSNONE (1<<20) /* programattic only */
+ #define RULEFLAG_ESCAPECTLS (1<<21)
++#define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22)
++#define RULEFLAG_UNSAFE_ALLOW3F (1<<23)
+
+ /* return code of the rewrite rule
+ * the result may be escaped - or not
+@@ -179,7 +181,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define ACTION_NORMAL (1<<0)
+ #define ACTION_NOESCAPE (1<<1)
+ #define ACTION_STATUS (1<<2)
+-
++#define ACTION_STATUS_SET (1<<3)
+
+ #define MAPTYPE_TXT (1<<0)
+ #define MAPTYPE_DBM (1<<1)
+@@ -203,6 +205,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define OPTION_IGNORE_INHERIT (1<<8)
+ #define OPTION_IGNORE_CONTEXT_INFO (1<<9)
+ #define OPTION_LEGACY_PREFIX_DOCROOT (1<<10)
++#define OPTION_UNSAFE_PREFIX_STAT (1<<12)
+
+ #ifndef RAND_MAX
+ #define RAND_MAX 32767
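Review bot: `OPTION_UNSAFE_PREFIX_STAT` is defined as `(1<<12)` directly after `OPTION_LEGACY_PREFIX_DOCROOT (1<<10)`, leaving bit 11 unassigned in the lines shown. If the gap is deliberate (for instance to keep the value aligned with a newer upstream release), a trailing comment such as `/* (1<<11) intentionally left unassigned in this backport */` would stop a later patch from treating it as a mistake and renumbering the option.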
+@@ -296,6 +299,14 @@ typedef enum {
+ CONDPAT_AP_EXPR
+ } pattern_type;
+
++typedef enum {
++ RULE_RC_NOMATCH = 0, /* the rule didn't match */
++ RULE_RC_MATCH = 1, /* a matching rule w/ substitution */
++ RULE_RC_NOSUB = 2, /* a matching rule w/ no substitution */
++ RULE_RC_STATUS_SET = 3 /* a matching rule that has set an HTTP error
++ to be returned in r->status */
++} rule_return_type;
++
+ typedef struct {
+ char *input; /* Input string of RewriteCond */
+ char *pattern; /* the RegExp pattern string */
+@@ -927,10 +938,15 @@ static void fully_qualify_uri(request_rec *r)
+ return;
+ }
+
++static int startsWith(request_rec *r, const char *haystack, const char *needle) {
++ int rc = (ap_strstr_c(haystack, needle) == haystack);
++ rewritelog((r, 5, NULL, "prefix_stat startsWith(%s, %s) %d", haystack, needle, rc));
++ return rc;
++}
+ /*
+- * stat() only the first segment of a path
++ * stat() only the first segment of a path, and only if it matches the output of the last matching rule
+ */
+-static int prefix_stat(const char *path, apr_pool_t *pool)
++static int prefix_stat(request_rec *r, const char *path, apr_pool_t *pool, rewriterule_entry *lastsub)
+ {
+ const char *curpath = path;
+ const char *root;
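Review bot: `startsWith()` tests a prefix with `ap_strstr_c(haystack, needle) == haystack`, which searches the whole string for the needle before comparing the position; `strncmp(haystack, needle, strlen(needle)) == 0` expresses the prefix test directly and stops at the first mismatch. The helper has no NULL handling, so it relies on every caller passing non-NULL strings (the callers in the next hunk pass the results of ap_document_root() and ap_context_document_root()). The name and brace placement also differ from the surrounding snake_case functions such as prefix_stat(); `starts_with` with the opening brace on its own line would match the file. prefix_stat's body continues outside the hunk.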
+@@ -964,10 +980,36 @@ static int prefix_stat(const char *path, apr_pool_t *pool)
+ apr_finfo_t sb;
+
+ if (apr_stat(&sb, statpath, APR_FINFO_MIN, pool) == APR_SUCCESS) {
+- return 1;
++ if (!lastsub) {
++ rewritelog((r, 3, NULL, "prefix_stat no lastsub subst prefix %s", statpath));
++ return 1;
++ }
++
++ rewritelog((r, 3, NULL, "prefix_stat compare statpath %s and lastsub output %s STATOK %d ",
++ statpath, lastsub->output, lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT));
++ if (lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT) {
++ return 1;
++ }
++ else {
++ const char *docroot = ap_document_root(r);
++ const char *context_docroot = ap_context_document_root(r);
++ /*
++ * As an example, path (r->filename) is /var/foo/bar/baz.html
++ * even if the flag is not set, we can accept a rule that
++ * began with a literal /var (stapath), or if the entire path
++ * starts with the docroot or context document root
++ */
++ if (startsWith(r, lastsub->output, statpath) ||
++ startsWith(r, path, docroot) ||
++ ((docroot != context_docroot) &&
++ startsWith(r, path, context_docroot))) {
++ return 1;
++ }
++ }
+ }
+ }
+
++ /* prefix will be added */
+ return 0;
+ }
+
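Review bot: The docroot comparisons `startsWith(r, path, docroot)` and `startsWith(r, path, context_docroot)` are plain string-prefix tests, so a path in a sibling directory whose name merely begins with the document root string (constructed example: docroot `/srv/www`, path `/srv/www-old/x`) would be accepted as lying under the docroot, assuming the docroot string has no trailing slash. Because this branch decides whether the rewritten path is used as a filesystem path without the docroot prefix, the test should also require that the match ends on a path boundary, e.g. that `path[strlen(docroot)]` is `'/'` or `'\0'`. The same consideration applies to `startsWith(r, lastsub->output, statpath)`. The example comment also spells the variable `stapath`; it should read `statpath`.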
+@@ -3046,6 +3088,9 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd,
+ else if (!strcasecmp(w, "legacyprefixdocroot")) {
+ options |= OPTION_LEGACY_PREFIX_DOCROOT;
+ }
++ else if (!strcasecmp(w, "UnsafePrefixStat")) {
++ options |= OPTION_UNSAFE_PREFIX_STAT;
++ }
+ else {
+ return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
+ w, "'", NULL);
+@@ -3752,6 +3797,18 @@ static const char *cmd_rewriterule_setflag(apr_pool_t *p, void *_cfg,
+ ++error;
+ }
+ break;
++ case 'u':
++ case 'U':
++ if (!strcasecmp(key, "nsafePrefixStat")){
++ cfg->flags |= (RULEFLAG_UNSAFE_PREFIX_STAT);
++ }
++ else if(!strcasecmp(key, "nsafeAllow3F")) {
++ cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F;
++ }
++ else {
++ ++error;
++ }
++ break;
+ default:
+ ++error;
+ break;
+@@ -4102,7 +4159,8 @@ static APR_INLINE void force_type_handler(rewriterule_entry *p,
+ /*
+ * Apply a single RewriteRule
+ */
+-static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
++static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
++ rewrite_ctx *ctx)
+ {
+ ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
+ apr_array_header_t *rewriteconds;
+@@ -4153,7 +4211,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ rc = !ap_regexec(p->regexp, ctx->uri, AP_MAX_REG_MATCH, regmatch, 0);
+ if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) ||
+ (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) {
+- return 0;
++ return RULE_RC_NOMATCH;
+ }
+
+ /* It matched, wow! Now it's time to prepare the context structure for
+@@ -4204,7 +4262,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ }
+ }
+ else if (!rc) {
+- return 0;
++ return RULE_RC_NOMATCH;
+ }
+
+ /* If some HTTP header was involved in the condition, remember it
+@@ -4224,6 +4282,15 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ newuri = do_expand(p->output, ctx, p);
+ rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,
+ newuri));
++ if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) &&
++ ap_strcasestr(r->unparsed_uri, "%3f") &&
++ ap_strchr_c(newuri, '?')) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
++ "Unsafe URL with %%3f URL rewritten without "
++ "UnsafeAllow3F");
++ r->status = HTTP_FORBIDDEN;
++ return RULE_RC_STATUS_SET;
++ }
+ }
+
+ /* expand [E=var:val] and [CO=