From eeec984029758e20ec66ef19f916bf834ebc1e1e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Wed, 22 Jun 2022 05:24:53 -0400
Subject: [PATCH] import httpd-2.4.37-47.module+el8.6.0+15654+427eba2e.2

---
 SOURCES/httpd-2.4.37-CVE-2020-13950.patch | 12 ++++++++++++
 SPECS/httpd.spec                          |  9 ++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/httpd-2.4.37-CVE-2020-13950.patch

diff --git a/SOURCES/httpd-2.4.37-CVE-2020-13950.patch b/SOURCES/httpd-2.4.37-CVE-2020-13950.patch
new file mode 100644
index 0000000..419a635
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2020-13950.patch
@@ -0,0 +1,12 @@
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 5786ea8..7da9bde 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -637,7 +637,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+                       "chunked body with Content-Length (C-L ignored)",
+                       c->client_ip, c->remote_host ? c->remote_host: "");
+         req->old_cl_val = NULL;
+-        origin->keepalive = AP_CONN_CLOSE;
+         p_conn->close = 1;
+     }
+ 
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index daa6a90..866e4cf 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 47%{?dist}.1
+Release: 47%{?dist}.2
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@@ -216,6 +216,8 @@ Patch221: httpd-2.4.37-CVE-2021-44790.patch
 Patch222: httpd-2.4.37-CVE-2021-44224.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2064321
 Patch223: httpd-2.4.37-CVE-2022-22720.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1966738
+Patch224: httpd-2.4.37-CVE-2020-13950.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -421,6 +423,7 @@ interface for storing and accessing per-user session data.
 %patch221 -p1 -b .CVE-2021-44790
 %patch222 -p1 -b .CVE-2021-44224
 %patch223 -p1 -b .CVE-2022-22720
+%patch224 -p1 -b .CVE-2020-13950
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -926,6 +929,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Jun 15 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-47.2
+- Resolves: #2097247 - CVE-2020-13950 httpd:2.4/httpd: mod_proxy NULL pointer
+  dereference
+
 * Mon Mar 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-47.1
 - Resolves: #2065248 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling
   vulnerability in Apache HTTP Server 2.4.52 and earlier