diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/httpd-2.4.37-CVE-2023-25690.patch b/SOURCES/httpd-2.4.37-CVE-2023-25690.patch
new file mode 100644
index 0000000..878d6e6
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2023-25690.patch
@@ -0,0 +1,296 @@
+diff --git a/docs/manual/rewrite/flags.html.en b/docs/manual/rewrite/flags.html.en
+index 80d0759..9673094 100644
+--- a/docs/manual/rewrite/flags.html.en
++++ b/docs/manual/rewrite/flags.html.en
+@@ -85,10 +85,6 @@ of how you might use them.</p>
+ <h2><a name="flag_b" id="flag_b">B (escape backreferences)</a></h2>
+ <p>The [B] flag instructs <code class="directive"><a href="../mod/mod_rewrite.html#rewriterule">RewriteRule</a></code> to escape non-alphanumeric
+ characters before applying the transformation.</p>
+-<p>In 2.4.26 and later, you can limit the escaping to specific characters
+-in backreferences by listing them: <code>[B=#?;]</code>. Note: The space
+-character can be used in the list of characters to escape, but it cannot be
+-the last character in the list.</p>
+
+ <p><code>mod_rewrite</code> has to unescape URLs before mapping them,
+ so backreferences are unescaped at the time they are applied.
+@@ -120,6 +116,16 @@ when the backend may break if presented with an unescaped URL.</p>
+
+ <p>An alternative to this flag is using a <code class="directive"><a href="../mod/mod_rewrite.html#rewritecond">RewriteCond</a></code> to capture against %{THE_REQUEST} which will capture
+ strings in the encoded form.</p>
++
++<p>In 2.4.26 and later, you can limit the escaping to specific characters
++in backreferences by listing them: <code>[B=#?;]</code>. Note: The space
++character can be used in the list of characters to escape, but you must quote
++the entire third argument of <code class="directive"><a href="../mod/mod_rewrite.html#rewriterule">RewriteRule</a></code>
++and the space must not be the last character in the list.</p>
++
++<pre class="prettyprint lang-config"># Escape spaces and question marks.
++RewriteRule "^search/(.*)$" "/search.php?term=$1" "[B= ?]"</pre>
++
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+ <div class="section">
+ <h2><a name="flag_bnp" id="flag_bnp">BNP|backrefnoplus (don't escape space to +)</a></h2>
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 38dbb24..c3937ad 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -168,6 +168,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_END (1<<17)
+ #define RULEFLAG_ESCAPENOPLUS (1<<18)
+ #define RULEFLAG_QSLAST (1<<19)
++#define RULEFLAG_QSNONE (1<<20) /* programattic only */
+
+ /* return code of the rewrite rule
+ * the result may be escaped - or not
+@@ -761,15 +762,24 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
+ ap_escape_uri(p, cp), NULL);
+ }
+
++
+ /*
+ * split out a QUERY_STRING part from
+ * the current URI string
+ */
+-static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+- int qslast)
++static void splitout_queryargs(request_rec *r, int flags)
+ {
+ char *q;
+ int split;
++ int qsappend = flags & RULEFLAG_QSAPPEND;
++ int qsdiscard = flags & RULEFLAG_QSDISCARD;
++ int qslast = flags & RULEFLAG_QSLAST;
++
++ if (flags & RULEFLAG_QSNONE) {
++ rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
++ r->args = NULL;
++ return;
++ }
+
+ /* don't touch, unless it's a scheme for which a query string makes sense.
+ * See RFC 1738 and RFC 2368.
+@@ -794,7 +804,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ olduri = apr_pstrdup(r->pool, r->filename);
+ *q++ = '\0';
+ if (qsappend) {
+- if (*q) {
++ if (*q) {
+ r->args = apr_pstrcat(r->pool, q, "&" , r->args, NULL);
+ }
+ }
+@@ -802,9 +812,9 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ r->args = apr_pstrdup(r->pool, q);
+ }
+
+- if (r->args) {
++ if (r->args) {
+ len = strlen(r->args);
+-
++
+ if (!len) {
+ r->args = NULL;
+ }
+@@ -2733,7 +2743,7 @@ static apr_status_t rewritelock_remove(void *data)
+ * XXX: what an inclined parser. Seems we have to leave it so
+ * for backwards compat. *sigh*
+ */
+-static int parseargline(char *str, char **a1, char **a2, char **a3)
++static int parseargline(char *str, char **a1, char **a2, char **a2_end, char **a3)
+ {
+ char quote;
+
+@@ -2784,8 +2794,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
+
+ if (!*str) {
+ *a3 = NULL; /* 3rd argument is optional */
++ *a2_end = str;
+ return 0;
+ }
++ *a2_end = str;
+ *str++ = '\0';
+
+ while (apr_isspace(*str)) {
+@@ -3323,7 +3335,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewritecond_entry *newcond;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3341,7 +3353,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ * of the argument line. So we can use a1 .. a3 without
+ * copying them again.
+ */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
+ return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3749,7 +3761,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewriterule_entry *newrule;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3763,7 +3775,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ }
+
+ /* parse the argument line ourself */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
+ return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3810,6 +3822,16 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ newrule->flags |= RULEFLAG_NOSUB;
+ }
+
++ if (*(a2_end-1) == '?') {
++ /* a literal ? at the end of the unsubstituted rewrite rule */
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ else if (newrule->flags & RULEFLAG_QSDISCARD) {
++ if (NULL == ap_strchr(newrule->output, '?')) {
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ }
++
+ /* now, if the server or per-dir config holds an
+ * array of RewriteCond entries, we take it for us
+ * and clear the array
+@@ -4215,9 +4237,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ r->path_info = NULL;
+ }
+
+- splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND,
+- p->flags & RULEFLAG_QSDISCARD,
+- p->flags & RULEFLAG_QSLAST);
++ splitout_queryargs(r, p->flags);
+
+ /* Add the previously stripped per-directory location prefix, unless
+ * (1) it's an absolute URL path and
+@@ -4699,6 +4719,17 @@ static int hook_uri2file(request_rec *r)
+ unsigned skip;
+ apr_size_t flen;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+@@ -4983,6 +5014,17 @@ static int hook_fixup(request_rec *r)
+ if (rulestatus) {
+ unsigned skip;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index 058b03f..a529c02 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -69,6 +69,16 @@ static int proxy_ajp_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
+index 3a28038..c599e1a 100644
+--- a/modules/proxy/mod_proxy_balancer.c
++++ b/modules/proxy/mod_proxy_balancer.c
+@@ -106,6 +106,16 @@ static int proxy_balancer_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index c1c591a..58a8c86 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -90,6 +90,16 @@ static int proxy_http_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url),
+ enc_path, 0, r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ break;
+ case PROXYREQ_PROXY:
+diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
+index e005a94..f5e27d9 100644
+--- a/modules/proxy/mod_proxy_wstunnel.c
++++ b/modules/proxy/mod_proxy_wstunnel.c
+@@ -77,6 +77,16 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
++ if (search && *(ap_scan_vchar_obstext(search))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index fd3e23f..059349a 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
-Release: 51%{?dist}.1
+Release: 51%{?dist}.5
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate
@@ -244,7 +244,8 @@ Patch235: httpd-2.4.37-CVE-2022-37436.patch
Patch236: httpd-2.4.37-CVE-2006-20001.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2161777
Patch237: httpd-2.4.37-CVE-2022-36760.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
+Patch238: httpd-2.4.37-CVE-2023-25690.patch
License: ASL 2.0
Group: System Environment/Daemons
@@ -464,6 +465,7 @@ interface for storing and accessing per-user session data.
%patch235 -p1 -b .CVE-2022-37436
%patch236 -p1 -b .CVE-2006-20001
%patch237 -p1 -b .CVE-2022-36760
+%patch238 -p1 -b .CVE-2023-25690
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -969,8 +971,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
-* Tue Feb 21 2023 CentOS Sources <bugs@centos.org> - 2.4.37-51.el8.centos.1
-- Apply debranding changes
+* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51.5
+- Resolves: #2177747 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
+ with mod_rewrite and mod_proxy
* Tue Jan 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51.1
- Resolves: #2165967 - prevent sscg creating /dhparams.pem