diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/httpd-2.4.37-CVE-2021-26691.patch b/SOURCES/httpd-2.4.37-CVE-2021-26691.patch
new file mode 100644
index 0000000..786aea2
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2021-26691.patch
@@ -0,0 +1,13 @@
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 049255d..af70f6b 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+ int *count = v;
+- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+ return 1;
+ }
+
diff --git a/SOURCES/httpd-2.4.37-CVE-2021-40438.patch b/SOURCES/httpd-2.4.37-CVE-2021-40438.patch
new file mode 100644
index 0000000..57aa7ce
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2021-40438.patch
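Review bot: The size estimate in `identity_count` still has no comment saying what each term reserves, which is how a one-byte shortfall in a buffer-sizing helper can go unnoticed. I would add above the changed line something like `/* worst case: every byte of key and val becomes %XX (x3), plus the '=' and the '&' written per entry */`; the two separators are presumably what `identity_concat` emits, which is not visible in this hunk and should be confirmed. Separately, the sum of two `strlen()` results is accumulated into an `int` through `int *count`, so the estimate is narrowed from `size_t`; whether session size is bounded tightly enough elsewhere for that to be harmless cannot be seen from here.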
@@ -0,0 +1,29 @@
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index f383996..6a9ef55 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1717,7 +1717,8 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
+ * the UDS path... ignore it
+ */
+ if (!strncasecmp(url, "unix:", 5) &&
+- ((ptr = ap_strchr_c(url, '|')) != NULL)) {
++ ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
++
+ /* move past the 'unix:...|' UDS path info */
+ const char *ret, *c;
+
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 7714b6c..421f910 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2090,8 +2090,8 @@ static void fix_uds_filename(request_rec *r, char **url)
+ if (!r || !r->filename) return;
+
+ if (!strncmp(r->filename, "proxy:", 6) &&
+- (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
+- (ptr = ap_strchr(ptr2, '|'))) {
++ !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
++ (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
+ apr_uri_t urisock;
+ apr_status_t rv;
+ *ptr = '\0';
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index 9d91408..5158e8b 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -7,25 +7,13 @@ # Options -Indexes - ErrorDocument 403 /noindex/index.html + ErrorDocument 403 /.noindex.html - Options MultiViews - DirectoryIndex index.html - - AddLanguage en-US .en-US - AddLanguage es-ES .es-ES - AddLanguage zh-CN .zh-CN - AddLanguage zh-HK .zh-HK - AddLanguage zh-TW .zh-TW - - LanguagePriority en - ForceLanguagePriority Fallback - AllowOverride None Require all granted -Alias /noindex /usr/share/httpd/noindex -Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png +Alias /.noindex.html /usr/share/httpd/noindex/index.html +Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png \ No newline at end of file
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index aa0c8e5..ca7540b 100644
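Review bot: In `fix_uds_filename` the rule that matters for security, that `unix:` must sit immediately after `proxy:`, is carried only by the bare literals `6` and `5` and a comma operator inside the `if` condition, with no comment explaining why a substring search is not acceptable. A later cleanup could easily go back to searching the whole filename, so I would add a comment such as `/* "unix:" must directly follow "proxy:"; matching it anywhere in the filename would let request-derived text choose the socket path */`. I would also move the `ptr2` assignment out of the condition, or name the two prefix lengths. The same reasoning applies to `url + 5` in `ap_proxy_de_socketfy`, where the added empty line after the condition also looks unintended. Both function bodies continue outside their hunks, so how `ptr` and `ptr2` are used afterwards was not reviewed.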
--- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -13,10 +13,9 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 39%{?dist} +Release: 39%{?dist}.1 URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source1: centos-noindex-8.0.tar.gz Source2: httpd.logrotate Source3: instance.conf Source4: httpd-ssl-pass-dialog @@ -180,6 +179,10 @@ Patch209: httpd-2.4.37-CVE-2020-1934.patch Patch210: httpd-2.4.37-CVE-2018-17199.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1866563 Patch211: httpd-2.4.37-CVE-2020-11984.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2005117 +Patch212: httpd-2.4.37-CVE-2021-40438.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1966732 +Patch213: httpd-2.4.37-CVE-2021-26691.patch License: ASL 2.0 Group: System Environment/Daemons @@ -366,6 +369,8 @@ interface for storing and accessing per-user session data. %patch209 -p1 -b .CVE-2020-1934 %patch210 -p1 -b .CVE-2018-17199 %patch211 -p1 -b .CVE-2020-11984 +%patch212 -p1 -b .CVE-2021-40438 +%patch213 -p1 -b .CVE-2021-26691 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -569,7 +574,8 @@ EOF # Handle contentdir mkdir $RPM_BUILD_ROOT%{contentdir}/noindex -tar xzf %{SOURCE1} -C $RPM_BUILD_ROOT%{contentdir}/noindex/ --strip-components=1 +ln -s ../../testpage/index.html \ + $RPM_BUILD_ROOT%{contentdir}/noindex/index.html rm -rf %{contentdir}/htdocs # remove manual sources @@ -783,7 +789,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/README %{contentdir}/error/*.var %{contentdir}/error/include/*.html -%{contentdir}/noindex/* +%{contentdir}/noindex/index.html %attr(0710,root,apache) %dir /run/httpd %attr(0700,apache,apache) %dir /run/httpd/htcacheclean 
@@ -867,8 +873,11 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Tue May 18 2021 CentOS Sources - 2.4.37-39.el8.centos -- Apply debranding changes +* Thu Sep 30 2021 Luboš Uhliarik - 2.4.37-39.1 +- Resolves: #2007234 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via + a crafted request uri-path +- Resolves: #2007646 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in + mod_session * Tue Jan 26 2021 Artem Egorenkov - 2.4.37-39 - prevent htcacheclean from while break when first file processed