diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-CVE-2021-26691.patch b/SOURCES/httpd-2.4.6-CVE-2021-26691.patch
new file mode 100644
index 0000000..7ad6c23
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2021-26691.patch
@@ -0,0 +1,13 @@
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 036e265..b66875e 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -308,7 +308,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
+ 
+ static int identity_count(int *count, const char *key, const char *val)
+ {
+-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+     return 1;
+ }
+ 
diff --git a/SOURCES/httpd-2.4.6-CVE-2021-34798.patch b/SOURCES/httpd-2.4.6-CVE-2021-34798.patch
new file mode 100644
index 0000000..ec8142f
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2021-34798.patch
@@ -0,0 +1,13 @@
+diff --git a/server/scoreboard.c b/server/scoreboard.c
+index f989b99..7cce507 100644
+--- a/server/scoreboard.c
++++ b/server/scoreboard.c
+@@ -370,7 +370,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
+     if (pfn_ap_logio_get_last_bytes != NULL) {
+         bytes = pfn_ap_logio_get_last_bytes(r->connection);
+     }
+-    else if (r->method_number == M_GET && r->method[0] == 'H') {
++    else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
+         bytes = 0;
+     }
+     else {
diff --git a/SOURCES/httpd-2.4.6-CVE-2021-39275.patch b/SOURCES/httpd-2.4.6-CVE-2021-39275.patch
new file mode 100644
index 0000000..42d6fcb
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2021-39275.patch
@@ -0,0 +1,21 @@
+diff --git a/server/util.c b/server/util.c
+index 4eac462..7373fec 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2317,13 +2317,12 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
+      * in front of every " that doesn't already have one.
+      */
+     while (*inchr != '\0') {
+-        if ((*inchr == '\\') && (inchr[1] != '\0')) {
+-            *outchr++ = *inchr++;
+-            *outchr++ = *inchr++;
+-        }
+         if (*inchr == '"') {
+             *outchr++ = '\\';
+         }
++        if ((*inchr == '\\') && (inchr[1] != '\0')) {
++            *outchr++ = *inchr++;
++        }
+         if (*inchr != '\0') {
+             *outchr++ = *inchr++;
+         }
diff --git a/SOURCES/httpd-2.4.6-CVE-2021-44790.patch b/SOURCES/httpd-2.4.6-CVE-2021-44790.patch
new file mode 100644
index 0000000..3c95fa0
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2021-44790.patch
@@ -0,0 +1,12 @@
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index 61a14f5..1dc676f 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -303,6 +303,7 @@ static int req_parsebody(lua_State *L)
+             if (!crlf) break;
+             key = (char *) apr_pcalloc(r->pool, 256);
+             filename = (char *) apr_pcalloc(r->pool, 256);
++            if (end - crlf <= 8) break;
+             vlen = end - crlf - 8;
+             buffer = (char *) apr_pcalloc(r->pool, vlen+1);
+             memcpy(buffer, crlf + 4, vlen);
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index c1b6c11..5d1e452 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,7 +16,3 @@
 </Directory>
 
 Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
-Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
-Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
-Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index e4dcdc0..9172077 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -4,7 +4,7 @@
 %define mmn 20120211
 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
 %define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
-%define vstring CentOS
+%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})
 
 # Drop automatic provides for module DSOs
 %{?filter_setup:
@@ -15,10 +15,10 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.6
-Release: 97%{?dist}.2
+Release: 97%{?dist}.4
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source1: centos-noindex.tar.gz
+Source1: index.html
 Source2: httpd.logrotate
 Source3: httpd.sysconf
 Source4: httpd-ssl-pass-dialog
@@ -242,6 +242,10 @@ Patch229: httpd-2.4.6-CVE-2018-1303.patch
 Patch230: httpd-2.4.6-CVE-2018-1283.patch
 Patch240: httpd-2.4.6-CVE-2020-1934.patch
 Patch241: httpd-2.4.6-CVE-2021-40438.patch
+Patch242: httpd-2.4.6-CVE-2021-44790.patch
+Patch243: httpd-2.4.6-CVE-2021-34798.patch
+Patch244: httpd-2.4.6-CVE-2021-39275.patch
+Patch245: httpd-2.4.6-CVE-2021-26691.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -506,6 +510,10 @@ rm modules/ssl/ssl_engine_dh.c
 %patch230 -p1 -b .cve1283
 %patch240 -p1 -b .cve1934
 %patch241 -p1 -b .cve40438
+%patch242 -p1 -b .cve44790
+%patch243 -p1 -b .cve34798
+%patch244 -p1 -b .cve39275
+%patch245 -p1 -b .cve26691
 
 # Patch in the vendor string and the release string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -659,10 +667,8 @@ EOF
 
 # Handle contentdir
 mkdir $RPM_BUILD_ROOT%{contentdir}/noindex
-tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \
-        -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \
-        --strip-components=1
-
+install -m 644 -p $RPM_SOURCE_DIR/index.html \
+        $RPM_BUILD_ROOT%{contentdir}/noindex/index.html
 rm -rf %{contentdir}/htdocs
 
 # remove manual sources
@@ -685,7 +691,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \
       $RPM_BUILD_ROOT%{docroot}/cgi-bin/*
 
 # Symlink for the powered-by-$DISTRO image:
-ln -s ../noindex/images/poweredby.png \
+ln -s ../../pixmaps/poweredby.png \
         $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
 
 # symlinks for /etc/httpd
@@ -871,7 +877,7 @@ rm -rf $RPM_BUILD_ROOT
 %{contentdir}/error/README
 %{contentdir}/error/*.var
 %{contentdir}/error/include/*.html
-%{contentdir}/noindex/*
+%{contentdir}/noindex/index.html
 
 %dir %{docroot}
 %dir %{docroot}/cgi-bin
@@ -937,11 +943,16 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 
 %changelog
-* Wed Nov 10 2021 CentOS Sources <bugs@centos.org> - 2.4.6-97.el7.centos.2
-- Remove index.html, add centos-noindex.tar.gz
-- change vstring
-- change symlink for poweredby.png
-- update welcome.conf with proper aliases
+* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com>
+- Resolves: #2031072 - CVE-2021-34798 httpd: NULL pointer dereference via
+  malformed requests
+- Resolves: #2031074 - CVE-2021-39275 httpd: out-of-bounds write in
+  ap_escape_quotes() via malicious input
+- Resolves: #1969226 - CVE-2021-26691 httpd: Heap overflow in mod_session
+
+* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.3
+- Resolves: #2035058 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
+  when parsing multipart content
 
 * Mon Oct 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.2
 - Resolves: #2015694 - proxy rewrite to unix socket fails with CVE-2021-40438 fix