diff --git a/.gitignore b/.gitignore
index 2c3e956..cfbe234 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,2 @@
-SOURCES/htcacheclean.service.xml
+SOURCES/apache-poweredby.png
SOURCES/httpd-2.4.37.tar.bz2
-SOURCES/httpd.conf.xml
-SOURCES/httpd.service.xml
diff --git a/.httpd.metadata b/.httpd.metadata
index 091ca86..06980e0 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,4 +1,2 @@
-a34c31169efbe6140496c37801489610461bdf9b SOURCES/htcacheclean.service.xml
+3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png
4a38471de821288b0300148016f2b03dfee8adf2 SOURCES/httpd-2.4.37.tar.bz2
-fa18caadd0afbddc2c7a7fc404bf4f2b41867148 SOURCES/httpd.conf.xml
-888df830bdc465de3bced6f075c33380018e544f SOURCES/httpd.service.xml
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/htcacheclean.service.xml b/SOURCES/htcacheclean.service.xml
new file mode 100644
index 0000000..01b68e4
--- /dev/null
+++ b/SOURCES/htcacheclean.service.xml
@@ -0,0 +1,123 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+]>
+<!--
+ Copyright 2018 Red Hat, Inc.
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language overning permissions and
+ limitations under the License.
+-->
+<refentry>
+ <refentryinfo>
+ <title>htcacheclean systemd unit</title>
+ <productname>httpd</productname>
+ <author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>htcacheclean.service</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>htcacheclean.service</refname>
+ <refpurpose>htcacheclean unit file for systemd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para>
+ <filename>/usr/lib/systemd/system/htcacheclean.service</filename>
+ </para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>This manual page describes the <command>systemd</command>
+ unit file for the <command>htcacheclean</command> daemon. This
+ unit file provides a service which runs
+ <command>htcacheclean</command> in daemon mode,
+ periodically cleaning the disk cache root to ensure disk space
+ usage is within configured limits.</para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The service is configured by configuration file
+ <filename>/etc/sysconfig/htcacheclean</filename>. The following
+ variables are used, following standard <command>systemd</command>
+ <varname>EnvironmentFile=</varname> syntax:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><varname>INTERVAL=</varname></term>
+
+ <listitem><para>Sets the interval between cache clean runs, in
+ minutes. By default this is configured as
+ <emphasis>15</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>CACHE_ROOT=</varname></term>
+
+ <listitem><para>Sets the directory name used for the cache
+ root. By default this is configured as
+ <filename>/var/cache/httpd/proxy</filename>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>LIMIT=</varname></term>
+
+ <listitem><para>Sets the total disk cache space limit, in
+ bytes. Use a <emphasis>K</emphasis> or <emphasis>M</emphasis>
+ suffix to signify kilobytes or megabytes. By default this is
+ set to <emphasis>100M</emphasis>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>OPTIONS=</varname></term>
+
+ <listitem><para>Any other options to pass to
+ <command>htcacheclean</command>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Files</title>
+
+ <para><filename>/usr/lib/systemd/system/htcacheclean.service</filename>,
+ <filename>/etc/sysconfig/htcacheclean</filename></para>
+ </refsect1>
+
+ <refsect1>
+ <title>See also</title>
+
+ <para>
+ <citerefentry><refentrytitle>htcacheclean</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!-- LocalWords: systemd httpd htcacheclean
+-->
diff --git a/SOURCES/httpd-2.4.37-CVE-2021-26690.patch b/SOURCES/httpd-2.4.37-CVE-2021-26690.patch
new file mode 100644
index 0000000..f606576
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2021-26690.patch
@@ -0,0 +1,14 @@
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 7ee477c..049255d 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
+ char *plast = NULL;
+ const char *psep = "=";
+ char *key = apr_strtok(pair, psep, &plast);
+- char *val = apr_strtok(NULL, psep, &plast);
+ if (key && *key) {
++ char *val = apr_strtok(NULL, sep, &plast);
+ if (!val || !*val) {
+ apr_table_unset(z->entries, key);
+ }
diff --git a/SOURCES/httpd-2.4.37-CVE-2021-30641.patch b/SOURCES/httpd-2.4.37-CVE-2021-30641.patch
new file mode 100644
index 0000000..5a34afb
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2021-30641.patch
@@ -0,0 +1,44 @@
+diff --git a/server/request.c b/server/request.c
+index d5c558a..18625af 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+
+ cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+ cached = (cache->cached != NULL);
+- entry_uri = r->uri;
++
++ /*
++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++ * have not been merged. But for Location walks we always go with merged
++ * slashes no matter what merge_slashes is set to.
++ */
++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++ entry_uri = r->uri;
++ }
++ else {
++ char *uri = apr_pstrdup(r->pool, r->uri);
++ ap_no2slash(uri);
++ entry_uri = uri;
++ }
+
+ /* If we have an cache->cached location that matches r->uri,
+ * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+ }
+
+- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+ continue;
+ }
+
+@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ apr_table_setn(r->subprocess_env,
+ ((const char **)entry_core->refs->elts)[i],
+ apr_pstrndup(r->pool,
+- entry_uri + pmatch[i].rm_so,
++ r->uri + pmatch[i].rm_so,
+ pmatch[i].rm_eo - pmatch[i].rm_so));
+ }
+ }
diff --git a/SOURCES/httpd-2.4.37-proxy-ws-idle-timeout.patch b/SOURCES/httpd-2.4.37-proxy-ws-idle-timeout.patch
index 25864bf..ef4408c 100644
--- a/SOURCES/httpd-2.4.37-proxy-ws-idle-timeout.patch
+++ b/SOURCES/httpd-2.4.37-proxy-ws-idle-timeout.patch
@@ -20,7 +20,7 @@ index 21ffbe2..16e1628 100644
<li><a href="#comments_section">Comments</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-+<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout
++<div class="directive-section"><h2><a name="ProxyWebsocketIdleTimeout" id="ProxyWebsocketIdleTimeout">ProxyWebsocketIdleTimeout</a> <a name="proxywebsocketidletimeout" id="proxywebsocketidletimeout">Directive</a> <a title="Permanent link" href="#proxywebsocketidletimeout" class="permalink">¶</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets the maximum amount of time to wait for data on the websockets tunnel</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyWebsocketIdleTimeout <var>num</var>[ms]</code></td></tr>
diff --git a/SOURCES/httpd-2.4.37-r1845768+.patch b/SOURCES/httpd-2.4.37-r1845768+.patch
new file mode 100644
index 0000000..a51934f
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-r1845768+.patch
@@ -0,0 +1,48 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 70d151e..e4f5fc8 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -1095,7 +1095,9 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
+ /*
+ * Read a file that optionally contains the server certificate in PEM
+ * format, possibly followed by a sequence of CA certificates that
+- * should be sent to the peer in the SSL Certificate message.
++ * should be sent to the peer in the SSL Certificate message. Returns
++ * 0 on success, otherwise the OpenSSL error stack contents should be
++ * reported.
+ */
+ static int use_certificate_chain(
+ SSL_CTX *ctx, char *file, int skipfirst, pem_password_cb *cb)
+@@ -1128,8 +1130,10 @@ static int use_certificate_chain(
+ ctx->extra_certs = NULL;
+ }
+ #endif
++
+ /* create new extra chain by loading the certs */
+ n = 0;
++ ERR_clear_error();
+ while ((x509 = PEM_read_bio_X509(bio, NULL, cb, NULL)) != NULL) {
+ if (!SSL_CTX_add_extra_chain_cert(ctx, x509)) {
+ X509_free(x509);
+@@ -1190,6 +1194,7 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
+ if (n < 0) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01903)
+ "Failed to configure CA certificate chain!");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+ return ssl_die(s);
+ }
+
+diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c
+index b11a6e9..b66e151 100644
+--- a/modules/ssl/ssl_util_ocsp.c
++++ b/modules/ssl/ssl_util_ocsp.c
+@@ -363,7 +363,9 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
+ BIO_free(bio);
+ return NULL;
+ }
++
+ /* create new extra chain by loading the certs */
++ ERR_clear_error();
+ while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+ if (!other_certs) {
+ other_certs = sk_X509_new_null();
diff --git a/SOURCES/httpd-2.4.37-r1873907.patch b/SOURCES/httpd-2.4.37-r1873907.patch
new file mode 100644
index 0000000..4ec0cfa
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-r1873907.patch
@@ -0,0 +1,265 @@
+diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
+index b543150..ab72d4f 100644
+--- a/docs/manual/mod/mod_ssl.html.en
++++ b/docs/manual/mod/mod_ssl.html.en
+@@ -1524,6 +1524,32 @@ The available (case-insensitive) <em>protocol</em>s are:</p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre>
+ </div>
+
++<div class="note">
++<h3><code class="directive">SSLProtocol</code> for name-based virtual hosts</h3>
++<p>
++Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to
++determine the targeted virtual host early in the TLS handshake, it was not
++possible to switch the TLS protocol version of the connection at this point,
++and thus the <code class="directive">SSLProtocol</code> negotiated was always based off
++the one of the <em>base virtual host</em> (first virtual host declared on the
++listening <code>IP:port</code> of the connection).
++</p>
++<p>
++Beginning with Apache HTTP server version 2.4.42, when built/linked against
++OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS
++handshake, the <code class="directive">SSLProtocol</code> of each (name-based) virtual
++host can and will be honored.
++</p>
++<p>
++For compatibility with previous versions, if no
++<code class="directive">SSLProtocol</code> is configured in a name-based virtual host,
++the one from the base virtual host still applies, <strong>unless</strong>
++<code class="directive">SSLProtocol</code> is configured globally in which case the
++global value applies (this latter exception is more sensible than compatible,
++though).
++</p>
++</div>
++
+ </div>
+ <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+ <div class="directive-section"><h2><a name="SSLProxyCACertificateFile" id="SSLProxyCACertificateFile">SSLProxyCACertificateFile</a> <a name="sslproxycacertificatefile" id="sslproxycacertificatefile">Directive</a></h2>
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 0c4bf1f..ca5f702 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -269,6 +269,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
+ mrg->protocol_set = 1;
+ }
+ else {
++ mrg->protocol_set = base->protocol_set;
+ mrg->protocol = base->protocol;
+ }
+
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 31062bc..70d151e 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -520,7 +520,9 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
+ "Configuring TLS extension handling");
+
+ /*
+- * Server name indication (SNI)
++ * The Server Name Indication (SNI) provided by the ClientHello can be
++ * used to select the right (name-based-)vhost and its SSL configuration
++ * before the handshake takes place.
+ */
+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
+ ssl_callback_ServerNameIndication) ||
+@@ -532,6 +534,16 @@ static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s,
+ return ssl_die(s);
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
++ /*
++ * The ClientHello callback also allows to retrieve the SNI, but since it
++ * runs at the earliest possible connection stage we can even set the TLS
++ * protocol version(s) according to the selected (name-based-)vhost, which
++ * is not possible at the SNI callback stage (due to OpenSSL internals).
++ */
++ SSL_CTX_set_client_hello_cb(mctx->ssl_ctx, ssl_callback_ClientHello, NULL);
++#endif
++
+ #ifdef HAVE_OCSP_STAPLING
+ /*
+ * OCSP Stapling support, status_request extension
+@@ -708,7 +720,7 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ #else /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
+ /* We first determine the maximum protocol version we should provide */
+ #if SSL_HAVE_PROTOCOL_TLSV1_3
+- if (SSL_HAVE_PROTOCOL_TLSV1_3 && (protocol & SSL_PROTOCOL_TLSV1_3)) {
++ if (protocol & SSL_PROTOCOL_TLSV1_3) {
+ prot = TLS1_3_VERSION;
+ } else
+ #endif
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 8b44674..7313a55 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -2357,28 +2357,31 @@ static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
+ * This function sets the virtual host from an extended
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
+ */
+-static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
++static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername)
+ {
+- const char *servername;
+ X509 *cert;
+ EVP_PKEY *key;
+
+ if (c) {
+ SSLConnRec *sslcon = myConnConfig(c);
+-
+- if (sslcon->server != c->base_server) {
+- /* already found the vhost */
+- return APR_SUCCESS;
++
++ if (sslcon->vhost_found) {
++ /* already found the vhost? */
++ return sslcon->vhost_found > 0 ? APR_SUCCESS : APR_NOTFOUND;
+ }
++ sslcon->vhost_found = -1;
+
+- servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
++ if (!servername) {
++ servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
++ }
+ if (servername) {
+ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
+ (void *)servername)) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043)
+ "SSL virtual host for servername %s found",
+ servername);
+-
++
++ sslcon->vhost_found = +1;
+ return APR_SUCCESS;
+ }
+ else if (ssl_is_challenge(c, servername, &cert, &key)) {
+@@ -2428,11 +2431,72 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
+ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
+ {
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+- apr_status_t status = init_vhost(c, ssl);
++ apr_status_t status = init_vhost(c, ssl, NULL);
+
+ return (status == APR_SUCCESS)? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
+ }
+
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
++/*
++ * This callback function is called when the ClientHello is received.
++ */
++int ssl_callback_ClientHello(SSL *ssl, int *al, void *arg)
++{
++ char *servername = NULL;
++ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
++ const unsigned char *pos;
++ size_t len, remaining;
++ (void)arg;
++
++ /* We can't use SSL_get_servername() at this earliest OpenSSL connection
++ * stage, and there is no SSL_client_hello_get0_servername() provided as
++ * of OpenSSL 1.1.1. So the code below, that extracts the SNI from the
++ * ClientHello's TLS extensions, is taken from some test code in OpenSSL,
++ * i.e. client_hello_select_server_ctx() in "test/handshake_helper.c".
++ */
++
++ /*
++ * The server_name extension was given too much extensibility when it
++ * was written, so parsing the normal case is a bit complex.
++ */
++ if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &pos,
++ &remaining)
++ || remaining <= 2)
++ goto give_up;
++
++ /* Extract the length of the supplied list of names. */
++ len = (*(pos++) << 8);
++ len += *(pos++);
++ if (len + 2 != remaining)
++ goto give_up;
++ remaining = len;
++
++ /*
++ * The list in practice only has a single element, so we only consider
++ * the first one.
++ */
++ if (remaining <= 3 || *pos++ != TLSEXT_NAMETYPE_host_name)
++ goto give_up;
++ remaining--;
++
++ /* Now we can finally pull out the byte array with the actual hostname. */
++ len = (*(pos++) << 8);
++ len += *(pos++);
++ if (len + 2 != remaining)
++ goto give_up;
++
++ /* Use the SNI to switch to the relevant vhost, should it differ from
++ * c->base_server.
++ */
++ servername = apr_pstrmemdup(c->pool, (const char *)pos, len);
++
++give_up:
++ init_vhost(c, ssl, servername);
++ return SSL_CLIENT_HELLO_SUCCESS;
++}
++#endif /* OPENSSL_VERSION_NUMBER < 0x10101000L */
++
++
+ /*
+ * Find a (name-based) SSL virtual host where either the ServerName
+ * or one of the ServerAliases matches the supplied name (to be used
+@@ -2452,12 +2516,25 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
+ if (found && (ssl = sslcon->ssl) &&
+ (sc = mySrvConfig(s))) {
+ SSL_CTX *ctx = SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
++
+ /*
+ * SSL_set_SSL_CTX() only deals with the server cert,
+ * so we need to duplicate a few additional settings
+ * from the ctx by hand
+ */
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L \
++ && (!defined(LIBRESSL_VERSION_NUMBER) \
++ || LIBRESSL_VERSION_NUMBER >= 0x20800000L)
++ /*
++ * Don't switch the protocol if none is configured for this vhost,
++ * the default in this case is still the base server's SSLProtocol.
++ */
++ if (myCtxConfig(sslcon, sc)->protocol_set) {
++ SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
++ SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
++ }
++#endif
+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
+ (SSL_num_renegotiations(ssl) == 0)) {
+ /*
+@@ -2654,7 +2731,7 @@ int ssl_callback_alpn_select(SSL *ssl,
+ * they callback the SNI. We need to make sure that we know which vhost
+ * we are dealing with so we respect the correct protocols.
+ */
+- init_vhost(c, ssl);
++ init_vhost(c, ssl, NULL);
+
+ proposed = ap_select_protocol(c, NULL, sslconn->server, client_protos);
+ if (!proposed) {
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 8055200..f8a1db7 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -563,6 +563,7 @@ typedef struct {
+
+ const char *cipher_suite; /* cipher suite used in last reneg */
+ int service_unavailable; /* thouugh we negotiate SSL, no requests will be served */
++ int vhost_found; /* whether we found vhost from SNI already */
+ } SSLConnRec;
+
+ /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
+@@ -946,6 +947,9 @@ void ssl_callback_Info(const SSL *, int, int);
+ #ifdef HAVE_TLSEXT
+ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ #endif
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
++int ssl_callback_ClientHello(SSL *, int *, void *);
++#endif
+ #ifdef HAVE_TLS_SESSION_TICKETS
+ int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+ EVP_CIPHER_CTX *, HMAC_CTX *, int);
diff --git a/SOURCES/httpd-2.4.37-reply-two-tls-rec.patch b/SOURCES/httpd-2.4.37-reply-two-tls-rec.patch
new file mode 100644
index 0000000..a4a3835
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-reply-two-tls-rec.patch
@@ -0,0 +1,188 @@
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 018b667..4e3875a 100644
+--- a/modules/ssl/ssl_engine_io.c
++++ b/modules/ssl/ssl_engine_io.c
+@@ -1598,18 +1598,32 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+ }
+
+
+-/* ssl_io_filter_output() produces one SSL/TLS message per bucket
++/* ssl_io_filter_output() produces one SSL/TLS record per bucket
+ * passed down the output filter stack. This results in a high
+- * overhead (network packets) for any output comprising many small
+- * buckets. SSI page applied through the HTTP chunk filter, for
+- * example, may produce many brigades containing small buckets -
+- * [chunk-size CRLF] [chunk-data] [CRLF].
++ * overhead (more network packets & TLS processing) for any output
++ * comprising many small buckets. SSI output passed through the HTTP
++ * chunk filter, for example, may produce many brigades containing
++ * small buckets - [chunk-size CRLF] [chunk-data] [CRLF].
+ *
+- * The coalescing filter merges many small buckets into larger buckets
+- * where possible, allowing the SSL I/O output filter to handle them
+- * more efficiently. */
++ * Sending HTTP response headers as a separate TLS record to the
++ * response body also reveals information to a network observer (the
++ * size of headers) which can be significant.
++ *
++ * The coalescing filter merges data buckets with the aim of producing
++ * fewer, larger TLS records - without copying/buffering all content
++ * and introducing unnecessary overhead.
++ *
++ * ### This buffering could be probably be done more comprehensively
++ * ### in ssl_io_filter_output itself.
++ *
++ * ### Another possible performance optimisation in particular for the
++ * ### [HEAP] [FILE] HTTP response case is using a brigade rather than
++ * ### a char array to buffer; using apr_brigade_write() to append
++ * ### will use already-allocated memory from the HEAP, reducing # of
++ * ### copies.
++ */
+
+-#define COALESCE_BYTES (2048)
++#define COALESCE_BYTES (AP_IOBUFSIZE)
+
+ struct coalesce_ctx {
+ char buffer[COALESCE_BYTES];
+@@ -1622,11 +1636,12 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
+ apr_bucket *e, *upto;
+ apr_size_t bytes = 0;
+ struct coalesce_ctx *ctx = f->ctx;
++ apr_size_t buffered = ctx ? ctx->bytes : 0; /* space used on entry */
+ unsigned count = 0;
+
+ /* The brigade consists of zero-or-more small data buckets which
+- * can be coalesced (the prefix), followed by the remainder of the
+- * brigade.
++ * can be coalesced (referred to as the "prefix"), followed by the
++ * remainder of the brigade.
+ *
+ * Find the last bucket - if any - of that prefix. count gives
+ * the number of buckets in the prefix. The "prefix" must contain
+@@ -1641,24 +1656,97 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
+ e != APR_BRIGADE_SENTINEL(bb)
+ && !APR_BUCKET_IS_METADATA(e)
+ && e->length != (apr_size_t)-1
+- && e->length < COALESCE_BYTES
+- && (bytes + e->length) < COALESCE_BYTES
+- && (ctx == NULL
+- || bytes + ctx->bytes + e->length < COALESCE_BYTES);
++ && e->length <= COALESCE_BYTES
++ && (buffered + bytes + e->length) <= COALESCE_BYTES;
+ e = APR_BUCKET_NEXT(e)) {
+ if (e->length) count++; /* don't count zero-length buckets */
+ bytes += e->length;
+ }
++
++ /* If there is room remaining and the next bucket is a data
++ * bucket, try to include it in the prefix to coalesce. For a
++ * typical [HEAP] [FILE] HTTP response brigade, this handles
++ * merging the headers and the start of the body into a single TLS
++ * record. */
++ if (bytes + buffered > 0
++ && bytes + buffered < COALESCE_BYTES
++ && e != APR_BRIGADE_SENTINEL(bb)
++ && !APR_BUCKET_IS_METADATA(e)) {
++ apr_status_t rv = APR_SUCCESS;
++
++ /* For an indeterminate length bucket (PIPE/CGI/...), try a
++ * non-blocking read to have it morph into a HEAP. If the
++ * read fails with EAGAIN, it is harmless to try a split
++ * anyway, split is ENOTIMPL for most PIPE-like buckets. */
++ if (e->length == (apr_size_t)-1) {
++ const char *discard;
++ apr_size_t ignore;
++
++ rv = apr_bucket_read(e, &discard, &ignore, APR_NONBLOCK_READ);
++ if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv)) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10232)
++ "coalesce failed to read from %s bucket",
++ e->type->name);
++ return AP_FILTER_ERROR;
++ }
++ }
++
++ if (rv == APR_SUCCESS) {
++ /* If the read above made the bucket morph, it may now fit
++ * entirely within the buffer. Otherwise, split it so it does
++ * fit. */
++ if (e->length > COALESCE_BYTES
++ || e->length + buffered + bytes > COALESCE_BYTES) {
++ rv = apr_bucket_split(e, COALESCE_BYTES - (buffered + bytes));
++ }
++
++ if (rv == APR_SUCCESS && e->length == 0) {
++ /* As above, don't count in the prefix if the bucket is
++ * now zero-length. */
++ }
++ else if (rv == APR_SUCCESS) {
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
++ "coalesce: adding %" APR_SIZE_T_FMT " bytes "
++ "from split %s bucket, total %" APR_SIZE_T_FMT,
++ e->length, e->type->name, bytes + buffered);
++
++ count++;
++ bytes += e->length;
++ e = APR_BUCKET_NEXT(e);
++ }
++ else if (rv != APR_ENOTIMPL) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, f->c, APLOGNO(10233)
++ "coalesce: failed to split data bucket");
++ return AP_FILTER_ERROR;
++ }
++ }
++ }
++
++ /* The prefix is zero or more buckets. upto now points to the
++ * bucket AFTER the end of the prefix, which may be the brigade
++ * sentinel. */
+ upto = e;
+
+- /* Coalesce the prefix, if:
+- * a) more than one bucket is found to coalesce, or
+- * b) the brigade contains only a single data bucket, or
+- * c) the data bucket is not last but we have buffered data already.
++ /* Coalesce the prefix, if any of the following are true:
++ *
++ * a) the prefix is more than one bucket
++ * OR
++ * b) the prefix is the entire brigade, which is a single bucket
++ * AND the prefix length is smaller than the buffer size,
++ * OR
++ * c) the prefix is a single bucket
++ * AND there is buffered data from a previous pass.
++ *
++ * The aim with (b) is to buffer a small bucket so it can be
++ * coalesced with future invocations of this filter. e.g. three
++ * calls each with a single 100 byte HEAP bucket should get
++ * coalesced together. But an invocation with a 8192 byte HEAP
++ * should pass through untouched.
+ */
+ if (bytes > 0
+ && (count > 1
+- || (upto == APR_BRIGADE_SENTINEL(bb))
++ || (upto == APR_BRIGADE_SENTINEL(bb)
++ && bytes < COALESCE_BYTES)
+ || (ctx && ctx->bytes > 0))) {
+ /* If coalescing some bytes, ensure a context has been
+ * created. */
+@@ -1669,7 +1757,8 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
+
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE4, 0, f->c,
+ "coalesce: have %" APR_SIZE_T_FMT " bytes, "
+- "adding %" APR_SIZE_T_FMT " more", ctx->bytes, bytes);
++ "adding %" APR_SIZE_T_FMT " more (buckets=%u)",
++ ctx->bytes, bytes, count);
+
+ /* Iterate through the prefix segment. For non-fatal errors
+ * in this loop it is safe to break out and fall back to the
+@@ -1684,7 +1773,8 @@ static apr_status_t ssl_io_filter_coalesce(ap_filter_t *f,
+ if (APR_BUCKET_IS_METADATA(e)
+ || e->length == (apr_size_t)-1) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(02012)
+- "unexpected bucket type during coalesce");
++ "unexpected %s bucket during coalesce",
++ e->type->name);
+ break; /* non-fatal error; break out */
+ }
+
diff --git a/SOURCES/httpd-2.4.37-usertrack-samesite.patch b/SOURCES/httpd-2.4.37-usertrack-samesite.patch
new file mode 100644
index 0000000..592616e
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-usertrack-samesite.patch
@@ -0,0 +1,178 @@
+diff --git a/docs/manual/mod/mod_usertrack.html.en b/docs/manual/mod/mod_usertrack.html.en
+index b212747..d2da9b9 100644
+--- a/docs/manual/mod/mod_usertrack.html.en
++++ b/docs/manual/mod/mod_usertrack.html.en
+@@ -47,7 +47,10 @@
+ <ul id="toc">
+ <li><img alt="" src="../images/down.gif" /> <a href="#cookiedomain">CookieDomain</a></li>
+ <li><img alt="" src="../images/down.gif" /> <a href="#cookieexpires">CookieExpires</a></li>
++<li><img alt="" src="../images/down.gif" /> <a href="#cookiehttponly">CookieHTTPOnly</a></li>
+ <li><img alt="" src="../images/down.gif" /> <a href="#cookiename">CookieName</a></li>
++<li><img alt="" src="../images/down.gif" /> <a href="#cookiesamesite">CookieSameSite</a></li>
++<li><img alt="" src="../images/down.gif" /> <a href="#cookiesecure">CookieSecure</a></li>
+ <li><img alt="" src="../images/down.gif" /> <a href="#cookiestyle">CookieStyle</a></li>
+ <li><img alt="" src="../images/down.gif" /> <a href="#cookietracking">CookieTracking</a></li>
+ </ul>
+@@ -127,6 +130,22 @@ CustomLog "logs/clickstream.log" usertrack</pre>
+ <pre class="prettyprint lang-config">CookieExpires "3 weeks"</pre>
+
+
++</div>
++<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
++<div class="directive-section"><h2><a name="CookieHTTPOnly" id="CookieHTTPOnly">CookieHTTPOnly</a> <a name="cookiehttponly" id="cookiehttponly">Directive</a></h2>
++<table class="directive">
++<tbody><tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Adds the 'HTTPOnly' attribute to the cookie</td></tr>
++<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CookieHTTPOnly on|off</code></td></tr>
++<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CookieHTTPOnly off</code></td></tr>
++<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
++<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
++<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
++<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
++</tbody></table>
++ <p>When set to 'ON', the 'HTTPOnly' cookie attribute is added to this
++ modules tracking cookie. This attribute instructs browsers to block javascript
++ from reading the value of the cookie.</p>
++
+ </div>
+ <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+ <div class="directive-section"><h2><a name="CookieName" id="CookieName">CookieName</a> <a name="cookiename" id="cookiename">Directive</a></h2>
+@@ -150,6 +169,45 @@ CustomLog "logs/clickstream.log" usertrack</pre>
+ <pre class="prettyprint lang-config">CookieName clicktrack</pre>
+
+
++</div>
++<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
++<div class="directive-section"><h2><a name="CookieSameSite" id="CookieSameSite">CookieSameSite</a> <a name="cookiesamesite" id="cookiesamesite">Directive</a></h2>
++<table class="directive">
++<tbody><tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Adds the 'SameSite' attribute to the cookie</td></tr>
++<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CookieSameSite None|Lax|Strict</code></td></tr>
++<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>unset</code></td></tr>
++<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
++<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
++<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
++<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
++</tbody></table>
++ <p>When set to 'None', 'Lax', or 'Strict', the 'SameSite' cookie attribute
++ is added to this modules tracking cookie with the corresponding value.
++ This attribute instructs browser on how to treat the cookie when it is
++ requested in a cross-site context.</p>
++
++ <div class="note">
++ <p>A value of 'None' sets 'SameSite=None', which is the most liberal setting. To
++ omit this attribute, omit the directive entirely.</p>
++ </div>
++
++
++</div>
++<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
++<div class="directive-section"><h2><a name="CookieSecure" id="CookieSecure">CookieSecure</a> <a name="cookiesecure" id="cookiesecure">Directive</a></h2>
++<table class="directive">
++<tbody><tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Adds the 'Secure' attribute to the cookie</td></tr>
++<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>CookieSecure on|off</code></td></tr>
++<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>CookieSecure off</code></td></tr>
++<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
++<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>FileInfo</td></tr>
++<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
++<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_usertrack</td></tr>
++</tbody></table>
++ <p>When set to 'ON', the 'Secure' cookie attribute is added to this
++ modules tracking cookie. This attribute instructs browsers to only
++ transmit the cookie over HTTPS.</p>
++
+ </div>
+ <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+ <div class="directive-section"><h2><a name="CookieStyle" id="CookieStyle">CookieStyle</a> <a name="cookiestyle" id="cookiestyle">Directive</a></h2>
+diff --git a/modules/metadata/mod_usertrack.c b/modules/metadata/mod_usertrack.c
+index 73a9f45..65759c2 100644
+--- a/modules/metadata/mod_usertrack.c
++++ b/modules/metadata/mod_usertrack.c
+@@ -86,6 +86,9 @@ typedef struct {
+ const char *cookie_domain;
+ char *regexp_string; /* used to compile regexp; save for debugging */
+ ap_regex_t *regexp; /* used to find usertrack cookie in cookie header */
++ int is_secure;
++ int is_httponly;
++ const char *samesite;
+ } cookie_dir_rec;
+
+ /* Make Cookie: Now we have to generate something that is going to be
+@@ -143,6 +146,21 @@ static void make_cookie(request_rec *r)
+ : ""),
+ NULL);
+ }
++ if (dcfg->samesite != NULL) {
++ new_cookie = apr_pstrcat(r->pool, new_cookie, "; ",
++ dcfg->samesite,
++ NULL);
++ }
++ if (dcfg->is_secure) {
++ new_cookie = apr_pstrcat(r->pool, new_cookie, "; Secure",
++ NULL);
++ }
++ if (dcfg->is_httponly) {
++ new_cookie = apr_pstrcat(r->pool, new_cookie, "; HttpOnly",
++ NULL);
++ }
++
++
+
+ apr_table_addn(r->err_headers_out,
+ (dcfg->style == CT_COOKIE2 ? "Set-Cookie2" : "Set-Cookie"),
+@@ -269,6 +287,7 @@ static void *make_cookie_dir(apr_pool_t *p, char *d)
+ dcfg->cookie_domain = NULL;
+ dcfg->style = CT_UNSET;
+ dcfg->enabled = 0;
++ /* calloc'ed to disabled: samesite, is_secure, is_httponly */
+
+ /* In case the user does not use the CookieName directive,
+ * we need to compile the regexp for the default cookie name. */
+@@ -429,6 +448,31 @@ static const char *set_cookie_style(cmd_parms *cmd, void *mconfig,
+ return NULL;
+ }
+
++/*
++ * SameSite enabled disabled
++ */
++
++static const char *set_samesite_value(cmd_parms *cmd, void *mconfig,
++ const char *name)
++{
++ cookie_dir_rec *dcfg;
++
++ dcfg = (cookie_dir_rec *) mconfig;
++
++ if (strcasecmp(name, "strict") == 0) {
++ dcfg->samesite = "SameSite=Strict";
++ } else if (strcasecmp(name, "lax") == 0) {
++ dcfg->samesite = "SameSite=Lax";
++ } else if (strcasecmp(name, "none") == 0) {
++ dcfg->samesite = "SameSite=None";
++ } else {
++ return "CookieSameSite accepts 'Strict', 'Lax', or 'None'";
++ }
++
++
++ return NULL;
++}
++
+ static const command_rec cookie_log_cmds[] = {
+ AP_INIT_TAKE1("CookieExpires", set_cookie_exp, NULL, OR_FILEINFO,
+ "an expiry date code"),
+@@ -440,6 +484,17 @@ static const command_rec cookie_log_cmds[] = {
+ "whether or not to enable cookies"),
+ AP_INIT_TAKE1("CookieName", set_cookie_name, NULL, OR_FILEINFO,
+ "name of the tracking cookie"),
++ AP_INIT_FLAG("CookieTracking", set_cookie_enable, NULL, OR_FILEINFO,
++ "whether or not to enable cookies"),
++ AP_INIT_TAKE1("CookieSameSite", set_samesite_value, NULL, OR_FILEINFO,
++ "SameSite setting"),
++ AP_INIT_FLAG("CookieSecure", ap_set_flag_slot,
++ (void *)APR_OFFSETOF(cookie_dir_rec, is_secure), OR_FILEINFO,
++ "is cookie secure"),
++ AP_INIT_FLAG("CookieHttpOnly", ap_set_flag_slot,
++ (void *)APR_OFFSETOF(cookie_dir_rec, is_httponly),OR_FILEINFO,
++ "is cookie http only"),
++
+ {NULL}
+ };
+
diff --git a/SOURCES/httpd.conf.xml b/SOURCES/httpd.conf.xml
new file mode 100644
index 0000000..705e527
--- /dev/null
+++ b/SOURCES/httpd.conf.xml
@@ -0,0 +1,259 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+]>
+<!--
+ Copyright 2018 Red Hat, Inc.
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<refentry>
+ <refentryinfo>
+ <title>httpd.conf</title>
+ <productname>httpd</productname>
+ <author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>httpd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>httpd.conf</refname>
+ <refpurpose>Configuration files for httpd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para>
+ <filename>/etc/httpd/conf/httpd.conf</filename>,
+ <filename>/etc/httpd/conf.modules.d</filename>,
+ <filename>/etc/httpd/conf.d</filename>
+ </para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>The main configuration file for the <command>httpd</command> daemon is
+ <filename>/etc/httpd/conf/httpd.conf</filename>. The syntax of
+ this file is described at <ulink
+ url="https://httpd.apache.org/docs/2.4/configuring.html"/>, and
+ the full set of available directives is listed at <ulink
+ url="https://httpd.apache.org/docs/2.4/mod/directives.html"/>.
+ </para>
+
+ <refsect2>
+ <title>Configuration structure</title>
+
+ <para>The main configuration file
+ (<filename>httpd.conf</filename>) sets up various defaults and
+ includes configuration files from two directories -
+ <filename>/etc/httpd/conf.modules.d</filename> and
+ <filename>/etc/httpd/conf.d</filename>. Packages containing
+ loadable modules (like <option>mod_ssl.so</option>) place files
+ in the <filename>conf.modules.d</filename> directory with the
+ appropriate <option>LoadModule</option> directive so that module
+ is loaded by default.</para>
+
+ <para>Some notable configured defaults are:.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>DocumentRoot @DOCROOT@/html</option></term>
+ <listitem><para>The default document root from which content
+ is served.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>Listen 80</option></term>
+ <listitem><para>The daemon lists on TCP port 80.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>ErrorLog "logs/error_log"</option></term>
+ <listitem><para>Error messages are logged to
+ <filename>@LOGDIR@/error_log</filename>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>ScriptAlias /cgi-bin/ "@DOCROOT@/cgi-bin/"</option></term>
+ <listitem><para>CGI scripts are served via the URL-path <option>/cgi-bin/</option>.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <para>To remove any of the default configuration provided in
+ separate files covered below, replace that file with an empty
+ file rather than removing it from the filesystem, otherwise it
+ may be restored to the original when the package which provides
+ it is upgraded.</para>
+
+ </refsect2>
+
+ <refsect2>
+ <title>MPM configuration</title>
+
+ <para>The configuration file at
+ <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> is
+ used to select the multi-processing module (MPM), which governs
+ how <command>httpd</command> divides work between processes
+ and/or threads at run-time. Exactly one
+ <option>LoadModule</option> directive must be uncommented in
+ this file; by default the <option>@MPM@</option> MPM is enabled.
+ For more information on MPMs, see <ulink
+ url="https://httpd.apache.org/docs/2.4/mpm.html"/>.</para>
+
+ <para>If using the <emphasis>prefork</emphasis> MPM, the
+ "httpd_graceful_shutdown" SELinux boolean should also be
+ enabled, since with this MPM, httpd needs to establish TCP
+ connections to local ports to successfully complete a graceful
+ restart or shutdown. This boolean can be enabled by running the
+ command: <command>semanage boolean -m --on
+ httpd_graceful_shutdown</command></para>
+ </refsect2>
+
+ <refsect2>
+ <title>Module configuration files</title>
+
+ <para>Module configuration files are provided in the
+ <filename>/etc/httpd/conf.modules.d/</filename> directory. Filenames
+ in this directory are by convention prefixed with two digit numeric
+ prefix to ensure they are processed in the desired order. Core
+ modules provide with the <command>httpd</command> package are
+ loaded by files with a <option>0x-</option> prefix to ensure
+ these are loaded first. Only filenames with a
+ <option>.conf</option> suffix in this directory will be
+ processed.</para>
+
+ <para>Other provided configuration files are listed below.
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.modules.d/00-base.conf</filename></term>
+ <listitem><para>The set of core modules included with
+ <command>httpd</command> which are all loaded by
+ default.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.modules.d/00-optional.conf</filename></term>
+ <listitem><para>The set of non-core modules included with
+ <command>httpd</command> which are <emphasis>not</emphasis>
+ loaded by default.</para></listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.modules.d/00-systemd.conf</filename></term>
+ <listitem><para>This file loads <option>mod_systemd</option>
+ which is necessary for the correct operation of the
+ <command>httpd.service</command> service, and should not be
+ removed or disabled.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect2>
+
+ <refsect2>
+ <title>Other configuration files</title>
+
+ <para>Default module configuration files and site-specific
+ configuration files are loaded from the
+ <filename>/etc/httpd/conf.d/</filename> directory. Only files
+ with a <option>.conf</option> suffix will be loaded. The
+ following files are provided:
+
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.d/userdir.conf</filename></term>
+ <listitem><para>This file gives an example configuration for
+ <option>mod_userdir</option> to map URLs such as
+ <option>http://localhost/~jim/</option> to
+ <filename>/home/jim/public_html/</filename>. Userdir mapping
+ is disabled by default.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.d/autoindex.conf</filename></term>
+ <listitem><para>This file provides the default configuration
+ for <option>mod_autoindex</option> which generates HTML
+ directory listings when enabled. It also makes file icon
+ image files available at the <option>/icons/</option>
+ URL-path.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.d/welcome.conf</filename></term>
+ <listitem><para>This file enables a "welcome page" at
+ <option>http://localhost/</option> if no content is present
+ in the default documentation root
+ <filename>/var/www/html</filename>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/etc/httpd/conf.d/ssl.conf</filename> (present only if <option>mod_ssl</option> is installed)</term>
+ <listitem><para>This file configures a TLS
+ <option>VirtualHost</option> listening on port
+ <option>443</option>. If the default configuration is used,
+ the referenced test certificate and private key are
+ generated the first time <command>httpd.service</command> is
+ started; see
+ <citerefentry><refentrytitle>httpd-init.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for more information.</para></listitem>
+ </varlistentry>
+
+ </variablelist></para>
+ </refsect2>
+
+ <refsect2>
+ <title>Instantiated services</title>
+
+ <para>As an alternative to (or in addition to) the
+ <command>httpd.service</command> unit, the instantiated template
+ service <command>httpd@.service</command> unit file can be used,
+ which starts <command>httpd</command> using a different
+ configuration file to the default. For example,
+ <command>systemctl start httpd@foobar.service</command> will
+ start httpd using the configuration file
+ <filename>/etc/httpd/conf/foobar.conf</filename>. See <citerefentry><refentrytitle>httpd@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for more information.</para>
+ </refsect2>
+
+ </refsect1>
+ <refsect1>
+ <title>Files</title>
+
+ <para>
+ <filename>/etc/httpd/conf/httpd.conf</filename>,
+ <filename>/etc/httpd/conf.d</filename>,
+ <filename>/etc/httpd/conf.modules.d</filename>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>See also</title>
+
+ <para>
+ <citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>httpd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <ulink url="https://httpd.apache.org/docs/2.4/configuring.html"/>,
+ <ulink url="https://httpd.apache.org/docs/2.4/mod/directives.html"/>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!-- LocalWords: systemd PidFile
+-->
diff --git a/SOURCES/httpd.service.xml b/SOURCES/httpd.service.xml
new file mode 100644
index 0000000..b2c72dd
--- /dev/null
+++ b/SOURCES/httpd.service.xml
@@ -0,0 +1,332 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+]>
+<!--
+ Copyright 2018 Red Hat, Inc.
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<refentry>
+ <refentryinfo>
+ <title>httpd systemd units</title>
+ <productname>httpd</productname>
+ <author><contrib>Author</contrib><surname>Orton</surname><firstname>Joe</firstname><email>jorton@redhat.com</email></author>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>httpd.service</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>httpd.service</refname>
+ <refname>httpd@.service</refname>
+ <refname>httpd.socket</refname>
+ <refname>httpd-init.service</refname>
+ <refpurpose>httpd unit files for systemd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para>
+ <filename>/usr/lib/systemd/system/httpd.service</filename>,
+ <filename>/usr/lib/systemd/system/httpd@.service</filename>,
+ <filename>/usr/lib/systemd/system/httpd-init.service</filename>,
+ <filename>/usr/lib/systemd/system/httpd.socket</filename>
+ </para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>This manual page describes the <command>systemd</command>
+ unit files used to integrate the <command>httpd</command> daemon
+ with <command>systemd</command>. Two main unit files are
+ available: <command>httpd.service</command> allows the
+ <command>httpd</command> daemon to be run as a system service, and
+ <command>httpd.socket</command> allows httpd to be started via
+ socket-based activation. Most systems will use
+ <command>httpd.service</command>.</para>
+
+ <para>The <command>apachectl</command> command has been modified
+ to invoke <command>systemctl</command> for most uses, so for
+ example, running <command>apachectl start</command> is equivalent
+ to running <command>systemctl start httpd.service</command>. This
+ ensures that the running httpd daemon is tracked and managed by
+ <command>systemd</command>. In contrast, running
+ <command>httpd</command> directly from a root shell will start the
+ service outside of <command>systemd</command>; in this case,
+ default security restrictions described below (including, but not
+ limited to, SELinux) will not be enforced.</para>
+
+ <refsect2>
+ <title>Changing default behaviour</title>
+
+ <para>To change the default behaviour of the httpd service, an
+ <emphasis>over-ride</emphasis> file should be created, rather
+ than changing
+ <filename>/usr/lib/systemd/system/httpd.service</filename>
+ directly, since such changes would be lost over package
+ upgrades. Running <command>systemctl edit
+ httpd.service</command> or <command>systemctl edit
+ httpd.socket</command> as root will create a drop-in file (in
+ the former case, in
+ <filename>/etc/systemd/system/httpd.service.d</filename>) which
+ over-rides the system defaults.</para>
+
+ <para>For example, to set the <option>LD_LIBRARY_PATH</option>
+ environment variable for the daemon, run <command>systemctl edit
+ httpd.service</command> and enter:
+
+ <programlisting>[Service]
+Environment=LD_LIBRARY_PATH=/opt/vendor/lib</programlisting></para>
+ </refsect2>
+
+ <refsect2>
+ <title>Starting the service at boot time</title>
+
+ <para>The httpd.service and httpd.socket units are
+ <emphasis>disabled</emphasis> by default. To start the httpd
+ service at boot time, run: <command>systemctl enable
+ httpd.service</command>. In the default configuration, the
+ httpd daemon will accept connections on port 80 (and, if mod_ssl
+ is installed, TLS connections on port 443) for any configured
+ IPv4 or IPv6 address.</para>
+
+ <para>If httpd is configured to depend on any specific IP
+ address (for example, with a "Listen" directive) which may only
+ become available during start-up, or if httpd depends on other
+ services (such as a database daemon), the service
+ <emphasis>must</emphasis> be configured to ensure correct
+ start-up ordering.</para>
+
+ <para>For example, to ensure httpd is only running after all
+ configured network interfaces are configured, create a drop-in
+ file (as described above) with the following section:
+
+ <programlisting>[Unit]
+After=network-online.target
+Wants=network-online.target</programlisting>
+
+ See <ulink
+ url="https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/"/>
+ for more information on start-up ordering with systemd.</para>
+
+ </refsect2>
+
+ <refsect2>
+ <title>SSL/TLS certificate generation</title>
+
+ <para>The <command>httpd-init.service</command> unit is provided
+ with the mod_ssl package. This oneshot unit automatically
+ creates a TLS server certificate and key (using a generated
+ self-signed CA certificate and key) for testing purposes before
+ httpd is started. To inhibit certificate generation, use
+ <command>systemctl mask httpd-init.service</command> after
+ installing mod_ssl, and adjust the mod_ssl configuration to use
+ an appropriate certificate and key.</para>
+
+ </refsect2>
+
+ <refsect2>
+ <title>Reloading and stopping the service</title>
+
+ <para>When running <command>systemctl reload
+ httpd.service</command>, a <emphasis>graceful</emphasis>
+ restart is used, which sends a signal to the httpd parent
+ process to reload the configuration and re-open log files. Any
+ children with open connections at the time of reload will
+ terminate only once they have completed serving requests. This
+ prevents users of the server seeing errors (or potentially
+ losing data) due to the reload, but means some there is some
+ delay before any configuration changes take effect for all
+ users.</para>
+
+ <para>Similarly, a <emphasis>graceful stop</emphasis> is used
+ when <command>systemctl stop httpd.service</command> is run,
+ which terminates the server only once active connections have
+ been processed.</para>
+
+ <para>To "ungracefully" stop the server without waiting for
+ requests to complete, use <command>systemctl kill
+ --kill-who=main httpd</command>; similarly to "ungracefully"
+ reload the configuration, use <command>systemctl kill
+ --kill-who=main --signal=HUP httpd</command>.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Automated service restarts</title>
+
+ <para>System packages (including the httpd package itself) may
+ restart the httpd service automatically after packages are
+ upgraded, installed, or removed. This is done using the
+ <command>systemctl reload httpd.service</command>, which
+ produces a <emphasis>graceful</emphasis> restart by default as
+ described above.</para>
+
+ <para>To suppress automatic reloads entirely, create the file
+ <filename>/etc/sysconfig/httpd-disable-posttrans</filename>.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Changing the default MPM (Multi-Processing Module)</title>
+
+ <para>httpd offers a choice of multi-processing modules (MPMs),
+ which can be configured in
+ <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>.
+ See
+ <citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for more information on changing the MPM.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>systemd integration and mod_systemd</title>
+
+ <para>The httpd service uses the <option>notify</option> systemd
+ service type. The <literal>mod_systemd</literal> module must be
+ loaded (as in the default configuration) for this to work
+ correctly - the service will fail if this module is not
+ loaded. <literal>mod_systemd</literal> also makes worker and
+ request statistics available when running <command>systemctl status
+ httpd</command>. See
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for more information on systemd service types.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Security and SELinux</title>
+
+ <para>The default SELinux policy restricts the httpd service in
+ various ways. For example, the default policy limits the ports
+ to which httpd can bind (using the <literal>Listen</literal>
+ directive), which parts of the filesystem can be accessed, and
+ whether outgoing TCP connections are possible. Many of these
+ restrictions can be relaxed or adjusted by using
+ <command>semanage</command> to change booleans or other
+ types. See
+ <citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for more information.</para>
+
+ <para>The httpd service enables <emphasis>PrivateTmp</emphasis>
+ by default. The <filename>/tmp</filename> and
+ <filename>/var/tmp</filename> directories available within the
+ httpd process (and CGI scripts, etc) are not shared by other
+ processes. See
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for more information.</para>
+
+ </refsect2>
+
+ <refsect2>
+ <title>Socket activation</title>
+
+ <para>Socket activation (see
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for more information) can be used with <command>httpd</command>
+ by enabling the <command>httpd.socket</command> unit. The
+ <command>httpd</command> listener configuration must exactly
+ match the <literal>ListenStream</literal> options configured for
+ the <command>httpd.socket</command> unit. The default
+ <command>httpd.socket</command> has a
+ <literal>ListenStream=80</literal> and, if mod_ssl is installed,
+ <literal>ListenStream=443</literal> by a drop-in file. If
+ additional <literal>Listen</literal> directives are added to the
+ httpd configuration, corresponding
+ <literal>ListenStream</literal> options should be added via
+ drop-in files, for example via <command>systemctl edit
+ httpd.socket</command>.</para>
+
+ <para>If using socket activation with httpd, only one listener
+ on any given TCP port is supported; a configuration with both
+ "<literal>Listen 127.0.0.1:80</literal>" and "<literal>Listen
+ 192.168.1.2:80</literal>" will not work.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Instantiated services</title>
+
+ <para>The <command>httpd@.service</command> unit is an
+ instantiated template service. An instance of this unit will be
+ started using the configuration file
+ <filename>/etc/httpd/conf/INSTANCE.conf</filename>, where
+ <emphasis>INSTANCE</emphasis> is replaced with the instance
+ name. For example, <command>systemctl start
+ httpd@foobar.service</command> will start httpd using the
+ configuration file
+ <filename>/etc/httpd/conf/foobar.conf</filename>. The
+ <option>HTTPD_INSTANCE</option> environment variable is set to
+ the instance name by the unit and is available for use within
+ the configuration file.</para>
+
+ <para>To allow multiple instances of httpd to run
+ simultaneously, a number of configuration directives must be
+ changed, such as <command>PidFile</command> and
+ <command>DefaultRuntimeDir</command> to pick non-conflicting
+ paths, and <command>Listen</command> to choose different ports.
+ The example configuration file
+ <filename>/usr/share/doc/httpd/instance.conf</filename>
+ demonstrates how to make such changes using
+ <option>HTTPD_INSTANCE</option> variable.</para>
+
+ <para>It can be useful to configure instances of
+ <command>httpd@.service</command> to reload when
+ <command>httpd.service</command> is reloaded; for example,
+ <command>logrotate</command> will reload only
+ <command>httpd.service</command> when logs are rotated. If this
+ behaviour is required, create a drop-in file for the instance as
+ follows:
+
+ <programlisting>[Unit]
+ReloadPropagatedFrom=httpd.service</programlisting>
+
+ As with normal units, drop-in files for instances can be created
+ using <command>systemctl edit</command>, e.g. <command>systemctl edit
+ httpd@foobar.service</command>.</para>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1>
+ <title>Files</title>
+
+ <para><filename>/usr/lib/systemd/system/httpd.service</filename>,
+ <filename>/usr/lib/systemd/system/httpd.socket</filename>,
+ <filename>/usr/lib/systemd/system/httpd@.service</filename>,
+ <filename>/etc/systemd/systemd/httpd.service.d</filename></para>
+ </refsect1>
+
+ <refsect1>
+ <title>See also</title>
+
+ <para>
+ <citerefentry><refentrytitle>httpd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>httpd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>httpd_selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!-- LocalWords: systemd PidFile
+-->
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index 5158e8b..37b7394 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,4 +16,4 @@
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /poweredby.png /usr/share/httpd/icons/apache_pb2.png
\ No newline at end of file
+Alias /poweredby.png /usr/share/httpd/icons/apache_pb3.png
\ No newline at end of file
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 9d9b886..b6c0e69 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
-Release: 39%{?dist}
+Release: 41%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate
@@ -54,6 +54,7 @@ Source42: httpd-init.service
Source43: httpd-ssl-gencerts
Source44: httpd@.service
Source45: config.layout
+Source46: apache-poweredby.png
# build/scripts patches
# http://bugzilla.redhat.com/show_bug.cgi?id=1231924
@@ -101,6 +102,8 @@ Patch38: httpd-2.4.37-pr37355.patch
Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1883648
Patch40: httpd-2.4.37-ssl-proxy-chains.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1935742
+Patch41: httpd-2.4.37-usertrack-samesite.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@@ -150,6 +153,12 @@ Patch83: httpd-2.4.37-r1878890.patch
Patch84: httpd-2.4.37-r1878280.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1891594
Patch85: httpd-2.4.37-htcacheclean-dont-break.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1937334
+Patch86: httpd-2.4.37-r1873907.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1680111
+Patch87: httpd-2.4.37-reply-two-tls-rec.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1905613
+Patch88: httpd-2.4.37-r1845768+.patch
# Security fixes
Patch200: httpd-2.4.37-r1851471.patch
@@ -179,6 +188,10 @@ Patch209: httpd-2.4.37-CVE-2020-1934.patch
Patch210: httpd-2.4.37-CVE-2018-17199.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1866563
Patch211: httpd-2.4.37-CVE-2020-11984.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1972500
+Patch212: httpd-2.4.37-CVE-2021-30641.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1968307
+Patch213: httpd-2.4.37-CVE-2021-26690.patch
License: ASL 2.0
Group: System Environment/Daemons
@@ -188,7 +201,8 @@ BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
BuildRequires: systemd-devel
# web server testpage added to redhat-logos in 82.0 (rhbz1896319)
-Requires: /etc/mime.types, system-logos-httpd >= 82.0
+# new logo requires new footer copyring which was added in rhbz1934800
+Requires: /etc/mime.types, system-logos(httpd-logo-ng)
Obsoletes: httpd-suexec
Provides: webserver
Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
@@ -328,6 +342,7 @@ interface for storing and accessing per-user session data.
%patch38 -p1 -b .pr37355
%patch39 -p1 -b .proxy-ws-idle-timeout
%patch40 -p1 -b .ssl-proxy-chains
+%patch41 -p1 -b .usertrack-samesite
%patch61 -p1 -b .r1738878
%patch62 -p1 -b .r1633085
@@ -352,6 +367,9 @@ interface for storing and accessing per-user session data.
%patch83 -p1 -b .r1878890
%patch84 -p1 -b .r1878280
%patch85 -p1 -b .htcacheclean-dont-break
+%patch86 -p1 -b .r1873907
+%patch87 -p1 -b .reply-two-tls-rec
+%patch88 -p1 -b .r1845768+
%patch200 -p1 -b .r1851471
%patch201 -p1 -b .CVE-2019-0211
@@ -365,6 +383,8 @@ interface for storing and accessing per-user session data.
%patch209 -p1 -b .CVE-2020-1934
%patch210 -p1 -b .CVE-2018-17199
%patch211 -p1 -b .CVE-2020-11984
+%patch212 -p1 -b .CVE-2021-30641
+%patch213 -p1 -b .CVE-2021-26690
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -391,6 +411,9 @@ if test "x${vmmn}" != "x%{mmn}"; then
exit 1
fi
+# A new logo which comes together with a new test page
+cp %{SOURCE46} ./docs/icons/apache_pb3.png
+
# Provide default layout
cp $RPM_SOURCE_DIR/config.layout .
@@ -867,8 +890,19 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
-* Tue Mar 30 2021 CentOS Sources <bugs@centos.org> - 2.4.37-39.el8.centos
-- Apply debranding changes
+* Fri Jul 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-41
+- Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
+- Resolves: #1905613 - mod_ssl does not like valid certificate chain
+- Resolves: #1935742 - [RFE] backport samesite/httponly/secure flags for
+ usertrack
+- Resolves: #1972500 - CVE-2021-30641 httpd:2.4/httpd: MergeSlashes regression
+- Resolves: #1968307 - CVE-2021-26690 httpd:2.4/httpd: mod_session NULL pointer
+ dereference in parser
+- Resolves: #1934741 - Apache trademark update - new logo
+
+* Fri May 14 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-40
+- Resolves: #1952557 - mod_proxy_wstunnel.html is a malformed XML
+- Resolves: #1937334 - SSLProtocol with based virtual hosts
* Tue Jan 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 2.4.37-39
- prevent htcacheclean from while break when first file processed