diff --git a/SOURCES/httpd-2.4.34-CVE-2021-40438.patch b/SOURCES/httpd-2.4.34-CVE-2021-40438.patch
new file mode 100644
index 0000000..57aa7ce
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-CVE-2021-40438.patch
@@ -0,0 +1,29 @@
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index f383996..6a9ef55 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1717,7 +1717,8 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
+      * the UDS path... ignore it
+      */
+     if (!strncasecmp(url, "unix:", 5) &&
+-        ((ptr = ap_strchr_c(url, '|')) != NULL)) {
++        ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
++
+         /* move past the 'unix:...|' UDS path info */
+         const char *ret, *c;
+ 
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 7714b6c..421f910 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2090,8 +2090,8 @@ static void fix_uds_filename(request_rec *r, char **url)
+     if (!r || !r->filename) return;
+ 
+     if (!strncmp(r->filename, "proxy:", 6) &&
+-            (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
+-            (ptr = ap_strchr(ptr2, '|'))) {
++            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
++            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
+         apr_uri_t urisock;
+         apr_status_t rv;
+         *ptr = '\0';
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 0435183..4f53c20 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -51,7 +51,7 @@
 Summary: Apache HTTP Server
 Name: %{?scl:%scl_prefix}httpd
 Version: 2.4.34
-Release: 22%{?dist}
+Release: 22%{?dist}.1
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -176,6 +176,8 @@ Patch210: httpd-2.4.34-CVE-2020-9490.patch
 Patch211: httpd-2.4.34-CVE-2020-11984.patch
 # httpd-2.4.34-CVE-2020-11993.patch
 Patch212: httpd-2.4.34-CVE-2020-11993.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2007237
+Patch213: httpd-2.4.34-CVE-2021-40438.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -395,6 +397,7 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH
 %patch210 -p1 -b .CVE-2020-9490
 %patch211 -p1 -b .CVE-2020-11984
 %patch212 -p1 -b .CVE-2020-11993
+%patch213 -p1 -b .CVE-2021-40438
 
 # Patch in the vendor string and the release string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -801,7 +804,7 @@ fi
 
 %postun
 %if %{use_systemd}
-%systemd_postun
+%systemd_postun %{httpd_service} %{htcacheclean_service}
 %else
 /sbin/service %{?scl:%scl_prefix}httpd condrestart >/dev/null 2>&1 || :
 %endif
@@ -1053,6 +1056,10 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.34-22.1
+- Resolves: #2007237 - CVE-2021-40438 httpd24-httpd: httpd: mod_proxy: SSRF via
+  a crafted request uri-path
+
 * Mon Sep 21 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.34-22
 - Resolves: #1869076 - CVE-2020-11984 httpd24-httpd: httpd: mod_proxy_uswgi
   buffer overflow