diff --git a/CVE-2020-13950.patch b/CVE-2020-13950.patch
new file mode 100644
index 0000000000000000000000000000000000000000..93ac8414063c98856d624b53537d5d38342c4e46
--- /dev/null
+++ b/CVE-2020-13950.patch
@@ -0,0 +1,36 @@
+From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Mon, 11 May 2015 15:48:58 +0000
+Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
+ may be NULL during prefetch, don't try to dereference it! Still
+ origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 044bfcd..4a5b851 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -577,7 +577,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+ apr_off_t bytes;
+ int force10, rv;
+ apr_read_type_e block;
+- conn_rec *origin = p_conn->connection;
+
+ if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+ if (req->expecting_100) {
+@@ -637,7 +636,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+ "chunked body with Content-Length (C-L ignored)",
+ c->client_ip, c->remote_host ? c->remote_host: "");
+ req->old_cl_val = NULL;
+- origin->keepalive = AP_CONN_CLOSE;
+ p_conn->close = 1;
+ }
+
+--
+2.23.0
+
diff --git a/CVE-2020-35452.patch b/CVE-2020-35452.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5f862355245feccfd607c96b4288e4af40b4c66e
--- /dev/null
+++ b/CVE-2020-35452.patch
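Review bot: In CVE-2020-13950.patch, the second hunk of modules/proxy/mod_proxy_http.c leaves `p_conn->close = 1;` as the only signal that the backend connection must not be reused once the `origin->keepalive = AP_CONN_CLOSE;` line is gone, and nothing at that spot says why. The commit message states that proxy_http_handler sets origin->keepalive from p_conn->close, but that caller is outside both hunks, so it should be checked against the 2.4.43 tree this patch is applied to (the embedded commit is trunk r1678771). I would add a comment above the assignment, e.g. `/* p_conn->connection may still be NULL here; the caller derives origin->keepalive from p_conn->close */`. ap_proxy_http_prefetch starts and ends outside the hunks.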
@@ -0,0 +1,38 @@
+From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Mon, 18 Jan 2021 17:39:12 +0000
+Subject: [PATCH] Merge r1885659 from trunk:
+
+mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+ the format can't match anyway.
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, jailletc36
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/aaa/mod_auth_digest.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
+index 1b5a204278f..d126387cc7f 100644
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1426,9 +1426,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
+ time_rec nonce_time;
+ char tmp, hash[NONCE_HASH_LEN+1];
+
+- if (strlen(resp->nonce) != NONCE_LEN) {
++ /* Since the time part of the nonce is a base64 encoding of an
++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++ */
++ if (strlen(resp->nonce) != NONCE_LEN
++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+- "invalid nonce %s received - length is not %d",
++ "invalid nonce '%s' received - length is not %d "
++ "or time encoding is incorrect",
+ resp->nonce, NONCE_LEN);
+ note_digest_auth_failure(r, conf, resp, 1);
+ return HTTP_UNAUTHORIZED;
diff --git a/httpd.spec b/httpd.spec
index 0b8caa7d2aef36c93a7213c049f9ab29a4cbddec..cb0b051615e14ca0d2112e6565957bf50e7521e0 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.43 -Release: 5 +Release: 6 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
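Review bot: In CVE-2020-35452.patch, the comment added in check_nonce (modules/aaa/mod_auth_digest.c) describes the new `resp->nonce[NONCE_TIME_LEN - 1] != '='` test as failing early, which reads like an optimisation, while the patch file name marks it as the security fix. Presumably the padding character is what keeps the base64 decode of the time part, which happens after this hunk, within the 8 bytes of `nonce_time`; the comment should say so, so the test is not relaxed later, e.g. `/* Without the trailing '=', the time part could decode to more than sizeof(apr_time_t) bytes. */`. The index is only read when the length already equals NONCE_LEN because of the `||` short-circuit, which is worth keeping in that order. The combined log text no longer tells the two rejection causes apart; separate messages would help whoever triages 401s on digest-protected paths. check_nonce continues outside the hunk.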
@@ -70,6 +70,8 @@ Patch16: CVE-2020-11984.patch Patch17: CVE-2020-11993.patch Patch18: CVE-2020-9490.patch Patch19: CVE-2021-26691.patch +Patch20: CVE-2020-13950.patch +Patch21: CVE-2020-35452.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -506,6 +508,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon Jun 21 2021 yanglu - 2.4.43-6 +- Type:cves +- ID:CVE-2020-13950 CVE-2020-35452 +- SUG:NA +- DESC:fix CVE-2020-13950 CVE-2020-35452 + * Wed Jun 16 2021 yanglu - 2.4.43-5 - Type:cves - ID:CVE-2021-26691