From f08df390cc22a25c5c81319fc57e26e1720628d6 Mon Sep 17 00:00:00 2001
From: eaglegai <eaglegai@163.com>
Date: Wed, 23 Jun 2021 11:41:36 +0800
Subject: [PATCH] fix CVE-2021-26691

(cherry picked from commit 40de1988cef504107cb0c6d26cbfc098b18090a8)
---
 CVE-2021-26690.patch | 27 +++++++++++++++++++++++++++
 httpd.spec           | 12 ++++++++++--
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2021-26690.patch

diff --git a/CVE-2021-26690.patch b/CVE-2021-26690.patch
new file mode 100644
index 0000000..2c3d49d
--- /dev/null
+++ b/CVE-2021-26690.patch
@@ -0,0 +1,27 @@
+From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:07:08 +0000
+Subject: [PATCH] mod_session: save one apr_strtok() in
+ session_identity_decode().
+
+When the encoding is invalid (missing '='), no need to parse further.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index a2b4a3e608b..01f41fe5d0f 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -413,8 +413,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
+         char *plast = NULL;
+         const char *psep = "=";
+         char *key = apr_strtok(pair, psep, &plast);
+-        char *val = apr_strtok(NULL, psep, &plast);
+         if (key && *key) {
++            char *val = apr_strtok(NULL, sep, &plast);
+             if (!val || !*val) {
+                 apr_table_unset(z->entries, key);
+             }
diff --git a/httpd.spec b/httpd.spec
index 47c3274..8d69b3a 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name:             httpd
 Summary:          Apache HTTP Server
 Version:          2.4.43
-Release:          7
+Release:          8
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -73,6 +73,7 @@ Patch19:          CVE-2021-26691.patch
 Patch20:          CVE-2020-13950.patch
 Patch21:          CVE-2020-35452.patch
 Patch22:          CVE-2021-30641.patch
+Patch23:          CVE-2021-26690.patch
 
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@@ -509,7 +510,14 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
-* Tue Jun 22 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.46-7
+* Wed Jun 23 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.43-8
+- Type:cves
+- ID:CVE-2021-26690
+- SUG:NA
+- DESC:fix CVE-2021-26690
+       modify version number in changelog
+
+* Tue Jun 22 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.43-7
 - Type:cves
 - ID:CVE-2021-30641
 - SUG:NA
-- 
Gitee