1 files changed, 39 insertions, 0 deletions

diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
new file mode 100644
index 000000000..d3aea9e12
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
@@ -0,0 +1,39 @@
+From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:07:08 +0000
+Subject: [PATCH] mod_session: save one apr_strtok() in
+ session_identity_decode().
+
+When the encoding is invalid (missing '='), no need to parse further.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-26690
+
+Reference to upstream patch:
+https://security-tracker.debian.org/tracker/CVE-2021-26690
+https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index ebd05b0..af70f6b 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
+         char *plast = NULL;
+         const char *psep = "=";
+         char *key = apr_strtok(pair, psep, &plast);
+-        char *val = apr_strtok(NULL, psep, &plast);
+         if (key && *key) {
++            char *val = apr_strtok(NULL, sep, &plast);
+             if (!val || !*val) {
+                 apr_table_unset(z->entries, key);
+             }
+-- 
+2.7.4
+