Adding debian version 2.4.38-3+deb10u8.debian/2.4.38-3+deb10u8

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 20 insertions, 0 deletions

diff --git a/debian/patches/CVE-2021-26690.patch b/debian/patches/CVE-2021-26690.patch
new file mode 100644
index 0000000..72c7457
--- /dev/null
+++ b/debian/patches/CVE-2021-26690.patch
@@ -0,0 +1,20 @@
+Description: <short summary of the patch>
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/67bd9bfe
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-26690
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -392,8 +392,8 @@
+         char *plast = NULL;
+         const char *psep = "=";
+         char *key = apr_strtok(pair, psep, &plast);
+-        char *val = apr_strtok(NULL, psep, &plast);
+         if (key && *key) {
++	    char *val = apr_strtok(NULL, sep, &plast);
+             if (!val || !*val) {
+                 apr_table_unset(z->entries, key);
+             }