1 files changed, 35 insertions, 0 deletions

diff --git a/debian/patches/0054-CVE-2023-25690-2.patch b/debian/patches/0054-CVE-2023-25690-2.patch
new file mode 100644
index 0000000..978be78
--- /dev/null
+++ b/debian/patches/0054-CVE-2023-25690-2.patch
@@ -0,0 +1,35 @@
+From 8b93a6512f14f5f68887ddfe677e91233ed79fb0 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Mon, 6 Mar 2023 10:00:09 +0000
+Subject: [PATCH] [2/2] Fix CVE-2023-25690: HTTP Request Smuggling in mod_proxy*
+
+* modules/http2/mod_proxy_http2.c: Fix missing APLOGNO.
+
+Submitted by: jorton
+Reviewed by: rpluem
+
+Note: mod_proxy_http2 is CTR on 2.4.x.
+
+bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-25690
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032476
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-25690
+origin: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908118 13f79535-47bb-0310-9956-ffa450edef68
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1908118 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http2/mod_proxy_http2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
+index aa299b937a5..2a9967e5d57 100644
+--- a/modules/http2/mod_proxy_http2.c
++++ b/modules/http2/mod_proxy_http2.c
+@@ -163,7 +163,7 @@ static int proxy_http2_canon(request_rec *r, char *url)
+                  * We have a raw control character or a ' ' in r->args.
+                  * Correct encoding was missed.
+                  */
+-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
++                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
+                               "To be forwarded query string contains control "
+                               "characters or spaces");
+                 return HTTP_FORBIDDEN;
+