new file mode 100644
@@ -0,0 +1,37 @@
+From d93e61e3e9622bacff746772cb9c97fdcaed8baf Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Tue, 10 Jan 2023 13:20:55 +0000
+Subject: [PATCH] CVE-2022-36760
+
+SECURITY: CVE-2022-36760 (cve.mitre.org)
+
+Ensure connection closure for an invalid Transfer-Encoding header,
+to prevent HTTP request smuggling attack with an AJP proxy.
+
+cleanup on error
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1906542 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport [https://github.com/apache/httpd/commit/d93e61e3e9622bacff746772cb9c97fdcaed8baf]
+CVE: CVE-2022-36760
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ modules/proxy/mod_proxy_ajp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index 226ad9b..1449aca 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -257,6 +257,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
+ "%s Transfer-Encoding is not supported",
+ tenc);
++ /* We had a failure: Close connection to backend */
++ conn->close = 1;
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ } else {
+--
+2.25.1
+
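Review bot: The embedded fix sets `conn->close = 1;` only in the unsupported Transfer-Encoding branch, and ap_proxy_ajp_request starts and continues outside the hunk, so this backport does not show whether the function's other error returns also keep a failed backend connection out of reuse. It is worth checking the patched 2.4.54 source to confirm that they do, since the smuggling risk named in the commit message comes from a backend connection being reused after a rejected request. As rendered here, the context lines of the embedded hunk carry no indentation; if the stored file matches this rather than it being a display artifact, confirm that do_patch applies it without fuzz.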
@@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
file://0007-apache2-allow-to-disable-selinux-support.patch \
file://0008-Fix-perl-install-directory-to-usr-bin.patch \
file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \
+ file://CVE-2022-36760.patch \
"
SRC_URI:append:class-target = " \
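Review bot: The recipe stays at 2.4.54 and gains only this one backport, so any other security fix shipped in the same upstream release as commit d93e61e3 is not picked up by this change. Checking that release's changelog and the layer's CVE scan output for 2.4.54 would show whether further backports or a version upgrade are needed. The `CVE: CVE-2022-36760` tag in the patch header is what lets the CVE checker mark this issue as patched, so it should stay in exactly that form.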
Upstream-Status: Backport from https://github.com/apache/httpd/commit/d93e61e3e9622bacff746772cb9c97fdcaed8baf Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../apache2/apache2/CVE-2022-36760.patch | 37 +++++++++++++++++++ .../recipes-httpd/apache2/apache2_2.4.54.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2022-36760.patch