diff -Nru apache2-2.4.41/debian/changelog apache2-2.4.41/debian/changelog
--- apache2-2.4.41/debian/changelog	2020-08-12 19:46:17.000000000 +0000
+++ apache2-2.4.41/debian/changelog	2021-06-17 18:27:53.000000000 +0000
@@ -1,3 +1,31 @@
+apache2 (2.4.41-4ubuntu3.3) focal-security; urgency=medium
+
+  * SECURITY UPDATE: mod_proxy_http denial of service.
+    - debian/patches/CVE-2020-13950.patch: don't dereference NULL proxy
+      connection in modules/proxy/mod_proxy_http.c.
+    - CVE-2020-13950
+  * SECURITY UPDATE: stack overflow via Digest nonce in mod_auth_digest
+    - debian/patches/CVE-2020-35452.patch: fast validation of the nonce's
+      base64 to fail early if the format can't match anyway in
+      modules/aaa/mod_auth_digest.c.
+    - CVE-2020-35452
+  * SECURITY UPDATE: DoS via cookie header in mod_session
+    - debian/patches/CVE-2021-26690.patch: save one apr_strtok() in
+      session_identity_decode() in modules/session/mod_session.c.
+    - CVE-2021-26690
+  * SECURITY UPDATE: heap overflow via SessionHeader
+    - debian/patches/CVE-2021-26691.patch: account for the '&' in
+      identity_concat() in modules/session/mod_session.c.
+    - CVE-2021-26691
+  * SECURITY UPDATE: Unexpected matching behavior with 'MergeSlashes OFF'
+    - debian/patches/CVE-2021-30641.patch: change default behavior in
+      server/request.c.
+    - CVE-2021-30641
+  * This update does _not_ include the changes from 2.4.41-4ubuntu3.2 in
+    focal-proposed.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 17 Jun 2021 14:27:53 -0400
+
 apache2 (2.4.41-4ubuntu3.1) focal-security; urgency=medium
 
   * SECURITY UPDATE: mod_rewrite redirect issue
diff -Nru apache2-2.4.41/debian/patches/CVE-2020-13950.patch apache2-2.4.41/debian/patches/CVE-2020-13950.patch
--- apache2-2.4.41/debian/patches/CVE-2020-13950.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2020-13950.patch	2021-06-17 18:27:53.000000000 +0000
@@ -0,0 +1,33 @@
+Backport of:
+
+From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 11 May 2015 15:48:58 +0000
+Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
+ may be NULL during prefetch, don't try to dereference it! Still
+ origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_
+     apr_off_t bytes;
+     int force10, rv;
+     apr_read_type_e block;
+-    conn_rec *origin = p_conn->connection;
+ 
+     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+         if (req->expecting_100) {
+@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_
+                       "chunked body with Content-Length (C-L ignored)",
+                       c->client_ip, c->remote_host ? c->remote_host: "");
+         req->old_cl_val = NULL;
+-        origin->keepalive = AP_CONN_CLOSE;
+         p_conn->close = 1;
+     }
+ 
diff -Nru apache2-2.4.41/debian/patches/CVE-2020-35452.patch apache2-2.4.41/debian/patches/CVE-2020-35452.patch
--- apache2-2.4.41/debian/patches/CVE-2020-35452.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2020-35452.patch	2021-06-17 18:27:22.000000000 +0000
@@ -0,0 +1,51 @@
+From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 18 Jan 2021 17:39:12 +0000
+Subject: [PATCH] Merge r1885659 from trunk:
+
+mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+                 the format can't match anyway.
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, jailletc36
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
+---
+ CHANGES                       | 3 +++
+ modules/aaa/mod_auth_digest.c | 9 +++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index e5c6afc3aa5..5af3c081b93 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -1,6 +1,9 @@
+#                                                          -*- coding: utf-8 -*-
+# Changes with Apache 2.4.47
+# 
+#+  *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+#+     the format can't match anyway.  [Yann Ylavic]
+#+
+#   *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
+#      Transfer-Encoding from the client, spooling the request body when needed
+#      to provide a Content-Length to the backend.  PR 57087.  [Yann Ylavic]
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, d
+     time_rec nonce_time;
+     char tmp, hash[NONCE_HASH_LEN+1];
+ 
+-    if (strlen(resp->nonce) != NONCE_LEN) {
++    /* Since the time part of the nonce is a base64 encoding of an
++     * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++     */
++    if (strlen(resp->nonce) != NONCE_LEN
++            || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+-                      "invalid nonce %s received - length is not %d",
++                      "invalid nonce '%s' received - length is not %d "
++                      "or time encoding is incorrect",
+                       resp->nonce, NONCE_LEN);
+         note_digest_auth_failure(r, conf, resp, 1);
+         return HTTP_UNAUTHORIZED;
diff -Nru apache2-2.4.41/debian/patches/CVE-2021-26690.patch apache2-2.4.41/debian/patches/CVE-2021-26690.patch
--- apache2-2.4.41/debian/patches/CVE-2021-26690.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2021-26690.patch	2021-06-17 18:27:33.000000000 +0000
@@ -0,0 +1,25 @@
+From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:07:08 +0000
+Subject: [PATCH] mod_session: save one apr_strtok() in
+ session_identity_decode().
+
+When the encoding is invalid (missing '='), no need to parse further.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -404,8 +404,8 @@ static apr_status_t session_identity_dec
+         char *plast = NULL;
+         const char *psep = "=";
+         char *key = apr_strtok(pair, psep, &plast);
+-        char *val = apr_strtok(NULL, psep, &plast);
+         if (key && *key) {
++            char *val = apr_strtok(NULL, sep, &plast);
+             if (!val || !*val) {
+                 apr_table_unset(z->entries, key);
+             }
diff -Nru apache2-2.4.41/debian/patches/CVE-2021-26691.patch apache2-2.4.41/debian/patches/CVE-2021-26691.patch
--- apache2-2.4.41/debian/patches/CVE-2021-26691.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2021-26691.patch	2021-06-17 18:27:39.000000000 +0000
@@ -0,0 +1,39 @@
+From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:13:54 +0000
+Subject: [PATCH] mod_session: account for the '&' in identity_concat().
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/session_parsing.txt | 2 ++
+ modules/session/mod_session.c       | 3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+ create mode 100644 changes-entries/session_parsing.txt
+
+#diff --git a/changes-entries/session_parsing.txt b/changes-entries/session_parsing.txt
+#new file mode 100644
+#index 00000000000..a996e821063
+#--- /dev/null
+#+++ b/changes-entries/session_parsing.txt
+#@@ -0,0 +1,2 @@
+#+  *) mod_session: Improve session parsing.  [Yann Yalvic]
+#+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(reque
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+     int *count = v;
+-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+     return 1;
+ }
+ 
+@@ -353,7 +353,6 @@ static int identity_concat(void *v, cons
+  */
+ static apr_status_t session_identity_encode(request_rec * r, session_rec * z)
+ {
+-
+     char *buffer = NULL;
+     int length = 0;
+     if (z->expiry) {
diff -Nru apache2-2.4.41/debian/patches/CVE-2021-30641.patch apache2-2.4.41/debian/patches/CVE-2021-30641.patch
--- apache2-2.4.41/debian/patches/CVE-2021-30641.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2021-30641.patch	2021-06-17 18:27:44.000000000 +0000
@@ -0,0 +1,60 @@
+From eb986059aa5aa0b6c1d52714ea83e3dd758afdd1 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 21 Apr 2021 01:10:12 +0000
+Subject: [PATCH] Merge r1889036 from trunk:
+
+legacy default slash-matching behavior w/ 'MergeSlashes OFF'
+
+Submitted By: Ruediger Pluem
+Reviewed By: covener, rpluem, ylavic
+
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1889038 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/request.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request
+ 
+     cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+     cached = (cache->cached != NULL);
+-    entry_uri = r->uri;
++
++   /*
++    * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++    * have not been merged. But for Location walks we always go with merged
++    * slashes no matter what merge_slashes is set to.
++    */
++    if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++        entry_uri = r->uri;
++    }
++    else {
++        char *uri = apr_pstrdup(r->pool, r->uri);
++        ap_no2slash(uri);
++        entry_uri = uri;
++    }
+ 
+     /* If we have an cache->cached location that matches r->uri,
+      * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request
+                     pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+                 }
+ 
+-                if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++                if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+                     continue;
+                 }
+ 
+@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request
+                         apr_table_setn(r->subprocess_env,
+                                        ((const char **)entry_core->refs->elts)[i],
+                                        apr_pstrndup(r->pool,
+-                                       entry_uri + pmatch[i].rm_so,
++                                       r->uri + pmatch[i].rm_so,
+                                        pmatch[i].rm_eo - pmatch[i].rm_so));
+                     }
+                 }
diff -Nru apache2-2.4.41/debian/patches/series apache2-2.4.41/debian/patches/series
--- apache2-2.4.41/debian/patches/series	2020-08-12 19:42:51.000000000 +0000
+++ apache2-2.4.41/debian/patches/series	2021-06-17 18:27:53.000000000 +0000
@@ -22,3 +22,8 @@
 CVE-2020-11984.patch
 CVE-2020-11993-pre1.patch
 CVE-2020-11993.patch
+CVE-2020-13950.patch
+CVE-2020-35452.patch
+CVE-2021-26690.patch
+CVE-2021-26691.patch
+CVE-2021-30641.patch