diff -Nru apache2-2.4.41/debian/changelog apache2-2.4.41/debian/changelog
--- apache2-2.4.41/debian/changelog	2021-09-23 16:58:57.000000000 +0000
+++ apache2-2.4.41/debian/changelog	2021-09-28 11:00:45.000000000 +0000
@@ -1,3 +1,14 @@
+apache2 (2.4.41-4ubuntu3.6) focal-security; urgency=medium
+
+  * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
+    - debian/patches/CVE-2021-40438-2.patch: Fix UDS unix: scheme for P
+      rules in modules/mappers/mod_rewrite.c.
+    - debian/patches/CVE-2021-40438-3.patch: Handle UDS URIs with empty
+      hostname in modules/mappers/mod_rewrite.c,
+      modules/proxy/proxy_util.c.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 28 Sep 2021 07:00:45 -0400
+
 apache2 (2.4.41-4ubuntu3.5) focal-security; urgency=medium
 
   * SECURITY UPDATE: request splitting over HTTP/2
diff -Nru apache2-2.4.41/debian/patches/CVE-2021-40438-2.patch apache2-2.4.41/debian/patches/CVE-2021-40438-2.patch
--- apache2-2.4.41/debian/patches/CVE-2021-40438-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2021-40438-2.patch	2021-09-28 11:00:35.000000000 +0000
@@ -0,0 +1,41 @@
+From 6e768a811c59ca6a0769b72681aaef381823339f Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Thu, 23 Sep 2021 12:29:03 +0000
+Subject: [PATCH] Merge of r1893516 from trunk:
+
+   *) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules.  PR 57691 + 65590.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893556 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/rewrite_uds.txt | 2 ++
+ modules/mappers/mod_rewrite.c   | 7 +++++++
+ 2 files changed, 9 insertions(+)
+ create mode 100644 changes-entries/rewrite_uds.txt
+
+#diff --git a/changes-entries/rewrite_uds.txt b/changes-entries/rewrite_uds.txt
+#new file mode 100644
+#index 00000000000..4b752a8b46c
+#--- /dev/null
+#+++ b/changes-entries/rewrite_uds.txt
+#@@ -0,0 +1,2 @@
+#+  *) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules.  PR 57691 + 65590.
+#+     [Janne Peltonen <janne.peltonen sange.fi>]
+#\ No newline at end of file
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -620,6 +620,13 @@ static unsigned is_absolute_uri(char *ur
+             return 6;
+         }
+         break;
++
++    case 'u':
++    case 'U':
++        if (!ap_cstr_casecmpn(uri, "nix:", 4)) {        /* unix:     */
++            *sqs = 1;
++            return 5;
++        }
+     }
+ 
+     return 0;
diff -Nru apache2-2.4.41/debian/patches/CVE-2021-40438-3.patch apache2-2.4.41/debian/patches/CVE-2021-40438-3.patch
--- apache2-2.4.41/debian/patches/CVE-2021-40438-3.patch	1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.41/debian/patches/CVE-2021-40438-3.patch	2021-09-28 11:00:42.000000000 +0000
@@ -0,0 +1,50 @@
+From 81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Thu, 23 Sep 2021 12:31:53 +0000
+Subject: [PATCH] backport of 1893519,1893532 from trunk:
+
+  *) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
+     had no hostname ("unix:/..."), also in mod_rewrite's is_absolulte_uri().
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893559 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/uds_empty_hostname.txt | 2 ++
+ modules/mappers/mod_rewrite.c          | 2 +-
+ modules/proxy/proxy_util.c             | 3 ++-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+ create mode 100644 changes-entries/uds_empty_hostname.txt
+
+#diff --git a/changes-entries/uds_empty_hostname.txt b/changes-entries/uds_empty_hostname.txt
+#new file mode 100644
+#index 00000000000..beff3023e90
+#--- /dev/null
+#+++ b/changes-entries/uds_empty_hostname.txt
+#@@ -0,0 +1,2 @@
+#+  *) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
+#+     had no hostname ("unix:/...").  [Yann Ylavic]
+#\ No newline at end of file
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -625,7 +625,7 @@ static unsigned is_absolute_uri(char *ur
+     case 'U':
+         if (!ap_cstr_casecmpn(uri, "nix:", 4)) {        /* unix:     */
+             *sqs = 1;
+-            return 5;
++            return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;
+         }
+     }
+ 
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2104,7 +2104,8 @@ static int fix_uds_filename(request_rec
+         rv = apr_uri_parse(r->pool, uds_url, &urisock);
+         *origin_url++ = '|';
+ 
+-        if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
++        if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname
++                                                  || !urisock.hostname[0])) {
+             uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
+         }
+         if (!uds_path) {
diff -Nru apache2-2.4.41/debian/patches/series apache2-2.4.41/debian/patches/series
--- apache2-2.4.41/debian/patches/series	2021-09-23 16:58:57.000000000 +0000
+++ apache2-2.4.41/debian/patches/series	2021-09-28 11:00:39.000000000 +0000
@@ -36,3 +36,5 @@
 CVE-2021-33193-pre1.patch
 CVE-2021-33193-pre2.patch
 CVE-2021-33193.patch
+CVE-2021-40438-2.patch
+CVE-2021-40438-3.patch