diff --git a/CVE-2022-31081-2.patch b/CVE-2022-31081-2.patch
new file mode 100644
index 0000000..81faa40
--- /dev/null
+++ b/CVE-2022-31081-2.patch
@@ -0,0 +1,36 @@
+From 8dc5269d59e2d5d9eb1647d82c449ccd880f7fd0 Mon Sep 17 00:00:00 2001
+From: Theo van Hoesel <tvanhoesel@perceptyx.com>
+Date: Tue, 21 Jun 2022 20:00:47 +0000
+Subject: [PATCH] Include reason in response body content
+
+---
+ lib/HTTP/Daemon.pm | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
+index a5112b3..2d022ae 100644
+--- a/lib/HTTP/Daemon.pm
++++ b/lib/HTTP/Daemon.pm
+@@ -299,16 +299,18 @@ READ_HEADER:
+         # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
+         my @nums = grep { /^[0-9]+$/} @vals;
+         unless (@vals == @nums) {
+-            $self->send_error(400);
+-            $self->reason("Content-Length value must be a unsigned integer");
++            my $reason = "Content-Length value must be an unsigned integer";
++            $self->send_error(400, $reason);
++            $self->reason($reason);
+             return;
+         }
+         # check they are all the same
+         my $len = shift @nums;
+         foreach (@nums) {
+             next if $_ == $len;
+-            $self->send_error(400);
+-            $self->reason("Content-Length values are not the same");
++            my $reason = "Content-Length values are not the same";
++            $self->send_error(400, $reason);
++            $self->reason($reason);
+             return;
+         }
+         # ensure we have now a fixed header, with only 1 value
diff --git a/CVE-2022-31081.patch b/CVE-2022-31081.patch
new file mode 100644
index 0000000..dfd212e
--- /dev/null
+++ b/CVE-2022-31081.patch
@@ -0,0 +1,50 @@
+From e84475de51d6fd7b29354a997413472a99db70b2 Mon Sep 17 00:00:00 2001
+From: Theo van Hoesel <tvanhoesel@perceptyx.com>
+Date: Thu, 16 Jun 2022 08:28:30 +0000
+Subject: [PATCH] Fix Content-Length ', '-separated string issues
+
+After a security issue, we ensure we comply to
+RFC-7230 -- HTTP/1.1 Message Syntax and Routing
+- section 3.3.2 -- Content-Length
+- section 3.3.3 -- Message Body Length
+---
+ lib/HTTP/Daemon.pm | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/lib/HTTP/Daemon.pm b/lib/HTTP/Daemon.pm
+index c0cdf76..a5112b3 100644
+--- a/lib/HTTP/Daemon.pm
++++ b/lib/HTTP/Daemon.pm
+@@ -288,6 +288,32 @@ READ_HEADER:
+     }
+     elsif ($len) {
+ 
++        # After a security issue, we ensure we comply to
++        # RFC-7230 -- HTTP/1.1 Message Syntax and Routing
++        # section 3.3.2 -- Content-Length
++        # section 3.3.3 -- Message Body Length
++
++        # split and clean up Content-Length ', ' separated string
++        my @vals = map {my $str = $_; $str =~ s/^\s+//; $str =~ s/\s+$//; $str }
++            split ',', $len;
++        # check that they are all numbers (RFC: Content-Length = 1*DIGIT)
++        my @nums = grep { /^[0-9]+$/} @vals;
++        unless (@vals == @nums) {
++            $self->send_error(400);
++            $self->reason("Content-Length value must be a unsigned integer");
++            return;
++        }
++        # check they are all the same
++        my $len = shift @nums;
++        foreach (@nums) {
++            next if $_ == $len;
++            $self->send_error(400);
++            $self->reason("Content-Length values are not the same");
++            return;
++        }
++        # ensure we have now a fixed header, with only 1 value
++        $r->header('Content-Length' => $len);
++
+         # Plain body specified by "Content-Length"
+         my $missing = $len - length($buf);
+         while ($missing > 0) {
diff --git a/perl-HTTP-Daemon.changes b/perl-HTTP-Daemon.changes
index 7494abc..192f1d2 100644
--- a/perl-HTTP-Daemon.changes
+++ b/perl-HTTP-Daemon.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jul 13 09:04:49 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Fix request smuggling in HTTP::Daemon
+  (CVE-2022-31081, bsc#1201157)
+  * CVE-2022-31081.patch
+  * CVE-2022-31081-2.patch
+
 -------------------------------------------------------------------
 Fri Mar  4 03:07:35 UTC 2022 - Tina Müller <timueller+perl@suse.de>
 
diff --git a/perl-HTTP-Daemon.spec b/perl-HTTP-Daemon.spec
index 28e8d90..795097b 100644
--- a/perl-HTTP-Daemon.spec
+++ b/perl-HTTP-Daemon.spec
@@ -20,11 +20,15 @@
 Name:           perl-HTTP-Daemon
 Version:        6.14
 Release:        0
-License:        Artistic-1.0 OR GPL-1.0-or-later
 Summary:        Simple http server class
+License:        Artistic-1.0 OR GPL-1.0-or-later
 URL:            https://metacpan.org/release/%{cpan_name}
 Source0:        https://cpan.metacpan.org/authors/id/O/OA/OALDERS/%{cpan_name}-%{version}.tar.gz
 Source1:        cpanspec.yml
+# PATCH-FIX-SECURITY bsc#1201157 otto.hollmann@suse.com
+# Fix request smuggling in HTTP::Daemon
+Patch0:         CVE-2022-31081.patch
+Patch1:         CVE-2022-31081-2.patch
 BuildArch:      noarch
 BuildRequires:  perl
 BuildRequires:  perl-macros
@@ -65,7 +69,7 @@ method on this object will read data from the client and return an
 back various responses.
 
 %prep
-%autosetup  -n %{cpan_name}-%{version}
+%autosetup  -n %{cpan_name}-%{version} -p1
 find . -type f ! -path "*/t/*" ! -name "*.pl" ! -path "*/bin/*" ! -path "*/script/*" ! -name "configure" -print0 | xargs -0 chmod 644
 
 %build