diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-CVE-2016-5387.patch b/SOURCES/httpd-2.4.6-CVE-2016-5387.patch
new file mode 100644
index 0000000..9f22044
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2016-5387.patch
@@ -0,0 +1,16 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
+
+--- httpd-2.4.6/server/util_script.c.cve5387
++++ httpd-2.4.6/server/util_script.c
+@@ -190,6 +190,10 @@
+ continue;
+ }
+ #endif
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ /* Don't pass through HTTP_PROXY */
++ continue;
++ }
+ else
+ add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+ }
diff --git a/SOURCES/httpd-2.4.6-r1560093.patch b/SOURCES/httpd-2.4.6-r1560093.patch
new file mode 100644
index 0000000..664699a
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1560093.patch
@@ -0,0 +1,16 @@
+# ./pullrev.sh 1560093
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1331341
+
+http://svn.apache.org/viewvc?view=revision&revision=1560093
+
+--- httpd-2.4.6/modules/cache/mod_cache.c
++++ httpd-2.4.6/modules/cache/mod_cache.c
+@@ -1130,7 +1130,6 @@
+ "Content-Range")))
+ || ((reason = cache_header_cmp(r->pool, left, right,
+ "Content-Type")))
+- || ((reason = cache_header_cmp(r->pool, left, right, "Expires")))
+ || ((reason = cache_header_cmp(r->pool, left, right, "ETag")))
+ || ((reason = cache_header_cmp(r->pool, left, right,
+ "Last-Modified")))) {
diff --git a/SOURCES/httpd-2.4.6-r1748212.patch b/SOURCES/httpd-2.4.6-r1748212.patch
new file mode 100644
index 0000000..69ff27f
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1748212.patch
@@ -0,0 +1,70 @@
+# ./pullrev.sh 1748212
+http://svn.apache.org/viewvc?view=revision&revision=1748212
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1343582
+
+diff -uap httpd-2.4.6/include/httpd.h.r1748212 httpd-2.4.6/include/httpd.h
+--- httpd-2.4.6/include/httpd.h.r1748212
++++ httpd-2.4.6/include/httpd.h
+@@ -477,7 +477,7 @@ AP_DECLARE(const char *) ap_get_server_b
+ * When adding a new code here add it to status_lines as well.
+ * A future version should dynamically generate the apr_table_t at startup.
+ */
+-#define RESPONSE_CODES 83
++#define RESPONSE_CODES 103
+
+ #define HTTP_CONTINUE 100
+ #define HTTP_SWITCHING_PROTOCOLS 101
+@@ -525,6 +525,7 @@ AP_DECLARE(const char *) ap_get_server_b
+ #define HTTP_PRECONDITION_REQUIRED 428
+ #define HTTP_TOO_MANY_REQUESTS 429
+ #define HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE 431
++#define HTTP_UNAVAILABLE_FOR_LEGAL_REASONS 451
+ #define HTTP_INTERNAL_SERVER_ERROR 500
+ #define HTTP_NOT_IMPLEMENTED 501
+ #define HTTP_BAD_GATEWAY 502
+diff -uap httpd-2.4.6/modules/http/http_protocol.c.r1748212 httpd-2.4.6/modules/http/http_protocol.c
+--- httpd-2.4.6/modules/http/http_protocol.c.r1748212
++++ httpd-2.4.6/modules/http/http_protocol.c
+@@ -146,7 +146,27 @@ static const char * const status_lines[R
+ "429 Too Many Requests",
+ NULL, /* 430 */
+ "431 Request Header Fields Too Large",
+-#define LEVEL_500 71
++ NULL, /* 432 */
++ NULL, /* 433 */
++ NULL, /* 434 */
++ NULL, /* 435 */
++ NULL, /* 436 */
++ NULL, /* 437 */
++ NULL, /* 438 */
++ NULL, /* 439 */
++ NULL, /* 440 */
++ NULL, /* 441 */
++ NULL, /* 442 */
++ NULL, /* 443 */
++ NULL, /* 444 */
++ NULL, /* 445 */
++ NULL, /* 446 */
++ NULL, /* 447 */
++ NULL, /* 448 */
++ NULL, /* 449 */
++ NULL, /* 450 */
++ "451 Unavailable For Legal Reasons",
++#define LEVEL_500 91
+ "500 Internal Server Error",
+ "501 Not Implemented",
+ "502 Bad Gateway",
+@@ -1295,6 +1315,12 @@ static const char *get_canned_error_stri
+ case HTTP_NETWORK_AUTHENTICATION_REQUIRED:
+ return("<p>The client needs to authenticate to gain\n"
+ "network access.</p>\n");
++ case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS:
++ s1 = apr_pstrcat(p,
++ "<p>Access to ", ap_escape_html(r->pool, r->uri),
++ "\nhas been denied for legal reasons.<br />\n",
++ NULL);
++ return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
+ default: /* HTTP_INTERNAL_SERVER_ERROR */
+ /*
+ * This comparison to expose error-notes could be modified to
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index c1b6c11..5d1e452 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,7 +16,3 @@
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
-Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
-Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
-Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 39ceacb..8c8a96e 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -4,7 +4,7 @@
%define mmn 20120211
%define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
%define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
-%define vstring CentOS
+%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})
# Drop automatic provides for module DSOs
%{?filter_setup:
@@ -15,10 +15,10 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.6
-Release: 40%{?dist}.1
+Release: 40%{?dist}.4
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source1: centos-noindex.tar.gz
+Source1: index.html
Source2: httpd.logrotate
Source3: httpd.sysconf
Source4: httpd-ssl-pass-dialog
@@ -110,6 +110,8 @@ Patch90: httpd-2.4.6-apachectl-status.patch
Patch91: httpd-2.4.6-r1650655.patch
Patch92: httpd-2.4.6-r1533448.patch
Patch93: httpd-2.4.6-r1610013.patch
+Patch105: httpd-2.4.6-r1560093.patch
+Patch106: httpd-2.4.6-r1748212.patch
# Security fixes
Patch200: httpd-2.4.6-CVE-2013-6438.patch
Patch201: httpd-2.4.6-CVE-2014-0098.patch
@@ -122,6 +124,7 @@ Patch207: httpd-2.4.6-CVE-2013-5704.patch
Patch208: httpd-2.4.6-CVE-2014-3581.patch
Patch209: httpd-2.4.6-CVE-2015-3185.patch
Patch210: httpd-2.4.6-CVE-2015-3183.patch
+Patch211: httpd-2.4.6-CVE-2016-5387.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -294,6 +297,8 @@ rm modules/ssl/ssl_engine_dh.c
%patch91 -p1 -b .r1650655
%patch92 -p1 -b .r1533448
%patch93 -p1 -b .r1610013
+%patch105 -p1 -b .r1560093
+%patch106 -p1 -b .r1748212
%patch200 -p1 -b .cve6438
%patch201 -p1 -b .cve0098
@@ -306,6 +311,7 @@ rm modules/ssl/ssl_engine_dh.c
%patch208 -p1 -b .cve3581
%patch209 -p1 -b .cve3185
%patch210 -p1 -b .cve3183
+%patch211 -p1 -b .cve5387
# Patch in the vendor string and the release string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -459,10 +465,8 @@ EOF
# Handle contentdir
mkdir $RPM_BUILD_ROOT%{contentdir}/noindex
-tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \
- -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \
- --strip-components=1
-
+install -m 644 -p $RPM_SOURCE_DIR/index.html \
+ $RPM_BUILD_ROOT%{contentdir}/noindex/index.html
rm -rf %{contentdir}/htdocs
# remove manual sources
@@ -485,7 +489,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \
$RPM_BUILD_ROOT%{docroot}/cgi-bin/*
# Symlink for the powered-by-$DISTRO image:
-ln -s ../noindex/images/poweredby.png \
+ln -s ../../pixmaps/poweredby.png \
$RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
# symlinks for /etc/httpd
@@ -671,7 +675,7 @@ rm -rf $RPM_BUILD_ROOT
%{contentdir}/error/README
%{contentdir}/error/*.var
%{contentdir}/error/include/*.html
-%{contentdir}/noindex/*
+%{contentdir}/noindex/index.html
%dir %{docroot}
%dir %{docroot}/cgi-bin
@@ -737,11 +741,14 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
-* Thu May 12 2016 CentOS Sources <bugs@centos.org> - 2.4.6-40.el7.centos.1
-- Remove index.html, add centos-noindex.tar.gz
-- change vstring
-- change symlink for poweredby.png
-- update welcome.conf with proper aliases
+* Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-40.4
+- add security fix for CVE-2016-5387
+
+* Thu Jul 7 2016 Joe Orton <jorton@redhat.com> - 2.4.6-40.3
+- add 451 (Unavailable For Legal Reasons) response status-code (#1353269)
+
+* Fri Jun 17 2016 Joe Orton <jorton@redhat.com> - 2.4.6-40.2
+- mod_cache: treat cache as valid with changed Expires in 304 (#1347648)
* Mon Mar 21 2016 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-40.1
- fix apache user creation when apache group already exists (#1319001)