diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-CVE-2017-15715.patch b/SOURCES/httpd-2.4.6-CVE-2017-15715.patch
new file mode 100644
index 0000000..74e3770
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2017-15715.patch
@@ -0,0 +1,190 @@
+diff --git a/include/ap_regex.h b/include/ap_regex.h
+index 5122154..349ae83 100644
+--- a/include/ap_regex.h
++++ b/include/ap_regex.h
+@@ -77,6 +77,8 @@ extern "C" {
+ #define AP_REG_NOMEM 0x20    /* nomem in our code */
+ #define AP_REG_DOTALL 0x40   /* perl's /s flag */
+ 
++#define AP_REG_DOLLAR_ENDONLY 0x200 /**< '$' matches at end of subject string only */
++
+ /* Error values: */
+ enum {
+   AP_REG_ASSERT = 1,  /** internal error ? */
+@@ -100,6 +102,26 @@ typedef struct {
+ 
+ /* The functions */
+ 
++/**
++ * Get default compile flags
++ * @return Bitwise OR of AP_REG_* flags
++ */
++AP_DECLARE(int) ap_regcomp_get_default_cflags(void);
++
++/**
++ * Set default compile flags
++ * @param cflags Bitwise OR of AP_REG_* flags
++ */
++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags);
++
++/**
++ * Get the AP_REG_* corresponding to the string.
++ * @param name The name (i.e. AP_REG_<name>)
++ * @return The AP_REG_*, or zero if the string is unknown
++ *
++ */
++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name);
++
+ /**
+  * Compile a regular expression.
+  * @param preg Returned compiled regex
+diff --git a/server/core.c b/server/core.c
+index b3240a0..e073ddf 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -48,6 +48,7 @@
+ #include "mod_core.h"
+ #include "mod_proxy.h"
+ #include "ap_listen.h"
++#include "ap_regex.h"
+ 
+ #include "mod_so.h" /* for ap_find_loaded_module_symbol */
+ 
+@@ -2646,6 +2647,58 @@ static const char *virtualhost_section(cmd_parms *cmd, void *dummy,
+     return errmsg;
+ }
+ 
++static const char *set_regex_default_options(cmd_parms *cmd,
++                                             void *dummy,
++                                             const char *arg)
++{
++    const command_rec *thiscmd = cmd->cmd;
++    int cflags, cflag;
++
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++    if (err != NULL) {
++        return err;
++    }
++
++    cflags = ap_regcomp_get_default_cflags();
++    while (*arg) {
++        const char *name = ap_getword_conf(cmd->pool, &arg);
++        int how = 0;
++
++        if (strcasecmp(name, "none") == 0) {
++            cflags = 0;
++            continue;
++        }
++
++        if (*name == '+') {
++            name++;
++            how = +1;
++        }
++        else if (*name == '-') {
++            name++;
++            how = -1;
++        }
++
++        cflag = ap_regcomp_default_cflag_by_name(name);
++        if (!cflag) {
++            return apr_psprintf(cmd->pool, "%s: option '%s' unknown",
++                                thiscmd->name, name);
++        }
++
++        if (how > 0) {
++            cflags |= cflag;
++        }
++        else if (how < 0) {
++            cflags &= ~cflag;
++        }
++        else {
++            cflags = cflag;
++        }
++    }
++    ap_regcomp_set_default_cflags(cflags);
++
++    return NULL;
++}
++
+ static const char *set_server_alias(cmd_parms *cmd, void *dummy,
+                                     const char *arg)
+ {
+@@ -4164,6 +4217,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_limit, NULL,
+    OR_ALL, "soft/hard limits for max number of processes per uid"),
+ #endif
+ 
++AP_INIT_RAW_ARGS("RegexDefaultOptions", set_regex_default_options, NULL, RSRC_CONF,
++                 "default options for regexes (prefixed by '+' to add, '-' to del)"),
++
+ /* internal recursion stopper */
+ AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
+               "maximum recursion depth of internal redirects and subrequests"),
+@@ -4569,6 +4625,8 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
+     apr_pool_cleanup_register(pconf, NULL, reset_config_defines,
+                               apr_pool_cleanup_null);
+ 
++    ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
++
+     mpm_common_pre_config(pconf);
+ 
+     return OK;
+diff --git a/server/util_pcre.c b/server/util_pcre.c
+index 1e83cad..d7df400 100644
+--- a/server/util_pcre.c
++++ b/server/util_pcre.c
+@@ -110,6 +110,38 @@ AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
+  *            Compile a regular expression       *
+  *************************************************/
+ 
++static int default_cflags = AP_REG_DOLLAR_ENDONLY;
++
++AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
++{
++    return default_cflags;
++}
++
++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags)
++{
++    default_cflags = cflags;
++}
++
++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name)
++{
++    int cflag = 0;
++
++    if (strcasecmp(name, "ICASE") == 0) {
++        cflag = AP_REG_ICASE;
++    }
++    else if (strcasecmp(name, "DOTALL") == 0) {
++        cflag = AP_REG_DOTALL;
++    }
++    else if (strcasecmp(name, "DOLLAR_ENDONLY") == 0) {
++        cflag = AP_REG_DOLLAR_ENDONLY;
++    }
++    else if (strcasecmp(name, "EXTENDED") == 0) {
++        cflag = AP_REG_EXTENDED;
++    }
++
++    return cflag;
++}
++
+ /*
+  * Arguments:
+  *  preg        points to a structure for recording the compiled expression
+@@ -126,12 +158,16 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
+     int errcode = 0;
+     int options = 0;
+ 
++    cflags |= default_cflags;
+     if ((cflags & AP_REG_ICASE) != 0)
+         options |= PCRE_CASELESS;
+     if ((cflags & AP_REG_NEWLINE) != 0)
+         options |= PCRE_MULTILINE;
+     if ((cflags & AP_REG_DOTALL) != 0)
+         options |= PCRE_DOTALL;
++    if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0)
++        options |= PCRE_DOLLAR_ENDONLY;
++
+ 
+     preg->re_pcre =
+         pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL);
diff --git a/SOURCES/httpd-2.4.6-CVE-2018-1283.patch b/SOURCES/httpd-2.4.6-CVE-2018-1283.patch
new file mode 100644
index 0000000..c51bb4f
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2018-1283.patch
@@ -0,0 +1,23 @@
+--- a/modules/session/mod_session.c	2018/02/16 13:39:47	1824476
++++ b/modules/session/mod_session.c	2018/02/16 13:41:31	1824477
+@@ -510,12 +510,15 @@
+      */
+     ap_session_load(r, &z);
+ 
+-    if (z && conf->env) {
+-        session_identity_encode(r, z);
+-        if (z->encoded) {
+-            apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);
+-            z->encoded = NULL;
++    if (conf->env) {
++        if (z) {
++            session_identity_encode(r, z);
++            if (z->encoded) {
++                apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);
++                z->encoded = NULL;
++            }
+         }
++        apr_table_unset(r->headers_in, "Session");
+     }
+ 
+     return OK;
diff --git a/SOURCES/httpd-2.4.6-CVE-2018-1303.patch b/SOURCES/httpd-2.4.6-CVE-2018-1303.patch
new file mode 100644
index 0000000..f0b6bde
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2018-1303.patch
@@ -0,0 +1,12 @@
+--- a/modules/cache/mod_cache_socache.c	2018/02/16 13:32:48	1824474
++++ b/modules/cache/mod_cache_socache.c	2018/02/16 13:34:35	1824475
+@@ -213,7 +213,8 @@
+                         "Premature end of cache headers.");
+                 return APR_EGENERAL;
+             }
+-            while (apr_isspace(buffer[colon])) {
++            /* Do not go past the \r from above as apr_isspace('\r') is true */
++            while (apr_isspace(buffer[colon]) && (colon < *slider)) {
+                 colon++;
+             }
+             apr_table_addn(table, apr_pstrndup(r->pool, (const char *) buffer
diff --git a/SOURCES/httpd-2.4.6-CVE-2019-10098.patch b/SOURCES/httpd-2.4.6-CVE-2019-10098.patch
new file mode 100644
index 0000000..f8298cc
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2019-10098.patch
@@ -0,0 +1,91 @@
+diff --git a/include/ap_regex.h b/include/ap_regex.h
+index 349ae83..952e77a 100644
+--- a/include/ap_regex.h
++++ b/include/ap_regex.h
+@@ -79,6 +79,12 @@ extern "C" {
+ 
+ #define AP_REG_DOLLAR_ENDONLY 0x200 /**< '$' matches at end of subject string only */
+ 
++#define AP_REG_NO_DEFAULT 0x400 /**< Don't implicitely add AP_REG_DEFAULT options */
++
++#define AP_REG_MATCH "MATCH_" /**< suggested prefix for ap_regname */
++
++#define AP_REG_DEFAULT (AP_REG_DOTALL|AP_REG_DOLLAR_ENDONLY)
++
+ /* Error values: */
+ enum {
+   AP_REG_ASSERT = 1,  /** internal error ? */
+diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
+index 15cd8ee..69af111 100644
+--- a/modules/filters/mod_substitute.c
++++ b/modules/filters/mod_substitute.c
+@@ -599,8 +599,10 @@ static const char *set_pattern(cmd_parms *cmd, void *cfg, const char *line)
+ 
+     /* first see if we can compile the regex */
+     if (!is_pattern) {
+-        r = ap_pregcomp(cmd->pool, from, AP_REG_EXTENDED |
+-                        (ignore_case ? AP_REG_ICASE : 0));
++        int flags = AP_REG_NO_DEFAULT
++                    | (ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY)
++                    | (ignore_case ? AP_REG_ICASE : 0);
++        r = ap_pregcomp(cmd->pool, from, flags);
+         if (!r)
+             return "Substitute could not compile regex";
+     }
+diff --git a/server/core.c b/server/core.c
+index d4af287..6ae0f5f 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -4625,7 +4625,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
+     apr_pool_cleanup_register(pconf, NULL, reset_config_defines,
+                               apr_pool_cleanup_null);
+ 
+-    ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
++    ap_regcomp_set_default_cflags(AP_REG_DEFAULT);
+ 
+     mpm_common_pre_config(pconf);
+ 
+diff --git a/server/util_pcre.c b/server/util_pcre.c
+index d7df400..f778c75 100644
+--- a/server/util_pcre.c
++++ b/server/util_pcre.c
+@@ -110,7 +110,7 @@ AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
+  *            Compile a regular expression       *
+  *************************************************/
+ 
+-static int default_cflags = AP_REG_DOLLAR_ENDONLY;
++static int default_cflags = AP_REG_DEFAULT;
+ 
+ AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
+ {
+@@ -158,7 +158,8 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
+     int errcode = 0;
+     int options = 0;
+ 
+-    cflags |= default_cflags;
++    if ((cflags & AP_REG_NO_DEFAULT) == 0)
++        cflags |= default_cflags;
+     if ((cflags & AP_REG_ICASE) != 0)
+         options |= PCRE_CASELESS;
+     if ((cflags & AP_REG_NEWLINE) != 0)
+diff --git a/server/util_regex.c b/server/util_regex.c
+index 73eccec..5038b99 100644
+--- a/server/util_regex.c
++++ b/server/util_regex.c
+@@ -93,6 +93,7 @@ AP_DECLARE(ap_rxplus_t*) ap_rxplus_compile(apr_pool_t *pool,
+     }
+ 
+     /* anything after the current delimiter is flags */
++    ret->flags = ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY;
+     while (*++endp) {
+         switch (*endp) {
+         case 'i': ret->flags |= AP_REG_ICASE; break;
+@@ -105,7 +106,7 @@ AP_DECLARE(ap_rxplus_t*) ap_rxplus_compile(apr_pool_t *pool,
+         default: break; /* we should probably be stricter here */
+         }
+     }
+-    if (ap_regcomp(&ret->rx, rxstr, ret->flags) == 0) {
++    if (ap_regcomp(&ret->rx, rxstr, AP_REG_NO_DEFAULT | ret->flags) == 0) {
+         apr_pool_cleanup_register(pool, &ret->rx, rxplus_cleanup,
+                                   apr_pool_cleanup_null);
+     }
diff --git a/SOURCES/httpd-2.4.6-CVE-2020-1934.patch b/SOURCES/httpd-2.4.6-CVE-2020-1934.patch
new file mode 100644
index 0000000..ac82c7e
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2020-1934.patch
@@ -0,0 +1,71 @@
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index 680be8b..10382df 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -218,7 +218,7 @@ static int ftp_check_string(const char *x)
+  * (EBCDIC) machines either.
+  */
+ static apr_status_t ftp_string_read(conn_rec *c, apr_bucket_brigade *bb,
+-        char *buff, apr_size_t bufflen, int *eos)
++        char *buff, apr_size_t bufflen, int *eos, apr_size_t *outlen)
+ {
+     apr_bucket *e;
+     apr_status_t rv;
+@@ -230,6 +230,7 @@ static apr_status_t ftp_string_read(conn_rec *c, apr_bucket_brigade *bb,
+     /* start with an empty string */
+     buff[0] = 0;
+     *eos = 0;
++    *outlen = 0;
+ 
+     /* loop through each brigade */
+     while (!found) {
+@@ -273,6 +274,7 @@ static apr_status_t ftp_string_read(conn_rec *c, apr_bucket_brigade *bb,
+                 if (len > 0) {
+                     memcpy(pos, response, len);
+                     pos += len;
++                    *outlen += len;
+                 }
+             }
+             APR_BUCKET_REMOVE(e);
+@@ -386,28 +388,37 @@ static int ftp_getrc_msg(conn_rec *ftp_ctrl, apr_bucket_brigade *bb, char *msgbu
+     char buff[5];
+     char *mb = msgbuf, *me = &msgbuf[msglen];
+     apr_status_t rv;
++    apr_size_t nread;
++    
+     int eos;
+ 
+-    if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) {
++    if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) {
+         return -1;
+     }
+ /*
+     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, NULL,
+                  "<%s", response);
+ */
++    if (nread < 4) {
++        ap_log_error(APLOG_MARK, APLOG_INFO, 0, NULL, APLOGNO(10229) "Malformed FTP response '%s'", response);
++        *mb = '\0';
++        return -1;
++    }
++
++
+     if (!apr_isdigit(response[0]) || !apr_isdigit(response[1]) ||
+-    !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-'))
++        !apr_isdigit(response[2]) || (response[3] != ' ' && response[3] != '-'))
+         status = 0;
+     else
+         status = 100 * response[0] + 10 * response[1] + response[2] - 111 * '0';
+ 
+     mb = apr_cpystrn(mb, response + 4, me - mb);
+ 
+-    if (response[3] == '-') {
++    if (response[3] == '-') { /* multi-line reply "123-foo\nbar\n123 baz" */
+         memcpy(buff, response, 3);
+         buff[3] = ' ';
+         do {
+-            if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos))) {
++            if (APR_SUCCESS != (rv = ftp_string_read(ftp_ctrl, bb, response, sizeof(response), &eos, &nread))) {
+                 return -1;
+             }
+             mb = apr_cpystrn(mb, response + (' ' == response[0] ? 1 : 4), me - mb);
diff --git a/SOURCES/httpd-2.4.6-session-expiry-updt-int.patch b/SOURCES/httpd-2.4.6-session-expiry-updt-int.patch
new file mode 100644
index 0000000..56d6c53
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-session-expiry-updt-int.patch
@@ -0,0 +1,194 @@
+diff --git a/docs/manual/mod/mod_session.html.en b/docs/manual/mod/mod_session.html.en
+index 96a61e6..4ecc97d 100644
+--- a/docs/manual/mod/mod_session.html.en
++++ b/docs/manual/mod/mod_session.html.en
+@@ -69,6 +69,7 @@
+ <li><img alt="" src="../images/down.gif" /> <a href="#sessionheader">SessionHeader</a></li>
+ <li><img alt="" src="../images/down.gif" /> <a href="#sessioninclude">SessionInclude</a></li>
+ <li><img alt="" src="../images/down.gif" /> <a href="#sessionmaxage">SessionMaxAge</a></li>
++<li><img alt="" src="../images/down.gif" /> <a href="#sessionexpiryupdateinterval">SessionExpiryUpdateInterval</a></li>
+ </ul>
+ <h3>Topics</h3>
+ <ul id="topics">
+@@ -494,6 +495,37 @@ AuthName realm
+ 
+     <p>Setting the maxage to zero disables session expiry.</p>
+ 
++</div>
++<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
++<div class="directive-section"><h2><a name="SessionExpiryUpdateInterval" id="sessionexpiryupdateinterval">SessionExpiryUpdateInterval</a> <a name="sessionexpiryupdateinterval" id="sessionexpiryupdateinterval">Directive</a></h2>
++<table class="directive">
++<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define the number of seconds a session's expiry may change without the session being updated</td></tr>
++<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionExpiryUpdateInterval <var>interval</var></code></td></tr>
++<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SessionExpiryUpdateInterval 0 (always update)</code></td></tr>
++<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
++<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session</td></tr>
++</table>
++    <p>The <code class="directive">SessionExpiryUpdateInterval</code> directive allows
++    sessions to avoid the cost associated with writing the session each request
++    when only the expiry time has changed. This can be used to make a website
++    more efficient or reduce load on a database when using
++    <module>mod_session_dbd</module>. The session is always written if the data
++    stored in the session has changed or the expiry has changed by more than the
++    configured interval.</p>
++
++    <p>Setting the interval to zero disables this directive, and the session
++    expiry is refreshed for each request.</p>
++
++    <p>This directive only has an effect when combined with <code class="directive"><a href="../mod/mod_session.html#sessionmaxage">SessionMaxAge</a></code> to enable session
++    expiry. Sessions without an expiry are only written when the data stored in
++    the session has changed.</p>
++
++    <div class="warning"><h3>Warning</h3>
++    <p>Because the session expiry may not be refreshed with each request, it's
++    possible for sessions to expire up to <var>interval</var> seconds early.
++    Using a small interval usually provides sufficient savings while having a
++    minimal effect on expiry resolution.</p></div>
++
+ </div>
+ </div>
+ <div class="bottomlang">
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 3e73c7a..83bf3fc 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -177,6 +177,7 @@ static apr_status_t ap_session_save(request_rec * r, session_rec * z)
+ {
+     if (z) {
+         apr_time_t now = apr_time_now();
++        apr_time_t initialExpiry = z->expiry;
+         int rv = 0;
+ 
+         session_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
+@@ -202,6 +203,17 @@ static apr_status_t ap_session_save(request_rec * r, session_rec * z)
+             z->maxage = dconf->maxage;
+         }
+ 
++        /* don't save if the only change is the expiry by a small amount */
++        if (!z->dirty && dconf->expiry_update_time
++                && (z->expiry - initialExpiry < dconf->expiry_update_time)) {
++            return APR_SUCCESS;
++        }
++
++        /* also don't save sessions that didn't change at all */
++        if (!z->dirty && !z->maxage) {
++            return APR_SUCCESS;
++        }
++
+         /* encode the session */
+         rv = ap_run_session_encode(r, z);
+         if (OK != rv) {
+@@ -544,6 +556,10 @@ static void *merge_session_dir_config(apr_pool_t * p, void *basev, void *addv)
+     new->env_set = add->env_set || base->env_set;
+     new->includes = apr_array_append(p, base->includes, add->includes);
+     new->excludes = apr_array_append(p, base->excludes, add->excludes);
++    new->expiry_update_time = (add->expiry_update_set == 0)
++                                ? base->expiry_update_time
++                                : add->expiry_update_time;
++    new->expiry_update_set = add->expiry_update_set || base->expiry_update_set;
+ 
+     return new;
+ }
+@@ -613,6 +629,21 @@ static const char *add_session_exclude(cmd_parms * cmd, void *dconf, const char
+     return NULL;
+ }
+ 
++static const char *
++     set_session_expiry_update(cmd_parms * parms, void *dconf, const char *arg)
++{
++    session_dir_conf *conf = dconf;
++
++    conf->expiry_update_time = atoi(arg);
++    if (conf->expiry_update_time < 0) {
++        return "SessionExpiryUpdateInterval must be positive or nul";
++    }
++    conf->expiry_update_time = apr_time_from_sec(conf->expiry_update_time);
++    conf->expiry_update_set = 1;
++
++    return NULL;
++}
++
+ 
+ static const command_rec session_cmds[] =
+ {
+@@ -628,6 +659,9 @@ static const command_rec session_cmds[] =
+                   "URL prefixes to include in the session. Defaults to all URLs"),
+     AP_INIT_TAKE1("SessionExclude", add_session_exclude, NULL, RSRC_CONF|OR_AUTHCFG,
+                   "URL prefixes to exclude from the session. Defaults to no URLs"),
++    AP_INIT_TAKE1("SessionExpiryUpdateInterval", set_session_expiry_update, NULL, RSRC_CONF|OR_AUTHCFG,
++                  "time interval for which a session's expiry time may change "
++                  "without having to be rewritten. Zero to disable"),
+     {NULL}
+ };
+ 
+diff --git a/modules/session/mod_session.h b/modules/session/mod_session.h
+index a6dd5e9..bdeb532 100644
+--- a/modules/session/mod_session.h
++++ b/modules/session/mod_session.h
+@@ -115,6 +115,9 @@ typedef struct {
+                                    * URLs included if empty */
+     apr_array_header_t *excludes; /* URL prefixes to be excluded. No
+                                    * URLs excluded if empty */
++    apr_time_t expiry_update_time; /* seconds the session expiry may change and
++                                    * not have to be rewritten */
++    int expiry_update_set;
+ } session_dir_conf;
+ 
+ /**
+diff --git a/modules/session/mod_session_cookie.c b/modules/session/mod_session_cookie.c
+index 6a02322..4aa75e4 100644
+--- a/modules/session/mod_session_cookie.c
++++ b/modules/session/mod_session_cookie.c
+@@ -60,9 +60,6 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
+     session_cookie_dir_conf *conf = ap_get_module_config(r->per_dir_config,
+                                                     &session_cookie_module);
+ 
+-    /* don't cache auth protected pages */
+-    apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
+-
+     /* create RFC2109 compliant cookie */
+     if (conf->name_set) {
+         if (z->encoded && z->encoded[0]) {
+@@ -162,6 +159,9 @@ static apr_status_t session_cookie_load(request_rec * r, session_rec ** z)
+     /* put the session in the notes so we don't have to parse it again */
+     apr_table_setn(m->notes, note, (char *)zz);
+ 
++    /* don't cache auth protected pages */
++    apr_table_addn(r->headers_out, "Cache-Control", "no-cache, private");
++
+     return OK;
+ 
+ }
+diff --git a/modules/session/mod_session_dbd.c b/modules/session/mod_session_dbd.c
+index cf65e5a..20ef72e 100644
+--- a/modules/session/mod_session_dbd.c
++++ b/modules/session/mod_session_dbd.c
+@@ -243,6 +243,9 @@ static apr_status_t session_dbd_load(request_rec * r, session_rec ** z)
+     /* put the session in the notes so we don't have to parse it again */
+     apr_table_setn(m->notes, note, (char *)zz);
+ 
++    /* don't cache pages with a session */
++    apr_table_addn(r->headers_out, "Cache-Control", "no-cache, private");
++
+     return OK;
+ 
+ }
+@@ -407,9 +410,6 @@ static apr_status_t session_dbd_save(request_rec * r, session_rec * z)
+     if (conf->name_set || conf->name2_set) {
+         char *oldkey = NULL, *newkey = NULL;
+ 
+-        /* don't cache pages with a session */
+-        apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
+-
+         /* if the session is new or changed, make a new session ID */
+         if (z->uuid) {
+             oldkey = apr_pcalloc(r->pool, APR_UUID_FORMATTED_LENGTH + 1);
+@@ -456,7 +456,7 @@ static apr_status_t session_dbd_save(request_rec * r, session_rec * z)
+     else if (conf->peruser) {
+ 
+         /* don't cache pages with a session */
+-        apr_table_addn(r->headers_out, "Cache-Control", "no-cache");
++        apr_table_addn(r->headers_out, "Cache-Control", "no-cache, private");
+ 
+         if (r->user) {
+             ret = dbd_save(r, r->user, r->user, z->encoded, z->expiry);
diff --git a/SOURCES/httpd-2.4.6-ssl-close-notify-client.patch b/SOURCES/httpd-2.4.6-ssl-close-notify-client.patch
new file mode 100644
index 0000000..04afef3
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-ssl-close-notify-client.patch
@@ -0,0 +1,161 @@
+diff --git a/include/http_connection.h b/include/http_connection.h
+index 2192507..924ddda 100644
+--- a/include/http_connection.h
++++ b/include/http_connection.h
+@@ -47,9 +47,18 @@ extern "C" {
+  */
+ AP_CORE_DECLARE(void) ap_process_connection(conn_rec *c, void *csd);
+ 
++/**
++ * Shutdown the connection for writing.
++ * @param c The connection to shutdown
++ * @param flush Whether or not to flush pending data before
++ * @return APR_SUCCESS or the underlying error
++ */
++AP_CORE_DECLARE(apr_status_t) ap_shutdown_conn(conn_rec *c, int flush);
++
+ /**
+  * Flushes all remain data in the client send buffer
+  * @param c The connection to flush
++ * @remark calls ap_shutdown_conn(c, 1)
+  */
+ AP_CORE_DECLARE(void) ap_flush_conn(conn_rec *c);
+ 
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 8be833a..6c79a1a 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2886,6 +2886,33 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function,
+     }
+ }
+ 
++static apr_status_t connection_shutdown(void *theconn)
++{
++    proxy_conn_rec *conn = (proxy_conn_rec *)theconn;
++    conn_rec *c = conn->connection;
++    if (c) {
++        if (!c->aborted) {
++            apr_interval_time_t saved_timeout = 0;
++            apr_socket_timeout_get(conn->sock, &saved_timeout);
++            if (saved_timeout) {
++                apr_socket_timeout_set(conn->sock, 0);
++            }
++
++            (void)ap_shutdown_conn(c, 0);
++            c->aborted = 1;
++
++            if (saved_timeout) {
++                apr_socket_timeout_set(conn->sock, saved_timeout);
++            }
++        }
++
++        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02642)
++                      "proxy: connection shutdown");
++    }
++    return APR_SUCCESS;
++}
++
++
+ PROXY_DECLARE(int) ap_proxy_connection_create(const char *proxy_function,
+                                               proxy_conn_rec *conn,
+                                               conn_rec *c,
+@@ -2958,6 +2985,11 @@ PROXY_DECLARE(int) ap_proxy_connection_create(const char *proxy_function,
+     }
+     apr_socket_timeout_set(conn->sock, current_timeout);
+ 
++    /* Shutdown the connection before closing it (eg. SSL connections
++     * need to be close-notify-ed).
++     */
++    apr_pool_pre_cleanup_register(conn->scpool, conn, connection_shutdown);
++
+     return OK;
+ }
+ 
+diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
+index fbd701f..a8778d4 100644
+--- a/modules/ssl/ssl_util_ssl.c
++++ b/modules/ssl/ssl_util_ssl.c
+@@ -166,6 +166,7 @@ int SSL_smart_shutdown(SSL *ssl)
+ {
+     int i;
+     int rc;
++    int flush;
+ 
+     /*
+      * Repeat the calls, because SSL_shutdown internally dispatches through a
+@@ -175,8 +176,20 @@ int SSL_smart_shutdown(SSL *ssl)
+      * connection and OpenSSL cannot recognize it.
+      */
+     rc = 0;
++    flush = !(SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN);
+     for (i = 0; i < 4 /* max 2x pending + 2x data = 4 */; i++) {
+-        if ((rc = SSL_shutdown(ssl)))
++        rc = SSL_shutdown(ssl);
++        if (rc >= 0 && flush && (SSL_get_shutdown(ssl) & SSL_SENT_SHUTDOWN)) {
++            /* Once the close notity is sent through the output filters,
++             * ensure it is flushed through the socket.
++             */
++            if (BIO_flush(SSL_get_wbio(ssl)) <= 0) {
++                rc = -1;
++                break;
++            }
++            flush = 0;
++        }
++        if (rc != 0)
+             break;
+     }
+     return rc;
+diff --git a/server/connection.c b/server/connection.c
+index 6e4495f..4942c77 100644
+--- a/server/connection.c
++++ b/server/connection.c
+@@ -64,22 +64,32 @@ AP_IMPLEMENT_HOOK_RUN_ALL(int,pre_connection,(conn_rec *c, void *csd),(c, csd),O
+ #define MAX_SECS_TO_LINGER 30
+ #endif
+ 
+-AP_CORE_DECLARE(void) ap_flush_conn(conn_rec *c)
++AP_CORE_DECLARE(apr_status_t) ap_shutdown_conn(conn_rec *c, int flush)
+ {
++    apr_status_t rv;
+     apr_bucket_brigade *bb;
+     apr_bucket *b;
+ 
+     bb = apr_brigade_create(c->pool, c->bucket_alloc);
+ 
+-    /* FLUSH bucket */
+-    b = apr_bucket_flush_create(c->bucket_alloc);
+-    APR_BRIGADE_INSERT_TAIL(bb, b);
++    if (flush) {
++        /* FLUSH bucket */
++        b = apr_bucket_flush_create(c->bucket_alloc);
++        APR_BRIGADE_INSERT_TAIL(bb, b);
++    }
+ 
+     /* End Of Connection bucket */
+     b = ap_bucket_eoc_create(c->bucket_alloc);
+     APR_BRIGADE_INSERT_TAIL(bb, b);
+ 
+-    ap_pass_brigade(c->output_filters, bb);
++    rv = ap_pass_brigade(c->output_filters, bb);
++    apr_brigade_destroy(bb);
++    return rv;
++}
++
++AP_CORE_DECLARE(void) ap_flush_conn(conn_rec *c)
++{
++    (void)ap_shutdown_conn(c, 1);
+ }
+ 
+ /* we now proceed to read from the client until we get EOF, or until
+diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
+index 5852685..defa109 100644
+--- a/server/mpm/event/event.c
++++ b/server/mpm/event/event.c
+@@ -841,6 +841,7 @@ static int start_lingering_close_nonblocking(event_conn_state_t *cs)
+     apr_socket_t *csd = cs->pfd.desc.s;
+ 
+     if (c->aborted
++        || ap_shutdown_conn(c, 0) != APR_SUCCESS || c->aborted
+         || apr_socket_shutdown(csd, APR_SHUTDOWN_WRITE) != APR_SUCCESS) {
+         apr_socket_close(csd);
+         apr_pool_clear(cs->p);
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index c1b6c11..5d1e452 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,7 +16,3 @@
 </Directory>
 
 Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
-Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
-Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
-Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 4259e99..5034023 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -4,7 +4,7 @@
 %define mmn 20120211
 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
 %define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
-%define vstring CentOS
+%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})
 
 # Drop automatic provides for module DSOs
 %{?filter_setup:
@@ -15,10 +15,10 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.6
-Release: 93%{?dist}
+Release: 95%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source1: centos-noindex.tar.gz
+Source1: index.html
 Source2: httpd.logrotate
 Source3: httpd.sysconf
 Source4: httpd-ssl-pass-dialog
@@ -72,6 +72,9 @@ Patch37: httpd-2.4.6-uds.patch
 Patch38: httpd-2.4.6-upn.patch
 Patch39: httpd-2.4.6-r1664565.patch
 Patch40: httpd-2.4.6-r1861793+.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1715981
+Patch41: httpd-2.4.6-session-expiry-updt-int.patch
+
 # Bug fixes
 Patch51: httpd-2.4.3-sslsninotreq.patch
 Patch55: httpd-2.4.4-malformed-host.patch
@@ -196,6 +199,8 @@ Patch140: httpd-2.4.6-r1833014.patch
 Patch141: httpd-2.4.6-r1583175.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1649470
 Patch142: httpd-2.4.6-r1862604.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1724879
+Patch143: httpd-2.4.6-ssl-close-notify-client.patch
 
 # Security fixes
 Patch200: httpd-2.4.6-CVE-2013-6438.patch
@@ -225,6 +230,11 @@ Patch223: httpd-2.4.6-CVE-2019-0220.patch
 Patch224: httpd-2.4.6-CVE-2017-15710.patch
 Patch225: httpd-2.4.6-CVE-2018-1301.patch
 Patch226: httpd-2.4.6-CVE-2018-17199.patch
+Patch227: httpd-2.4.6-CVE-2017-15715.patch
+Patch228: httpd-2.4.6-CVE-2019-10098.patch
+Patch229: httpd-2.4.6-CVE-2018-1303.patch
+Patch230: httpd-2.4.6-CVE-2018-1283.patch
+Patch240: httpd-2.4.6-CVE-2020-1934.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -361,6 +371,7 @@ rm modules/ssl/ssl_engine_dh.c
 %patch38 -p1 -b .upn
 %patch39 -p1 -b .r1664565
 %patch40 -p1 -b .r1861793+
+%patch41 -p1 -b .session-expiry
 
 %patch51 -p1 -b .sninotreq
 %patch55 -p1 -b .malformedhost
@@ -449,8 +460,8 @@ rm modules/ssl/ssl_engine_dh.c
 %patch139 -p1 -b .r1824872
 %patch140 -p1 -b .r1833014
 %patch141 -p1 -b .r1583175
-%patch142 -p1 -b .1862604
-
+%patch142 -p1 -b .r1862604
+%patch143 -p1 -b .ssl-close-notify-client
 
 %patch200 -p1 -b .cve6438
 %patch201 -p1 -b .cve0098
@@ -479,6 +490,11 @@ rm modules/ssl/ssl_engine_dh.c
 %patch224 -p1 -b .cve15710
 %patch225 -p1 -b .cve1301
 %patch226 -p1 -b .cve17199
+%patch227 -p1 -b .cve15715
+%patch228 -p1 -b .cve10098
+%patch229 -p1 -b .cve1303
+%patch230 -p1 -b .cve1283
+%patch240 -p1 -b .cve1934
 
 # Patch in the vendor string and the release string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -632,10 +648,8 @@ EOF
 
 # Handle contentdir
 mkdir $RPM_BUILD_ROOT%{contentdir}/noindex
-tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \
-        -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \
-        --strip-components=1
-
+install -m 644 -p $RPM_SOURCE_DIR/index.html \
+        $RPM_BUILD_ROOT%{contentdir}/noindex/index.html
 rm -rf %{contentdir}/htdocs
 
 # remove manual sources
@@ -658,7 +672,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \
       $RPM_BUILD_ROOT%{docroot}/cgi-bin/*
 
 # Symlink for the powered-by-$DISTRO image:
-ln -s ../noindex/images/poweredby.png \
+ln -s ../../pixmaps/poweredby.png \
         $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
 
 # symlinks for /etc/httpd
@@ -844,7 +858,7 @@ rm -rf $RPM_BUILD_ROOT
 %{contentdir}/error/README
 %{contentdir}/error/*.var
 %{contentdir}/error/include/*.html
-%{contentdir}/noindex/*
+%{contentdir}/noindex/index.html
 
 %dir %{docroot}
 %dir %{docroot}/cgi-bin
@@ -910,11 +924,21 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd
 
 %changelog
-* Tue Mar 31 2020 CentOS Sources <bugs@centos.org> - 2.4.6-93.el7.centos
-- Remove index.html, add centos-noindex.tar.gz
-- change vstring
-- change symlink for poweredby.png
-- update welcome.conf with proper aliases
+* Fri Apr 17 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-95
+- Resolves: #1823262 - CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized
+  value
+
+* Thu Mar 26 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-94
+- Resolves: #1565491 - CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing
+  newline in the file name
+- Resolves: #1747283 - CVE-2019-10098 httpd: mod_rewrite potential open redirect
+- Resolves: #1724879 - httpd terminates all SSL connections using an abortive
+  shutdown
+- Resolves: #1715981 - Backport of SessionExpiryUpdateInterval directive
+- Resolves: #1565457 - CVE-2018-1303 httpd: Out of bounds read in
+  mod_cache_socache can allow a remote attacker to cause a denial of service
+- Resolves: #1566531 - CVE-2018-1283 httpd: Improper handling of headers in 
+  mod_session can allow a remote user to modify session data for CGI applications
 
 * Tue Oct 08 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.6-93
 - Resolves: #1677496 - CVE-2018-17199 httpd: mod_session_cookie does not respect