diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-http-protocol-options-define.patch b/SOURCES/httpd-2.4.6-http-protocol-options-define.patch
new file mode 100644
index 0000000..eb6e5e5
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-http-protocol-options-define.patch
@@ -0,0 +1,17 @@
+diff --git a/server/main.c b/server/main.c
+index 28d1872..544882d 100644
+--- a/server/main.c
++++ b/server/main.c
+@@ -478,6 +478,12 @@ int main(int argc, const char * const argv[])
+ ap_server_post_read_config = apr_array_make(pcommands, 1, sizeof(char *));
+ ap_server_config_defines = apr_array_make(pcommands, 1, sizeof(char *));
+
++ {
++ char **new = (char **)apr_array_push(ap_server_config_defines);
++
++ *new = "_RH_HAS_HTTPPROTOCOLOPTIONS";
++ }
++
+ error = ap_setup_prelinked_modules(process);
+ if (error) {
+ ap_log_error(APLOG_MARK, APLOG_STARTUP|APLOG_EMERG, 0, NULL, APLOGNO(00012)
diff --git a/SOURCES/httpd-2.4.6-mpm-segfault.patch b/SOURCES/httpd-2.4.6-mpm-segfault.patch
new file mode 100644
index 0000000..d42be44
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-mpm-segfault.patch
@@ -0,0 +1,10 @@
+--- a/server/mpm/event/event.c
++++ a/server/mpm/event/event.c
+@@ -2735,6 +2735,7 @@ static int event_run(apr_pool_t * _pconf, apr_pool_t * plog, server_rec * s)
+
+ /* we've been told to restart */
+ apr_signal(SIGHUP, SIG_IGN);
++ apr_signal(AP_SIG_GRACEFUL, SIG_IGN);
+
+ if (one_process) {
+ /* not worth thinking about */
diff --git a/SOURCES/httpd-2.4.6-r1348019.patch b/SOURCES/httpd-2.4.6-r1348019.patch
new file mode 100644
index 0000000..b8cca1c
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1348019.patch
@@ -0,0 +1,77 @@
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 2121892..6f904b2 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -2838,33 +2838,48 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function,
+
+ connected = 1;
+ }
+- /*
+- * Put the entire worker to error state if
+- * the PROXY_WORKER_IGNORE_ERRORS flag is not set.
+- * Altrough some connections may be alive
+- * no further connections to the worker could be made
+- */
+- if (!connected && PROXY_WORKER_IS_USABLE(worker) &&
+- !(worker->s->status & PROXY_WORKER_IGNORE_ERRORS)) {
+- worker->s->error_time = apr_time_now();
+- worker->s->status |= PROXY_WORKER_IN_ERROR;
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00959)
+- "ap_proxy_connect_backend disabling worker for (%s) for %"
+- APR_TIME_T_FMT "s",
+- worker->s->hostname, apr_time_sec(worker->s->retry));
++
++ if (PROXY_WORKER_IS_USABLE(worker)) {
++ /*
++ * Put the entire worker to error state if
++ * the PROXY_WORKER_IGNORE_ERRORS flag is not set.
++ * Although some connections may be alive
++ * no further connections to the worker could be made
++ */
++ if (!connected) {
++ if (!(worker->s->status & PROXY_WORKER_IGNORE_ERRORS)) {
++ worker->s->error_time = apr_time_now();
++ worker->s->status |= PROXY_WORKER_IN_ERROR;
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00959)
++ "ap_proxy_connect_backend disabling worker for (%s) for %"
++ APR_TIME_T_FMT "s",
++ worker->s->hostname, apr_time_sec(worker->s->retry));
++ }
++ }
++ else {
++ if (worker->s->retries) {
++ /*
++ * A worker came back. So here is where we need to
++ * either reset all params to initial conditions or
++ * apply some sort of aging
++ */
++ }
++ worker->s->error_time = 0;
++ worker->s->retries = 0;
++ }
++ return connected ? OK : DECLINED;
+ }
+ else {
+- if (worker->s->retries) {
+- /*
+- * A worker came back. So here is where we need to
+- * either reset all params to initial conditions or
+- * apply some sort of aging
+- */
+- }
+- worker->s->error_time = 0;
+- worker->s->retries = 0;
++ /*
++ * The worker is in error likely done by a different thread / process
++ * e.g. for a timeout or bad status. We should respect this and should
++ * not continue with a connection via this worker even if we got one.
++ */
++ if (connected) {
++ socket_cleanup(conn);
++ }
++ return DECLINED;
+ }
+- return connected ? OK : DECLINED;
+ }
+
+ PROXY_DECLARE(int) ap_proxy_connection_create(const char *proxy_function,
diff --git a/SOURCES/httpd-2.4.6-r1593002.patch b/SOURCES/httpd-2.4.6-r1593002.patch
new file mode 100644
index 0000000..6aa0688
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1593002.patch
@@ -0,0 +1,35 @@
+--- a/modules/ssl/ssl_util_stapling.c 2014/05/07 12:51:38 1593001
++++ b/modules/ssl/ssl_util_stapling.c 2014/05/07 12:52:13 1593002
+@@ -145,14 +145,15 @@
+ X509_digest(x, EVP_sha1(), cinf->idx, NULL);
+
+ aia = X509_get1_ocsp(x);
+- if (aia)
++ if (aia) {
+ cinf->uri = sk_OPENSSL_STRING_pop(aia);
++ X509_email_free(aia);
++ }
+ if (!cinf->uri && !mctx->stapling_force_url) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
+ "ssl_stapling_init_cert: no responder URL");
++ return 0;
+ }
+- if (aia)
+- X509_email_free(aia);
+ return 1;
+ }
+
+@@ -403,6 +404,13 @@
+ else
+ ocspuri = cinf->uri;
+
++ if (!ocspuri) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
++ "stapling_renew_response: no uri for responder");
++ rv = FALSE;
++ goto done;
++ }
++
+ /* Create a temporary pool to constrain memory use */
+ apr_pool_create(&vpool, conn->pool);
+
diff --git a/SOURCES/httpd-2.4.6-r1634529.patch b/SOURCES/httpd-2.4.6-r1634529.patch
new file mode 100644
index 0000000..9b831c6
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1634529.patch
@@ -0,0 +1,275 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index 9811af8..568627f 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -276,7 +276,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ #ifdef HAVE_OCSP_STAPLING
+- ssl_stapling_ex_init();
++ ssl_stapling_certinfo_hash_init(p);
+ #endif
+
+ /*
+@@ -899,6 +899,8 @@ static void ssl_init_ctx(server_rec *s,
+ }
+
+ static int ssl_server_import_cert(server_rec *s,
++ apr_pool_t *p,
++ apr_pool_t *ptemp,
+ modssl_ctx_t *mctx,
+ const char *id,
+ int idx)
+@@ -933,7 +935,7 @@ static int ssl_server_import_cert(server_rec *s,
+
+ #ifdef HAVE_OCSP_STAPLING
+ if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
+- if (!ssl_stapling_init_cert(s, mctx, cert)) {
++ if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02235)
+ "Unable to configure server certificate for stapling");
+ }
+@@ -1081,10 +1083,10 @@ static void ssl_init_server_certs(server_rec *s,
+ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC);
+ #endif
+
+- have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA);
+- have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA);
++ have_rsa = ssl_server_import_cert(s, p, ptemp, mctx, rsa_id, SSL_AIDX_RSA);
++ have_dsa = ssl_server_import_cert(s, p, ptemp, mctx, dsa_id, SSL_AIDX_DSA);
+ #ifndef OPENSSL_NO_EC
+- have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC);
++ have_ecc = ssl_server_import_cert(s, p, ptemp, mctx, ecc_id, SSL_AIDX_ECC);
+ #endif
+
+ if (!(have_rsa || have_dsa
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 80e1e8e..0cc6d3f 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -132,6 +132,13 @@
+ #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \
+ && !defined(OPENSSL_NO_TLSEXT)
+ #define HAVE_OCSP_STAPLING
++/* backward compatibility with OpenSSL < 1.0 */
++#ifndef sk_OPENSSL_STRING_num
++#define sk_OPENSSL_STRING_num sk_num
++#endif
++#ifndef sk_OPENSSL_STRING_value
++#define sk_OPENSSL_STRING_value sk_value
++#endif
+ #if (OPENSSL_VERSION_NUMBER < 0x10000000)
+ #define sk_OPENSSL_STRING_pop sk_pop
+ #endif
+@@ -862,10 +869,10 @@ const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char
+ const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
+ const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
+ const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
+-const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
++const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
+ void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
+-void ssl_stapling_ex_init(void);
+-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
++void ssl_stapling_certinfo_hash_init(apr_pool_t *);
++int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *, X509 *);
+ #endif
+ #ifndef OPENSSL_NO_SRP
+ int ssl_callback_SRPServerParams(SSL *, int *, void *);
+diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
+index 2be2c36..2387ae1 100644
+--- a/modules/ssl/ssl_util_stapling.c
++++ b/modules/ssl/ssl_util_stapling.c
+@@ -43,36 +43,32 @@
+
+ #define MAX_STAPLING_DER 10240
+
+-/* Cached info stored in certificate ex_info. */
++/* Cached info stored in the global stapling_certinfo hash. */
+ typedef struct {
+- /* Index in session cache SHA1 hash of certificate */
+- UCHAR idx[20];
+- /* Certificate ID for OCSP requests or NULL if ID cannot be determined */
++ /* Index in session cache (SHA-1 digest of DER encoded certificate) */
++ UCHAR idx[SHA_DIGEST_LENGTH];
++ /* Certificate ID for OCSP request */
+ OCSP_CERTID *cid;
+- /* Responder details */
++ /* URI of the OCSP responder */
+ char *uri;
+ } certinfo;
+
+-static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+- int idx, long argl, void *argp)
++static apr_status_t ssl_stapling_certid_free(void *data)
+ {
+- certinfo *cinf = ptr;
++ OCSP_CERTID *cid = data;
+
+- if (!cinf)
+- return;
+- if (cinf->uri)
+- OPENSSL_free(cinf->uri);
+- OPENSSL_free(cinf);
++ if (cid) {
++ OCSP_CERTID_free(cid);
++ }
++
++ return APR_SUCCESS;
+ }
+
+-static int stapling_ex_idx = -1;
++static apr_hash_t *stapling_certinfo;
+
+-void ssl_stapling_ex_init(void)
++void ssl_stapling_certinfo_hash_init(apr_pool_t *p)
+ {
+- if (stapling_ex_idx != -1)
+- return;
+- stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0,
+- certinfo_free);
++ stapling_certinfo = apr_hash_make(p);
+ }
+
+ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
+@@ -106,70 +102,97 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x)
+
+ }
+
+-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
++int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp,
++ modssl_ctx_t *mctx, X509 *x)
+ {
+- certinfo *cinf;
++ UCHAR idx[SHA_DIGEST_LENGTH];
++ certinfo *cinf = NULL;
+ X509 *issuer = NULL;
++ OCSP_CERTID *cid = NULL;
+ STACK_OF(OPENSSL_STRING) *aia = NULL;
+
+- if (x == NULL)
++ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
+ return 0;
+- cinf = X509_get_ex_data(x, stapling_ex_idx);
++
++ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
+ if (cinf) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215)
+- "ssl_stapling_init_cert: certificate already initialized!");
+- return 0;
+- }
+- cinf = OPENSSL_malloc(sizeof(certinfo));
+- if (!cinf) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216)
+- "ssl_stapling_init_cert: error allocating memory!");
+- return 0;
++ /*
++ * We already parsed the certificate, and no OCSP URI was found.
++ * The certificate might be used for multiple vhosts, though,
++ * so we check for a ForceURL for this vhost.
++ */
++ if (!cinf->uri && !mctx->stapling_force_url) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
++ APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
++ "in certificate and no SSLStaplingForceURL "
++ "configured for server %s", mctx->sc->vhost_id);
++ return 0;
++ }
++ return 1;
+ }
+- cinf->cid = NULL;
+- cinf->uri = NULL;
+- X509_set_ex_data(x, stapling_ex_idx, cinf);
+-
+- issuer = stapling_get_issuer(mctx, x);
+
+- if (issuer == NULL) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217)
+- "ssl_stapling_init_cert: Can't retrieve issuer certificate!");
++ if (!(issuer = stapling_get_issuer(mctx, x))) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217)
++ "ssl_stapling_init_cert: can't retrieve issuer "
++ "certificate!");
+ return 0;
+ }
+
+- cinf->cid = OCSP_cert_to_id(NULL, x, issuer);
++ cid = OCSP_cert_to_id(NULL, x, issuer);
+ X509_free(issuer);
+- if (!cinf->cid)
++ if (!cid) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
++ "ssl_stapling_init_cert: can't create CertID "
++ "for OCSP request");
+ return 0;
+- X509_digest(x, EVP_sha1(), cinf->idx, NULL);
++ }
+
+ aia = X509_get1_ocsp(x);
+- if (aia) {
+- cinf->uri = sk_OPENSSL_STRING_pop(aia);
+- X509_email_free(aia);
+- }
+- if (!cinf->uri && !mctx->stapling_force_url) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
+- "ssl_stapling_init_cert: no responder URL");
++
++ if (!aia && !mctx->stapling_force_url) {
++ OCSP_CERTID_free(cid);
++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
++ APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
++ "in certificate and no SSLStaplingForceURL set");
+ return 0;
+ }
++
++ /* At this point, we have determined that there's something to store */
++ cinf = apr_pcalloc(p, sizeof(certinfo));
++ memcpy (cinf->idx, idx, sizeof(idx));
++ cinf->cid = cid;
++ /* make sure cid is also freed at pool cleanup */
++ apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free,
++ apr_pool_cleanup_null);
++ if (aia) {
++ /* allocate uri from the pconf pool */
++ cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
++ X509_email_free(aia);
++ }
++
++ ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x,
++ "ssl_stapling_init_cert: storing certinfo for server %s",
++ mctx->sc->vhost_id);
++
++ apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
++
+ return 1;
+ }
+
+-static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx,
++static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx,
+ SSL *ssl)
+ {
+ certinfo *cinf;
+ X509 *x;
++ UCHAR idx[SHA_DIGEST_LENGTH];
+ x = SSL_get_certificate(ssl);
+- if (x == NULL)
++ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1))
+ return NULL;
+- cinf = X509_get_ex_data(x, stapling_ex_idx);
++ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
+ if (cinf && cinf->cid)
+ return cinf;
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926)
+- "stapling_get_cert_info: stapling not supported for certificate");
++ "stapling_get_certinfo: stapling not supported for certificate");
+ return NULL;
+ }
+
+@@ -585,7 +608,7 @@ static int stapling_cb(SSL *ssl, void *arg)
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951)
+ "stapling_cb: OCSP Stapling callback called");
+
+- cinf = stapling_get_cert_info(s, mctx, ssl);
++ cinf = stapling_get_certinfo(s, mctx, ssl);
+ if (cinf == NULL) {
+ return SSL_TLSEXT_ERR_NOACK;
+ }
diff --git a/SOURCES/httpd-2.4.6-r1651653.patch b/SOURCES/httpd-2.4.6-r1651653.patch
new file mode 100644
index 0000000..a67093e
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1651653.patch
@@ -0,0 +1,100 @@
+diff --git a/server/util.c b/server/util.c
+index e0ba5c2..a6516d4 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -968,20 +968,20 @@ AP_DECLARE(const char *) ap_pcfg_strerror(apr_pool_t *p, ap_configfile_t *cfp,
+ /* Read one line from open ap_configfile_t, strip LF, increase line number */
+ /* If custom handler does not define a getstr() function, read char by char */
+ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize,
+- ap_configfile_t *cfp)
++ apr_size_t offset, ap_configfile_t *cfp)
+ {
+ apr_status_t rc;
+ /* If a "get string" function is defined, use it */
+ if (cfp->getstr != NULL) {
+ char *cp;
+- char *cbuf = buf;
+- apr_size_t cbufsize = bufsize;
++ char *cbuf = buf + offset;
++ apr_size_t cbufsize = bufsize - offset;
+
+ while (1) {
+ ++cfp->line_number;
+ rc = cfp->getstr(cbuf, cbufsize, cfp->param);
+ if (rc == APR_EOF) {
+- if (cbuf != buf) {
++ if (cbuf != buf + offset) {
+ *cbuf = '\0';
+ break;
+ }
+@@ -999,11 +999,11 @@ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize,
+ */
+ cp = cbuf;
+ cp += strlen(cp);
+- if (cp > cbuf && cp[-1] == LF) {
++ if (cp > buf && cp[-1] == LF) {
+ cp--;
+- if (cp > cbuf && cp[-1] == CR)
++ if (cp > buf && cp[-1] == CR)
+ cp--;
+- if (cp > cbuf && cp[-1] == '\\') {
++ if (cp > buf && cp[-1] == '\\') {
+ cp--;
+ /*
+ * line continuation requested -
+@@ -1021,19 +1021,19 @@ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize,
+ }
+ } else {
+ /* No "get string" function defined; read character by character */
+- apr_size_t i = 0;
++ apr_size_t i = offset;
+
+ if (bufsize < 2) {
+ /* too small, assume caller is crazy */
+ return APR_EINVAL;
+ }
+- buf[0] = '\0';
++ buf[offset] = '\0';
+
+ while (1) {
+ char c;
+ rc = cfp->getch(&c, cfp->param);
+ if (rc == APR_EOF) {
+- if (i > 0)
++ if (i > offset)
+ break;
+ else
+ return APR_EOF;
+@@ -1051,11 +1051,11 @@ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize,
+ break;
+ }
+ }
+- else if (i >= bufsize - 2) {
+- return APR_ENOSPC;
+- }
+ buf[i] = c;
+ ++i;
++ if (i >= bufsize - 1) {
++ return APR_ENOSPC;
++ }
+ }
+ buf[i] = '\0';
+ }
+@@ -1089,7 +1089,7 @@ static int cfg_trim_line(char *buf)
+ AP_DECLARE(apr_status_t) ap_cfg_getline(char *buf, apr_size_t bufsize,
+ ap_configfile_t *cfp)
+ {
+- apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp);
++ apr_status_t rc = ap_cfg_getline_core(buf, bufsize, 0, cfp);
+ if (rc == APR_SUCCESS)
+ cfg_trim_line(buf);
+ return rc;
+@@ -1116,7 +1116,7 @@ AP_DECLARE(apr_status_t) ap_varbuf_cfg_getline(struct ap_varbuf *vb,
+ }
+
+ for (;;) {
+- rc = ap_cfg_getline_core(vb->buf + vb->strlen, vb->avail - vb->strlen, cfp);
++ rc = ap_cfg_getline_core(vb->buf, vb->avail, vb->strlen, cfp);
+ if (rc == APR_ENOSPC || rc == APR_SUCCESS)
+ vb->strlen += strlen(vb->buf + vb->strlen);
+ if (rc != APR_ENOSPC)
diff --git a/SOURCES/httpd-2.4.6-r1662640.patch b/SOURCES/httpd-2.4.6-r1662640.patch
new file mode 100644
index 0000000..3d1f726
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1662640.patch
@@ -0,0 +1,40 @@
+--- a/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:05:11 1662639
++++ b/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:18:31 1662640
+@@ -80,7 +80,8 @@
+
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
+- "TLS upgrade handshake failed: not accepted by client!?");
++ "TLS upgrade handshake failed");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+
+ return APR_ECONNABORTED;
+ }
+@@ -314,6 +315,16 @@
+ int depth, verify_old, verify, n;
+
+ if (ssl) {
++ /*
++ * We should have handshaken here (on handshakeserver),
++ * otherwise we are being redirected (ErrorDocument) from
++ * a renegotiation failure below. The access is still
++ * forbidden in the latter case, let ap_die() handle
++ * this recursive (same) error.
++ */
++ if (SSL_get_state(ssl) != SSL_ST_OK) {
++ return HTTP_FORBIDDEN;
++ }
+ ctx = SSL_get_SSL_CTX(ssl);
+ }
+
+@@ -828,8 +839,8 @@
+
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
+- "Re-negotiation handshake failed: "
+- "Not accepted by client!?");
++ "Re-negotiation handshake failed");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return HTTP_FORBIDDEN;
diff --git a/SOURCES/httpd-2.4.6-r1681114.patch b/SOURCES/httpd-2.4.6-r1681114.patch
new file mode 100644
index 0000000..d112972
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1681114.patch
@@ -0,0 +1,157 @@
+diff --git a/modules/http/http_request.c b/modules/http/http_request.c
+index cdfec8b..c97dc77 100644
+--- a/modules/http/http_request.c
++++ b/modules/http/http_request.c
+@@ -73,19 +73,22 @@ static void update_r_in_filters(ap_filter_t *f,
+ }
+ }
+
+-AP_DECLARE(void) ap_die(int type, request_rec *r)
++static void ap_die_r(int type, request_rec *r, int recursive_error)
+ {
+- int error_index = ap_index_of_response(type);
+- char *custom_response = ap_response_code_string(r, error_index);
+- int recursive_error = 0;
++ char *custom_response;
+ request_rec *r_1st_err = r;
+
+- if (type == AP_FILTER_ERROR) {
++ if (type == OK || type == DONE){
++ ap_finalize_request_protocol(r);
++ return;
++ }
++
++ if (!ap_is_HTTP_VALID_RESPONSE(type)) {
+ ap_filter_t *next;
+
+ /*
+ * Check if we still have the ap_http_header_filter in place. If
+- * this is the case we should not ignore AP_FILTER_ERROR here because
++ * this is the case we should not ignore the error here because
+ * it means that we have not sent any response at all and never
+ * will. This is bad. Sent an internal server error instead.
+ */
+@@ -99,8 +102,14 @@ AP_DECLARE(void) ap_die(int type, request_rec *r)
+ * next->frec == ap_http_header_filter
+ */
+ if (next) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01579)
+- "Custom error page caused AP_FILTER_ERROR");
++ if (type != AP_FILTER_ERROR) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01579)
++ "Invalid response status %i", type);
++ }
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02831)
++ "Response from AP_FILTER_ERROR");
++ }
+ type = HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else {
+@@ -108,20 +117,13 @@ AP_DECLARE(void) ap_die(int type, request_rec *r)
+ }
+ }
+
+- if (type == DONE) {
+- ap_finalize_request_protocol(r);
+- return;
+- }
+-
+ /*
+ * The following takes care of Apache redirects to custom response URLs
+ * Note that if we are already dealing with the response to some other
+ * error condition, we just report on the original error, and give up on
+ * any attempt to handle the other thing "intelligently"...
+ */
+- if (r->status != HTTP_OK) {
+- recursive_error = type;
+-
++ if (recursive_error != HTTP_OK) {
+ while (r_1st_err->prev && (r_1st_err->prev->status != HTTP_OK))
+ r_1st_err = r_1st_err->prev; /* Get back to original error */
+
+@@ -140,6 +142,10 @@ AP_DECLARE(void) ap_die(int type, request_rec *r)
+ }
+
+ custom_response = NULL; /* Do NOT retry the custom thing! */
++ } else {
++ int error_index = ap_index_of_response(type);
++ custom_response = ap_response_code_string(r, error_index);
++ recursive_error = 0;
+ }
+
+ r->status = type;
+@@ -216,6 +222,11 @@ AP_DECLARE(void) ap_die(int type, request_rec *r)
+ ap_send_error_response(r_1st_err, recursive_error);
+ }
+
++AP_DECLARE(void) ap_die(int type, request_rec *r)
++{
++ ap_die_r(type, r, r->status);
++}
++
+ static void check_pipeline(conn_rec *c)
+ {
+ if (c->keepalive != AP_CONN_CLOSE) {
+@@ -337,18 +348,7 @@ void ap_process_async_request(request_rec *r)
+ apr_thread_mutex_unlock(r->invoke_mtx);
+ #endif
+
+- if (access_status == DONE) {
+- /* e.g., something not in storage like TRACE */
+- access_status = OK;
+- }
+-
+- if (access_status == OK) {
+- ap_finalize_request_protocol(r);
+- }
+- else {
+- r->status = HTTP_OK;
+- ap_die(access_status, r);
+- }
++ ap_die_r(access_status, r, HTTP_OK);
+
+ ap_process_request_after_handler(r);
+ }
+@@ -631,8 +631,8 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
+
+ AP_DECLARE(void) ap_internal_redirect(const char *new_uri, request_rec *r)
+ {
+- request_rec *new = internal_internal_redirect(new_uri, r);
+ int access_status;
++ request_rec *new = internal_internal_redirect(new_uri, r);
+
+ AP_INTERNAL_REDIRECT(r->uri, new_uri);
+
+@@ -648,12 +648,7 @@ AP_DECLARE(void) ap_internal_redirect(const char *new_uri, request_rec *r)
+ access_status = ap_invoke_handler(new);
+ }
+ }
+- if (access_status == OK) {
+- ap_finalize_request_protocol(new);
+- }
+- else {
+- ap_die(access_status, new);
+- }
++ ap_die(access_status, new);
+ }
+
+ /* This function is designed for things like actions or CGI scripts, when
+@@ -674,15 +669,9 @@ AP_DECLARE(void) ap_internal_redirect_handler(const char *new_uri, request_rec *
+ ap_set_content_type(new, r->content_type);
+ access_status = ap_process_request_internal(new);
+ if (access_status == OK) {
+- if ((access_status = ap_invoke_handler(new)) != 0) {
+- ap_die(access_status, new);
+- return;
+- }
+- ap_finalize_request_protocol(new);
+- }
+- else {
+- ap_die(access_status, new);
++ access_status = ap_invoke_handler(new);
+ }
++ ap_die(access_status, new);
+ }
+
+ AP_DECLARE(void) ap_allow_methods(request_rec *r, int reset, ...)
diff --git a/SOURCES/httpd-2.4.6-r1683112.patch b/SOURCES/httpd-2.4.6-r1683112.patch
new file mode 100644
index 0000000..bb412c9
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1683112.patch
@@ -0,0 +1,45 @@
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 7f96aff..5517e08 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1118,7 +1118,7 @@ static int proxy_handler(request_rec *r)
+ AP_PROXY_RUN(r, worker, conf, url, attempts);
+ access_status = proxy_run_scheme_handler(r, worker, conf,
+ url, NULL, 0);
+- if (access_status == OK)
++ if (access_status == OK || apr_table_get(r->notes, "proxy-error-override"))
+ break;
+ else if (access_status == HTTP_INTERNAL_SERVER_ERROR) {
+ /* Unrecoverable server error.
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index cf52a7d..380b870 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -636,6 +636,11 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ */
+ rv = r->status;
+ r->status = HTTP_OK;
++ /*
++ * prevent proxy_handler() from treating this as an
++ * internal error.
++ */
++ apr_table_setn(r->notes, "proxy-error-override", "1");
+ }
+ else {
+ rv = OK;
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 89b5d15..bb5cdf9 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -1648,6 +1648,11 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+ }
+ ap_discard_request_body(backend->r);
+ }
++ /*
++ * prevent proxy_handler() from treating this as an
++ * internal error.
++ */
++ apr_table_setn(r->notes, "proxy-error-override", "1");
+ return proxy_status;
+ }
+
diff --git a/SOURCES/httpd-2.4.6-r1726019.patch b/SOURCES/httpd-2.4.6-r1726019.patch
new file mode 100644
index 0000000..4408d8c
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1726019.patch
@@ -0,0 +1,20 @@
+diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
+index 19fed62..7889b0e 100644
+--- a/modules/proxy/mod_proxy_fcgi.c
++++ b/modules/proxy/mod_proxy_fcgi.c
+@@ -927,6 +927,15 @@ static int fcgi_do_request(apr_pool_t *p, request_rec *r,
+ /* Step 3: Read records from the back end server and handle them. */
+ rv = dispatch(conn, conf, r, request_id);
+ if (rv != APR_SUCCESS) {
++ /* If the client aborted the connection during retrieval or (partially)
++ * sending the response, dont't return a HTTP_SERVICE_UNAVAILABLE, since
++ * this is not a backend problem. */
++ if (r->connection->aborted) {
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, rv, r,
++ "The client aborted the connection.");
++ conn->close = 1;
++ return OK;
++ }
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01075)
+ "Error dispatching request to %s:", server_portstr);
+ conn->close = 1;
diff --git a/SOURCES/httpd-2.4.6-r1738878.patch b/SOURCES/httpd-2.4.6-r1738878.patch
new file mode 100644
index 0000000..0aab1c4
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1738878.patch
@@ -0,0 +1,139 @@
+diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h
+index c65ebe5..330573b 100644
+--- a/modules/proxy/ajp.h
++++ b/modules/proxy/ajp.h
+@@ -413,11 +413,13 @@ apr_status_t ajp_ilink_receive(apr_socket_t *sock, ajp_msg_t *msg);
+ * @param r current request
+ * @param buffsize max size of the AJP packet.
+ * @param uri requested uri
++ * @param secret authentication secret
+ * @return APR_SUCCESS or error
+ */
+ apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri);
++ apr_uri_t *uri,
++ const char *secret);
+
+ /**
+ * Read the ajp message and return the type of the message.
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index 074f0a8..53571ee 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -213,7 +213,8 @@ AJPV13_REQUEST/AJPV14_REQUEST=
+
+ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+ request_rec *r,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ int method;
+ apr_uint32_t i, num_headers = 0;
+@@ -293,17 +294,15 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+ i, elts[i].key, elts[i].val);
+ }
+
+-/* XXXX need to figure out how to do this
+- if (s->secret) {
++ if (secret) {
+ if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
+- ajp_msg_append_string(msg, s->secret)) {
++ ajp_msg_append_string(msg, secret)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+- "Error ajp_marshal_into_msgb - "
++ "ajp_marshal_into_msgb: "
+ "Error appending secret");
+ return APR_EGENERAL;
+ }
+ }
+- */
+
+ if (r->user) {
+ if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
+@@ -628,7 +627,8 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,
+ apr_status_t ajp_send_header(apr_socket_t *sock,
+ request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ ajp_msg_t *msg;
+ apr_status_t rc;
+@@ -640,7 +640,7 @@ apr_status_t ajp_send_header(apr_socket_t *sock,
+ return rc;
+ }
+
+- rc = ajp_marshal_into_msgb(msg, r, uri);
++ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
+ if (rc != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
+ "ajp_send_header: ajp_marshal_into_msgb failed");
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 5517e08..e998f58 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -260,6 +260,12 @@ static const char *set_worker_param(apr_pool_t *p,
+ return "flusher name length must be < 16 characters";
+ PROXY_STRNCPY(worker->s->flusher, val);
+ }
++ else if (!strcasecmp(key, "secret")) {
++ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
++ return apr_psprintf(p, "Secret length must be < %d characters",
++ (int)sizeof(worker->s->secret));
++ }
++ }
+ else {
+ return "unknown Worker parameter";
+ }
+diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
+index b702028..06f2b17 100644
+--- a/modules/proxy/mod_proxy.h
++++ b/modules/proxy/mod_proxy.h
+@@ -317,6 +317,7 @@ PROXY_WORKER_DISABLED | PROXY_WORKER_STOPPED | PROXY_WORKER_IN_ERROR )
+ #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64
+ #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE
+ #define PROXY_BALANCER_MAX_STICKY_SIZE 64
++#define PROXY_WORKER_MAX_SECRET_SIZE 64
+
+ #define PROXY_MAX_PROVIDER_NAME_SIZE 16
+
+@@ -394,6 +395,7 @@ typedef struct {
+ unsigned int disablereuse_set:1;
+ unsigned int was_malloced:1;
+ unsigned int is_name_matchable:1;
++ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
+ } proxy_worker_shared;
+
+ #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index 380b870..81039bf 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -196,6 +196,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ apr_off_t content_length = 0;
+ int original_status = r->status;
+ const char *original_status_line = r->status_line;
++ const char *secret = NULL;
+
+ if (psf->io_buffer_size_set)
+ maxsize = psf->io_buffer_size;
+@@ -205,12 +206,15 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ maxsize = AJP_MSG_BUFFER_SZ;
+ maxsize = APR_ALIGN(maxsize, 1024);
+
++ if (*conn->worker->s->secret)
++ secret = conn->worker->s->secret;
++
+ /*
+ * Send the AJP request to the remote server
+ */
+
+ /* send request headers */
+- status = ajp_send_header(conn->sock, r, maxsize, uri);
++ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
+ if (status != APR_SUCCESS) {
+ conn->close = 1;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
diff --git a/SOURCES/httpd-2.4.6-r1775832.patch b/SOURCES/httpd-2.4.6-r1775832.patch
new file mode 100644
index 0000000..97c5f5f
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1775832.patch
@@ -0,0 +1,16 @@
+--- a/modules/filters/mod_ext_filter.c 2016/12/23 12:35:43 1775831
++++ b/modules/filters/mod_ext_filter.c 2016/12/23 12:36:26 1775832
+@@ -757,6 +757,13 @@
+ break;
+ }
+
++ if (AP_BUCKET_IS_ERROR(b)) {
++ apr_bucket *cpy;
++ apr_bucket_copy(b, &cpy);
++ APR_BRIGADE_INSERT_TAIL(bb_tmp, cpy);
++ break;
++ }
++
+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01463) "apr_bucket_read()");
diff --git a/SOURCES/httpd-2.4.6-statements-comment.patch b/SOURCES/httpd-2.4.6-statements-comment.patch
new file mode 100644
index 0000000..fd56e11
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-statements-comment.patch
@@ -0,0 +1,16 @@
+diff --git a/modules/aaa/mod_access_compat.c b/modules/aaa/mod_access_compat.c
+index 46d8da0..0a5d5a1 100644
+--- a/modules/aaa/mod_access_compat.c
++++ b/modules/aaa/mod_access_compat.c
+@@ -152,6 +152,11 @@ static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from,
+ if (strcasecmp(from, "from"))
+ return "allow and deny must be followed by 'from'";
+
++ s = ap_strchr(where, '#');
++ if (s) {
++ *s = '\0';
++ }
++
+ a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys);
+ a->x.from = where;
+ a->limited = cmd->limited;
diff --git a/SOURCES/manual.conf b/SOURCES/manual.conf
index d09757d..cf626ac 100644
--- a/SOURCES/manual.conf
+++ b/SOURCES/manual.conf
@@ -2,10 +2,12 @@
# This configuration file allows the manual to be accessed at
# http://localhost/manual/
#
-AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/usr/share/httpd/manual$1"
+Alias /manual /usr/share/httpd/manual
Options Indexes
AllowOverride None
Require all granted
+
+ RedirectMatch 301 ^/manual/(?:de|en|fr|ja|ko|ru)(/.*)$ "/manual$1"
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index c1b6c11..5d1e452 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,7 +16,3 @@
Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
-Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
-Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
-Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index d385291..cc1763c 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -4,7 +4,7 @@
%define mmn 20120211
%define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
%define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
-%define vstring CentOS
+%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})
# Drop automatic provides for module DSOs
%{?filter_setup:
@@ -15,10 +15,10 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.6
-Release: 45%{?dist}.4
+Release: 67%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source1: centos-noindex.tar.gz
+Source1: index.html
Source2: httpd.logrotate
Source3: httpd.sysconf
Source4: httpd-ssl-pass-dialog
@@ -126,7 +126,35 @@ Patch105: httpd-2.4.6-r1560093.patch
Patch106: httpd-2.4.6-r1748212.patch
Patch107: httpd-2.4.6-r1570327.patch
Patch108: httpd-2.4.6-r1631119.patch
-Patch109: httpd-2.4.6-r1587053.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1406184
+Patch109: httpd-2.4.6-r1593002.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1389535
+Patch110: httpd-2.4.6-r1662640.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1348019
+Patch111: httpd-2.4.6-r1348019.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1396197
+Patch112: httpd-2.4.6-r1587053.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1376835
+Patch113: httpd-2.4.6-mpm-segfault.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1372692
+Patch114: httpd-2.4.6-r1681114.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1371876
+Patch115: httpd-2.4.6-r1775832.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1353740
+Patch116: httpd-2.4.6-r1726019.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1364604
+Patch117: httpd-2.4.6-r1683112.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1378946
+Patch118: httpd-2.4.6-r1651653.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1414258
+Patch119: httpd-2.4.6-r1634529.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1397241
+Patch120: httpd-2.4.6-r1738878.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1445885
+Patch121: httpd-2.4.6-http-protocol-options-define.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1332242
+Patch122: httpd-2.4.6-statements-comment.patch
+
# Security fixes
Patch200: httpd-2.4.6-CVE-2013-6438.patch
Patch201: httpd-2.4.6-CVE-2014-0098.patch
@@ -331,7 +359,20 @@ rm modules/ssl/ssl_engine_dh.c
%patch106 -p1 -b .r1748212
%patch107 -p1 -b .r1570327
%patch108 -p1 -b .r1631119
-%patch109 -p1 -b .r1587053
+%patch109 -p1 -b .r1593002
+%patch110 -p1 -b .r1662640
+%patch111 -p1 -b .r1348019
+%patch112 -p1 -b .r1587053
+%patch113 -p1 -b .mpmsegfault
+%patch114 -p1 -b .r1681114
+%patch115 -p1 -b .r1371876
+%patch116 -p1 -b .r1726019
+%patch117 -p1 -b .r1683112
+%patch118 -p1 -b .r1651653
+%patch119 -p1 -b .r1634529
+%patch120 -p1 -b .r1738878
+%patch121 -p1 -b .httpprotdefine
+%patch122 -p1 -b .statement-comment
%patch200 -p1 -b .cve6438
%patch201 -p1 -b .cve0098
@@ -501,10 +542,8 @@ EOF
# Handle contentdir
mkdir $RPM_BUILD_ROOT%{contentdir}/noindex
-tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \
- -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \
- --strip-components=1
-
+install -m 644 -p $RPM_SOURCE_DIR/index.html \
+ $RPM_BUILD_ROOT%{contentdir}/noindex/index.html
rm -rf %{contentdir}/htdocs
# remove manual sources
@@ -527,7 +566,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \
$RPM_BUILD_ROOT%{docroot}/cgi-bin/*
# Symlink for the powered-by-$DISTRO image:
-ln -s ../noindex/images/poweredby.png \
+ln -s ../../pixmaps/poweredby.png \
$RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
# symlinks for /etc/httpd
@@ -587,7 +626,7 @@ rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra}
%pre
# Add the "apache" group and user
/usr/sbin/groupadd -g 48 -r apache 2> /dev/null || :
-/usr/sbin/useradd -c "Apache" -u 48 -g 48 \
+/usr/sbin/useradd -c "Apache" -u 48 -g apache \
-s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || :
%post
@@ -713,7 +752,7 @@ rm -rf $RPM_BUILD_ROOT
%{contentdir}/error/README
%{contentdir}/error/*.var
%{contentdir}/error/include/*.html
-%{contentdir}/noindex/*
+%{contentdir}/noindex/index.html
%dir %{docroot}
%dir %{docroot}/cgi-bin
@@ -779,26 +818,92 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
-* Wed Apr 12 2017 CentOS Sources - 2.4.6-45.el7.centos.4
-- Remove index.html, add centos-noindex.tar.gz
-- change vstring
-- change symlink for poweredby.png
-- update welcome.conf with proper aliases
+* Tue May 09 2017 Luboš Uhliarik - 2.4.6-67
+- Related: #1332242 - Explicitly disallow the '#' character in allow,deny
+ directives
+
+* Tue May 09 2017 Luboš Uhliarik - 2.4.6-66
+- Related: #1332242 - Explicitly disallow the '#' character in allow,deny
+ directives
+
+* Thu Apr 27 2017 Luboš Uhliarik - 2.4.6-65
+- Resolves: #1445885 - define _RH_HAS_HTTPPROTOCOLOPTIONS
+
+* Tue Apr 18 2017 Luboš Uhliarik - 2.4.6-64
+- Resolves: #1442872 - apache user is not created during httpd installation
+ when apache group already exist with GID other than 48
+
+* Wed Mar 22 2017 Luboš Uhliarik - 2.4.6-63
+- Related: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743
+ httpd: various flaws
+
+* Wed Mar 15 2017 Luboš Uhliarik - 2.4.6-62
+- Resolves: #1397241 - Backport Apache Bug 53098 - mod_proxy_ajp:
+ patch to set worker secret passed to tomcat
+
+* Wed Mar 15 2017 Luboš Uhliarik - 2.4.6-61
+- Related: #1414258 - Crash during restart or at startup in mod_ssl,
+ in certinfo_free() function registered by ssl_stapling_ex_init()
+
+* Tue Mar 14 2017 Luboš Uhliarik - 2.4.6-60
+- Resolves: #1414258 - Crash during restart or at startup in mod_ssl,
+ in certinfo_free() function registered by ssl_stapling_ex_init()
+
+* Mon Mar 13 2017 Luboš Uhliarik - 2.4.6-59
+- Resolves: #1378946 - Backport of apache bug 55910: Continuation lines
+ are broken during buffer resize
+
+* Fri Mar 10 2017 Luboš Uhliarik - 2.4.6-58
+- Resolves: #1364604 - Upstream Bug 56925 - ErrorDocument directive misbehaves
+ with mod_proxy_http and mod_proxy_ajp
-* Wed Mar 08 2017 Luboš Uhliarik - 2.4.6-45.4
+* Thu Mar 09 2017 Luboš Uhliarik - 2.4.6-57
+- Resolves: #1324416 - Error 404 when switching language in HTML manual
+ more than once
+
+* Wed Mar 08 2017 Luboš Uhliarik - 2.4.6-56
+- Resolves: #1353740 - Backport Apache PR58118 to fix mod_proxy_fcgi
+ spamming non-errors: AH01075: Error dispatching request to : (passing
+ brigade to output filters)
+
+* Wed Mar 08 2017 Luboš Uhliarik - 2.4.6-55
+- Resolves: #1371876 - Apache httpd returns "200 OK" for a request
+ exceeding LimitRequestBody when enabling mod_ext_filter
+
+* Tue Mar 07 2017 Luboš Uhliarik - 2.4.6-54
+- Resolves: #1372692 - Apache httpd does not log status code "413" in
+ access_log when exceeding LimitRequestBody
+
+* Tue Mar 07 2017 Luboš Uhliarik - 2.4.6-53
+- Resolves: #1376835 - httpd with worker/event mpm segfaults after multiple
+ successive graceful reloads
+
+* Tue Mar 07 2017 Luboš Uhliarik - 2.4.6-52
+- Resolves: #1332242 - Explicitly disallow the '#' character in allow,deny
+ directives
+
+* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-51
- Resolves: #1396197 - Backport: mod_proxy_wstunnel - AH02447: err/hup
on backconn
-* Tue Feb 14 2017 Joe Orton - 2.4.6-45.3
+* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-50
+- Resolves: #1348019 - mod_proxy: Fix a race condition that caused a failed
+ worker to be retried before the retry period is over
+
+* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-49
+- Resolves: #1389535 - Segmentation fault in SSL_renegotiate
+
+* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-48
+- Resolves: #1406184 - stapling_renew_response: abort early
+ (before apr_uri_parse) if ocspuri is empty
+
+* Tue Feb 7 2017 Joe Orton - 2.4.6-47
- prefork: fix delay completing graceful restart (#1327624)
- mod_ldap: fix authz regression, failing to rebind (#1415257)
-* Tue Feb 14 2017 Joe Orton - 2.4.6-45.2
-- updated patch for CVE-2016-8743
-
-* Mon Jan 30 2017 Luboš Uhliarik - 2.4.6-45.1
-- Resolves: #1412975 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 httpd: various
- flaws
+* Thu Jan 26 2017 Luboš Uhliarik - 2.4.6-46
+- Resolves: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743
+ httpd: various flaws
* Wed Aug 03 2016 Luboš Uhliarik - 2.4.6-45
- RFE: run mod_rewrite external mapping program as non-root (#1316900)