summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBenedikt Boehm <hollow@gentoo.org>2009-07-29 08:08:30 +0000
committerBenedikt Boehm <hollow@gentoo.org>2009-07-29 08:08:30 +0000
commit8e7082d1d4d2d7c427d600a816934b89cdc6f7f8 (patch)
tree7d37954713c54299079b1f88ece358c9fe1fcaab /2.2/patches
parentadd peruser-dc patch (diff)
downloadapache-8e7082d1d4d2d7c427d600a816934b89cdc6f7f8.tar.gz
apache-8e7082d1d4d2d7c427d600a816934b89cdc6f7f8.tar.bz2
apache-8e7082d1d4d2d7c427d600a816934b89cdc6f7f8.zip
remove patches that have been backported to 2.2.12
Diffstat (limited to '2.2/patches')
-rw-r--r--2.2/patches/04_all_mod_ssl_tls_sni.patch380
-rw-r--r--2.2/patches/05_all_fix_graceful_multiple_listeners.patch42
-rw-r--r--2.2/patches/06_all_CVE-2009-1191.patch37
-rw-r--r--2.2/patches/07_all_CVE-2009-1195.patch136
-rw-r--r--2.2/patches/08_all_CVE-2009-1890.patch38
-rw-r--r--2.2/patches/09_all_CVE-2009-1891.patch29
-rw-r--r--2.2/patches/10_all_r779472.patch67
-rw-r--r--2.2/patches/11_all_r790738.patch18
8 files changed, 0 insertions, 747 deletions
diff --git a/2.2/patches/04_all_mod_ssl_tls_sni.patch b/2.2/patches/04_all_mod_ssl_tls_sni.patch
deleted file mode 100644
index 73392ae..0000000
--- a/2.2/patches/04_all_mod_ssl_tls_sni.patch
+++ /dev/null
@@ -1,380 +0,0 @@
-# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
-# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
-
-# based on a patch from the EdelKey project
-# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
-
-# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
-# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
-# must be configured explicitly for TLS extension support at compile time
-# ("./config enable-tlsext").
-
-Index: httpd-2.2.x/modules/ssl/ssl_private.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy)
-@@ -35,6 +35,7 @@
- #include "http_connection.h"
- #include "http_request.h"
- #include "http_protocol.h"
-+#include "http_vhost.h"
- #include "util_script.h"
- #include "util_filter.h"
- #include "util_ebcdic.h"
-@@ -555,6 +556,9 @@ int ssl_callback_NewSessionCach
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
- void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
- void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
-+#ifndef OPENSSL_NO_TLSEXT
-+int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
-+#endif
-
- /** Session Cache Support */
- void ssl_scache_init(server_rec *, apr_pool_t *);
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
-@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
- }
- }
-
-+#ifndef OPENSSL_NO_TLSEXT
-+static void ssl_init_ctx_tls_extensions(server_rec *s,
-+ apr_pool_t *p,
-+ apr_pool_t *ptemp,
-+ modssl_ctx_t *mctx)
-+{
-+ /*
-+ * Configure TLS extensions support
-+ */
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Configuring TLS extension handling");
-+
-+ /*
-+ * Server name indication (SNI)
-+ */
-+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
-+ ssl_callback_ServerNameIndication) ||
-+ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "Unable to initialize TLS servername extension "
-+ "callback (incompatible OpenSSL version?)");
-+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
-+ ssl_die();
-+ }
-+}
-+#endif
-+
- static void ssl_init_ctx_protocol(server_rec *s,
- apr_pool_t *p,
- apr_pool_t *ptemp,
-@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
- if (mctx->pks) {
- /* XXX: proxy support? */
- ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
-+#ifndef OPENSSL_NO_TLSEXT
-+ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
-+#endif
- }
- }
-
-@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
- klen = strlen(key);
-
- if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
-- ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-+ ap_log_error(APLOG_MARK,
-+#ifdef OPENSSL_NO_TLSEXT
-+ APLOG_WARNING,
-+#else
-+ APLOG_DEBUG,
-+#endif
-+ 0,
- base_server,
-+#ifdef OPENSSL_NO_TLSEXT
- "Init: SSL server IP/port conflict: "
-+#else
-+ "Init: SSL server IP/port overlap: "
-+#endif
- "%s (%s:%d) vs. %s (%s:%d)",
- ssl_util_vhostid(p, s),
- (s->defn_name ? s->defn_name : "unknown"),
-@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
-
- if (conflict) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
-+#ifdef OPENSSL_NO_TLSEXT
- "Init: You should not use name-based "
- "virtual hosts in conjunction with SSL!!");
-+#else
-+ "Init: Name-based SSL virtual hosts only "
-+ "work for clients with TLS server name indication "
-+ "support (RFC 4366)");
-+#endif
- }
- }
-
-Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy)
-@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
- else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
- result = ssl_var_lookup_ssl_compress_meth(ssl);
- }
-+#ifndef OPENSSL_NO_TLSEXT
-+ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
-+ result = apr_pstrdup(p, SSL_get_servername(ssl,
-+ TLSEXT_NAMETYPE_host_name));
-+ }
-+#endif
- return result;
- }
-
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
-@@ -31,6 +31,9 @@
- #include "ssl_private.h"
-
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-+#ifndef OPENSSL_NO_TLSEXT
-+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
-+#endif
-
- /*
- * Post Read Request Handler
-@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
- {
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSL *ssl;
-+#ifndef OPENSSL_NO_TLSEXT
-+ const char *servername;
-+#endif
-
- if (!sslconn) {
- return DECLINED;
-@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
- if (!ssl) {
- return DECLINED;
- }
-+#ifndef OPENSSL_NO_TLSEXT
-+ if (!r->hostname &&
-+ (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+ /* Use the SNI extension as the hostname if no Host: header was sent */
-+ r->hostname = apr_pstrdup(r->pool, servername);
-+ ap_update_vhost_from_headers(r);
-+ }
-+#endif
- SSL_set_app_data2(ssl, r);
-
- /*
-@@ -353,6 +367,11 @@ int ssl_hook_Access(request_rec *r)
- * currently active/remembered verify depth (because this means more
- * restriction on the certificate chain).
- */
-+ if ((sc->server->auth.verify_depth != UNSET) &&
-+ (dc->nVerifyDepth == UNSET)) {
-+ /* apply per-vhost setting, if per-directory config is not set */
-+ dc->nVerifyDepth = sc->server->auth.verify_depth;
-+ }
- if (dc->nVerifyDepth != UNSET) {
- /* XXX: doesnt look like sslconn->verify_depth is actually used */
- if (!(n = sslconn->verify_depth)) {
-@@ -382,6 +401,11 @@ int ssl_hook_Access(request_rec *r)
- * verification but at least skip the I/O-intensive renegotation
- * handshake.
- */
-+ if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&
-+ (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {
-+ /* apply per-vhost setting, if per-directory config is not set */
-+ dc->nVerifyClient = sc->server->auth.verify_mode;
-+ }
- if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
- /* remember old state */
- verify_old = SSL_get_verify_mode(ssl);
-@@ -997,6 +1021,9 @@ int ssl_hook_Fixup(request_rec *r)
- SSLDirConfigRec *dc = myDirConfig(r);
- apr_table_t *env = r->subprocess_env;
- char *var, *val = "";
-+#ifndef OPENSSL_NO_TLSEXT
-+ const char *servername;
-+#endif
- STACK_OF(X509) *peer_certs;
- SSL *ssl;
- int i;
-@@ -1018,6 +1045,13 @@ int ssl_hook_Fixup(request_rec *r)
- /* the always present HTTPS (=HTTP over SSL) flag! */
- apr_table_setn(env, "HTTPS", "on");
-
-+#ifndef OPENSSL_NO_TLSEXT
-+ /* add content of SNI TLS extension (if supplied with ClientHello) */
-+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+ apr_table_set(env, "SSL_TLS_SNI", servername);
-+ }
-+#endif
-+
- /* standard SSL environment variables */
- if (dc->nOptions & SSL_OPT_STDENVVARS) {
- for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-@@ -1810,3 +1844,141 @@ void ssl_callback_LogTracingState(MODSSL
- }
- }
-
-+#ifndef OPENSSL_NO_TLSEXT
-+/*
-+ * This callback function is executed when OpenSSL encounters an extended
-+ * client hello with a server name indication extension ("SNI", cf. RFC 4366).
-+ */
-+int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
-+{
-+ const char *servername =
-+ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-+
-+ if (servername) {
-+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-+ if (c) {
-+ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
-+ (void *)servername)) {
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ "SSL virtual host for servername %s found",
-+ servername);
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+ else {
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ "No matching SSL virtual host for servername "
-+ "%s found (using default/first virtual host)",
-+ servername);
-+ return SSL_TLSEXT_ERR_ALERT_WARNING;
-+ }
-+ }
-+ }
-+
-+ return SSL_TLSEXT_ERR_NOACK;
-+}
-+
-+/*
-+ * Find a (name-based) SSL virtual host where either the ServerName
-+ * or one of the ServerAliases matches the supplied name (to be used
-+ * with ap_vhost_iterate_given_conn())
-+ */
-+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
-+{
-+ SSLSrvConfigRec *sc;
-+ SSL *ssl;
-+ BOOL found = FALSE;
-+ apr_array_header_t *names;
-+ int i;
-+
-+ /* check ServerName */
-+ if (!strcasecmp(servername, s->server_hostname)) {
-+ found = TRUE;
-+ }
-+
-+ /*
-+ * if not matched yet, check ServerAlias entries
-+ * (adapted from vhost.c:matches_aliases())
-+ */
-+ if (!found) {
-+ names = s->names;
-+ if (names) {
-+ char **name = (char **)names->elts;
-+ for (i = 0; i < names->nelts; ++i) {
-+ if (!name[i])
-+ continue;
-+ if (!strcasecmp(servername, name[i])) {
-+ found = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ /* if still no match, check ServerAlias entries with wildcards */
-+ if (!found) {
-+ names = s->wild_names;
-+ if (names) {
-+ char **name = (char **)names->elts;
-+ for (i = 0; i < names->nelts; ++i) {
-+ if (!name[i])
-+ continue;
-+ if (!ap_strcasecmp_match(servername, name[i])) {
-+ found = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ /* set SSL_CTX (if matched) */
-+ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
-+ (sc = mySrvConfig(s))) {
-+ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
-+ /*
-+ * SSL_set_SSL_CTX() only deals with the server cert,
-+ * so we need to duplicate a few additional settings
-+ * from the ctx by hand
-+ */
-+ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
-+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
-+ (SSL_num_renegotiations(ssl) == 0)) {
-+ /*
-+ * Only initialize the verification settings from the ctx
-+ * if they are not yet set, or if we're called when a new
-+ * SSL connection is set up (num_renegotiations == 0).
-+ * Otherwise, we would possibly reset a per-directory
-+ * configuration which was put into effect by ssl_hook_Access.
-+ */
-+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-+ SSL_CTX_get_verify_callback(ssl->ctx));
-+ }
-+
-+ /*
-+ * We also need to make sure that the correct mctx
-+ * (accessed through the c->base_server->module_config vector)
-+ * is assigned to the connection - the CRL callback e.g.
-+ * makes use of it for retrieving its store (mctx->crl).
-+ * Since logging in callbacks uses c->base_server in many
-+ * cases, it also ensures that these messages are routed
-+ * to the proper log.
-+ */
-+ c->base_server = s;
-+
-+ /*
-+ * There is one special filter callback, which is set
-+ * very early depending on the base_server's log level.
-+ * If this is not the first vhost we're now selecting
-+ * (and the first vhost doesn't use APLOG_DEBUG), then
-+ * we need to set that callback here.
-+ */
-+ if (c->base_server->loglevel >= APLOG_DEBUG) {
-+ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
-+ BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
-+ }
-+
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+#endif
-Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy)
-@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
- #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
- #endif
-
-+#ifndef OPENSSL_NO_TLSEXT
-+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
-+#define OPENSSL_NO_TLSEXT
-+#endif
-+#endif
-+
- #endif /* SSL_TOOLKIT_COMPAT_H */
-
- /** @} */
diff --git a/2.2/patches/05_all_fix_graceful_multiple_listeners.patch b/2.2/patches/05_all_fix_graceful_multiple_listeners.patch
deleted file mode 100644
index 6ed9de1..0000000
--- a/2.2/patches/05_all_fix_graceful_multiple_listeners.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c 2009/01/31 20:53:11 739607
-+++ httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c 2009/01/31 20:54:55 739608
-@@ -577,19 +577,27 @@
- apr_int32_t numdesc;
- const apr_pollfd_t *pdesc;
-
-- /* timeout == -1 == wait forever */
-- status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
-+ /* check for termination first so we don't sleep for a while in
-+ * poll if already signalled
-+ */
-+ if (one_process && shutdown_pending) {
-+ SAFE_ACCEPT(accept_mutex_off());
-+ return;
-+ }
-+ else if (die_now) {
-+ /* In graceful stop/restart; drop the mutex
-+ * and terminate the child. */
-+ SAFE_ACCEPT(accept_mutex_off());
-+ clean_child_exit(0);
-+ }
-+ /* timeout == 10 seconds to avoid a hang at graceful restart/stop
-+ * caused by the closing of sockets by the signal handler
-+ */
-+ status = apr_pollset_poll(pollset, apr_time_from_sec(10),
-+ &numdesc, &pdesc);
- if (status != APR_SUCCESS) {
-- if (APR_STATUS_IS_EINTR(status)) {
-- if (one_process && shutdown_pending) {
-- return;
-- }
-- else if (die_now) {
-- /* In graceful stop/restart; drop the mutex
-- * and terminate the child. */
-- SAFE_ACCEPT(accept_mutex_off());
-- clean_child_exit(0);
-- }
-+ if (APR_STATUS_IS_TIMEUP(status) ||
-+ APR_STATUS_IS_EINTR(status)) {
- continue;
- }
- /* Single Unix documents select as returning errnos
diff --git a/2.2/patches/06_all_CVE-2009-1191.patch b/2.2/patches/06_all_CVE-2009-1191.patch
deleted file mode 100644
index cbb790a..0000000
--- a/2.2/patches/06_all_CVE-2009-1191.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: modules/proxy/mod_proxy_ajp.c
-===================================================================
---- modules/proxy/mod_proxy_ajp.c (Revision 763379)
-+++ modules/proxy/mod_proxy_ajp.c (Arbeitskopie)
-@@ -307,21 +307,17 @@
- "proxy: read zero bytes, expecting"
- " %" APR_OFF_T_FMT " bytes",
- content_length);
-- status = ajp_send_data_msg(conn->sock, msg, 0);
-- if (status != APR_SUCCESS) {
-- /* We had a failure: Close connection to backend */
-- conn->close++;
-- ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
-- "proxy: send failed to %pI (%s)",
-- conn->worker->cp->addr,
-- conn->worker->hostname);
-- return HTTP_INTERNAL_SERVER_ERROR;
-- }
-- else {
-- /* Client send zero bytes with C-L > 0
-- */
-- return HTTP_BAD_REQUEST;
-- }
-+ /*
-+ * We can only get here if the client closed the connection
-+ * to us without sending the body.
-+ * Now the connection is in the wrong state on the backend.
-+ * Sending an empty data msg doesn't help either as it does
-+ * not move this connection to the correct state on the backend
-+ * for later resusage by the next request again.
-+ * Close it to clean things up.
-+ */
-+ conn->close++;
-+ return HTTP_BAD_REQUEST;
- }
- }
-
diff --git a/2.2/patches/07_all_CVE-2009-1195.patch b/2.2/patches/07_all_CVE-2009-1195.patch
deleted file mode 100644
index 14a6dba..0000000
--- a/2.2/patches/07_all_CVE-2009-1195.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-Index: server/config.c
-===================================================================
---- server/config.c (revision 773036)
-+++ server/config.c (working copy)
-@@ -1510,7 +1510,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
- &arr_parms, NULL,
-@@ -1617,7 +1617,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- rv = ap_pcfg_openfile(&cfp, p, fname);
- if (rv != APR_SUCCESS) {
-@@ -1755,7 +1755,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
- parms.limited = -1;
-
- errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
-Index: server/core.c
-===================================================================
---- server/core.c (revision 773036)
-+++ server/core.c (working copy)
-@@ -108,8 +108,7 @@
- conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
- conf->opts_add = conf->opts_remove = OPT_NONE;
- conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
-- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
-- | OPT_MULTI;
-+ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- conf->content_md5 = 2;
- conf->accept_path_info = 3;
-@@ -242,8 +241,15 @@
- conf->opts_remove = (conf->opts_remove & ~new->opts_add)
- | new->opts_remove;
- conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
-- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
-- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
-+
-+ /* If Includes was enabled with exec in the base config, but
-+ * was enabled without exec in the new config, then disable
-+ * exec in the merged set. */
-+ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+ == OPT_INCLUDES)) {
-+ conf->opts &= ~OPT_INC_WITH_EXEC;
- }
- }
- else {
-@@ -1304,10 +1310,12 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ /* If Includes is permitted, both Includes and
-+ * IncludesNOEXEC may be changed. */
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
-@@ -1428,10 +1436,10 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
-Index: modules/filters/mod_include.c
-===================================================================
---- modules/filters/mod_include.c (revision 773036)
-+++ modules/filters/mod_include.c (working copy)
-@@ -3574,7 +3574,7 @@
- intern->seen_eos = 0;
- intern->state = PARSE_PRE_HEAD;
- ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-- if (ap_allow_options(r) & OPT_INCNOEXEC) {
-+ if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
- ctx->flags |= SSI_FLAG_NO_EXEC;
- }
- intern->accessenable = conf->accessenable;
-Index: include/http_core.h
-===================================================================
---- include/http_core.h (revision 773036)
-+++ include/http_core.h (working copy)
-@@ -65,7 +65,7 @@
- #define OPT_NONE 0
- /** Indexes directive */
- #define OPT_INDEXES 1
--/** Includes directive */
-+/** SSI is enabled without exec= permission */
- #define OPT_INCLUDES 2
- /** FollowSymLinks directive */
- #define OPT_SYM_LINKS 4
-@@ -73,14 +73,14 @@
- #define OPT_EXECCGI 8
- /** directive unset */
- #define OPT_UNSET 16
--/** IncludesNOEXEC directive */
--#define OPT_INCNOEXEC 32
-+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
-+#define OPT_INC_WITH_EXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
- /** MultiViews directive */
- #define OPT_MULTI 128
- /** All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
-
- /**
-
diff --git a/2.2/patches/08_all_CVE-2009-1890.patch b/2.2/patches/08_all_CVE-2009-1890.patch
deleted file mode 100644
index 672c82b..0000000
--- a/2.2/patches/08_all_CVE-2009-1890.patch
+++ /dev/null
@@ -1,38 +0,0 @@
---- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c 2009/07/02 13:37:39 790586
-+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c 2009/07/02 13:41:18 790587
-@@ -427,10 +427,16 @@
- apr_off_t bytes_streamed = 0;
-
- if (old_cl_val) {
-+ char *endstr;
-+
- add_cl(p, bucket_alloc, header_brigade, old_cl_val);
-- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
-- 0))) {
-- return HTTP_INTERNAL_SERVER_ERROR;
-+ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
-+
-+ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
-+ "proxy: could not parse request Content-Length (%s)",
-+ old_cl_val);
-+ return HTTP_BAD_REQUEST;
- }
- }
- terminate_headers(bucket_alloc, header_brigade);
-@@ -463,8 +469,13 @@
- *
- * Prevents HTTP Response Splitting.
- */
-- if (bytes_streamed > cl_val)
-- continue;
-+ if (bytes_streamed > cl_val) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "proxy: read more bytes of request body than expected "
-+ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
-+ bytes_streamed, cl_val);
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-
- if (header_brigade) {
- /* we never sent the header brigade, so go ahead and
diff --git a/2.2/patches/09_all_CVE-2009-1891.patch b/2.2/patches/09_all_CVE-2009-1891.patch
deleted file mode 100644
index 4d778f8..0000000
--- a/2.2/patches/09_all_CVE-2009-1891.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- httpd/httpd/branches/2.2.x/server/core_filters.c 2009/07/06 12:01:05 791453
-+++ httpd/httpd/branches/2.2.x/server/core_filters.c 2009/07/06 12:03:20 791454
-@@ -542,6 +542,12 @@
- apr_read_type_e eblock = APR_NONBLOCK_READ;
- apr_pool_t *input_pool = b->p;
-
-+ /* Fail quickly if the connection has already been aborted. */
-+ if (c->aborted) {
-+ apr_brigade_cleanup(b);
-+ return APR_ECONNABORTED;
-+ }
-+
- if (ctx == NULL) {
- ctx = apr_pcalloc(c->pool, sizeof(*ctx));
- net->out_ctx = ctx;
-@@ -909,12 +915,9 @@
- /* No need to check for SUCCESS, we did that above. */
- if (!APR_STATUS_IS_EAGAIN(rv)) {
- c->aborted = 1;
-+ return APR_ECONNABORTED;
- }
-
-- /* The client has aborted, but the request was successful. We
-- * will report success, and leave it to the access and error
-- * logs to note that the connection was aborted.
-- */
- return APR_SUCCESS;
- }
-
diff --git a/2.2/patches/10_all_r779472.patch b/2.2/patches/10_all_r779472.patch
deleted file mode 100644
index c4bb6cb..0000000
--- a/2.2/patches/10_all_r779472.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Index: server/core.c
-===================================================================
---- server/core.c (revision 779471)
-+++ server/core.c (revision 779472)
-@@ -661,7 +661,11 @@
- core_dir_config *conf =
- (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
-
-- return conf->opts;
-+ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
-+ * inverted, such that the exposed semantics match that of
-+ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
-+ * permitted. */
-+ return conf->opts ^ OPT_INC_WITH_EXEC;
- }
-
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)
-Index: modules/filters/mod_include.c
-===================================================================
---- modules/filters/mod_include.c (revision 779471)
-+++ modules/filters/mod_include.c (revision 779472)
-@@ -3565,7 +3565,7 @@
- intern->seen_eos = 0;
- intern->state = PARSE_PRE_HEAD;
- ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-- if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
-+ if (ap_allow_options(r) & OPT_INCNOEXEC) {
- ctx->flags |= SSI_FLAG_NO_EXEC;
- }
- intern->accessenable = conf->accessenable;
-Index: include/http_core.h
-===================================================================
---- include/http_core.h (revision 779471)
-+++ include/http_core.h (revision 779472)
-@@ -73,16 +73,29 @@
- #define OPT_EXECCGI 8
- /** directive unset */
- #define OPT_UNSET 16
--/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
--#define OPT_INC_WITH_EXEC 32
-+/** IncludesNOEXEC directive */
-+#define OPT_INCNOEXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
- /** MultiViews directive */
- #define OPT_MULTI 128
- /** All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
-
-+#ifdef CORE_PRIVATE
-+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
-+ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
-+ * of the two SSI-related bits are hence:
-+ *
-+ * OPT_INCLUDES => "enable SSI, without exec= permission"
-+ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
-+ *
-+ * The set of options exposed via ap_allow_options() retains the
-+ * semantics of OPT_INCNOEXEC by flipping the bit. */
-+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
-+#endif
-+
- /**
- * @defgroup get_remote_host Remote Host Resolution
- * @ingroup APACHE_CORE_HTTPD
diff --git a/2.2/patches/11_all_r790738.patch b/2.2/patches/11_all_r790738.patch
deleted file mode 100644
index 3ddf33b..0000000
--- a/2.2/patches/11_all_r790738.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: server/core.c
-===================================================================
---- server/core.c (revision 790737)
-+++ server/core.c (revision 790738)
-@@ -665,7 +665,12 @@
- * inverted, such that the exposed semantics match that of
- * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
- * permitted. */
-- return conf->opts ^ OPT_INC_WITH_EXEC;
-+ if (conf->opts & OPT_INCLUDES) {
-+ return conf->opts ^ OPT_INC_WITH_EXEC;
-+ }
-+ else {
-+ return conf->opts;
-+ }
- }
-
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)