author: spz <spz> 2009-08-07 21:08:15 +0000
committer: spz <spz> 2009-08-07 21:08:15 +0000
commit: 911ba10ee99ac86022f48766828904f21c8b517a
tree: 350e5ae8361840ba12fc48d9c1e38a09f1110986 /www/apache22
parent: 5ac69d6c41a36304dd626e41fc15a848cef49889
Pullup ticket 2852 - requested by tron
bug fix update

Revisions pulled up:
- pkgsrc/www/apache22/Makefile 1.48
- pkgsrc/www/apache22/PLIST 1.13
- pkgsrc/www/apache22/distinfo 1.23
- pkgsrc/www/apache22/patches/patch-ba 1.4
- pkgsrc/www/apache22/patches/patch-bb 1.3

Files added:
pkgsrc/www/apache22/patches/patch-bb

Files deleted:
pkgsrc/www/apache22/patches/patch-ab
pkgsrc/www/apache22/patches/patch-af
pkgsrc/www/apache22/patches/patch-ah
pkgsrc/www/apache22/patches/patch-bc
pkgsrc/www/apache22/patches/patch-bd

Module Name: pkgsrc
Committed By: tron
Date: Thu Aug 6 07:07:23 UTC 2009

Modified Files:
pkgsrc/www/apache22: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/apache22/patches: patch-ab patch-af patch-ah patch-ba patch-bc patch-bd

Log Message:
Update "apache22" package to version 2.2.12. Changes since version 2.2.11:
- SECURITY: CVE-2009-1891 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_deflate or other
  modules, by forcing the server to consume CPU time in compressing a
  large file after a client disconnects. Bug 39605.
  [Joe Orton, Ruediger Pluem]
- SECURITY: CVE-2009-1195 (cve.mitre.org)
  Prevent the "Includes" Option from being enabled in an .htaccess
  file if the AllowOverride restrictions do not permit it.
  [Jonathan Peatfield <j.s.peatfield damtp.cam.ac.uk>, Joe Orton,
  Ruediger Pluem, Jeff Trawick]
- SECURITY: CVE-2009-1890 (cve.mitre.org)
  Fix a potential Denial-of-Service attack against mod_proxy in a
  reverse proxy configuration, where a remote attacker can force a
  proxy process to consume CPU time indefinitely.
  [Nick Kew, Joe Orton]
- SECURITY: CVE-2009-1191 (cve.mitre.org)
  mod_proxy_ajp: Avoid delivering content from a previous request which
  failed to send a request body. Bug 46949 [Ruediger Pluem]
- SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
  The bundled copy of the APR-util library has been updated, fixing three
  different security issues which may affect particular configurations
  and third-party modules.
- mod_include: fix potential segfault when handling back references
  on an empty SSI variable.
  [Ruediger Pluem, Lars Eilebrecht, Nick Kew]
- mod_alias: check sanity in Redirect arguments. Bug 44729
  [Sönke Tesch <st kino-fahrplan.de>, Jim Jagielski]
- mod_proxy_http: fix Host: header for literal IPv6 addresses.
  Bug 47177 [Carlos Garcia Braschi <cgbraschi gmail.com>]
- mod_rewrite: Remove locking for writing to the rewritelog. Bug 46942
- mod_alias: Ensure Redirect emits HTTP-compliant URLs. Bug 44020
- mod_proxy_http: fix case sensitivity checking transfer encoding
  Bug 47383 [Ryuzo Yamamoto <ryuzo.yamamoto gmail.com>]
- mod_rewrite: Fix the error string returned by RewriteRule.
  RewriteRule returned "RewriteCond: bad flag delimiters" when the 3rd
  argument of RewriteRule was not started with "[" or not ended with "]".
  Bug 45082 [Vitaly Polonetsky <m_vitaly topixoft.com>]
- mod_proxy: Complete ProxyPassReverse to handle balancer URL's. Given;
    BalancerMember balancer://alias http://example.com/foo
    ProxyPassReverse /bash balancer://alias/bar
  backend url http://example.com/foo/bar/that is now translated /bash/that
  [William Rowe]
- New piped log syntax: Use "||process args" to launch the given process
  without invoking the shell/command interpreter. Use "|$command line"
  (the default behavior of "|command line" in 2.2) to invoke using shell,
  consuming an additional shell process for the lifetime of the logging
  pipe program but granting additional process invocation flexibility.
  [William Rowe]
- mod_ssl: Add server name indication support (RFC 4366) and better
  support for name based virtual hosts with SSL. Bug 34607
  [Peter Sylvester <peter.sylvester edelweb.fr>,
  Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
  Ruediger Pluem]
- mod_negotiation: Escape paths of filenames in 406 responses to avoid
  HTML injections and HTTP response splitting. Bug 46837.
  [Geoff Keating <geoffk apple.com>]
- mod_include: Prevent a case of SSI timefmt-smashing with filter chains
  including multiple INCLUDES filters. Bug 39369 [Joe Orton]
- mod_rewrite: When evaluating a proxy rule in directory context, do
  escape the filename by default. Bug 46428 [Joe Orton]
- mod_proxy_ajp: Check more strictly that the backend follows the AJP
  protocol. [Mladen Turk]
- mod_ssl: Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
  to enable stricter checking of remote server certificates.
  [Ruediger Pluem]
- mod_substitute: Fix a memory leak. Bug 44948
  [Dan Poirier <poirier pobox.com>]
- mod_proxy_ajp: Forward remote port information by default.
  [Rainer Jung]
- mod_disk_cache/mod_mem_cache: Fix handling of CacheIgnoreHeaders
  directive to correctly remove headers before storing them.
  [Lars Eilebrecht]
- mod_deflate: revert changes in 2.2.8 that caused an invalid
  etag to be emitted for on-the-fly gzip content-encoding.
  Bug 39727 will require larger fixes and this fix was far more
  harmful than the original code. Bug 45023. [Roy T. Fielding]
- mod_disk_cache: The module now turns off sendfile support if
  'EnableSendfile off' is defined globally. Bug 41218.
  [Lars Eilebrecht, Issac Goldstand]
- prefork: Fix child process hang during graceful restart/stop in
  configurations with multiple listening sockets. Bug 42829.
  [Joe Orton, Jeff Trawick]
- mod_ssl: Add SSLRenegBufferSize directive to allow changing the
  size of the buffer used for the request-body where necessary
  during a per-dir renegotiation. Bug 39243. [Joe Orton]
- mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
  way that per-directory rewrites append the previous notion of PATH_INFO
  to each substitution before evaluating subsequent rules.
  Bug 38642 [Eric Covener]
- mod_authnz_ldap: Reduce number of initialization debug messages and make
  information more clear. Bug 46342 [Dan Poirier]
- mod_cache: Introduce 'no-cache' per-request environment variable
  to prevent the saving of an otherwise cacheable response.
  [Eric Covener]
- core: Translate the status line to ASCII on EBCDIC platforms in
  ap_send_interim_response() and for locally generated "100 Continue"
  responses. [Eric Covener]
- CGI: return 504 (Gateway timeout) rather than 500 when a script
  times out before returning status line/headers.
  Bug 42190 [Nick Kew]
- prefork: Log an error instead of segfaulting when child startup fails
  due to pollset creation failures. Bug 46467. [Jeff Trawick]
- mod_ext_filter: fix error handling when the filter prog fails to start,
  and introduce an onfail configuration option to abort

All the security problems mentioned above had already been fixed in
"pkgsrc" via patches.

Thanks a lot to Adam Ciarcinski for letting me know that new version
had finally been released.

To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/apache22/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/www/apache22/PLIST
cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r1.10 -r0 pkgsrc/www/apache22/patches/patch-ab
cvs rdiff -u -r1.1 -r0 pkgsrc/www/apache22/patches/patch-af \
    pkgsrc/www/apache22/patches/patch-ah
cvs rdiff -u -r1.2 -r0 pkgsrc/www/apache22/patches/patch-ba \
    pkgsrc/www/apache22/patches/patch-bc pkgsrc/www/apache22/patches/patch-bd

-----

Module Name: pkgsrc
Committed By: tron
Date: Thu Aug 6 08:21:44 UTC 2009

Modified Files:
pkgsrc/www/apache22: distinfo
Added Files:
pkgsrc/www/apache22/patches: patch-ba patch-bb

Log Message:
Add patches provided by Adam Ciarcinski to fix build with recent versions
of OpenSSL (e.g. the version in NetBSD-current).

To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/apache22/distinfo
cvs rdiff -u -r0 -r1.4 pkgsrc/www/apache22/patches/patch-ba
cvs rdiff -u -r0 -r1.3 pkgsrc/www/apache22/patches/patch-bb
Diffstat (limited to 'www/apache22')
-rw-r--r--  www/apache22/Makefile          5
-rw-r--r--  www/apache22/PLIST            15
-rw-r--r--  www/apache22/distinfo         16
-rw-r--r--  www/apache22/patches/patch-ab 40
-rw-r--r--  www/apache22/patches/patch-af 35
-rw-r--r--  www/apache22/patches/patch-ah 44
-rw-r--r--  www/apache22/patches/patch-ba 51
-rw-r--r--  www/apache22/patches/patch-bb 33
-rw-r--r--  www/apache22/patches/patch-bc 35
-rw-r--r--  www/apache22/patches/patch-bd 22
10 files changed, 67 insertions, 229 deletions
diff --git a/www/apache22/Makefile b/www/apache22/Makefile
index 12493665fba..c19c55cc044 100644
--- a/www/apache22/Makefile
+++ b/www/apache22/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.46.2.1 2009/07/16 05:37:24 spz Exp $
+# $NetBSD: Makefile,v 1.46.2.2 2009/08/07 21:08:15 spz Exp $
-DISTNAME= httpd-2.2.11
-PKGREVISION= 6
+DISTNAME= httpd-2.2.12
PKGNAME= ${DISTNAME:S/httpd/apache/}
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
diff --git a/www/apache22/PLIST b/www/apache22/PLIST
index 156be975af4..3d3a6b8dd40 100644
--- a/www/apache22/PLIST
+++ b/www/apache22/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.12 2009/06/14 22:00:18 joerg Exp $
+@comment $NetBSD: PLIST,v 1.12.2.1 2009/08/07 21:08:15 spz Exp $
${PLIST.suexec}sbin/suexec
include/httpd/ap_compat.h
include/httpd/ap_config.h
@@ -534,6 +534,7 @@ share/httpd/manual/howto/public_html.html
share/httpd/manual/howto/public_html.html.en
share/httpd/manual/howto/public_html.html.ja.utf8
share/httpd/manual/howto/public_html.html.ko.euc-kr
+share/httpd/manual/howto/public_html.html.tr.utf8
share/httpd/manual/howto/ssi.html
share/httpd/manual/howto/ssi.html.en
share/httpd/manual/howto/ssi.html.ja.utf8
@@ -612,6 +613,7 @@ share/httpd/manual/misc/password_encryptions.html.en
share/httpd/manual/misc/perf-tuning.html
share/httpd/manual/misc/perf-tuning.html.en
share/httpd/manual/misc/perf-tuning.html.ko.euc-kr
+share/httpd/manual/misc/perf-tuning.html.tr.utf8
share/httpd/manual/misc/relevant_standards.html
share/httpd/manual/misc/relevant_standards.html.en
share/httpd/manual/misc/relevant_standards.html.ko.euc-kr
@@ -1000,6 +1002,7 @@ share/httpd/manual/programs/apachectl.html.tr.utf8
share/httpd/manual/programs/apxs.html
share/httpd/manual/programs/apxs.html.en
share/httpd/manual/programs/apxs.html.ko.euc-kr
+share/httpd/manual/programs/apxs.html.tr.utf8
share/httpd/manual/programs/configure.html
share/httpd/manual/programs/configure.html.en
share/httpd/manual/programs/configure.html.ko.euc-kr
@@ -1007,23 +1010,29 @@ share/httpd/manual/programs/configure.html.tr.utf8
share/httpd/manual/programs/dbmmanage.html
share/httpd/manual/programs/dbmmanage.html.en
share/httpd/manual/programs/dbmmanage.html.ko.euc-kr
+share/httpd/manual/programs/dbmmanage.html.tr.utf8
share/httpd/manual/programs/htcacheclean.html
share/httpd/manual/programs/htcacheclean.html.en
share/httpd/manual/programs/htcacheclean.html.ko.euc-kr
+share/httpd/manual/programs/htcacheclean.html.tr.utf8
share/httpd/manual/programs/htdbm.html
share/httpd/manual/programs/htdbm.html.en
+share/httpd/manual/programs/htdbm.html.tr.utf8
share/httpd/manual/programs/htdigest.html
share/httpd/manual/programs/htdigest.html.en
share/httpd/manual/programs/htdigest.html.ko.euc-kr
+share/httpd/manual/programs/htdigest.html.tr.utf8
share/httpd/manual/programs/htpasswd.html
share/httpd/manual/programs/htpasswd.html.en
share/httpd/manual/programs/htpasswd.html.ko.euc-kr
+share/httpd/manual/programs/htpasswd.html.tr.utf8
share/httpd/manual/programs/httpd.html
share/httpd/manual/programs/httpd.html.en
share/httpd/manual/programs/httpd.html.ko.euc-kr
share/httpd/manual/programs/httpd.html.tr.utf8
share/httpd/manual/programs/httxt2dbm.html
share/httpd/manual/programs/httxt2dbm.html.en
+share/httpd/manual/programs/httxt2dbm.html.tr.utf8
share/httpd/manual/programs/index.html
share/httpd/manual/programs/index.html.en
share/httpd/manual/programs/index.html.es
@@ -1033,15 +1042,19 @@ share/httpd/manual/programs/index.html.tr.utf8
share/httpd/manual/programs/logresolve.html
share/httpd/manual/programs/logresolve.html.en
share/httpd/manual/programs/logresolve.html.ko.euc-kr
+share/httpd/manual/programs/logresolve.html.tr.utf8
share/httpd/manual/programs/other.html
share/httpd/manual/programs/other.html.en
share/httpd/manual/programs/other.html.ko.euc-kr
+share/httpd/manual/programs/other.html.tr.utf8
share/httpd/manual/programs/rotatelogs.html
share/httpd/manual/programs/rotatelogs.html.en
share/httpd/manual/programs/rotatelogs.html.ko.euc-kr
+share/httpd/manual/programs/rotatelogs.html.tr.utf8
share/httpd/manual/programs/suexec.html
share/httpd/manual/programs/suexec.html.en
share/httpd/manual/programs/suexec.html.ko.euc-kr
+share/httpd/manual/programs/suexec.html.tr.utf8
share/httpd/manual/rewrite/index.html
share/httpd/manual/rewrite/index.html.en
share/httpd/manual/rewrite/index.html.tr.utf8
diff --git a/www/apache22/distinfo b/www/apache22/distinfo
index 2a1f4429427..7487b1b0d2e 100644
--- a/www/apache22/distinfo
+++ b/www/apache22/distinfo
@@ -1,16 +1,13 @@
-$NetBSD: distinfo,v 1.20.2.1 2009/07/16 05:37:24 spz Exp $
+$NetBSD: distinfo,v 1.20.2.2 2009/08/07 21:08:15 spz Exp $
-SHA1 (httpd-2.2.11.tar.bz2) = 7af256d53b79342f82222bd7b86eedbd9ac21d9a
-RMD160 (httpd-2.2.11.tar.bz2) = b2012af716a459f666e0e41eb04808bd0f7fc28d
-Size (httpd-2.2.11.tar.bz2) = 5230130 bytes
+SHA1 (httpd-2.2.12.tar.bz2) = 76e243a5b7dc9896e83bdfac1aa98bbfdc85aeae
+RMD160 (httpd-2.2.12.tar.bz2) = 4c8e781e5e60a7a332383a798fe0ddc1adffc914
+Size (httpd-2.2.12.tar.bz2) = 5140433 bytes
SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
-SHA1 (patch-ab) = d5391ca1af9d817d35cb472b0feb05b86a95e560
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
-SHA1 (patch-af) = cf7cc7d09e0379830d1ce0be4be74c8f2bbb1719
SHA1 (patch-ag) = 78dcb023f524ef65928b529320932c9664ec0d01
-SHA1 (patch-ah) = 5fc2a3fad42fa67669c219123b8c27e138927452
SHA1 (patch-ai) = 4ebc3bd580a298973928eb6d13d2ce745eac0312
SHA1 (patch-al) = 56b9f5c2f6fd01fe5067f9210e328cbf674c68f1
SHA1 (patch-am) = ab4a2f7e5a1a3064e908b61157e7fd349c0b0c08
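Review bot: the new httpd-2.2.12.tar.bz2 entry is pinned only by SHA1 and RMD160, and those two lines are all that decides whether a corrupted or substituted tarball is rejected at fetch time; if the distinfo tooling on this branch can record a stronger digest alongside them, add it here. The dropped patch-ab, patch-af and patch-ah checksum lines match the three patch files deleted further down in this commit, so the file stays consistent with the patches directory.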
@@ -19,6 +16,5 @@ SHA1 (patch-as) = 7880eae75b702563bff8bca833ca81fb3dc4444c
SHA1 (patch-au) = d4c623bb953ac45cb4c8d95fc1d3c2788452d9a1
SHA1 (patch-av) = faf8fe2c72c7830daa407907b8161b56300afeaf
SHA1 (patch-aw) = ca53d67beeb2c2c4d9adb04d3d79e24a8c427fd4
-SHA1 (patch-ba) = ab9984391fcdda9c9793009290d95de8ec2a1371
-SHA1 (patch-bc) = f980d98f1b0ee277d995e3be0f5e55622ebc3931
-SHA1 (patch-bd) = 66f882a4d8c884e5422e025ed175a17412b02fd4
+SHA1 (patch-ba) = c6ec284b27721bf7081afa261146c38e2c2d0063
+SHA1 (patch-bb) = 23c0b0436de72bdf70deeca1d5e243a6180e6b55
diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab
deleted file mode 100644
index 0d3d420696c..00000000000
--- a/www/apache22/patches/patch-ab
+++ /dev/null
@@ -1,40 +0,0 @@
-$NetBSD: patch-ab,v 1.10 2009/05/22 09:46:06 tron Exp $
-
-Patch for CVE-2009-1191 taken from the Apache SVN repository:
-http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ajp.c?view=markup&pathrev=768506
-
---- modules/proxy/mod_proxy_ajp.c 2008/11/15 14:25:54 714273
-+++ modules/proxy/mod_proxy_ajp.c 2009/04/25 09:58:52 768506
-@@ -307,21 +307,17 @@
- "proxy: read zero bytes, expecting"
- " %" APR_OFF_T_FMT " bytes",
- content_length);
-- status = ajp_send_data_msg(conn->sock, msg, 0);
-- if (status != APR_SUCCESS) {
-- /* We had a failure: Close connection to backend */
-- conn->close++;
-- ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
-- "proxy: send failed to %pI (%s)",
-- conn->worker->cp->addr,
-- conn->worker->hostname);
-- return HTTP_INTERNAL_SERVER_ERROR;
-- }
-- else {
-- /* Client send zero bytes with C-L > 0
-- */
-- return HTTP_BAD_REQUEST;
-- }
-+ /*
-+ * We can only get here if the client closed the connection
-+ * to us without sending the body.
-+ * Now the connection is in the wrong state on the backend.
-+ * Sending an empty data msg doesn't help either as it does
-+ * not move this connection to the correct state on the backend
-+ * for later resusage by the next request again.
-+ * Close it to clean things up.
-+ */
-+ conn->close++;
-+ return HTTP_BAD_REQUEST;
- }
- }
-
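Review bot: deleting this local CVE-2009-1191 fix leaves the package relying entirely on the 2.2.12 tarball for it, and nothing in the commit records that the unpacked source was checked. The log message lists CVE-2009-1191 among the 2.2.12 changes; it would help to state there that modules/proxy/mod_proxy_ajp.c in the new distfile already takes the "conn->close++; return HTTP_BAD_REQUEST;" path from r768506, so a later reader does not have to re-derive why the patch could go.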
diff --git a/www/apache22/patches/patch-af b/www/apache22/patches/patch-af
deleted file mode 100644
index a7ff1db9bea..00000000000
--- a/www/apache22/patches/patch-af
+++ /dev/null
@@ -1,35 +0,0 @@
-$NetBSD: patch-af,v 1.1.2.2 2009/07/16 05:37:25 spz Exp $
-
-Fix for CVE-2009-1891 taken from here:
-
-http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454
-
---- server/core_filters.c.orig 2006-07-12 04:38:44.000000000 +0100
-+++ server/core_filters.c 2009-07-14 13:01:09.000000000 +0100
-@@ -542,6 +542,12 @@
- apr_read_type_e eblock = APR_NONBLOCK_READ;
- apr_pool_t *input_pool = b->p;
-
-+ /* Fail quickly if the connection has already been aborted. */
-+ if (c->aborted) {
-+ apr_brigade_cleanup(b);
-+ return APR_ECONNABORTED;
-+ }
-+
- if (ctx == NULL) {
- ctx = apr_pcalloc(c->pool, sizeof(*ctx));
- net->out_ctx = ctx;
-@@ -909,12 +915,9 @@
- /* No need to check for SUCCESS, we did that above. */
- if (!APR_STATUS_IS_EAGAIN(rv)) {
- c->aborted = 1;
-+ return APR_ECONNABORTED;
- }
-
-- /* The client has aborted, but the request was successful. We
-- * will report success, and leave it to the access and error
-- * logs to note that the connection was aborted.
-- */
- return APR_SUCCESS;
- }
-
diff --git a/www/apache22/patches/patch-ah b/www/apache22/patches/patch-ah
deleted file mode 100644
index 9ca46db744c..00000000000
--- a/www/apache22/patches/patch-ah
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-ah,v 1.1.2.2 2009/07/16 05:37:25 spz Exp $
-
-Fix for CVE-2009-1890 taken from here:
-
-http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=790587&r2=790586&pathrev=790587
-
---- modules/proxy/mod_proxy_http.c.orig 2008-11-11 20:04:34.000000000 +0000
-+++ modules/proxy/mod_proxy_http.c 2009-07-14 13:03:49.000000000 +0100
-@@ -422,10 +422,16 @@
- apr_off_t bytes_streamed = 0;
-
- if (old_cl_val) {
-+ char *endstr;
-+
- add_cl(p, bucket_alloc, header_brigade, old_cl_val);
-- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
-- 0))) {
-- return HTTP_INTERNAL_SERVER_ERROR;
-+ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
-+
-+ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
-+ "proxy: could not parse request Content-Length (%s)",
-+ old_cl_val);
-+ return HTTP_BAD_REQUEST;
- }
- }
- terminate_headers(bucket_alloc, header_brigade);
-@@ -453,8 +459,13 @@
- *
- * Prevents HTTP Response Splitting.
- */
-- if (bytes_streamed > cl_val)
-- continue;
-+ if (bytes_streamed > cl_val) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "proxy: read more bytes of request body than expected "
-+ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
-+ bytes_streamed, cl_val);
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-
- if (header_brigade) {
- /* we never sent the header brigade, so go ahead and
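Review bot: the header of this removed CVE-2009-1890 patch points at trunk (r790587) rather than branches/2.2.x, unlike patch-ab and patch-af, so dropping it assumes the change was backported into the 2.2.12 release. Before removal, confirm that modules/proxy/mod_proxy_http.c in the new tarball rejects an unparsable Content-Length with the strict test "status || *endstr || endstr == old_cl_val || cl_val < 0" and no longer does "continue" when bytes_streamed > cl_val.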
diff --git a/www/apache22/patches/patch-ba b/www/apache22/patches/patch-ba
index a6c93923735..9ad3d4056a2 100644
--- a/www/apache22/patches/patch-ba
+++ b/www/apache22/patches/patch-ba
@@ -1,42 +1,15 @@
-$NetBSD: patch-ba,v 1.2 2009/06/11 20:30:59 tron Exp $
+$NetBSD: patch-ba,v 1.2.2.1 2009/08/07 21:08:15 spz Exp $
-Patch for CVE-2009-1195 taken from:
+Fix build problems with newer versions of OpenSSL.
-http://svn.apache.org/viewvc?view=rev&revision=773881
-http://svn.apache.org/viewvc?view=rev&revision=779472
-
---- include/http_core.h.orig 2008-02-26 19:47:51.000000000 +0000
-+++ include/http_core.h 2009-06-11 20:53:26.000000000 +0100
-@@ -65,7 +65,7 @@
- #define OPT_NONE 0
- /** Indexes directive */
- #define OPT_INDEXES 1
--/** Includes directive */
-+/** SSI is enabled without exec= permission */
- #define OPT_INCLUDES 2
- /** FollowSymLinks directive */
- #define OPT_SYM_LINKS 4
-@@ -80,9 +80,22 @@
- /** MultiViews directive */
- #define OPT_MULTI 128
- /** All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
+--- modules/ssl/ssl_engine_init.c.orig 2009-08-05 09:37:09.000000000 +0200
++++ modules/ssl/ssl_engine_init.c
+@@ -573,7 +573,7 @@ static void ssl_init_ctx_verify(server_r
+ ssl_die();
+ }
+
+- SSL_CTX_set_client_CA_list(ctx, (STACK *)ca_list);
++ SSL_CTX_set_client_CA_list(ctx, ca_list);
+ }
-+#ifdef CORE_PRIVATE
-+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
-+ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
-+ * of the two SSI-related bits are hence:
-+ *
-+ * OPT_INCLUDES => "enable SSI, without exec= permission"
-+ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
-+ *
-+ * The set of options exposed via ap_allow_options() retains the
-+ * semantics of OPT_INCNOEXEC by flipping the bit. */
-+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
-+#endif
-+
- /**
- * @defgroup get_remote_host Remote Host Resolution
- * @ingroup APACHE_CORE_HTTPD
+ /*
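Review bot: patch-ba keeps its name but changes purpose, from "Patch for CVE-2009-1195" to "Fix build problems with newer versions of OpenSSL", so anyone tracking the CVE fix by file name sees a modification here rather than a removal. The log shows the file as removed in the 2.2.12 update and re-added by the follow-up commit; giving the OpenSSL change a fresh patch name would keep that visible in the pulled-up history. In the new content, dropping the (STACK *) cast in SSL_CTX_set_client_CA_list(ctx, ca_list) is only clean if ca_list is already declared with the typed stack that function expects, which the hunk does not show.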
diff --git a/www/apache22/patches/patch-bb b/www/apache22/patches/patch-bb
new file mode 100644
index 00000000000..1f8b8b23650
--- /dev/null
+++ b/www/apache22/patches/patch-bb
@@ -0,0 +1,33 @@
+$NetBSD: patch-bb,v 1.3.2.2 2009/08/07 21:08:15 spz Exp $
+
+Fix build problems with newer versions of OpenSSL.
+
+--- modules/ssl/ssl_util_ssl.c.orig 2009-08-05 09:33:37.000000000 +0200
++++ modules/ssl/ssl_util_ssl.c
+@@ -294,7 +294,7 @@ BOOL SSL_X509_isSGC(X509 *cert)
+ #ifdef HAVE_SSL_X509V3_EXT_d2i
+ X509_EXTENSION *ext;
+ int ext_nid;
+- STACK *sk;
++ STACK_OF(SSL_CIPHER) *sk;
+ BOOL is_sgc;
+ int idx;
+ int i;
+@@ -303,7 +303,7 @@ BOOL SSL_X509_isSGC(X509 *cert)
+ idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
+ if (idx >= 0) {
+ ext = X509_get_ext(cert, idx);
+- if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL) {
++ if ((sk = X509V3_EXT_d2i(ext)) != NULL) {
+ for (i = 0; i < sk_num(sk); i++) {
+ ext_nid = OBJ_obj2nid((ASN1_OBJECT *)sk_value(sk, i));
+ if (ext_nid == NID_ms_sgc || ext_nid == NID_ns_sgc) {
+@@ -467,7 +467,7 @@ int SSL_CTX_use_certificate_chain(
+ X509 *x509;
+ unsigned long err;
+ int n;
+- STACK *extra_certs;
++ STACK_OF(X509) *extra_certs;
+
+ if ((bio = BIO_new(BIO_s_file_internal())) == NULL)
+ return -1;
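Review bot: in SSL_X509_isSGC() the stack is now declared "STACK_OF(SSL_CIPHER) *sk", but it is filled from X509V3_EXT_d2i() on the NID_ext_key_usage extension and its elements are read as "(ASN1_OBJECT *)sk_value(sk, i)", so the element type in the declaration does not match what the code keeps in it. Declaring it as STACK_OF(ASN1_OBJECT) * would fix the build the same way and keep the type honest. The untyped sk_num()/sk_value() calls in the same function are left as they were and may need the same treatment with newer OpenSSL.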
diff --git a/www/apache22/patches/patch-bc b/www/apache22/patches/patch-bc
deleted file mode 100644
index 4936c08682a..00000000000
--- a/www/apache22/patches/patch-bc
+++ /dev/null
@@ -1,35 +0,0 @@
-$NetBSD: patch-bc,v 1.2 2009/06/11 20:30:59 tron Exp $
-
-Patch for CVE-2009-1195 taken from:
-
-http://svn.apache.org/viewvc?view=rev&revision=773881
-
---- server/config.c.orig 2008-12-02 22:28:21.000000000 +0000
-+++ server/config.c 2009-06-04 09:44:24.000000000 +0100
-@@ -1510,7 +1510,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
- &arr_parms, NULL,
-@@ -1617,7 +1617,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- rv = ap_pcfg_openfile(&cfp, p, fname);
- if (rv != APR_SUCCESS) {
-@@ -1755,7 +1755,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
- parms.limited = -1;
-
- errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
diff --git a/www/apache22/patches/patch-bd b/www/apache22/patches/patch-bd
deleted file mode 100644
index ebfe0e1ee67..00000000000
--- a/www/apache22/patches/patch-bd
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-bd,v 1.2 2009/06/11 20:30:59 tron Exp $
-
-Patch for CVE-2009-1195 taken from:
-
-http://svn.apache.org/viewvc?view=rev&revision=773881
-http://svn.apache.org/viewvc?view=rev&revision=779472
-
---- server/core.c.orig 2009-06-11 20:51:15.000000000 +0100
-+++ server/core.c 2009-06-11 21:01:04.000000000 +0100
-@@ -659,7 +659,11 @@
- core_dir_config *conf =
- (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
-
-- return conf->opts;
-+ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
-+ * inverted, such that the exposed semantics match that of
-+ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
-+ * permitted. */
-+ return conf->opts ^ OPT_INC_WITH_EXEC;
- }
-
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)
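Review bot: the removed "return conf->opts ^ OPT_INC_WITH_EXEC;" only makes sense together with the OPT_INC_WITH_EXEC definition from the old patch-ba content and the override_opts change in patch-bc, so the three parts of the CVE-2009-1195 fix have to leave together, as they do in this commit. It is worth checking in the unpacked 2.2.12 source that ap_allow_options() in server/core.c carries the inverted return, since third-party modules calling it depend on the exposed OPT_INCNOEXEC semantics described in the removed comment.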