10 files changed, 914 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch
new file mode 100644
index 000000000..8585f0bb3
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch
@@ -0,0 +1,289 @@
+apache: CVE-2014-0117
+The patch comes from upstream:
+http://svn.apache.org/viewvc?view=revision&revision=1610674
+SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a
+reverse proxy configuration, a remote attacker could send a carefully crafted
+request which could crash a server process, resulting in denial of service.
+Thanks to Marek Kroemeke working with HP's Zero Day Initiative for
+reporting this issue.
+Upstream-Status: Backport
+Submitted by: Edward Lu, breser, covener
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+---
+ modules/proxy/mod_proxy_http.c | 8  +++-
+ include/httpd.h                | 17 ++++++++
+ modules/proxy/proxy_util.c     | 67 ++++++++++++++----------------
+ server/util.c                  | 89 ++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 143 insertions(+), 38 deletions(-)
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index cffad2e..f11c16f 100644
+--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
+@@ -1362,6 +1362,7 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+          */
+         if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
+             int major, minor;
+            int toclose;
+ 
+             major = buffer[5] - '0';
+             minor = buffer[7] - '0';
+@@ -1470,7 +1471,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
+             te = apr_table_get(r->headers_out, "Transfer-Encoding");
+ 
+             /* strip connection listed hop-by-hop headers from response */
+-            backend->close = ap_proxy_clear_connection_fn(r, r->headers_out);
+            toclose = ap_proxy_clear_connection_fn(r, r->headers_out);
+            backend->close = (toclose != 0);
+            if (toclose < 0) {
+                return ap_proxyerror(r, HTTP_BAD_REQUEST,
+                                     "Malformed connection header");
+            }
+ 
+             if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+                 ap_set_content_type(r, apr_pstrdup(p, buf));
+diff --git a/include/httpd.h b/include/httpd.h
+index 36cd58d..9a2cf5c 100644
+--- a/include/httpd.h
+++ b/include/httpd.h
+@@ -1528,6 +1528,23 @@ AP_DECLARE(int) ap_find_etag_weak(apr_pool_t *p, const char *line, const char *t
+ AP_DECLARE(int) ap_find_etag_strong(apr_pool_t *p, const char *line, const char *tok);
+ 
+ /**
+ * Retrieve an array of tokens in the format "1#token" defined in RFC2616. Only
+ * accepts ',' as a delimiter, does not accept quoted strings, and errors on
+ * any separator.
+ * @param p The pool to allocate from
+ * @param tok The line to read tokens from
+ * @param tokens Pointer to an array of tokens. If not NULL, must be an array
+ *    of char*, otherwise it will be allocated on @a p when a token is found
+ * @param skip_invalid If true, when an invalid separator is encountered, it
+ *    will be ignored.
+ * @return NULL on success, an error string otherwise.
+ * @remark *tokens may be NULL on output if NULL in input and no token is found
+ */
+AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p, const char *tok,
+                                                    apr_array_header_t **tokens,
+                                                    int skip_invalid);
+
+/**
+  * Retrieve a token, spacing over it and adjusting the pointer to
+  * the first non-white byte afterwards.  Note that these tokens
+  * are delimited by semis and commas and can also be delimited
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index 67dc939..58daa21 100644
+--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
+@@ -2847,68 +2847,59 @@ PROXY_DECLARE(proxy_balancer_shared *) ap_proxy_find_balancershm(ap_slotmem_prov
+ typedef struct header_connection {
+     apr_pool_t *pool;
+     apr_array_header_t *array;
+-    const char *first;
+-    unsigned int closed:1;
+    const char *error;
+    int is_req;
+ } header_connection;
+ 
+ static int find_conn_headers(void *data, const char *key, const char *val)
+ {
+     header_connection *x = data;
+-    const char *name;
+-
+-    do {
+-        while (*val == ',' || *val == ';') {
+-            val++;
+-        }
+-        name = ap_get_token(x->pool, &val, 0);
+-        if (!strcasecmp(name, "close")) {
+-            x->closed = 1;
+-        }
+-        if (!x->first) {
+-            x->first = name;
+-        }
+-        else {
+-            const char **elt;
+-            if (!x->array) {
+-                x->array = apr_array_make(x->pool, 4, sizeof(char *));
+-            }
+-            elt = apr_array_push(x->array);
+-            *elt = name;
+-        }
+-    } while (*val);
+ 
+-    return 1;
+    x->error = ap_parse_token_list_strict(x->pool, val, &x->array, !x->is_req);
+    return !x->error;
+ }
+ 
+ /**
+  * Remove all headers referred to by the Connection header.
+ * Returns -1 on error. Otherwise, returns 1 if 'Close' was seen in
+ * the Connection header tokens, and 0 if not.
+  */
+ static int ap_proxy_clear_connection(request_rec *r, apr_table_t *headers)
+ {
+-    const char **name;
+    int closed = 0;
+     header_connection x;
+ 
+     x.pool = r->pool;
+     x.array = NULL;
+-    x.first = NULL;
+-    x.closed = 0;
+    x.error = NULL;
+    x.is_req = (headers == r->headers_in);
+ 
+     apr_table_unset(headers, "Proxy-Connection");
+ 
+     apr_table_do(find_conn_headers, &x, headers, "Connection", NULL);
+-    if (x.first) {
+-        /* fast path - no memory allocated for one header */
+-        apr_table_unset(headers, "Connection");
+-        apr_table_unset(headers, x.first);
+    apr_table_unset(headers, "Connection");
+
+    if (x.error) {
+        ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, APLOGNO()
+                "Error parsing Connection header: %s", x.error);
+        return -1;
+     }
+
+     if (x.array) {
+-        /* two or more headers */
+-        while ((name = apr_array_pop(x.array))) {
+-            apr_table_unset(headers, *name);
+        int i;
+        for (i = 0; i < x.array->nelts; i++) {
+            const char *name = APR_ARRAY_IDX(x.array, i, const char *);
+            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO()
+                          "Removing header '%s' listed in Connection header",
+                          name);
+            if (!strcasecmp(name, "close")) {
+                closed = 1;
+            }
+            apr_table_unset(headers, name);
+         }
+     }
+ 
+-    return x.closed;
+    return closed;
+ }
+ 
+ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
+@@ -3095,7 +3086,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
+      * apr is compiled with APR_POOL_DEBUG.
+      */
+     headers_in_copy = apr_table_copy(r->pool, r->headers_in);
+-    ap_proxy_clear_connection(r, headers_in_copy);
+    if (ap_proxy_clear_connection(r, headers_in_copy) < 0) {
+        return HTTP_BAD_REQUEST;
+    }
+     /* send request headers */
+     headers_in_array = apr_table_elts(headers_in_copy);
+     headers_in = (const apr_table_entry_t *) headers_in_array->elts;
+diff --git a/server/util.c b/server/util.c
+index e0ba5c2..541c9f0 100644
+--- a/server/util.c
+++ b/server/util.c
+@@ -1449,6 +1449,95 @@ AP_DECLARE(int) ap_find_etag_weak(apr_pool_t *p, const char *line,
+     return find_list_item(p, line, tok, AP_ETAG_WEAK);
+ }
+ 
+/* Grab a list of tokens of the format 1#token (from RFC7230) */
+AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p,
+                                                const char *str_in,
+                                                apr_array_header_t **tokens,
+                                                int skip_invalid)
+{
+    int in_leading_space = 1;
+    int in_trailing_space = 0;
+    int string_end = 0;
+    const char *tok_begin;
+    const char *cur;
+
+    if (!str_in) {
+        return NULL;
+    }
+
+    tok_begin = cur = str_in;
+
+    while (!string_end) {
+        const unsigned char c = (unsigned char)*cur;
+
+        if (!TEST_CHAR(c, T_HTTP_TOKEN_STOP) && c != '\0') {
+            /* Non-separator character; we are finished with leading
+             * whitespace. We must never have encountered any trailing
+             * whitespace before the delimiter (comma) */
+            in_leading_space = 0;
+            if (in_trailing_space) {
+                return "Encountered illegal whitespace in token";
+            }
+        }
+        else if (c == ' ' || c == '\t') {
+            /* "Linear whitespace" only includes ASCII CRLF, space, and tab;
+             * we can't get a CRLF since headers are split on them already,
+             * so only look for a space or a tab */
+            if (in_leading_space) {
+                /* We're still in leading whitespace */
+                ++tok_begin;
+            }
+            else {
+                /* We must be in trailing whitespace */
+                ++in_trailing_space;
+            }
+        }
+        else if (c == ',' || c == '\0') {
+            if (!in_leading_space) {
+                /* If we're out of the leading space, we know we've read some
+                 * characters of a token */
+                if (*tokens == NULL) {
+                    *tokens = apr_array_make(p, 4, sizeof(char *));
+                }
+                APR_ARRAY_PUSH(*tokens, char *) =
+                    apr_pstrmemdup((*tokens)->pool, tok_begin,
+                                   (cur - tok_begin) - in_trailing_space);
+            }
+            /* We're allowed to have null elements, just don't add them to the
+             * array */
+
+            tok_begin = cur + 1;
+            in_leading_space = 1;
+            in_trailing_space = 0;
+            string_end = (c == '\0');
+        }
+        else {
+            /* Encountered illegal separator char */
+            if (skip_invalid) {
+                /* Skip to the next separator */
+                const char *temp;
+                temp = ap_strchr_c(cur, ',');
+                if(!temp) {
+                    temp = ap_strchr_c(cur, '\0');
+                }
+
+                /* Act like we haven't seen a token so we reset */
+                cur = temp - 1;
+                in_leading_space = 1;
+                in_trailing_space = 0;
+            }
+            else {
+                return apr_psprintf(p, "Encountered illegal separator "
+                                    "'\\x%.2x'", (unsigned int)c);
+            }
+        }
+
+        ++cur;
+    }
+
+    return NULL;
+}
+
+ /* Retrieve a token, spacing over it and returning a pointer to
+  * the first non-white byte afterwards.  Note that these tokens
+  * are delimited by semis and commas; and can also be delimited
+-- 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
new file mode 100644
index 000000000..c90279d44
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
@@ -0,0 +1,20 @@
+# Author: echo <fei.geng@windriver.com>
+# Date: April 28 2009
+# Summary:Fix perl install directory to /usr/bin
+#
+# Upstream-Status: Inappropriate [configuration]
+--- a/configure.in
+++ b/configure.in
+@@ -638,10 +638,7 @@
+ AC_DEFINE_UNQUOTED(APACHE_MPM_DIR, "$MPM_DIR",
+        [Location of the source for the current MPM])
+ 
+-perlbin=`$ac_aux_dir/PrintPath perl`
+-if test "x$perlbin" = "x"; then
+-    perlbin="/replace/with/path/to/perl/interpreter"
+-fi
+perlbin='/usr/bin/perl'
+ AC_SUBST(perlbin)
+ 
+ dnl If we are running on BSD/OS, we need to use the BSD .include syntax.
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch
new file mode 100644
index 000000000..3a59fb079
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch
@@ -0,0 +1,76 @@
+--- httpd-2.2.8.orig/build/ltmain.sh
+++ httpd-2.2.8/build/ltmain.sh
+@@ -1515,7 +1515,7 @@ EOF
+        dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+        # We need an absolute path.
+        case $dir in
+-       [\\/]* | [A-Za-z]:[\\/]*) ;;
+       =* | [\\/]* | [A-Za-z]:[\\/]*) ;;
+        *)
+          absdir=`cd "$dir" && pwd`
+          if test -z "$absdir"; then
+@@ -2558,7 +2558,7 @@ EOF
+            $echo "*** $linklib is not portable!"
+          fi
+          if test "$linkmode" = lib &&
+-            test "$hardcode_into_libs" = yes; then
+             test "x$wrs_use_rpaths" = "xyes" && test "$hardcode_into_libs" = yes; then
+            # Hardcode the library path.
+            # Skip directories that are in the system default run-time
+            # search path.
+@@ -2832,7 +2832,7 @@ EOF
+ 
+        if test "$linkmode" = lib; then
+          if test -n "$dependency_libs" &&
+-            { test "$hardcode_into_libs" != yes ||
+             { test "$hardcode_into_libs" != yes || test "x$wrs_use_rpaths" != "xyes" ||
+               test "$build_old_libs" = yes ||
+               test "$link_static" = yes; }; then
+            # Extract -R from dependency_libs
+@@ -3426,7 +3426,8 @@ EOF
+          *) finalize_rpath="$finalize_rpath $libdir" ;;
+          esac
+        done
+-       if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
+        if test "$hardcode_into_libs" != yes || test "x$wrs_use_rpaths" != "xyes" ||
+           test "$build_old_libs" = yes; then
+          dependency_libs="$temp_xrpath $dependency_libs"
+        fi
+       fi
+@@ -3843,7 +3844,7 @@ EOF
+         case $archive_cmds in
+           *\$LD\ *) wl= ;;
+         esac
+-       if test "$hardcode_into_libs" = yes; then
+        if test "$hardcode_into_libs" = yes && test "x$wrs_use_rpaths" = "xyes" ; then
+          # Hardcode the library paths
+          hardcode_libdirs=
+          dep_rpath=
+@@ -4397,6 +4398,27 @@ EOF
+       # Now hardcode the library paths
+       rpath=
+       hardcode_libdirs=
+
+      # short circuit putting rpaths in executables
+      #
+      if test "x$wrs_use_rpaths" != "xyes" ; then
+        flag=
+        for libdir in $compile_rpath; do
+          case $(echo $libdir | ${SED} 's,/[/]*,/,g') in
+            /usr/lib/* | /usr/lib32/* | /usr/lib64/* ) flag="$flag $libdir" ;;
+          esac
+        done
+        compile_rpath="$flag"
+
+        flag=
+        for libdir in $finalize_rpath; do
+          case $(echo $libdir | ${SED} 's,/[/]*,/,g') in
+            /usr/lib/* | /usr/lib32/* | /usr/lib64/* ) flag="$flag $libdir" ;;
+          esac
+        done
+        finalize_rpath="$flag"
+      fi
+
+       for libdir in $compile_rpath $finalize_rpath; do
+        if test -n "$hardcode_libdir_flag_spec"; then
+          if test -n "$hardcode_libdir_separator"; then
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch b/meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch
new file mode 100644
index 000000000..027af04c3
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/fix-libtool-name.patch
@@ -0,0 +1,55 @@
+Fix build scripts to use correct libtool filename
+Upstream-Status: Inappropriate [configuration]
+---
+ httpd-2.4.2/build/config_vars.sh.in |    2 +-
+ httpd-2.4.2/configure               |    2 +-
+ httpd-2.4.2/configure.in            |    2 +-
+ httpd-2.4.2/support/apxs.in         |    2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+--- a/build/config_vars.sh.in
+++ b/build/config_vars.sh.in
+@@ -35,7 +35,7 @@ else
+    APU_CONFIG=@APU_CONFIG@
+ fi
+ 
+-APR_LIBTOOL="`${APR_CONFIG} --apr-libtool`"
+APR_LIBTOOL="`${APR_CONFIG} --apr-libtool | sed -e s,libtool,${host_alias}-libtool,`"
+ APR_INCLUDEDIR="`${APR_CONFIG} --includedir`"
+ test -n "@APU_CONFIG@" && APU_INCLUDEDIR="`${APU_CONFIG} --includedir`"
+ 
+--- a/configure
+++ b/configure
+@@ -6205,7 +6205,7 @@ case $host in
+       if test "x$LTFLAGS" = "x"; then
+           LTFLAGS='--silent'
+       fi
+-      my_libtool=`$apr_config --apr-libtool`
+      my_libtool=`$apr_config --apr-libtool | sed -e s,libtool,${host_alias}-libtool,`
+       LIBTOOL="$my_libtool \$(LTFLAGS)"
+       libtoolversion=`$my_libtool --version`
+       case $libtoolversion in
+--- a/configure.in
+++ b/configure.in
+@@ -264,7 +264,7 @@ case $host in
+       if test "x$LTFLAGS" = "x"; then
+           LTFLAGS='--silent'
+       fi
+-      my_libtool=`$apr_config --apr-libtool`
+      my_libtool=`$apr_config --apr-libtool | sed -e s,libtool,${host_alias}-libtool,`
+       LIBTOOL="$my_libtool \$(LTFLAGS)"
+       libtoolversion=`$my_libtool --version`
+       case $libtoolversion in
+--- a/support/apxs.in
+++ b/support/apxs.in
+@@ -352,7 +352,7 @@ if ($apr_major_version < 2) {
+     }
+ }
+ 
+-my $libtool = `$apr_config --apr-libtool`;
+my $libtool = `$apr_config --apr-libtool| sed -e s,libtool,${host_alias}-libtool,`;
+ chomp($libtool);
+ 
+ my $apr_includedir = `$apr_config --includes`;
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
new file mode 100644
index 000000000..18e4107ec
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
@@ -0,0 +1,37 @@
+Bump up the core size limit if CoreDumpDirectory is
+configured.
+Upstream-Status: Pending 
+Note: upstreaming was discussed but there are competing desires;
+        there are portability oddities here too.
+--- httpd-2.4.1/server/core.c.corelimit
+++ httpd-2.4.1/server/core.c
+@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t *
+     }
+     apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
+                               apr_pool_cleanup_null);
+
+#ifdef RLIMIT_CORE
+    if (ap_coredumpdir_configured) {
+        struct rlimit lim;
+
+        if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
+            lim.rlim_cur = lim.rlim_max;
+            if (setrlimit(RLIMIT_CORE, &lim) == 0) {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                             "core dump file size limit raised to %lu bytes",
+                             lim.rlim_cur);
+            } else {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
+                             "core dump file size is zero, setrlimit failed");
+            }
+        }
+    }
+#endif
+
+     return OK;
+ }
+ 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
new file mode 100644
index 000000000..873328d9b
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
@@ -0,0 +1,63 @@
+Log the SELinux context at startup.
+Upstream-Status: Inappropriate [other]
+Note: unlikely to be any interest in this upstream
+--- httpd-2.4.1/configure.in.selinux
+++ httpd-2.4.1/configure.in
+@@ -458,6 +458,11 @@ fopen64
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+ 
+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+   AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+   APR_ADDTO(AP_LIBS, [-lselinux])
+])
+
+ AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+ [AC_TRY_RUN(#define _GNU_SOURCE
+ #include <unistd.h>
+--- httpd-2.4.1/server/core.c.selinux
+++ httpd-2.4.1/server/core.c
+@@ -58,6 +58,10 @@
+ #include <unistd.h>
+ #endif
+ 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 0)
+@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t *
+     }
+ #endif
+ 
+#ifdef HAVE_SELINUX
+    {
+        static int already_warned = 0;
+        int is_enabled = is_selinux_enabled() > 0;
+        
+        if (is_enabled && !already_warned) {
+            security_context_t con;
+            
+            if (getcon(&con) == 0) {
+                
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                             "SELinux policy enabled; "
+                             "httpd running as context %s", con);
+                
+                already_warned = 1;
+                
+                freecon(con);
+            }
+        }
+    }
+#endif
+
+     return OK;
+ }
+ 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
new file mode 100644
index 000000000..afbed8e55
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
@@ -0,0 +1,22 @@
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+Upstream-HEAD: needed
+Upstream-2.0: omit
+Upstream-Status: Pending
+Note: EXPORT_DIRS change is conditional on using shared apr
+--- httpd-2.4.4/server/Makefile.in.export
+++ httpd-2.4.4/server/Makefile.in
+@@ -57,9 +57,6 @@ export_files:
+        ( for dir in $(EXPORT_DIRS); do \
+              ls $$dir/*.h ; \
+          done; \
+-         for dir in $(EXPORT_DIRS_APR); do \
+-             ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
+-         done; \
+        ) | sed -e s,//,/,g | sort -u > $@
+ 
+ exports.c: export_files
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
new file mode 100644
index 000000000..a4f185501
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/npn-patch-2.4.7.patch
@@ -0,0 +1,289 @@
+Add support for TLS Next Protocol Negotiation:
+* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: Add and implement new
+  hooks for next protocol advertisement/discovery.
+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Enable
+  NPN advertisement callback in handshake.
+* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Invoke
+  next-protocol discovery hook.
+* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
+  New callback.
+* modules/ssl/ssl_private.h: Add prototype.
+Submitted by: Matthew Steele <mdsteele google.com>
+  with slight tweaks by jorton
+http://svn.apache.org/viewvc?view=revision&revision=1332643
+https://bugzilla.redhat.com//show_bug.cgi?id=809599
+Upstream-Status: Backport
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ CHANGES                         |  2 +
+ modules/ssl/mod_ssl.c           | 12 ++++++
+ modules/ssl/mod_ssl.h           | 21 +++++++++++
+ modules/ssl/ssl_engine_init.c   |  5 +++
+ modules/ssl/ssl_engine_io.c     | 24 ++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 82 +++++++++++++++++++++++++++++++++++++++++
+ modules/ssl/ssl_private.h       |  6 +++
+ 7 files changed, 152 insertions(+)
+diff --git a/CHANGES b/CHANGES
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,6 +1,8 @@
+                                                          -*- coding: utf-8 -*-
+ 
+ Changes with Apache 2.4.7
+  *) mod_ssl: Add support for TLS Next Protocol Negotiation.  PR 52210.
+     [Matthew Steele <mdsteele google.com>]
+ 
+   *) APR 1.5.0 or later is now required for the event MPM.
+   
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
+@@ -275,6 +275,18 @@ static const command_rec ssl_config_cmds[] = {
+     AP_END_CMD
+ };
+ 
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+    modssl, AP, int, npn_advertise_protos_hook,
+    (conn_rec *connection, apr_array_header_t *protos),
+    (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+    modssl, AP, int, npn_proto_negotiated_hook,
+    (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+    (connection, proto_name, proto_name_len), OK, DECLINED);
+
+ /*
+  *  the various processing hooks
+  */
+diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
+--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
+@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+ 
+ APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+ 
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake.  The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+                          (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake.  Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server.  The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+                          (conn_rec *connection, const char *proto_name,
+                           apr_size_t proto_name_len));
+
+ #endif /* __MOD_SSL_H__ */
+ /** @} */
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -546,6 +546,11 @@ static void ssl_init_ctx_callbacks(server_rec *s,
+     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
+ 
+     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+
+#ifdef HAVE_TLS_NPN
+    SSL_CTX_set_next_protos_advertised_cb(
+        ctx, ssl_callback_AdvertiseNextProtos, NULL);
+#endif
+ }
+ 
+ static void ssl_init_ctx_verify(server_rec *s,
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
+@@ -28,6 +28,7 @@
+                                   core keeps dumping.''
+                                             -- Unknown    */
+ #include "ssl_private.h"
+#include "mod_ssl.h"
+ #include "apr_date.h"
+ 
+ /*  _________________________________________________________________
+@@ -297,6 +298,7 @@ typedef struct {
+     apr_pool_t *pool;
+     char buffer[AP_IOBUFSIZE];
+     ssl_filter_ctx_t *filter_ctx;
+    int npn_finished;  /* 1 if NPN has finished, 0 otherwise */
+ } bio_filter_in_ctx_t;
+ 
+ /*
+@@ -1412,6 +1414,27 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
+         APR_BRIGADE_INSERT_TAIL(bb, bucket);
+     }
+ 
+#ifdef HAVE_TLS_NPN
+    /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+     * our version of OpenSSL supports it).  If we haven't already, find out
+     * which protocol was decided upon and inform other modules by calling
+     * npn_proto_negotiated_hook. */
+    if (!inctx->npn_finished) {
+        const unsigned char *next_proto = NULL;
+        unsigned next_proto_len = 0;
+
+        SSL_get0_next_proto_negotiated(
+            inctx->ssl, &next_proto, &next_proto_len);
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+                      "SSL NPN negotiated protocol: '%s'",
+                      apr_pstrmemdup(f->c->pool, (const char*)next_proto,
+                                     next_proto_len));
+        modssl_run_npn_proto_negotiated_hook(
+            f->c, (const char*)next_proto, next_proto_len);
+        inctx->npn_finished = 1;
+    }
+#endif
+
+     return APR_SUCCESS;
+ }
+ 
+@@ -1893,6 +1916,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
+     inctx->block = APR_BLOCK_READ;
+     inctx->pool = c->pool;
+     inctx->filter_ctx = filter_ctx;
+    inctx->npn_finished = 0;
+ }
+ 
+ /* The request_rec pointer is passed in here only to ensure that the
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
+@@ -29,6 +29,7 @@
+                                   time I was too famous.''
+                                             -- Unknown                */
+ #include "ssl_private.h"
+#include "mod_ssl.h"
+ #include "util_md5.h"
+ 
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+@@ -2139,3 +2140,84 @@ int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg)
+ }
+ 
+ #endif /* HAVE_SRP */
+
+#ifdef HAVE_TLS_NPN
+/*
+ * This callback function is executed when SSL needs to decide what protocols
+ * to advertise during Next Protocol Negotiation (NPN).  It must produce a
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
+ * the advertised protocols.  Refer to SSL_CTX_set_next_protos_advertised_cb
+ * in OpenSSL for reference.
+ */
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
+                                     unsigned int *size_out, void *arg)
+{
+    conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+    apr_array_header_t *protos;
+    int num_protos;
+    unsigned int size;
+    int i;
+    unsigned char *data;
+    unsigned char *start;
+
+    *data_out = NULL;
+    *size_out = 0;
+
+    /* If the connection object is not available, then there's nothing for us
+     * to do. */
+    if (c == NULL) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
+    /* Invoke our npn_advertise_protos hook, giving other modules a chance to
+     * add alternate protocol names to advertise. */
+    protos = apr_array_make(c->pool, 0, sizeof(char*));
+    modssl_run_npn_advertise_protos_hook(c, protos);
+    num_protos = protos->nelts;
+
+    /* We now have a list of null-terminated strings; we need to concatenate
+     * them together into a single string, where each protocol name is prefixed
+     * by its length.  First, calculate how long that string will be. */
+    size = 0;
+    for (i = 0; i < num_protos; ++i) {
+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
+        unsigned int length = strlen(string);
+        /* If the protocol name is too long (the length must fit in one byte),
+         * then log an error and skip it. */
+        if (length > 255) {
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                          "SSL NPN protocol name too long (length=%u): %s",
+                          length, string);
+            continue;
+        }
+        /* Leave room for the length prefix (one byte) plus the protocol name
+         * itself. */
+        size += 1 + length;
+    }
+
+    /* If there is nothing to advertise (either because no modules added
+     * anything to the protos array, or because all strings added to the array
+     * were skipped), then we're done. */
+    if (size == 0) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
+    /* Now we can build the string.  Copy each protocol name string into the
+     * larger string, prefixed by its length. */
+    data = apr_palloc(c->pool, size * sizeof(unsigned char));
+    start = data;
+    for (i = 0; i < num_protos; ++i) {
+        const char *string = APR_ARRAY_IDX(protos, i, const char*);
+        apr_size_t length = strlen(string);
+        *start = (unsigned char)length;
+        ++start;
+        memcpy(start, string, length * sizeof(unsigned char));
+        start += length;
+    }
+
+    /* Success. */
+    *data_out = data;
+    *size_out = size;
+    return SSL_TLSEXT_ERR_OK;
+}
+#endif /* HAVE_TLS_NPN */
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
+@@ -123,6 +123,11 @@
+ #define MODSSL_SSL_METHOD_CONST
+ #endif
+ 
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+    && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
+ #if defined(OPENSSL_FIPS)
+ #define HAVE_FIPS
+ #endif
+@@ -800,6 +805,7 @@ int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ int         ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
+                                        EVP_CIPHER_CTX *, HMAC_CTX *, int);
+ #endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
+ 
+ /**  Session Cache Support  */
+ void         ssl_scache_init(server_rec *, apr_pool_t *);
+-- 
+1.8.1.2
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch b/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
new file mode 100644
index 000000000..584ddc8d9
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
@@ -0,0 +1,52 @@
+From 760ccbb2fb046621a2aeaecabb2b1ef9aa280cf1 Mon Sep 17 00:00:00 2001
+From: Yulong Pei <Yulong.pei@windriver.com>
+Date: Thu, 1 Sep 2011 01:03:14 +0800
+Subject: [PATCH] replace lynx to curl in apachectl script
+Upstream-Status: Inappropriate [configuration]
+Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
+---
+ support/apachectl.in |   14 ++++++++++----
+ 1 files changed, 10 insertions(+), 4 deletions(-)
+diff --git a/support/apachectl.in b/support/apachectl.in
+index d4dff38..109ea13 100644
+--- a/support/apachectl.in
+++ b/support/apachectl.in
+@@ -51,11 +51,11 @@ fi
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line.  Designed for lynx, however other
+ # programs may work.  
+-LYNX="@LYNX_PATH@ -dump"
+CURL="/usr/bin/curl"
+ #
+ # the URL to your server's mod_status status page.  If you do not
+ # have one, then status and fullstatus will not work.
+-STATUSURL="http://localhost:@PORT@/server-status"
+STATUSURL="http://localhost:@PORT@/"
+ #
+ # Set this variable to a command that increases the maximum
+ # number of file descriptors allowed per child process. This is
+@@ -91,10 +91,16 @@ configtest)
+     ERROR=$?
+     ;;
+ status)
+-    $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+    $CURL -s $STATUSURL | grep -o "It works!"
+    if [ $? != 0 ] ; then
+        echo The httpd server does not work!
+    fi
+     ;;
+ fullstatus)
+-    $LYNX $STATUSURL
+    $CURL -s $STATUSURL | grep -o "It works!"
+    if [ $? != 0 ] ; then
+        echo The httpd server does not work!
+    fi
+     ;;
+ *)
+     $HTTPD $ARGV
+-- 
+1.6.4
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch b/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
new file mode 100644
index 000000000..f1349cb6a
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
@@ -0,0 +1,11 @@
+--- http-2.0.54/server/Makefile.in-old  2005-12-20 13:26:56.000000000 -0500
+++ http-2.0.54/server/Makefile.in      2005-12-20 13:27:22.000000000 -0500
+@@ -27,7 +27,7 @@
+        $(LINK) $(EXTRA_LDFLAGS) $(gen_test_char_OBJECTS) $(EXTRA_LIBS)
+ 
+ test_char.h: gen_test_char
+-       ./gen_test_char > test_char.h
+       gen_test_char > test_char.h
+ 
+ util.lo: test_char.h
+