Index: trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch (revision 2134)
+++ trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch (revision 2134)
@@ -0,0 +1,32 @@
+--- httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:42:04 1227279
++++ httpd/httpd/branches/2.2.x/server/util.c 2012/01/04 19:45:22 1227280
+@@ -82,6 +82,8 @@
+ #define IS_SLASH(s) (s == '/')
+ #endif
+
++/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
++#define UTIL_SIZE_MAX (~((apr_size_t)0))
+
+ /*
+ * Examine a field value (such as a media-/content-type) string and return
+@@ -366,7 +368,7 @@
+ char *dest, *dst;
+ char c;
+ size_t no;
+- int len;
++ apr_size_t len;
+
+ if (!source)
+ return NULL;
+@@ -391,6 +393,11 @@
+ len++;
+ }
+ else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
++ if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
++ "integer overflow or out of memory condition." );
++ return NULL;
++ }
+ len += pmatch[no].rm_eo - pmatch[no].rm_so;
+ }
+
Index: trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch (revision 2134)
+++ trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch (revision 2134)
@@ -0,0 +1,29 @@
+--- httpd/httpd/branches/2.2.x/server/scoreboard.c 2012/01/13 13:27:19 1231057
++++ httpd/httpd/branches/2.2.x/server/scoreboard.c 2012/01/13 13:27:46 1231058
+@@ -42,6 +42,8 @@
+ AP_DECLARE_DATA int ap_extended_status = 0;
+ AP_DECLARE_DATA int ap_mod_status_reqtail = 0;
+
++static ap_scoreboard_e scoreboard_type;
++
+ #if APR_HAS_SHARED_MEMORY
+
+ #include "apr_shm.h"
+@@ -250,7 +252,7 @@
+ if (ap_scoreboard_image == NULL) {
+ return APR_SUCCESS;
+ }
+- if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
++ if (scoreboard_type == SB_SHARED) {
+ ap_cleanup_shared_mem(NULL);
+ }
+ else {
+@@ -312,7 +314,7 @@
+ ap_init_scoreboard(sb_mem);
+ }
+
+- ap_scoreboard_image->global->sb_type = sb_type;
++ ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type;
+ ap_scoreboard_image->global->running_generation = 0;
+ ap_scoreboard_image->global->restart_time = apr_time_now();
+
Index: trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch (revision 2134)
+++ trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch (revision 2134)
@@ -0,0 +1,84 @@
+--- httpd/httpd/branches/2.2.x/server/protocol.c 2012/01/24 19:59:57 1235453
++++ httpd/httpd/branches/2.2.x/server/protocol.c 2012/01/24 20:02:19 1235454
+@@ -670,6 +670,16 @@
+ return 1;
+ }
+
++/* get the length of the field name for logging, but no more than 80 bytes */
++#define LOG_NAME_MAX_LEN 80
++static int field_name_len(const char *field)
++{
++ const char *end = ap_strchr_c(field, ':');
++ if (end == NULL || end - field > LOG_NAME_MAX_LEN)
++ return LOG_NAME_MAX_LEN;
++ return end - field;
++}
++
+ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
+ {
+ char *last_field = NULL;
+@@ -709,12 +719,15 @@
+ /* insure ap_escape_html will terminate correctly */
+ field[len - 1] = '\0';
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Size of a request header field "
+ "exceeds server limit.
\n"
+- "\n",
+- ap_escape_html(r->pool, field),
+- "
\n", NULL));
++ "\n%.*s\n
/n",
++ field_name_len(field),
++ ap_escape_html(r->pool, field)));
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "Request header exceeds LimitRequestFieldSize: "
++ "%.*s", field_name_len(field), field);
+ }
+ return;
+ }
+@@ -735,13 +748,17 @@
+ * overflow (last_field) as the field with the problem
+ */
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Size of a request header field "
+ "after folding "
+ "exceeds server limit.
\n"
+- "\n",
+- ap_escape_html(r->pool, last_field),
+- "
\n", NULL));
++ "\n%.*s\n
\n",
++ field_name_len(last_field),
++ ap_escape_html(r->pool, last_field)));
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++ "Request header exceeds LimitRequestFieldSize "
++ "after folding: %.*s",
++ field_name_len(last_field), last_field);
+ return;
+ }
+
+@@ -773,13 +790,18 @@
+ if (!(value = strchr(last_field, ':'))) { /* Find ':' or */
+ r->status = HTTP_BAD_REQUEST; /* abort bad request */
+ apr_table_setn(r->notes, "error-notes",
+- apr_pstrcat(r->pool,
++ apr_psprintf(r->pool,
+ "Request header field is "
+ "missing ':' separator.
\n"
+- "\n",
++ "\n%.*s
\n",
++ (int)LOG_NAME_MAX_LEN,
+ ap_escape_html(r->pool,
+- last_field),
+- "
\n", NULL));
++ last_field)));
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Request header field is missing ':' "
++ "separator: %.*s", (int)LOG_NAME_MAX_LEN,
++ last_field);
++
+ return;
+ }
+