--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/httpoxy.patch Tue Aug 23 07:01:29 2016 -0700
@@ -0,0 +1,38 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+http://svn.apache.org/viewvc?view=revision&revision=1756564
+
+--- docs/conf/httpd.conf.in 2012/02/06 16:54:24 1241075
++++ docs/conf/httpd.conf.in 2016/08/16 23:32:35 1756564
+@@ -284,6 +284,15 @@
+ #
+ DefaultType text/plain
+
++<IfModule headers_module>
++ #
++ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
++ # backend servers which have lingering "httpoxy" defects.
++ # 'Proxy' request header is undefined by the IETF, not listed by IANA
++ #
++ RequestHeader unset Proxy early
++</IfModule>
++
+ <IfModule mime_module>
+ #
+ # TypesConfig points to the file containing the list of mappings from
+--- server/util_script.c 2012/08/21 17:42:49 1375683
++++ server/util_script.c 2016/08/16 23:32:35 1756564
+@@ -165,6 +165,14 @@
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache24/patches/httpoxy.patch Tue Aug 23 07:01:29 2016 -0700
@@ -0,0 +1,39 @@
+https://www.apache.org/security/asf-httpoxy-response.txt
+http://svn.apache.org/viewvc?view=revision&revision=1753228
+http://svn.apache.org/viewvc?view=revision&revision=1753229
+
+--- docs/conf/httpd.conf.in 2016/07/18 14:00:30 1753227
++++ docs/conf/httpd.conf.in 2016/07/18 14:07:00 1753228
+@@ -283,6 +283,15 @@
+ Require all granted
+ </Directory>
+
++<IfModule headers_module>
++ #
++ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
++ # backend servers which have lingering "httpoxy" defects.
++ # 'Proxy' request header is undefined by the IETF, not listed by IANA
++ #
++ RequestHeader unset Proxy early
++</IfModule>
++
+ <IfModule mime_module>
+ #
+ # TypesConfig points to the file containing the list of mappings from
+--- server/util_script.c 2016/07/18 14:00:30 1753227
++++ server/util_script.c 2016/07/18 14:07:00 1753228
+@@ -186,6 +186,14 @@
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them