Taken from

  http://svn.apache.org/viewvc/apr/apr/trunk/xml/apr_xml.c?r1=757729&r2=781403&view=patch

--- srclib/apr-util/xml/apr_xml.c	2009/03/24 11:12:27	757729

+++ srclib/apr-util/xml/apr_xml.c	2009/06/03 14:26:19	781403

@@ -347,6 +347,25 @@

     return APR_SUCCESS;

 }

+#if XML_MAJOR_VERSION > 1

+/* Stop the parser if an entity declaration is hit. */

+static void entity_declaration(void *userData, const XML_Char *entityName,

+                               int is_parameter_entity, const XML_Char *value,

+                               int value_length, const XML_Char *base,

+                               const XML_Char *systemId, const XML_Char *publicId,

+                               const XML_Char *notationName)

+{

+    apr_xml_parser *parser = userData;

+

+    XML_StopParser(parser->xp, XML_FALSE);

+}

+#else

+/* A noop default_handler. */

+static void default_handler(void *userData, const XML_Char *s, int len)

+{

+}

+#endif

+

 APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool)

 {

     apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser));

@@ -372,6 +391,19 @@

     XML_SetElementHandler(parser->xp, start_handler, end_handler);

     XML_SetCharacterDataHandler(parser->xp, cdata_handler);

+    /* Prevent the "billion laughs" attack against expat by disabling

+     * internal entity expansion.  With 2.x, forcibly stop the parser

+     * if an entity is declared - this is safer and a more obvious

+     * failure mode.  With older versions, installing a noop

+     * DefaultHandler means that internal entities will be expanded as

+     * the empty string, which is also sufficient to prevent the

+     * attack. */

+#if XML_MAJOR_VERSION > 1

+    XML_SetEntityDeclHandler(parser->xp, entity_declaration);

+#else

+    XML_SetDefaultHandler(parser->xp, default_handler);

+#endif

+

     return parser;

 }

Equal to the fix in the apr-util itself:

  http://svn.apache.org/viewvc/apr/apr/trunk/buckets/apr_brigade.c?r1=768417&r2=768416&pathrev=768417&view=patch

See discuission about original vulnerability at

  http://www.mail-archive.com/dev@apr.apache.org/msg21592.html

--- srclib/apr-util/buckets/apr_brigade.c.orig	2009-06-06 12:32:12.000000000 +0400

+++ srclib/apr-util/buckets/apr_brigade.c	2009-06-06 12:35:30.000000000 +0400

@@ -689,9 +689,6 @@

       return -1;

     }

-    /* tack on null terminator to remaining string */

-    *(vd.vbuff.curpos) = '\0';

-

     /* write out what remains in the buffer */

     return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf);

 }

Fix underflow in apr_strmatch_precompile,

  http://svn.apache.org/viewvc/apr/apr/trunk/strmatch/apr_strmatch.c?r1=757729&r2=779878&view=patch

--- srclib/apr-util/strmatch/apr_strmatch.c	2009/03/24 11:12:27	757729

+++ srclib/apr-util/strmatch/apr_strmatch.c	2009/05/29 07:47:52	779878

@@ -103,13 +103,13 @@

     if (case_sensitive) {

         pattern->compare = match_boyer_moore_horspool;

         for (i = 0; i < pattern->length - 1; i++) {

-            shift[(int)s[i]] = pattern->length - i - 1;

+            shift[(unsigned char)s[i]] = pattern->length - i - 1;

         }

     }

     else {

         pattern->compare = match_boyer_moore_horspool_nocase;

         for (i = 0; i < pattern->length - 1; i++) {

-            shift[apr_tolower(s[i])] = pattern->length - i - 1;

+            shift[(unsigned char)apr_tolower(s[i])] = pattern->length - i - 1;

         }

     }

     pattern->context = shift;

#! /bin/sh /usr/share/dpatch/dpatch-run

## 025_libtool_2.x_fixes.dpatch by  <jsw@debian.org>

##

## All lines beginning with `## DP:' are a description of the patch.

## DP: Update build system to work with libtool 2.x

## DP:

## DP: This corresponds to upstream revisions:

## DP:   733052

## DP:   742752

## DP:   748902

## DP:   757363

diff --git a/buildconf b/buildconf

index bc0e9fd..11554ed 100755

--- srclib/apr/buildconf

+++ srclib/apr/buildconf

@@ -35,17 +35,20 @@ fi

 # Note: APR supplies its own config.guess and config.sub -- we do not

 #       rely on libtool's versions

 #

-echo "Copying libtool helper files ..."

+echo "buildconf: copying libtool helper files using $libtoolize"

 # Remove any libtool files so one can switch between libtool 1.3

 # and libtool 1.4 by simply rerunning the buildconf script.

-(cd build ; rm -f ltconfig ltmain.sh libtool.m4)

-

-$libtoolize --copy --automake

-

-if [ -f libtool.m4 ]; then 

-   ltfile=`pwd`/libtool.m4

-else

+(cd build ; rm -f ltconfig ltmain.sh libtool.m4 ltoptions.m4 ltsugar.m4 ltversion.m4 lt~obsolete.m4)

+

+lt_pversion=`$libtoolize --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'`

+lt_version=`echo $lt_pversion|sed -e 's/\([a-z]*\)$/.\1/'`

+IFS=.; set $lt_version; IFS=' '

+if test "$1" = "1"; then

+  $libtoolize --copy --automake

+  if [ -f libtool.m4 ]; then 

+    ltfile=`pwd`/libtool.m4

+  else

    ltfindcmd="`sed -n \"/=[^\\\`]/p;/libtool_m4=/{s/.*=/echo /p;q;}\" \

                    < $libtoolize`"

    ltfile=${LIBTOOL_M4-`eval "$ltfindcmd"`}

@@ -54,21 +57,21 @@ else

      ltpath=`dirname $libtoolize`

      ltfile=`cd $ltpath/../share/aclocal ; pwd`/libtool.m4

    fi

-fi

-  

-if [ ! -f $ltfile ]; then

+  fi

+  if [ ! -f $ltfile ]; then

     echo "$ltfile not found"

     exit 1

+  fi

+  # Do we need this anymore?

+  echo "buildconf: Using libtool.m4 at ${ltfile}."

+  cat $ltfile | sed -e 's/LIBTOOL=\(.*\)top_build/LIBTOOL=\1apr_build/' > build/libtool.m4

 fi

-

-echo "buildconf: Using libtool.m4 at ${ltfile}."

-

-cat $ltfile | sed -e 's/LIBTOOL=\(.*\)top_build/LIBTOOL=\1apr_build/' > build/libtool.m4

-

-# libtool.m4 from 1.6 requires ltsugar.m4

-if [ -f ltsugar.m4 ]; then

-   rm -f build/ltsugar.m4

-   mv ltsugar.m4 build/ltsugar.m4

+if test "$1" = "2"; then

+  $libtoolize --copy

+  # Wouldn't it just be better to define top_builddir??

+  mv build/libtool.m4 build/libtool.m4.$$

+  cat build/libtool.m4.$$ | sed -e 's/LIBTOOL=\(.*\)top_build/LIBTOOL=\1apr_build/' > build/libtool.m4

+  rm build/libtool.m4.$$

 fi

 # Clean up any leftovers

diff --git a/configure.in b/configure.in

index 46b4b32..2ac1439 100644

--- srclib/apr/configure.in

+++ srclib/apr/configure.in

@@ -9,6 +9,7 @@ AC_PREREQ(2.50)

 AC_INIT(build/apr_common.m4)

 AC_CONFIG_HEADER(include/arch/unix/apr_private.h)

 AC_CONFIG_AUX_DIR(build)

+AC_CONFIG_MACRO_DIR(build)

 dnl 

 dnl Include our own M4 macros along with those for libtool

@@ -20,6 +21,10 @@ sinclude(build/apr_win32.m4)

 sinclude(build/apr_hints.m4)

 sinclude(build/libtool.m4)

 sinclude(build/ltsugar.m4)

+sinclude(build/argz.m4)

+sinclude(build/ltoptions.m4)

+sinclude(build/ltversion.m4)

+sinclude(build/lt~obsolete.m4)

 dnl Hard-coded inclusion at the tail end of apr_private.h:

 AH_BOTTOM([

@@ -117,6 +122,8 @@ dnl can only be used once within a configure script, so this prevents a

 dnl preload section from invoking the macro to get compiler info.

 AC_PROG_CC

+AC_PROG_SED

+

 dnl Preload

 APR_PRELOAD

@@ -160,6 +167,11 @@ echo "performing libtool configuration..."

 AC_ARG_ENABLE(experimental-libtool,[  --enable-experimental-libtool Use experimental custom libtool],

   [experimental_libtool=$enableval],[experimental_libtool=no])

+dnl Workarounds for busted Libtool 2.x when we don't call AC_PROG_LIBTOOL

+if test "x$Xsed" = "x"; then

+  Xsed="$SED -e 1s/^X//"

+fi

+

 case $host in

 *-os2*)

     # Use a custom-made libtool replacement

--- ./server/mpm/prefork/prefork.c.orig	2008-05-31 07:58:46.000000000 -0400

+++ ./server/mpm/prefork/prefork.c	2009-06-11 20:10:12.151389121 -0400

@@ -573,19 +573,27 @@

                 apr_int32_t numdesc;

                 const apr_pollfd_t *pdesc;

-                /* timeout == -1 == wait forever */

-                status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);

+                /* check for termination first so we don't sleep for a while in

+                 * poll if already signalled

+                 */

+                if (one_process && shutdown_pending) {

+                    SAFE_ACCEPT(accept_mutex_off());

+                    return;

+                }

+                else if (die_now) {

+                    /* In graceful stop/restart; drop the mutex

+                     * and terminate the child. */

+                    SAFE_ACCEPT(accept_mutex_off());

+                    clean_child_exit(0);

+                }

+                /* timeout == 10 seconds to avoid a hang at graceful restart/stop

+                 * caused by the closing of sockets by the signal handler

+                 */

+                status = apr_pollset_poll(pollset, apr_time_from_sec(10), 

+                                          &numdesc, &pdesc);

                 if (status != APR_SUCCESS) {

-                    if (APR_STATUS_IS_EINTR(status)) {

-                        if (one_process && shutdown_pending) {

-                            return;

-                        }

-                        else if (die_now) {

-                            /* In graceful stop/restart; drop the mutex

-                             * and terminate the child. */

-                            SAFE_ACCEPT(accept_mutex_off());

-                            clean_child_exit(0);

-                        }

+                    if (APR_STATUS_IS_TIMEUP(status) ||

+                        APR_STATUS_IS_EINTR(status)) {

                         continue;

                     }

                     /* Single Unix documents select as returning errnos