Add support for applying patches.

Poll Apache official patch site/tree in update.sh for potential
patches to apply to the selected release.  Update Dockerfile
RUN stanzas to directly include logic for downloading, verifying
and applying these patches.

Verification limited to checksum generated during update.sh run
as no official mechanism/signing appears to be in place for the
patches themselves.

2.2/Dockerfile

@@ -70,6 +70,14 @@ RUN set -x \
 	&& rm httpd.tar.bz2 \
 	&& cd src \
 	\
+# Apply source patches
+        && { \
+             wget -O CVE-2017-9798-patch-2.2.patch "https://www-us.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch" \
+               && echo "42c610f8a8f8d4d08664db6d9857120c2c252c9b388d56f238718854e6013e46 CVE-2017-9798-patch-2.2.patch" | sha256sum -c - \
+               && patch -p0 < CVE-2017-9798-patch-2.2.patch \
+               && rm CVE-2017-9798-patch-2.2.patch \
+        ; } \
+# End source patch list
 	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
 	&& ./configure \
 		--build="$gnuArch" \

2.2/alpine/Dockerfile

@@ -73,6 +73,14 @@ RUN set -x \
 	&& rm httpd.tar.bz2 \
 	&& cd src \
 	\
+# Apply source patches
+        && { \
+             wget -O CVE-2017-9798-patch-2.2.patch "https://www-us.apache.org/dist/httpd/patches/apply_to_2.2.34/CVE-2017-9798-patch-2.2.patch" \
+               && echo "42c610f8a8f8d4d08664db6d9857120c2c252c9b388d56f238718854e6013e46 CVE-2017-9798-patch-2.2.patch" | sha256sum -c - \
+               && patch -p0 < CVE-2017-9798-patch-2.2.patch \
+               && rm CVE-2017-9798-patch-2.2.patch \
+        ; } \
+# End source patch list
 	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
 	&& ./configure \
 		--build="$gnuArch" \

2.4/Dockerfile

@@ -98,6 +98,8 @@ RUN set -x \
 	&& rm httpd.tar.bz2 \
 	&& cd src \
 	\
+# Apply source patches
+# End source patch list
 	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
 	&& ./configure \
 		--build="$gnuArch" \

2.4/alpine/Dockerfile

@@ -78,6 +78,8 @@ RUN set -x \
 	&& rm httpd.tar.bz2 \
 	&& cd src \
 	\
+# Apply source patches
+# End source patch list
 	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
 	&& ./configure \
 		--build="$gnuArch" \

update.sh

@@ -16,15 +16,33 @@ travisEnv=
 for version in "${versions[@]}"; do
 	fullVersion="$(curl -sSL --compressed "https://www-us.apache.org/dist/httpd/" | grep -E '<a href="httpd-'"$version"'[^"-]+.tar.bz2"' | sed -r 's!.*<a href="httpd-([^"-]+).tar.bz2".*!\1!' | sort -V | tail -1)"
 	sha1="$(curl -fsSL "https://www-us.apache.org/dist/httpd/httpd-$fullVersion.tar.bz2.sha1" | cut -d' ' -f1)"
+	patchUrl="https://www-us.apache.org/dist/httpd/patches/apply_to_$fullVersion"
+	patchInsert="$(mktemp)"
+	echo "# Apply source patches" > $patchInsert
+	if curl -fsIo /dev/null "$patchUrl/"; then
+	    patchFiles="$(curl -fssL "$patchUrl/?C=M;O=A" | grep -E 'Source code patch$' | sed -r 's!.*<a href=\"([^\"]+)\".*!\1!')"
+	    for patch in $patchFiles; do
+		psum="$(curl -fssL $patchUrl/$patch | sha256sum | cut -d ' ' -f1)"
+		echo "        && { \\" >> $patchInsert
+		echo "             wget -O ${patch} \"$patchUrl/$patch\" \\" >> $patchInsert
+		echo "               && echo \"${psum} ${patch}\" | sha256sum -c - \\" >> $patchInsert
+		echo "               && patch -p0 < ${patch} \\" >>$patchInsert
+		echo "               && rm ${patch} \\" >> $patchInsert
+		echo "        ; } \\" >> $patchInsert
+	    done
+	fi
+	echo "# End source patch list" >> $patchInsert
 	(
 		set -x
 		sed -ri \
 			-e 's/^(ENV HTTPD_VERSION) .*/\1 '"$fullVersion"'/' \
 			-e 's/^(ENV HTTPD_SHA1) .*/\1 '"$sha1"'/' \
 			-e 's/^(ENV NGHTTP2_VERSION) .*/\1 '"$nghttp2VersionDebian"'/' \
 			-e 's/^(ENV OPENSSL_VERSION) .*/\1 '"$opensslVersionDebian"'/' \
+                        -e '/# Apply source patches/{:a;N;/# End source patch list/!ba;' -e 'r '"$patchInsert" -e 'd;};' \
 			"$version/Dockerfile" "$version"/*/Dockerfile
 	)
+	rm $patchInsert
 
 	for variant in alpine; do
 		travisEnv='\n  - VERSION='"$version VARIANT=$variant$travisEnv"