diff --git a/apache2.changes b/apache2.changes
index 4c9c148..45ccb57 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Sep 19 16:18:39 CEST 2008 - skh@suse.de
+
+- add httpd-2.x.x-logresolve.patch again [bnc#210904]
+- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:
+  mod_proxy_ftp: Prevent XSS attacks when using wildcards in
+  the path of the FTP URL. Discovered by Marc Bevand of Rapid7. 
+  [Ruediger Pluem]
+
 -------------------------------------------------------------------
 Tue Aug 26 22:59:55 CEST 2008 - poeml@suse.de
 
diff --git a/apache2.spec b/apache2.spec
index 1f34778..4d5c638 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -63,7 +63,7 @@ License:        The Apache Software License
 Group:          Productivity/Networking/Web/Servers
 %define realver 2.2.9
 Version:        2.2.9
-Release:        1
+Release:        4
 #Source0:      http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0:        http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10:       SUSE-NOTICE
@@ -115,6 +115,8 @@ Patch23:        httpd-2.1.9-apachectl.dif
 Patch65:        httpd-2.0.49-log_server_status.dif
 Patch66:        httpd-2.0.54-envvars.dif
 Patch67:        httpd-2.2.0-apxs-a2enmod.dif
+Patch68:        httpd-2.x.x-logresolve.patch
+Patch69:        httpd-2.2.x-CVE-2008-2939.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.0
@@ -332,6 +334,8 @@ Authors:
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1
+%patch69 -p4
 #
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 #
@@ -1021,6 +1025,12 @@ if ! test -f /.buildenv; then
 fi
 
 %changelog
+* Fri Sep 19 2008 skh@suse.de
+- add httpd-2.x.x-logresolve.patch again [bnc#210904]
+- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:
+  mod_proxy_ftp: Prevent XSS attacks when using wildcards in
+  the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
+  [Ruediger Pluem]
 * Wed Aug 27 2008 poeml@suse.de
 - drop rc.config handling (was removed in or after SuSE Linux 8.0)
 - don't use fillup_insserv options which have been removed lately
diff --git a/httpd-2.2.x-CVE-2008-2939.patch b/httpd-2.2.x-CVE-2008-2939.patch
new file mode 100644
index 0000000..157dce5
--- /dev/null
+++ b/httpd-2.2.x-CVE-2008-2939.patch
@@ -0,0 +1,13 @@
+Taken from: http://svn.apache.org/viewvc?view=rev&revision=682870
+
+--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c	2008/08/05 19:00:05	682869
++++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c	2008/08/05 19:01:50	682870
+@@ -383,6 +383,7 @@
+                                                            c->bucket_alloc));
+         }
+         if (wildcard != NULL) {
++            wildcard = ap_escape_html(p, wildcard);
+             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
+                                                            strlen(wildcard), p,
+                                                            c->bucket_alloc));
+
diff --git a/httpd-2.x.x-logresolve.patch b/httpd-2.x.x-logresolve.patch
new file mode 100644
index 0000000..7db623f
--- /dev/null
+++ b/httpd-2.x.x-logresolve.patch
@@ -0,0 +1,57 @@
+diff -Naur ../httpd-2.2.4.orig/support/logresolve.pl.in ./support/logresolve.pl.in
+--- ../httpd-2.2.4.orig/support/logresolve.pl.in	2006-07-12 05:38:44.000000000 +0200
++++ ./support/logresolve.pl.in	2007-10-23 13:59:27.000000000 +0200
+@@ -57,6 +57,7 @@
+ 
+ use FileHandle;
+ use Socket;
++use File::Temp;
+ 
+ use strict;
+ no strict 'refs';
+@@ -71,11 +72,13 @@
+ my %hash = ();
+ my $parent = $$;
+ 
++my $tempdir = File::Temp::tempdir("logresolve.pl2.sockets.XXXXXX", CLEANUP => 1);
++
+ my @children = ();
+ for (my $child = 1; $child <=$CHILDREN; $child++) {
+ 	my $f = fork();	
+ 	if (!$f) {
+-		$filename = "./.socket.$parent.$child";
++		$filename = "$tempdir/socket.$parent.$child";
+ 		if (-e $filename) { unlink($filename) || warn "$filename .. $!\n";}
+ 		&child($child);
+ 		exit(0);
+@@ -91,9 +94,9 @@
+ 	 # die kiddies, die
+ 	kill(15, @children);
+ 	for (my $child = 1; $child <=$CHILDREN; $child++) {
+-		if (-e "./.socket.$parent.$child") {
+-			unlink("./.socket.$parent.$child")
+-				|| warn ".socket.$parent.$child $!";
++		if (-e "$tempdir/socket.$parent.$child") {
++			unlink("$tempdir/socket.$parent.$child")
++				|| warn "$tempdir/socket.$parent.$child $!";
+ 		}
+ 	}
+ }
+@@ -113,7 +116,7 @@
+ 		if (!socket($CHILDSOCK{$child}, AF_UNIX, SOCK_STREAM, $PROTOCOL)) {
+ 			warn "parent socket to child failed $!";
+ 		}
+-		$filename = "./.socket.$parent.$child";
++		$filename = "$tempdir/socket.$parent.$child";
+ 		my $response;
+ 		do {
+ 			$response = connect($CHILDSOCK{$child}, sockaddr_un($filename));
+@@ -176,7 +179,7 @@
+ 	 # create a socket to communicate with parent
+ 	socket(INBOUND, AF_UNIX, SOCK_STREAM, $PROTOCOL)
+ 		|| die "Error with Socket: !$\n";
+-	$filename = "./.socket.$parent.$me";
++	$filename = "$tempdir/socket.$parent.$me";
+ 	bind(INBOUND, sockaddr_un($filename))
+ 		|| die "Error Binding $filename: $!\n";
+ 	listen(INBOUND, 5) || die "Error Listening: $!\n";