diff -u apache2-2.2.8/debian/changelog apache2-2.2.8/debian/changelog
--- apache2-2.2.8/debian/changelog
+++ apache2-2.2.8/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.2.8-1ubuntu0.22) hardy-security; urgency=low
+
+  * SECURITY UPDATE: mod_proxy reverse proxy exposure
+    * debian/patches/216_CVE-2011-3368.dpatch: return 400
+      on invalid requests.
+
+ -- Michael Jeanson <mjeanson@rlnx.com>  Tue, 18 Oct 2011 16:18:53 -0400
+
 apache2 (2.2.8-1ubuntu0.21) hardy-security; urgency=low
 
   * SECURITY UPDATE: Range header DoS vulnerability
diff -u apache2-2.2.8/debian/patches/00list apache2-2.2.8/debian/patches/00list
--- apache2-2.2.8/debian/patches/00list
+++ apache2-2.2.8/debian/patches/00list
@@ -38,0 +39 @@
+216_CVE-2011-3368.dpatch
only in patch2:
unchanged:
--- apache2-2.2.8.orig/debian/patches/216_CVE-2011-3368.dpatch
+++ apache2-2.2.8/debian/patches/216_CVE-2011-3368.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 216_CVE-2011-3368.dpatch by Michael Jeanson <mjeanson@rlnx.com>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2011-3368 (mod_proxy reverse proxy exposure)
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apache2-2.2.8~/server/protocol.c apache2-2.2.8/server/protocol.c
+--- apache2-2.2.8~/server/protocol.c	2007-12-12 15:43:04.000000000 -0500
++++ apache2-2.2.8/server/protocol.c	2011-10-18 16:14:59.018789000 -0400
+@@ -637,6 +637,25 @@
+ 
+     ap_parse_uri(r, uri);
+ 
++    /* RFC 2616:
++     *   Request-URI    = "*" | absoluteURI | abs_path | authority
++     *
++     * authority is a special case for CONNECT.  If the request is not
++     * using CONNECT, and the parsed URI does not have scheme, and
++     * it does not begin with '/', and it is not '*', then, fail
++     * and give a 400 response. */
++    if (r->method_number != M_CONNECT 
++        && !r->parsed_uri.scheme 
++        && uri[0] != '/'
++        && !(uri[0] == '*' && uri[1] == '\0')) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                      "invalid request-URI %s", uri);
++        r->args = NULL;
++        r->hostname = NULL;
++        r->status = HTTP_BAD_REQUEST;
++        r->uri = apr_pstrdup(r->pool, uri);
++    }
++
+     if (ll[0]) {
+         r->assbackwards = 0;
+         pro = ll;