diff --git a/.gitignore b/.gitignore
index 28521d6..dbc83cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ x86_64
 /httpd-2.4.4.tar.bz2
 /httpd-2.4.6.tar.bz2
 /httpd-2.4.7.tar.bz2
+/httpd-2.4.9.tar.bz2
diff --git a/httpd-2.4.7-sslsninotreq.patch b/httpd-2.4.7-sslsninotreq.patch
deleted file mode 100644
index 55d6fb3..0000000
--- a/httpd-2.4.7-sslsninotreq.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-
---- httpd-2.4.7/modules/ssl/ssl_engine_config.c.sslsninotreq
-+++ httpd-2.4.7/modules/ssl/ssl_engine_config.c
-@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_creat
- mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
- mc->pPool = pool;
- mc->bFixed = FALSE;
-+ mc->sni_required = FALSE;
-
- /*
- * initialize per-module configuration
---- httpd-2.4.7/modules/ssl/ssl_engine_init.c.sslsninotreq
-+++ httpd-2.4.7/modules/ssl/ssl_engine_init.c
-@@ -234,7 +234,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p
- /*
- * Configuration consistency checks
- */
-- ssl_init_CheckServers(base_server, ptemp);
-+ ssl_init_CheckServers(mc, base_server, ptemp);
-
- /*
- * Announce mod_ssl and SSL library in HTTP Server field
-@@ -1322,7 +1322,7 @@ void ssl_init_ConfigureServer(server_rec
- }
- }
-
--void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
-+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
- {
- server_rec *s, *ps;
- SSLSrvConfigRec *sc;
-@@ -1404,6 +1404,7 @@ void ssl_init_CheckServers(server_rec *b
- }
-
- if (conflict) {
-+ mc->sni_required = TRUE;
- #ifndef HAVE_TLSEXT
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
- "Init: You should not use name-based "
---- httpd-2.4.7/modules/ssl/ssl_engine_kernel.c.sslsninotreq
-+++ httpd-2.4.7/modules/ssl/ssl_engine_kernel.c
-@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
- }
- #ifdef HAVE_TLSEXT
- if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+ if (myModConfig(r->server)->sni_required) {
- char *host, *scope_id;
- apr_port_t port;
- apr_status_t rv;
-@@ -205,6 +206,7 @@ int ssl_hook_ReadReq(request_rec *r)
- " virtual host");
- return HTTP_FORBIDDEN;
- }
-+ }
- #endif
- SSL_set_app_data2(ssl, r);
-
---- httpd-2.4.7/modules/ssl/ssl_private.h.sslsninotreq
-+++ httpd-2.4.7/modules/ssl/ssl_private.h
-@@ -520,6 +520,7 @@ typedef struct {
- struct {
- void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, 
*pV7, *pV8, *pV9, *pV10; - } rCtx; -+ BOOL sni_required; - } SSLModConfigRec; - - /** Structure representing configured filenames for certs and keys for -@@ -765,7 +766,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c - int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); - void ssl_init_Engine(server_rec *, apr_pool_t *); - void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); --void ssl_init_CheckServers(server_rec *, apr_pool_t *); -+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *); - STACK_OF(X509_NAME) - *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); - void ssl_init_Child(apr_pool_t *, server_rec *); diff --git a/httpd-2.4.3-apxs.patch b/httpd-2.4.9-apxs.patch similarity index 91% rename from httpd-2.4.3-apxs.patch rename to httpd-2.4.9-apxs.patch index f4d2a87..7016dec 100644 --- a/httpd-2.4.3-apxs.patch +++ b/httpd-2.4.9-apxs.patch @@ -1,5 +1,7 @@ ---- httpd-2.4.3/support/apxs.in.apxs -+++ httpd-2.4.3/support/apxs.in +diff --git a/support/apxs.in b/support/apxs.in +index ad1287f..efcfcf6 100644 +--- a/support/apxs.in ++++ b/support/apxs.in @@ -25,7 +25,18 @@ package apxs; my %config_vars = (); @@ -53,4 +55,4 @@ +include %LIBDIR%/httpd/build/special.mk # the used tools - APXS=apxs + APACHECTL=apachectl diff --git a/httpd-2.4.9-sslsninotreq.patch b/httpd-2.4.9-sslsninotreq.patch new file mode 100644 index 0000000..8b6dea1 --- /dev/null +++ b/httpd-2.4.9-sslsninotreq.patch 
@@ -0,0 +1,83 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 19ba733..28caefd 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
+ mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+ mc->pPool = pool;
+ mc->bFixed = FALSE;
++ mc->sni_required = FALSE;
+
+ /*
+ * initialize per-module configuration
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index b1741b8..8e0c4bc 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -244,7 +244,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ /*
+ * Configuration consistency checks
+ */
+- if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
++ if ((rv = ssl_init_CheckServers(mc, base_server, ptemp)) != APR_SUCCESS) {
+ return rv;
+ }
+
+@@ -1398,7 +1398,7 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
+ return APR_SUCCESS;
+ }
+
+-apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
++apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
+ {
+ server_rec *s, *ps;
+ SSLSrvConfigRec *sc;
+@@ -1480,6 +1480,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+ }
+
+ if (conflict) {
++ mc->sni_required = TRUE;
+ #ifndef HAVE_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
+ "Init: You should not use name-based "
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index c60f0a6..232be86 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -165,6 +165,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ #ifdef HAVE_TLSEXT
+ if (r->proxyreq != PROXYREQ_PROXY) {
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++ if (myModConfig(r->server)->sni_required) {
+ char *host, 
*scope_id; + apr_port_t port; + apr_status_t rv; +@@ -216,6 +217,7 @@ int ssl_hook_ReadReq(request_rec *r) + return HTTP_FORBIDDEN; + } + } ++ } + #endif + SSL_set_app_data2(ssl, r); + +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 516d7e6..624bf7a 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -489,6 +489,7 @@ typedef struct { + ap_socache_instance_t *stapling_cache_context; + apr_global_mutex_t *stapling_mutex; + #endif ++ BOOL sni_required; + } SSLModConfigRec; + + /** Structure representing configured filenames for certs and keys for +@@ -738,7 +739,7 @@ apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_re + apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *); + apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *, + apr_array_header_t *); +-apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *); ++apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *); + STACK_OF(X509_NAME) + *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); + void ssl_init_Child(apr_pool_t *, server_rec *); diff --git a/httpd.spec b/httpd.spec index d73c068..6ba13f2 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,8 +13,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.7 -Release: 6%{?dist} +Version: 2.4.9 +Release: 1%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -48,7 +48,7 @@ Source40: htcacheclean.service Source41: htcacheclean.sysconf # build/scripts patches Patch1: httpd-2.4.1-apctl.patch -Patch2: httpd-2.4.3-apxs.patch +Patch2: httpd-2.4.9-apxs.patch Patch3: httpd-2.4.1-deplibs.patch Patch5: httpd-2.4.3-layout.patch Patch6: httpd-2.4.3-apctl-systemd.patch 
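Review bot: In the ssl_engine_kernel.c part of the new httpd-2.4.9-sslsninotreq.patch, the added `if (myModConfig(r->server)->sni_required) {` guard skips the whole SNI-versus-Host comparison, including its `return HTTP_FORBIDDEN;` path, unless ssl_init_CheckServers set the flag at startup, and the patch carries no comment saying why that is safe. The comparison appears to be what stops a request from reaching a vhost other than the one the TLS handshake was negotiated for. The guard is therefore only sound if `conflict` is raised for every configuration where SSL vhosts share a listener, and that cannot be confirmed here because the bodies of ssl_init_CheckServers and ssl_hook_ReadReq lie mostly outside these hunks. I would document the assumption above the guard, for example `/* Compare SNI with Host only when ssl_init_CheckServers() found name-based SSL vhosts (mc->sni_required). */`. I would also add a comment on the `BOOL sni_required;` field in ssl_private.h noting that the visible code only ever sets it to TRUE after creation, so if the module config outlives a graceful restart the check stays enabled, which fails closed.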
@@ -63,10 +63,9 @@ Patch30: httpd-2.4.4-cachehardmax.patch Patch31: httpd-2.4.6-sslmultiproxy.patch Patch32: httpd-2.4.7-r1537535.patch # Bug fixes -Patch51: httpd-2.4.7-sslsninotreq.patch +Patch51: httpd-2.4.9-sslsninotreq.patch Patch55: httpd-2.4.4-malformed-host.patch Patch56: httpd-2.4.4-mod_unique_id.patch -Patch58: httpd-2.4.6-r1534321.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -193,7 +192,6 @@ interface for storing and accessing per-user session data. %patch51 -p1 -b .sslsninotreq %patch55 -p1 -b .malformedhost %patch56 -p1 -b .uniqueid -%patch58 -p1 -b .r1534321 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -626,6 +624,9 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Mon Mar 17 2014 Jan Kaluza - 2.4.9-1 +- update to 2.4.9 + * Fri Feb 28 2014 Joe Orton - 2.4.7-6 - use 2048-bit RSA key with SHA-256 signature in dummy certificate diff --git a/sources b/sources index f460c94..43c32ab 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -170d7fb6fe5f28b87d1878020a9ab94e httpd-2.4.7.tar.bz2 +2ef4e65353497606b24fa9bb3e5a3c40 httpd-2.4.9.tar.bz2