diff -Nru apache2-2.4.10/debian/changelog apache2-2.4.10/debian/changelog
--- apache2-2.4.10/debian/changelog 2016-05-13 10:53:34.000000000 +0200
+++ apache2-2.4.10/debian/changelog 2016-07-29 08:34:39.000000000 +0200
@@ -1,3 +1,9 @@
+apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.2) trusty-backports; urgency=medium
+
+ * CVE-2016-5387 (LP: #1604209)
+
+ -- Mike Gerow Thu, 21 Jul 2016 14:53:00 -0700
+
 apache2 (2.4.10-1ubuntu1.1~ubuntu14.04.1) trusty-backports; urgency=medium
 
 * No-change backport to trusty (LP: #1335068)
diff -Nru apache2-2.4.10/debian/patches/CVE-2016-5387.patch apache2-2.4.10/debian/patches/CVE-2016-5387.patch
--- apache2-2.4.10/debian/patches/CVE-2016-5387.patch 1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.4.10/debian/patches/CVE-2016-5387.patch 2016-07-29 08:34:15.000000000 +0200
@@ -0,0 +1,19 @@
+Description: fix proxy request header vulnerability (httpoxy)
+Origin: based on patch provided by Kurt Seifried
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -180,6 +180,14 @@
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
diff -Nru apache2-2.4.10/debian/patches/series apache2-2.4.10/debian/patches/series
--- apache2-2.4.10/debian/patches/series 2015-03-05 18:05:33.000000000 +0100
+++ apache2-2.4.10/debian/patches/series 2016-07-29 08:34:15.000000000 +0200
@@ -13,3 +13,4 @@
 CVE-2014-3583.patch
 CVE-2014-8109.patch
 CVE-2015-0228.patch
+CVE-2016-5387.patch
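Review bot: The empty branch body `;` in the new `else if (!strcasecmp(hdrs[i].key, "Proxy"))` arm of the CVE-2016-5387.patch hunk carries its intent only in the comment placed above the `#ifndef`, so a reader scanning the `else if` chain sees a bare no-op; replace the `;` with `/* deliberately not exported as HTTP_PROXY: see httpoxy (CVE-2016-5387) */` so the drop is explained at the point where it happens. The `#ifndef SECURITY_HOLE_PASS_PROXY` guard also splits an if/else chain, meaning that with the macro defined the `Proxy` header simply continues to the branches below the hunk (presumably the generic HTTP_* export), which is the intended opt-out but deserves a sentence in the patch's `Description:` header since the define name is the only hint. While there, the DEP-3 header could carry a `Bug-Ubuntu:` line for LP: #1604209, which the changelog references but the patch file does not. The enclosing header loop and function start and end outside the hunk, so the remaining arms of the chain are not visible here.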