diff --git a/net/icinga/core/Makefile b/net/icinga/core/Makefile
index 0eed613780e..75432e29723 100644
--- a/net/icinga/core/Makefile
+++ b/net/icinga/core/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2011/06/02 13:41:39 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.7 2011/06/02 19:48:17 sthen Exp $
 COMMENT-main = network monitoring system (improved fork of Nagios)
 COMMENT-cgi = cgi scripts for Icinga (classic Nagios-style UI)
@@ -7,12 +7,12 @@ COMMENT-api = database-backed API for icinga
 DISTNAME = icinga-$V
 PKGNAME-main = icinga-$V
+REVISION-main = 0
 PKGNAME-cgi = icinga-cgi-$V
+REVISION-cgi = 1
 PKGNAME-ido = icinga-idoutils-$V
 PKGNAME-api = icinga-api-$V
-REVISION-main = 0
-
 MULTI_PACKAGES = -main -cgi -api -ido
 PREFIX-cgi = /var/www
 PREFIX-api = /var/www
diff --git a/net/icinga/core/patches/patch-cgi_config_c b/net/icinga/core/patches/patch-cgi_config_c
new file mode 100644
index 00000000000..f48852a9939
--- /dev/null
+++ b/net/icinga/core/patches/patch-cgi_config_c
@@ -0,0 +1,15 @@
+$OpenBSD: patch-cgi_config_c,v 1.1 2011/06/02 19:48:17 sthen Exp $
+
+fix XSS; from cbe9993f upstream
+
+--- cgi/config.c.orig Thu Jun 2 14:26:09 2011
++++ cgi/config.c Thu Jun 2 14:26:27 2011
+@@ -429,7 +429,7 @@ int process_cgivars(void){
+ error=TRUE;
+ break;
+ }
+- strncpy(to_expand,variables[x],MAX_COMMAND_BUFFER);
++ strncpy(to_expand,escape_string(variables[x]),MAX_COMMAND_BUFFER);
+ to_expand[MAX_COMMAND_BUFFER-1]='\0';
+ }
+
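Review bot: On the changed `strncpy` line in cgi/config.c the result of `escape_string()` is used unchecked, so a NULL return would be dereferenced, and the encoded text, which can be longer than the input, is silently cut at `MAX_COMMAND_BUFFER-1`, possibly in the middle of an entity. Whether `escape_string()` can return NULL, and who owns its buffer, is not visible here and should be confirmed. A guard in the style of the branch just above would make both cases explicit: `esc=escape_string(variables[x]); if(esc==NULL || strlen(esc)>=MAX_COMMAND_BUFFER){ error=TRUE; break; }` followed by `strncpy(to_expand,esc,MAX_COMMAND_BUFFER);`. Because `to_expand` now holds HTML-encoded text, any later use of it other than printing into the page (the name suggests it is also expanded as a command) sees the encoded form; encoding where the value is written to the response would keep the stored value raw. process_cgivars starts and ends outside the hunk, so those consumers are not visible here.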