Log message:
apache24: updated to 2.4.52

Changes with Apache 2.4.52

*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
   multipart content in mod_lua of Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A carefully crafted request body can cause a buffer overflow in
   the mod_lua multipart parser (r:parsebody() called from Lua
   scripts).
   The Apache httpd team is not aware of an exploit for the
   vulnerabilty though it might be possible to craft one.
   This issue affects Apache HTTP Server 2.4.51 and earlier.
   Credits: Chamal

*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
   forward proxy configurations in Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A crafted URI sent to httpd configured as a forward proxy
   (ProxyRequests on) can cause a crash (NULL pointer dereference)
   or, for configurations mixing forward and reverse proxy
   declarations, can allow for requests to be directed to a
   declared Unix Domain Socket endpoint (Server Side Request
   Forgery).
   This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
   (included).
   Credits: 漂亮éź
   TengMA(@Te3t123)

*) http: Enforce that fully qualified uri-paths not to be forward-proxied
   have an http(s) scheme, and that the ones to be forward proxied have a
   hostname, per HTTP specifications.

*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
   specified openssl path.

*) mod_proxy_connect, mod_proxy: Do not change the status code after we
   already sent it to the client.

*) mod_http: Correctly sent a 100 Continue status code when sending an interim
   response as result of an Expect: 100-Continue in the request and not the
   current status code of the request.

*) mod_dav: Some DAV extensions, like CalDAV, specify both document
   elements and property elements that need to be taken into account
   when generating a property. The document element and property element
   are made available in the dav_liveprop_elem structure by calling
   dav_get_liveprop_element().

*) mod_dav: Add utility functions dav_validate_root_ns(),
   dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
   dav_find_attr() so that other modules get to play too.

*) mpm_event: Restart stopping of idle children after a load peak.

*) mod_http2: fixes 2 regressions in server limit handling.
   1. When reaching server limits, such as MaxRequestsPerChild, the
      HTTP/2 connection send a GOAWAY frame much too early on new
      connections, leading to invalid protocol state and a client
      failing the request.
      The module now initializes the HTTP/2 protocol correctly and
      allows the client to submit one request before the shutdown
      via a GOAWAY frame is being announced.
   2. A regression in v1.15.24 was fixed that could lead to httpd
      child processes not being terminated on a graceful reload or
      when reaching MaxConnectionsPerChild. When unprocessed h2
      requests were queued at the time, these could stall.
      See <https://github.com/icing/mod_h2/issues/212>.

*) mod_ssl: Add build support for OpenSSL v3.

*) mod_proxy_connect: Honor the smallest of the backend or client timeout
   while tunneling.

*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
   half-close forwarding when tunneling protocols.

*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
   a third-party module.

*) mod_md: Fix memory leak in case of failures to load the private key.

*) mod_md: adding v2.4.8 with the following changes
  - Added support for ACME External Account Binding (EAB).
    Use the new directive `MDExternalAccountBinding` to provide the
    server with the value for key identifier and hmac as provided by
    your CA.
    While working on some servers, EAB handling is not uniform
    across CAs. First tests with a Sectigo Certificate Manager in
    demo mode are successful. But ZeroSSL, for example, seems to
    regard EAB values as a one-time-use-only thing, which makes them
    fail if you create a seconde account or retry the creation of the
    first account with the same EAB.
  - The directive 'MDCertificateAuthority' now checks if its parameter
    is a http/https url or one of a set of known names. Those are
    'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
    for now and they are not case-sensitive.
    The default of LetsEncrypt is unchanged.
  - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
    section.
  - Treating 401 HTTP status codes for orders like 403, since some ACME
    servers seem to prefer that for accessing oders from other accounts.
  - When retrieving certificate chains, try to read the repsonse even
    if the HTTP Content-Type is unrecognized.
  - Fixed a bug that reset the error counter of a certificate renewal
    and prevented the increasing delays in further attempts.
  - Fixed the renewal process giving up every time on an already existing
    order with some invalid domains. Now, if such are seen in a previous
    order, a new order is created for a clean start over again.
    See <https://github.com/icing/mod_md/issues/268>
  - Fixed a mixup in md-status handler when static certificate files
    and renewal was configured at the same time.

*) mod_md: values for External Account Binding (EAB) can
   now also be configured to be read from a separate JSON
   file. This allows to keep server configuration permissions
   world readable without exposing secrets.

*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.

Log message:
revbump for icu and libffi

Log message:
apache: let the RC script work unprivileged

This takes advantage of the introduction of the SYSCONFBASE variable.
Tested on NetBSD/amd64.

Bumps PKGREVISION.

Log message:
www: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts):
www/nghttp2/distinfo

Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz

Log message:
apache24: updated to 2.4.51

Changes with Apache 2.4.51

*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
   Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
   fix of CVE-2021-41773) (cve.mitre.org)
   It was found that the fix for CVE-2021-41773 in Apache HTTP
   Server 2.4.50 was insufficient.  An attacker could use a path
   traversal attack to map URLs to files outside the directories
   configured by Alias-like directives.
   If files outside of these directories are not protected by the
   usual default configuration "require all denied", these requests
   can succeed. If CGI scripts are also enabled for these aliased
   pathes, this could allow for remote code execution.
   This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
   earlier versions.

*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
   unused AP_NORMALIZE_DROP_PARAMETERS flag.

Log message:
www: Remove SHA1 hashes for distfiles

Log message:
apache24: updated to 2.4.50

Changes with Apache 2.4.50

*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
   vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
   A flaw was found in a change made to path normalization in
   Apache HTTP Server 2.4.49. An attacker could use a path
   traversal attack to map URLs to files outside the expected
   document root.
   If files outside of the document root are not protected by
   "require all denied" these requests can succeed. Additionally
   this flaw could leak the source of interpreted files like CGI
   scripts.
   This issue is known to be exploited in the wild.
   This issue only affects Apache 2.4.49 and not earlier versions.
   Credits: This issue was reported by Ash Daulton along with the
   cPanel Security Team

*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
   (cve.mitre.org)
   While fuzzing the 2.4.49 httpd, a new null pointer dereference
   was detected during HTTP/2 request processing,
   allowing an external source to DoS the server. This requires a
   specially crafted request.
   The vulnerability was recently introduced in version 2.4.49. No
   exploit is known to the project.
   Credits: Apache httpd team would like to thank LI ZHI XIN from
   NSFocus Security Team for reporting this issue.

*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
   the uri-path when it's preceded by a dot.

*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
   fails (!= 0 exit), the renewal process is aborted and an error is
   reported for the MDomain. This provides scripts that distribute
   information in a cluster to abort early with bothering an ACME
   server to validate a dns name that will not work. The common
   retry logic will make another attempt in the future, as with
   other failures.
   Fixed a bug when adding private key specs to an already working
   MDomain, see <https://github.com/icing/mod_md/issues/260>.

*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as \ 
if they
   had no hostname ("unix:/...").

*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
   run into an assertion which terminated (and restarted) the child process where
   the task was running. Eventually, all OCSP responses were collected, but not
   in the way that things are supposed to work.
   See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
   The bug was possibly triggered when more than one OCSP status needed updating
   at the same time. For example for several renewed certificates after a server
   reload.

*) mod_rewrite: Fix UDS ("unix:") scheme for

*) event mpm: Correctly count active child processes in parent process if
   child process dies due to MaxConnectionsPerChild.

*) mod_http2: when a server is restarted gracefully, any idle h2 worker
   threads are shut down immediately.
   Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
   Adds all other, never proposed code changes to make a clean
   sync of http2 sources.

*) mod_dav: Correctly handle errors returned by dav providers on REPORT
   requests.

*) core: do not install core input/output filters on secondary
   connections.

*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
   and use it to prevent that failures in running the pre_connection
   hook cause crashes afterwards.

*) mod_speling: Add CheckBasenameMatch.

Log message:
revbump for boost-libs

Log message:
apache24: Support GCC >= 10.

Log message:
apache24: updated to 2.4.49

Changes with Apache 2.4.49

*) SECURITY: CVE-2021-40438 (cve.mitre.org)
   mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]

*) SECURITY: CVE-2021-39275 (cve.mitre.org)
   core: ap_escape_quotes buffer overflow

*) SECURITY: CVE-2021-36160 (cve.mitre.org)
   mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]

*) SECURITY: CVE-2021-34798 (cve.mitre.org)
   core: null pointer dereference on malformed request

*) SECURITY: CVE-2021-33193 (cve.mitre.org)
   mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]

*) core/mod_proxy/mod_ssl:
   Adding `outgoing` flag to conn_rec, indicating a connection is
   initiated by the server to somewhere, in contrast to incoming
   connections from clients.
   Adding 'ap_ssl_bind_outgoing()` function that marks a connection
   as outgoing and is used by mod_proxy instead of the previous
   optional function `ssl_engine_set`. This enables other SSL
   module to secure proxy connections.
   The optional functions `ssl_engine_set`, `ssl_engine_disable` and
   `ssl_proxy_enable` are now provided by the core to have backward
   compatibility with non-httpd modules that might use them. mod_ssl
   itself no longer registers these functions, but keeps them in its
   header for backward compatibility.
   The core provided optional function wrap any registered function
   like it was done for `ssl_is_ssl`.
   [Stefan Eissing]

*) mod_ssl: Support logging private key material for use with
   wireshark via log file given by SSLKEYLOGFILE environment
   variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]

*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
   "ProxyPassInterpolateEnv On" are configured.  PR 65549.
   [Joel Self <joelself gmail.com>]

*) mpm_event: Fix children processes possibly not stopped on graceful
   restart.  PR 63169.  [Joel Self <joelself gmail.com>]

*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
   protocols from mod_proxy_http, and a timeout triggering falsely when
   using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
   upgrade= setting.  PRs 65521 and 65519.  [Yann Ylavic]

*) mod_unique_id: Reduce the time window where duplicates may be generated
   PR 65159
   [Christophe Jaillet]

*) mpm_prefork: Block signals for child_init hooks to prevent potential
   threads created from there to catch MPM's signals.
   [Ruediger Pluem, Yann Ylavic]

*) Revert "mod_unique_id: Fix potential duplicated ID generation under \ 
heavy load.
   PR 65159" added in 2.4.47.
   This causes issue on Windows.
   [Christophe Jaillet]

*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.  [Yann Ylavic]

*) mod_md: Certificate/keys pairs are verified as matching before a renewal is \ 
accepted
   as successful or a staged renewal is replacing the existing certificates.
   This avoid potential mess ups in the md store file system to render the active
   certificates non-working. [@mkauf]

*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
   [Yann Ylavic]

*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
   connections. If ALPN protocols are provided and sent to the
   remote server, the received protocol selected is inspected
   and checked for a match. Without match, the peer handshake
   fails.
   An exception is the proposal of "http/1.1" where it is
   accepted if the remote server did not answer ALPN with
   a selected protocol. This accomodates for hosts that do
   not observe/support ALPN and speak http/1.x be default.

*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
   with others when their URLs contain a '$' substitution.  PR 65419 + 65429.
   [Yann Ylavic]

*) mod_dav: Add method_precondition hook. WebDAV extensions define
   conditions that must exist before a WebDAV method can be executed.
   This hook allows a WebDAV extension to verify these preconditions.
   [Graham Leggett]

*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
   modules apart from versioning implementations to handle the REPORT method.
   [Graham Leggett]

*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
   dav_get_resource() to mod_dav.h. [Graham Leggett]

*) core: fix ap_escape_quotes substitution logic. [Eric Covener]

*) Easy patches: synch 2.4.x and trunk
   - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
   - mod_ldap: log and abort locking errors.
   - mod_ldap: style fix for r1831165
   - mod_ldap: build break fix for r1831165
   - mod_deflate: Avoid hard-coded "%ld" format strings in \ 
mod_deflate's logging statements
   - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
   - mod_forensic: Follow up to r1856490: missing one mod_log_forensic \ 
test_char_table case.
   - mod_rewrite: Save a few cycles.
   - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
   - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
  [Christophe Jaillet]

*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
   stopping a child process. The additional `graceful` parameter allows
   registered hooks to free resources early during a graceful shutdown.
   [Yann Ylavic, Stefan Eissing]

*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
   balancer-manager, which can lead to a crash.  [Yann Ylavic]

*) mpm_event: Fix graceful stop/restart of children processes if connections
   are in lingering close for too long.  [Yann Ylavic]

*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
   server returned 2xx responses without content type. Reported by chuangwen.
   [chuangwen, Stefan Eissing]

*) mod_md:
   - Domain names in `<MDomain ...>` can now appear in quoted form.
   - Fixed a failure in ACME challenge selection that aborted further searches
     when the tls-alpn-01 method did not seem to be suitable.
   - Changed the tls-alpn-01 setup to only become unsuitable when none of the
     dns names showed support for a configured 'Protocols ... acme-tls/1'. This
     allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
   [Stefan Eissing]

*) Add CPING to health check logic. [Jean-Frederic Clere]

*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]

*) core, h2: common ap_parse_request_line() and ap_check_request_header()
   code. [Yann Ylavic]

*) core: Add StrictHostCheck to allow unconfigured hostnames to be
   rejected. [Eric Covener]

*) htcacheclean: Improve help messages.  [Christophe Jaillet]