Log Message:
Pullup ticket #5903 - requested by taca
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile                                         1.76
- www/apache24/distinfo                                         1.39

---
   Module Name:	pkgsrc
   Committed By:	adam
   Date:		Wed Jan 23 12:04:18 UTC 2019

   Modified Files:
   	pkgsrc/www/apache24: Makefile distinfo

   Log Message:
   apache24: updated to 2.4.38

   Changes with Apache 2.4.38
   *) SECURITY: CVE-2018-17199 (cve.mitre.org)
      mod_session: mod_session_cookie does not respect expiry time allowing
      sessions to be reused.
   *) SECURITY: CVE-2018-17189 (cve.mitre.org)
      mod_http2: fixes a DoS attack vector. By sending slow request bodies
      to resources not consuming them, httpd cleanup code occupies a server
      thread unnecessarily. This was changed to an immediate stream reset
      which discards all stream state and incoming data.
   *) SECURITY: CVE-2019-0190 (cve.mitre.org)
      mod_ssl: Fix infinite loop triggered by a client-initiated
      renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
      later.
   *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
   *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
      AddLanguage behavior and HTTP specification.
   *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
      have been fixed.
   *) mod_setenvif: We can have expressions that become true if a regex pattern
      in the expression does NOT match. In this case val is NULL
      and we should just set the value for the environment variable
      like in the pattern case.
   *) mod_session: Always decode session attributes early.
   *) core: Incorrect values for environment variables are substituted when
      multiple environment variables are specified in a directive.
   *) mod_rewrite: Only create the global mutex used by "RewriteMap \ 
prg:" when
      this type of map is present in the configuration.
   *) mod_dav: Fix invalid Location header when a resource is created by
      passing an absolute URI on the request line
   *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
   *) mod_ssl: clear *SSL errors before loading certificates and checking
      afterwards. Otherwise errors are reported when other SSL using modules
      are in play.
   *) mod_ssl: Fix the error code returned in an error path of
      'ssl_io_filter_handshake()'. This messes-up error handling performed
      in 'ssl_io_filter_error()'
   *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
      authz provider so "Require ssl" works correctly in HTTP/2.
   *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
      redirects, subsequent ProxyPassReverse statements, whether they are
      relative or absolute, may fail.
   *) mod_lua: Now marked as a stable module