2019-08-15 10:03:39 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
apache24: updated to 2.4.41
Changes with Apache 2.4.41
*) SECURITY: CVE-2019-10081 (cve.mitre.org)
mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
could lead to an overwrite of memory in the pushing request's pool,
leading to crashes. The memory copied is that of the configured push
link header values, not data supplied by the client.
*) SECURITY: CVE-2019-9517 (cve.mitre.org)
mod_http2: a malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections.
*) SECURITY: CVE-2019-10098 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
*) SECURITY: CVE-2019-10092 (cve.mitre.org)
Remove HTML-escaped URLs from canned error responses to prevent misleading
text/links being displayed via crafted links.
*) SECURITY: CVE-2019-10097 (cve.mitre.org)
mod_remoteip: Fix stack buffer overflow and NULL pointer dereference
when reading the PROXY protocol header.
*) SECURITY: CVE-2019-10082 (cve.mitre.org)
mod_http2: Using fuzzed network input, the http/2 session
handling could be made to read memory after being freed,
during connection shutdown.
*) mod_proxy_balancer: Improve balancer-manager protection against
XSS/XSRF attacks from trusted users.
*) mod_session: Introduce SessionExpiryUpdateInterval, which allows configuring
the session/cookie expiry's update interval.
*) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
*) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
configured for a domain managed by mod_md.
|
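The CVE-2019-10098 entry in the 2.4.41 changelog above says that PCRE_DOTALL is now set by default to avoid unpredictable matches and substitutions with encoded line breaks. The following is an added illustration, not code from the commit or from httpd: it models a RewriteRule-style pattern applied to the percent-decoded path (an assumption; our own sample pattern and paths) using Python's re module as a stand-in for PCRE, and shows how a rule meant to cover everything below a prefix silently stops matching once the path carries a decoded newline, unless DOTALL is set.

```python
import re
from urllib.parse import unquote

# Constructed RewriteRule-style pattern and substitution (our sample, not httpd's):
# the intent is that every path below /old/ is matched and rewritten to /new/.
PATTERN = r"^/old/(.*)$"
REPLACEMENT = r"/new/\1"


def decode_path(encoded_path: str) -> str:
    """Percent-decode the path once, so %0A becomes a real newline (assumption:
    the rule is applied to the decoded path, as in per-directory context)."""
    return unquote(encoded_path)


def rule_matches(pattern: str, encoded_path: str, dotall: bool) -> bool:
    """Return True if the pattern matches the decoded path. Without DOTALL, '.'
    does not match a newline, so '(.*)$' cannot reach the end of a path that
    contains an embedded line break and the rule silently fails to match."""
    flags = re.DOTALL if dotall else 0
    return re.search(pattern, decode_path(encoded_path), flags) is not None


def rewrite(pattern: str, replacement: str, encoded_path: str, dotall: bool) -> str:
    """Apply the substitution; the decoded path comes back unchanged on no match."""
    flags = re.DOTALL if dotall else 0
    return re.sub(pattern, replacement, decode_path(encoded_path), flags=flags)


def demo() -> dict:
    """Compare the pre-2.4.41 behaviour (no DOTALL) with the new default for a
    clean path and for one carrying an encoded line break; constructed inputs."""
    clean, with_crlf = "/old/report", "/old/report%0Aignored"
    return {
        "clean_no_dotall": rule_matches(PATTERN, clean, False),
        "crlf_no_dotall": rule_matches(PATTERN, with_crlf, False),
        "crlf_dotall": rule_matches(PATTERN, with_crlf, True),
        "sub_no_dotall": rewrite(PATTERN, REPLACEMENT, with_crlf, False),
        "sub_dotall": rewrite(PATTERN, REPLACEMENT, with_crlf, True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The same difference applies to any `.`-based pattern in a RewriteRule or RewriteCond, which is why the change is a default rather than a per-rule fix.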
2019-08-11 15:25:21 by Thomas Klausner | Files touched by this commit (3557)
Log message:
Bump PKGREVISIONs for perl 5.30.0
|
2019-07-22 12:34:22 by Jonathan Perkin | Files touched by this commit (1)
Log message:
apache24: Extend SunOS C99 compilers list to gcc-5.
Should fix PR#54385 from Hiroshi Hakoyama.
|
2019-07-01 06:08:55 by Ryo ONODERA | Files touched by this commit (669)
Log message:
Recursive revbump from boost-1.70.0
|
2019-06-07 13:26:20 by Thomas Merkel | Files touched by this commit (3)
Log message:
apache24: Add mod_brotli option
The mod_brotli module provides the BROTLI_COMPRESS output filter that
allows output from your server to be compressed using the brotli
compression format before being sent to the client over the network.
|
2019-05-23 21:23:24 by Roland Illig | Files touched by this commit (242)
Log message:
all: replace SUBST_SED with the simpler SUBST_VARS
pkglint -Wall -r --only "substitution command" -F
With manual review and indentation fixes since pkglint doesn't get that
part correct in every case.
|
2019-04-05 15:48:39 by Jonathan Perkin | Files touched by this commit (3)
Log message:
apache24: Make xml support optional, defaulting to on.
Allows mod_proxy_html to be supported again. Based on a pull request from
vec4f in joyent/pkgsrc#169.
|
2019-04-02 09:25:38 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
apache24: updated to 2.4.39
Changes with Apache 2.4.39
*) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
connection is recycled/reused to avoid a possible crash with some SSLProxy
configurations in <Location> or <Proxy> context.
*) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
*) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host
*) mod_socache_redis: Support for Redis as socache storage provider.
*) core: new configuration option 'MergeSlashes on|off' that controls handling of
multiple, consecutive slash ('/') characters in the path component of the request URL.
*) mod_http2: when SSL renegotiation is inhibited and a 403 ErrorDocument is
in play, the proper HTTP/2 stream reset did not trigger with H2_ERR_HTTP_1_1_REQUIRED.
*) mod_http2: new configuration directive: `H2Padding numbits` to control
padding of HTTP/2 payload frames. 'numbits' is a number from 0-8,
controlling the range of padding bytes added to a frame. The actual number
added is chosen randomly per frame. This applies to HEADERS, DATA and PUSH_PROMISE
frames equally. The default continues to be 0, e.g. no padding.
*) mod_http2: ripping out all the h2_req_engine internal features now that mod_proxy_http2
has no more need for it. Optional functions are still declared but no longer implemented.
While previous mod_proxy_http2 will work with this, it is recommended to run the matching
versions of both modules.
*) mod_proxy_http2: changed mod_proxy_http2 implementation and fixed several bugs which
resolve bug 63170. The proxy module now does a single h2 request on the (reused)
connection and returns.
*) mod_http2/mod_proxy_http2: proxy_http2 checks correct master connection aborted status
to trigger immediate shutdown of backend connections. This is now always signalled
by mod_http2 when the session is being released.
proxy_http2 now only sends a PING frame to the backend when there is not already one
in flight.
*) mod_proxy_http2: fixed an issue where a proxy_http2 handler entered an infinite
loop when encountering certain errors on the backend connection.
*) mod_http2: Configuration directives H2Push and H2Upgrade can now be specified per
Location/Directory, e.g. disabling PUSH for a specific set of resources.
*) mod_http2: HEAD requests to some modules such as mod_cgid caused the stream to
terminate improperly and cause an HTTP/2 PROTOCOL_ERROR.
*) http: Fix possible empty response with mod_ratelimit for HEAD requests.
*) mod_cache_socache: Avoid reallocations and be safe with outgoing data
lifetime.
*) MPMs unix: bind the bucket number of each child to its slot number, for a
more efficient per bucket maintenance.
*) mod_auth_digest: Fix a race condition. Authentication with valid
credentials could be refused in case of concurrent accesses from
different users.
*) mod_http2: enable re-use of slave connections again. Fixed slave connection
keepalives counter.
*) mod_reqtimeout: Allow configuring (TLS-)handshake timeouts.
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
*) mod_ssl: Don't unset FIPS mode on restart unless it's forced by
configuration (SSLFIPS on) and not active by default in OpenSSL.
|
2019-01-23 13:04:18 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
apache24: updated to 2.4.38
Changes with Apache 2.4.38
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused.
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data.
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later.
*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
AddLanguage behavior and HTTP specification.
*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
has been fixed.
*) mod_setenvif: We can have expressions that become true if a regex pattern
in the expression does NOT match. In this case val is NULL
and we should just set the value for the environment variable
like in the pattern case.
*) mod_session: Always decode session attributes early.
*) core: Incorrect values for environment variables are substituted when
multiple environment variables are specified in a directive.
*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
this type of map is present in the configuration.
*) mod_dav: Fix invalid Location header when a resource is created by
passing an absolute URI on the request line.
*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
*) mod_ssl: clear *SSL errors before loading certificates and checking
afterwards. Otherwise errors are reported when other SSL using modules
are in play.
*) mod_ssl: Fix the error code returned in an error path of
'ssl_io_filter_handshake()'. This messes up error handling performed
in 'ssl_io_filter_error()'.
*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
authz provider so "Require ssl" works correctly in HTTP/2.
*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
redirects, subsequent ProxyPassReverse statements, whether they are
relative or absolute, may fail.
*) mod_lua: Now marked as a stable module.
|
2018-12-13 20:52:27 by Adam Ciarcinski | Files touched by this commit (668)
Log message:
revbump for boost 1.69.0
|