Log message:
apache24: updated to 2.4.57

Changes with Apache 2.4.57

*) mod_proxy: Check before forwarding that a nocanon path has not been
   rewritten with spaces during processing.

*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
   double encode encoded slashes in the URL sent by the reverse proxy to the
   backend.

*) mod_http2: fixed a crash during connection termination.

*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
   in a question mark.

*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. \ 
Re-allow encoded
   characters on redirections without the "NE" flag.

*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
   to the origin server, when using mapping=encoded|servlet.

*) mod_mime: Do not match the extention against possible query string
   parameters in case ProxyPass was used with the nocanon option.

Log message:
apache24: updated to 2.4.56

Changes with Apache 2.4.56

*) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
   HTTP response splitting (cve.mitre.org)
   HTTP Response Smuggling vulnerability in Apache HTTP Server via
   mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
   2.4.30 through 2.4.55.
   Special characters in the origin response header can
   truncate/split the response forwarded to the client.
   Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

*) SECURITY: CVE-2023-25690: HTTP request splitting with
   mod_rewrite and mod_proxy (cve.mitre.org)
   Some mod_proxy configurations on Apache HTTP Server versions
   2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
   Configurations are affected when mod_proxy is enabled along with
   some form of RewriteRule
   or ProxyPassMatch in which a non-specific pattern matches
   some portion of the user-supplied request-target (URL) data and
   is then
   re-inserted into the proxied request-target using variable
   substitution. For example, something like:
   RewriteEngine on
   RewriteRule "^/here/(.*)" "
   http://example.com:8080/elsewhere?$1"
   http://example.com:8080/elsewhere ; [P]
   ProxyPassReverse /here/  http://example.com:8080/
   http://example.com:8080/
   Request splitting/smuggling could result in bypass of access
   controls in the proxy server, proxying unintended URLs to
   existing origin servers, and cache poisoning.
   Credits: Lars Krapf of Adobe

*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
   truncated without the initial logfile being truncated.  [Eric Covener]

*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
   allow connections of any age to be reused. Up to now, a negative value
   was handled as an error when parsing the configuration file.
   [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
   of headers. [Ruediger Pluem]

*) mod_md:
   - Enabling ED25519 support and certificate transparency information when
     building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
   - MDChallengeDns01 can now be configured for individual domains.
     Thanks to JĂŠrĂ´me Billiras (@bilhackmac) for the initial PR.
   - Fixed a bug found by JĂŠrĂ´me Billiras (@bilhackmac) that caused the \ 
challenge
     teardown not being invoked as it should.
   [Stefan Eissing]

*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
   reported in access logs and error documents. The processing of the
   reset was correct, only unneccesary reporting was caused.
   [Stefan Eissing]

*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
   [Yann Ylavic]

Log message:
apache24: updated to 2.4.55

Changes with Apache 2.4.55

  *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
     2.4.55 allows a backend to trigger HTTP response splitting
     (cve.mitre.org)
     Prior to Apache HTTP Server 2.4.55, a malicious backend can
     cause the response headers to be truncated early, resulting in
     some headers being incorporated into the response body. If the
     later headers have any security purpose, they will not be
     interpreted by the client.
     Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

  *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
     Possible request smuggling (cve.mitre.org)
     Inconsistent Interpretation of HTTP Requests ('HTTP Request
     Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
     allows an attacker to smuggle requests to the AJP server it
     forwards requests to.  This issue affects Apache HTTP Server
     Apache HTTP Server 2.4 version 2.4.54 and prior versions.
     Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
     at Qi'anxin Group

  *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
     of zero byte (cve.mitre.org)
     A carefully crafted If: request header can cause a memory read,
     or write of a single zero byte, in a pool (heap) memory location
     beyond the header value sent. This could cause the process to
     crash.
     This issue affects Apache HTTP Server 2.4.54 and earlier.

  *) mod_dav: Open the lock database read-only when possible.

  *) mod_proxy_http2: apply the standard httpd content type handling
     to responses from the backend, as other proxy modules do.

  *) mod_dav: mod_dav overrides dav_fs response on PUT failure.

  *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]

  *) mod_http2: version 2.0.10 of the module, synchronizing changes
     with the gitgub version. This is a partial rewrite of how connections
     and streams are handled.
     - an APR pollset and pipes (where supported) are used to monitor
       the main connection and react to IO for request/response handling.
       This replaces the stuttered timed waits of earlier versions.
     - H2SerializeHeaders directive still exists, but has no longer an effect.
     - Clients that seemingly misbehave still get less resources allocated,
       but ongoing requests are no longer disrupted.
     - Fixed an issue since 1.15.24 that "Server" headers in proxied \ 
requests
       were overwritten instead of preserved.
     - A regression in v1.15.24 was fixed that could lead to httpd child
       processes not being terminated on a graceful reload or when reaching
       MaxConnectionsPerChild. When unprocessed h2 requests were queued at
       the time, these could stall.
     - Improved information displayed in 'server-status' for H2 connections when
       Extended Status is enabled. Now one can see the last request that IO
       operations happened on and transferred IO stats are updated as well.
     - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 \ 
connection
       send a GOAWAY frame much too early on new connections, leading to invalid
       protocol state and a client failing the request.
       The module now initializes the HTTP/2 protocol correctly and allows the
       client to submit one request before the shutdown via a GOAWAY frame
       is being announced.
     - :scheme pseudo-header values, not matching the
       connection scheme, are forwarded via absolute uris to the
       http protocol processing to preserve semantics of the request.
       Checks on combinations of pseudo-headers values/absence
       have been added as described in RFC 7540. Fixes #230.
     - A bug that prevented trailers (e.g. HEADER frame at the end) to be
       generated in certain cases was fixed. See #233 where it prevented
       gRPC responses to be properly generated.
     - Request and response header values are automatically stripped of leading
       and trialing space/tab characters. This is equivalent behaviour to what
       Apache httpd's http/1.1 parser does.
       The checks for this in nghttp2 v1.50.0+ are disabled.
     - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
       on the v2.0.x versions for stability. Many thanks!
  *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
     request ':authority' is known. Improved test case that did not catch that
     the previous 'fix' was incorrect.

  *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
     using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

  *) mod_proxy: The AH03408 warning for a forcibly closed backend
     connection is now logged at INFO level.  [Yann Ylavic]

  *) mod_ssl: When dumping the configuration, the existence of
     certificate/key files is no longer tested.  [Joe Orton]

  *) mod_authn_core: Add expression support to AuthName and AuthType.
     [Graham Leggett]

  *) mod_ssl: when a proxy connection had handled a request using SSL, an
     error was logged when "SSLProxyEngine" was only configured in the
     location/proxy section and not the overall server. The connection
     continued to work, the error log was in error.

  *) mod_proxy_hcheck: Re-enable workers in standard ERROR state.

  *) mod_proxy_hcheck: Detect AJP/CPING support correctly.

  *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

  *) mod_md: a new directive `MDStoreLocks` can be used on cluster
     setups with a shared file system for `MDStoreDir` to order
     activation of renewed certificates when several cluster nodes are
     restarted at the same time. Store locks are not enabled by default.
     Restored curl_easy cleanup behaviour from v2.4.14 and refactored
     the use of curl_multi for OCSP requests to work with that.
     Fixes <https://github.com/icing/mod_md/issues/293>.

  *) core: Avoid an overflow on large inputs in ap_is_matchexp.

  *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
     storage instead of slotmem. Needed after setting
     HeartbeatMaxServers default to the documented value 10 in 2.4.54.

  *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
     This is a game changer for performances if client use PROPFIND a lot.

Log message:
massive revision bump after textproc/icu update

Log message:
*: bump PKGREVISION for libunistring shlib major bump

Log message:
*: recursive bump for perl 5.36

Log message:
apache24: updated to 2.4.54

Changes with Apache 2.4.54

*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
   hop-by-hop mechanism (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may not send the
   X-Forwarded-* headers to the origin server based on client side
   Connection header hop-by-hop mechanism.
   This may be used to bypass IP based authentication on the origin
   server/application.
   Credits: The Apache HTTP Server project would like to thank
   Gaetan Ferry (Synacktiv) for reporting this issue

*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
   websockets (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may return lengths to
   applications calling r:wsread() that point past the end of the
   storage allocated for the buffer.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-30522: mod_sed denial of service
   (cve.mitre.org)
   If Apache HTTP Server 2.4.53 is configured to do transformations
   with mod_sed in contexts where the input to mod_sed may be very
   large, mod_sed may make excessively large memory allocations and
   trigger an abort.
   Credits: This issue was found by Brian Moussalli from the JFrog
   Security Research team

*) SECURITY: CVE-2022-29404: Denial of service in mod_lua
   r:parsebody (cve.mitre.org)
   In Apache HTTP Server 2.4.53 and earlier, a malicious request to
   a lua script that calls r:parsebody(0) may cause a denial of
   service due to no default limit on possible input size.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28615: Read beyond bounds in
   ap_strcmp_match() (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier may crash or disclose
   information due to a read beyond bounds in ap_strcmp_match()
   when provided with an extremely large input buffer.  While no
   code distributed with the server can be coerced into such a
   call, third-party modules or lua scripts that use
   ap_strcmp_match() may hypothetically be affected.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
   (cve.mitre.org)
   The ap_rwrite() function in Apache HTTP Server 2.4.53 and
   earlier may read unintended memory if an attacker can cause the
   server to reflect very large input using ap_rwrite() or
   ap_rputs(), such as with mod_luas r:puts() function.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
   (cve.mitre.org)
   Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
   bounds when configured to process requests with the mod_isapi
   module.
   Credits: The Apache HTTP Server project would like to thank
   Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
   smuggling (cve.mitre.org)
   Inconsistent Interpretation of HTTP Requests ('HTTP Request
   Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
   allows an attacker to smuggle requests to the AJP server it
   forwards requests to.  This issue affects Apache HTTP Server
   Apache HTTP Server 2.4 version 2.4.53 and prior versions.
   Credits: Ricter Z @ 360 Noah Lab

*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

*) mod_md:  a bug was fixed that caused very large MDomains
   with the combined DNS names exceeding ~7k to fail, as
   request bodies would contain partially wrong data from
   uninitialized memory. This would have appeared as failure
   in signing-up/renewing such configurations.

*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.

*) MPM event: Restart children processes killed before idle maintenance.

*) ab: Allow for TLSv1.3 when the SSL library supports it.

*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
   transmission delays.

*) MPM event: Fix accounting of active/total processes on ungraceful restart,

*) core: make ap_escape_quotes() work correctly on strings
   with more than MAX_INT/2 characters, counting quotes double.
   Credit to <generalbugs@zippenhop.com> for finding this.

*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
   an ACME CA. This gives a failover for renewals when several consecutive attempts
   to get a certificate failed.
   A new directive was added: `MDRetryDelay` sets the delay of retries.
   A new directive was added: `MDRetryFailover` sets the number of errored
   attempts before an alternate CA is selected for certificate renewals.

*) mod_http2: remove unused and insecure code.

*) mod_proxy: Add backend port to log messages to
   ease identification of involved service.

*) mod_http2: removing unscheduling of ongoing tasks when
   connection shows potential abuse by a client. This proved
   counter-productive and the abuse detection can false flag
   requests using server-side-events.
   Fixes <https://github.com/icing/mod_h2/issues/231>.

*) mod_md: Implement full auto status ("key: value" type status output).
   Especially not only status summary counts for certificates and
   OCSP stapling but also lists. Auto status format is similar to
   what was used for mod_proxy_balancer.

*) mod_md: fixed a bug leading to failed transfers for OCSP
   stapling information when more than 6 certificates needed
   updates in the same run.

*) mod_proxy: Set a status code of 502 in case the backend just closed the
   connection in reply to our forwarded request.

*) mod_md: a possible NULL pointer deref was fixed in
   the JSON code for persisting time periods (start+end).
   Fixes #282 on mod_md's github.
   Thanks to @marcstern for finding this.

*) mod_heartmonitor: Set the documented default value
   "10" for HeartbeatMaxServers instead of "0". With \ 
"0"
   no shared memory slotmem was initialized.

*) mod_md: added support for managing certificates via a
   local tailscale daemon for users of that secure networking.
   This gives trusted certificates for tailscale assigned
   domain names in the *.ts.net space.

Log message:
revbump for textproc/icu update

Log message:
apache24: updated to 2.4.53

Changes with Apache 2.4.53

*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
   (cve.mitre.org)
   Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
   Server allows an attacker to overwrite heap memory with possibly
   attacker provided data.
   This issue affects Apache HTTP Server 2.4 version 2.4.52 and
   prior versions.

*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
   very large or unlimited LimitXMLRequestBody (cve.mitre.org)
   If LimitXMLRequestBody is set to allow request bodies larger
   than 350MB (defaults to 1M) on 32 bit systems an integer
   overflow happens which later causes out of bounds writes.
   This issue affects Apache HTTP Server 2.4.52 and earlier.
   Credits: Anonymous working with Trend Micro Zero Day Initiative

*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
   in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
   Apache HTTP Server 2.4.52 and earlier fails to close inbound
   connection when errors are encountered discarding the request
   body, exposing the server to HTTP Request Smuggling

*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
   in r:parsebody (cve.mitre.org)
   A carefully crafted request body can cause a read to a random
   memory area which could cause the process to crash.
   This issue affects Apache HTTP Server 2.4.52 and earlier.

*) core: Make sure and check that LimitXMLRequestBody fits in system memory.

*) core: Simpler connection close logic if discarding the request body fails.

*) mod_http2: preserve the port number given in a HTTP/1.1
   request that was Upgraded to HTTP/2.

*) mod_proxy: Allow for larger worker name.

*) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
   an attempt to load a dbm driver fails, log clearly which driver triggered
   the error (not "default"), and what the error was.

*) mod_proxy: Use the maxium of front end and backend timeouts instead of the
   minimum when tunneling requests (websockets, CONNECT requests).
   Backend timeouts can be configured more selectively (per worker if needed)
   as front end timeouts and typically the backend timeouts reflect the
   application requirements better.

*) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
   when an efficient TLS implementation is available.

*) core, mod_info: Add compiled and loaded PCRE versions to version
   number display.

*) mod_md: do not interfere with requests to /.well-known/acme-challenge/
   resources if challenge type 'http-01' is not configured for a domain.
   Fixes <https://github.com/icing/mod_md/issues/279>.

*) mod_dav: Fix regression when gathering properties which could lead to huge
   memory consumption proportional to the number of resources.

*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
   for regular expression evaluation. This depends on locating pcre2-config.

*) Add the ldap function to the expression API, allowing LDAP filters and
   distinguished names based on expressions to be escaped correctly to
   guard against LDAP injection.

*) mod_md: the status description in MDomain's JSON, exposed in the
   md-status handler (if configured) did sometimes not carry the correct
   message when certificates needed renew.

*) mpm_event: Fix a possible listener deadlock on heavy load when restarting
   and/or reaching MaxConnectionsPerChild.

Log message:
apache24: updated to 2.4.52

Changes with Apache 2.4.52

*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
   multipart content in mod_lua of Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A carefully crafted request body can cause a buffer overflow in
   the mod_lua multipart parser (r:parsebody() called from Lua
   scripts).
   The Apache httpd team is not aware of an exploit for the
   vulnerabilty though it might be possible to craft one.
   This issue affects Apache HTTP Server 2.4.51 and earlier.
   Credits: Chamal

*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
   forward proxy configurations in Apache HTTP Server 2.4.51 and
   earlier (cve.mitre.org)
   A crafted URI sent to httpd configured as a forward proxy
   (ProxyRequests on) can cause a crash (NULL pointer dereference)
   or, for configurations mixing forward and reverse proxy
   declarations, can allow for requests to be directed to a
   declared Unix Domain Socket endpoint (Server Side Request
   Forgery).
   This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
   (included).
   Credits: 漂亮éź
   TengMA(@Te3t123)

*) http: Enforce that fully qualified uri-paths not to be forward-proxied
   have an http(s) scheme, and that the ones to be forward proxied have a
   hostname, per HTTP specifications.

*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
   specified openssl path.

*) mod_proxy_connect, mod_proxy: Do not change the status code after we
   already sent it to the client.

*) mod_http: Correctly sent a 100 Continue status code when sending an interim
   response as result of an Expect: 100-Continue in the request and not the
   current status code of the request.

*) mod_dav: Some DAV extensions, like CalDAV, specify both document
   elements and property elements that need to be taken into account
   when generating a property. The document element and property element
   are made available in the dav_liveprop_elem structure by calling
   dav_get_liveprop_element().

*) mod_dav: Add utility functions dav_validate_root_ns(),
   dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
   dav_find_attr() so that other modules get to play too.

*) mpm_event: Restart stopping of idle children after a load peak.

*) mod_http2: fixes 2 regressions in server limit handling.
   1. When reaching server limits, such as MaxRequestsPerChild, the
      HTTP/2 connection send a GOAWAY frame much too early on new
      connections, leading to invalid protocol state and a client
      failing the request.
      The module now initializes the HTTP/2 protocol correctly and
      allows the client to submit one request before the shutdown
      via a GOAWAY frame is being announced.
   2. A regression in v1.15.24 was fixed that could lead to httpd
      child processes not being terminated on a graceful reload or
      when reaching MaxConnectionsPerChild. When unprocessed h2
      requests were queued at the time, these could stall.
      See <https://github.com/icing/mod_h2/issues/212>.

*) mod_ssl: Add build support for OpenSSL v3.

*) mod_proxy_connect: Honor the smallest of the backend or client timeout
   while tunneling.

*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
   half-close forwarding when tunneling protocols.

*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
   a third-party module.

*) mod_md: Fix memory leak in case of failures to load the private key.

*) mod_md: adding v2.4.8 with the following changes
  - Added support for ACME External Account Binding (EAB).
    Use the new directive `MDExternalAccountBinding` to provide the
    server with the value for key identifier and hmac as provided by
    your CA.
    While working on some servers, EAB handling is not uniform
    across CAs. First tests with a Sectigo Certificate Manager in
    demo mode are successful. But ZeroSSL, for example, seems to
    regard EAB values as a one-time-use-only thing, which makes them
    fail if you create a seconde account or retry the creation of the
    first account with the same EAB.
  - The directive 'MDCertificateAuthority' now checks if its parameter
    is a http/https url or one of a set of known names. Those are
    'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
    for now and they are not case-sensitive.
    The default of LetsEncrypt is unchanged.
  - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
    section.
  - Treating 401 HTTP status codes for orders like 403, since some ACME
    servers seem to prefer that for accessing oders from other accounts.
  - When retrieving certificate chains, try to read the repsonse even
    if the HTTP Content-Type is unrecognized.
  - Fixed a bug that reset the error counter of a certificate renewal
    and prevented the increasing delays in further attempts.
  - Fixed the renewal process giving up every time on an already existing
    order with some invalid domains. Now, if such are seen in a previous
    order, a new order is created for a clean start over again.
    See <https://github.com/icing/mod_md/issues/268>
  - Fixed a mixup in md-status handler when static certificate files
    and renewal was configured at the same time.

*) mod_md: values for External Account Binding (EAB) can
   now also be configured to be read from a separate JSON
   file. This allows to keep server configuration permissions
   world readable without exposing secrets.

*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.