Log message:
apache24: updated to 2.4.63

Changes with Apache 2.4.63

*) mod_dav: Update redirect-carefully example BrowserMatch config
   to match more recent client versions.

*) mod_cache_socache: Fix possible crash on error path.

*) mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.

*) mod_md: update to version 2.4.31
   - Improved error reporting when waiting for ACME server to verify domains
     or finalizing the order fails, e.g. times out.
   - Increasing the timeouts to wait for ACME server to verify domain names
     and issue the certificate from 30 seconds to 5 minutes.
   - Change a log level from error to debug when Stapling is enabled but a
     certificate carries no OCSP responder URL.

*) mod_proxy_balancer: Fix the handling of the stickysession configuration
   parameter by the balancer manager.

*) Add the ldap-search option to mod_authnz_ldap, allowing authorization
   to be based on arbitrary expressions that do not include the username.
   Make sure that when ldap searches are too long, we explicitly log the
   error.

*) mod_proxy: Honor parameters of ProxyPassMatch workers with substitution
   in the host name or port.

*) mod_log_config: Fix merging for the "LogFormat" directive.

*) mod_lua: Make r.ap_auth_type writable.

*) mod_md: update to version 2.4.29
   - Fixed HTTP-01 challenges to not carry a final newline, as some ACME
     server fail to ignore it.
   - Fixed missing label+newline in server-status plain text output when
     MDStapling is enabled.

*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
   without "SSLCryptoDevice" configured.

*) mod_authnz_ldap: Fix possible memory corruption if the
   AuthLDAPSubGroupAttribute directive is configured.

*) mod_proxy_fcgi: Don't re-encode SCRIPT_FILENAME when set via SetHandler.

*) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten
   including "unix:" ones.

*) mod_rewrite: Error out in case a RewriteRule in directory context uses the
   proxy, but mod_proxy is not loaded.

*) http: Remove support for Request-Range header sent by Navigator 2-3 and
   MSIE 3.

*) mod_rewrite: Don't require
   added by applying the perdir prefix to the substitution.

*) Windows: Restore the ability to "Include" configuration files on UNC
   paths.

*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
   in <Location> (incomplete fix in 2.4.62).

*) mod_md: update to version 2.4.28
   - When the server starts, it looks for new, staged certificates to
     activate. If the staged set of files in 'md/staging/<domain>' is messed
     up, this could prevent further renewals to happen. Now, when the staging
     set is present, but could not be activated due to an error, purge the
     whole directory.
   - Fix certificate retrieval on ACME renewal to not require a 'Location:'
     header returned by the ACME CA. This was the way it was done in ACME
     before it became an IETF standard. Let's Encrypt still supports this,
     but other CAs do not.
   - Restore compatibility with OpenSSL < 1.1.

*) mod_tls: removed the experimental module. It now is availble standalone
   from https://github.com/icing/mod_tls. The rustls provided API is not
   stable and does not align with the httpd release cycle.

*) mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F.

*) mod_http2: Return connection monitoring to the event MPM when blocking
   on client updates.

Log message:
*: recursive bump for icu 76 shlib major version bump

Log message:
*: revbump for icu downgrade

Log message:
*: recursive bump for icu 76.1 shlib bump

Log message:
apache: update to 2.4.62.

Changes with Apache 2.4.62

  *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
     "balancer:" URLs set via SetHandler, also allowing for \ 
"unix:" sockets
     with BalancerMember(s).  [Yann Ylavic]

  *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
     [Yann Ylavic]

  *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
     [Joe Orton]

  *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
     via OpenSSL 3.x providers.  [Ingo Franzki <ifranzki linux.ibm.com>]

  *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
     [Ruediger Pluem, Yann Ylavic]

  *) mpm_worker: Fix possible warning (AH00045) about children processes not
     terminating timely.  [Yann Ylavic]

Log message:
www/apache24: update to 2.4.61

Apache HTTP Server 2.4.61 contains one security fix.

Fixed in Apache HTTP Server 2.4.61

important: Apache HTTP Server: source code disclosure with handlers configured \ 
via AddType (CVE-2024-39884)

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of
the legacy content-type based configuration of handlers.  "AddType" and
similar configuration, under some circumstances where files are requested
indirectly, result in source code disclosure of local content.  For example,
PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Reported to security team	2024-07-01
Update 2.4.61 released		2024-07-03
Affects				2.4.60

Log message:
apache24: updated to 2.4.60

Changes with Apache 2.4.60

*) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
   handler substitution (cve.mitre.org)
   Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
   earlier allows an attacker to cause unsafe RewriteRules to
   unexpectedly setup URL's to be handled by mod_proxy.
   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
   Denial of Service in mod_proxy via a malicious request
   (cve.mitre.org)
   null pointer dereference in mod_proxy in Apache HTTP Server
   2.4.59 and earlier allows an attacker to crash the server via a
   malicious request.
   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-38476: Apache HTTP Server may use
   exploitable/malicious backend application output to run local
   handlers via internal redirect (cve.mitre.org)
   Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
   are vulnerably to information disclosure, SSRF or local script
   execution via backend applications whose response headers are
   malicious or exploitable.

   Note: Some legacy uses of the 'AddType' directive to connect a
   request to a handler must be ported to 'SetHandler' after this fix.

   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
   mod_rewrite when first segment of substitution matches
   filesystem path. (cve.mitre.org)
   Improper escaping of output in mod_rewrite in Apache HTTP Server
   2.4.59 and earlier allows an attacker to map URLs to filesystem
   locations that are permitted to be served by the server but are
   not intentionally/directly reachable by any URL, resulting in
   code execution or source code disclosure.
   Substitutions in server context that use a backreferences or
   variables as the first segment of the substitution are affected.
   Some unsafe RewiteRules will be broken by this change and the
   rewrite flag "UnsafePrefixStat" can be used to opt back in once
   ensuring the substitution is appropriately constrained.
   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
   encoded question marks in backreferences (cve.mitre.org)
   Substitution encoding issue in mod_rewrite in Apache HTTP Server
   2.4.59 and earlier allows attacker to execute scripts in
   directories permitted by the configuration but not directly
   reachable by any URL or source disclosure of scripts meant to
   only to be executed as CGI.

   Note: Some RewriteRules that capture and substitute unsafely will now
   fail unless rewrite flag "UnsafeAllow3F" is specified.

   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
   problem (cve.mitre.org)
   Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
   earlier allows request URLs with incorrect encoding to be sent
   to backend services, potentially bypassing authentication via
   crafted requests.
   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
   (cve.mitre.org)
   SSRF in Apache HTTP Server on Windows allows to potentially leak
   NTML hashes to a malicious server via SSRF and malicious
   requests or content

   Note: Existing configurations that access UNC paths
   will have to configure new directive "UNCList" to allow access
   during request processing.

   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
   pointer in websocket over HTTP/2 (cve.mitre.org)
   Serving WebSocket protocol upgrades over a HTTP/2 connection
   could result in a Null Pointer dereference, leading to a crash
   of the server process, degrading performance.
   Credits: Marc Stern (<marc.stern approach.be>)

*) mod_proxy: Fix DNS requests and connections closed before the
   configured addressTTL.

*) core: On Linux, log the real thread ID in error logs.  [Joe Orton]

*) core: Support zone/scope in IPv6 link-local addresses in Listen and
   VirtualHost directives (requires APR 1.7.x or later).
   [Joe Orton]

*) mod_ssl: Reject client-initiated renegotiation with a TLS alert
   (rather than connection closure).  [Joe Orton, Yann Ylavic]

*) Updated mime.types.  [Mohamed Akram <mohd.akram outlook.com>,
   Adam Silverstein <adamsilverstein earthboundhosting.com>]

*) mod_ssl: Fix a regression that causes the default DH parameters for a key
   no longer set and thus effectively disabling DH ciphers when no explicit
   DH parameters are set.

*) mod_cgid: Optional support for file descriptor passing, fixing
   error log handling (configure --enable-cgid-fdpassing) on Unix
   platforms.

*) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
   error logs.

*) mod_tls: update version of rustls-ffi to v0.13.0.
   [Daniel McCarney (@cpu}]

*) mod_md:
   - Using OCSP stapling information to trigger certificate renewals. Proposed
     by @frasertweedale.
   - Added directive `MDCheckInterval` to control how often the server checks
     for detected revocations. Added proposals for configurations in the
     README.md chapter "Revocations".
   - OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
     allowed in RFC 6960. Treat those as having an update interval of 12 hours.
     Added by @frasertweedale.
   - Adapt OpenSSL usage to changes in their API. By Yann Ylavic.

Log message:
revbump after icu and protobuf updates

Log message:
*: recursive bump for gnutls p11-kit option

(existing installations need the bl3.mk included, but it's now only
optionally included)

Log message:
apache24: updated to 2.4.59

Changes with Apache 2.4.59

*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
   memory exhaustion on endless continuation frames (cve.mitre.org)
   HTTP/2 incoming headers exceeding the limit are temporarily
   buffered in nghttp2 in order to generate an informative HTTP 413
   response. If a client does not stop sending headers, this leads
   to memory exhaustion.
   Credits: Bartek Nowotarski (https://nowotarski.info/)

*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
   Splitting in multiple modules (cve.mitre.org)
   HTTP Response splitting in multiple modules in Apache HTTP
   Server allows an attacker that can inject malicious response
   headers into backend applications to cause an HTTP
   desynchronization attack.
   Users are recommended to upgrade to version 2.4.59, which fixes
   this issue.
   Credits: Keran Mu, Tsinghua University and Zhongguancun
   Laboratory.

*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
   splitting (cve.mitre.org)
   Faulty input validation in the core of Apache allows malicious
   or exploitable backend/content generators to split HTTP
   responses.
   This issue affects Apache HTTP Server: through 2.4.58.
   Credits: Orange Tsai (@orange_8361) from DEVCORE

*) mod_deflate: Fixes and better logging for handling various
   error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton,
   Eric Norris <enorris etsy.com>]

*) Add CGIScriptTimeout to mod_cgi. [Eric Covener]

*) mod_xml2enc: Tolerate libxml2 2.12.0 and later.
   [ttachi <tachihara AT hotmail.com>]

*) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
   [Jean-Frederic Clere]

*) mod_ssl: Use OpenSSL-standard functions to assemble CA
   name lists for SSLCACertificatePath/SSLCADNRequestPath.
   Names will now be consistently sorted.
   [Joe Orton]

*) mod_xml2enc: Update check to accept any text/ media type
   or any XML media type per RFC 7303, avoiding
   corruption of Microsoft OOXML formats.
   [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]

*) mod_http2: v2.0.26 with the following fixes:
   - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
     <https://github.com/icing/mod_h2/issues/272>.
   - Fixed small memory leak in h2 header bucket free. Thanks to
     Michael Kaufmann for finding this and providing the fix.

*) htcacheclean: In -a/-A mode, list all files per subdirectory
   rather than only one.
   [Artem Egorenkov <aegorenkov.91 gmail.com>]

*) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
   which include CA certificates; those CA certs are treated as if
   configured with SSLProxyMachineCertificateChainFile.  [Joe Orton]

*) htpasswd, htdbm, dbmmanage: Update help&docs to refer to
   "hashing", rather than "encrypting" passwords.
   [Michele Preziuso <mpreziuso kaosdynamics.com>]

*) mod_ssl: Fix build with LibreSSL 2.0.7+.
   [Giovanni Bechis, Yann Ylavic]

*) htpasswd: Add support for passwords using SHA-2.  [Joe Orton,
   Yann Ylavic]

*) core: Allow mod_env to override system environment vars. [Joe Orton]

*) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an
   operation which removes a directory/file between apr_dir_read() and
   apr_stat(). Current behaviour is to abort the connection which seems
   inferior to tolerating (and logging) the error. [Joe Orton]

*) mod_ldap: HTML-escape data in the ldap-status handler.
   [Eric Covener, Chamal De Silva]

*) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set.
   Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available,
   notably with OpenSSL >= 3.  [Yann Ylavic, Joe Orton]

*) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about
   deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting
   to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice).
   [Yann Ylavic]

*) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]

*) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
   some dollar substitution (backreference) happens in the hostname or port
   part of the URL.  [Yann Ylavic]

*) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend
   systems are cached. [Yann Ylavic]

*) mod_proxy: Add optional third argument for ProxyRemote, which
   configures Basic authentication credentials to pass to the remote
   proxy.