---
- branch: MAIN
  date: Mon Jan 16 14:34:42 UTC 2017
  files:
  - new: '1.111'
    old: '1.110'
    path: pkgsrc/www/apache22/Makefile
    pathrev: pkgsrc/www/apache22/Makefile@1.111
    type: modified
  - new: '1.66'
    old: '1.65'
    path: pkgsrc/www/apache22/distinfo
    pathrev: pkgsrc/www/apache22/distinfo@1.66
    type: modified
  - new: '0'
    old: '1.1'
    path: pkgsrc/www/apache22/patches/patch-include_ap_mmn.h
    pathrev: pkgsrc/www/apache22/patches/patch-include_ap_mmn.h@0
    type: deleted
  - new: '0'
    old: '1.1'
    path: pkgsrc/www/apache22/patches/patch-modules_proxy_mod_proxy.h
    pathrev: pkgsrc/www/apache22/patches/patch-modules_proxy_mod_proxy.h@0
    type: deleted
  - new: '0'
    old: '1.1'
    path: pkgsrc/www/apache22/patches/patch-modules_proxy_proxy_util.c
    pathrev: pkgsrc/www/apache22/patches/patch-modules_proxy_proxy_util.c@0
    type: deleted
  - new: '0'
    old: '1.1'
    path: pkgsrc/www/apache22/patches/patch-server_util__script.c
    pathrev: pkgsrc/www/apache22/patches/patch-server_util__script.c@0
    type: deleted
  - new: '0'
    old: '1.3'
    path: pkgsrc/www/apache22/patches/patch-modules_proxy_mod_proxy.c
    pathrev: pkgsrc/www/apache22/patches/patch-modules_proxy_mod_proxy.c@0
    type: deleted
  id: 20170116T143442Z.a133d205448fb7cd647f54a8504b2a1c0974bcaf
  log: |
    Changes with Apache 2.2.32

    *) SECURITY: CVE-2016-8743 (cve.mitre.org)
       Enforce HTTP request grammar corresponding to RFC7230 for request
       lines and request headers, to prevent response splitting and cache
       pollution by malicious clients or downstream proxies.
    *) Validate HTTP response header grammar defined by RFC7230, resulting
       in a 500 error in the event that invalid response header contents
       are detected when serving the response, to avoid response splitting
       and cache pollution by malicious clients, upstream servers or
       faulty modules.
    *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
    *) core: Avoid a possible truncation of the faulty header included in
       the HTML response when LimitRequestFieldSize is reached.
    *) core: Enforce LimitRequestFieldSize after multiple headers with the
       same name have been merged.
    *) core: Drop Content-Length header and message-body from HTTP 204
       responses.
    *) core: Permit unencoded ';' characters to appear in proxy requests
       and Location: response headers. Corresponds to modern browser
       behavior.
    *) core: ap_rgetline_core now pulls from r->proto_input_filters.
    *) core: Correctly parse an IPv6 literal host specification in an
       absolute URL in the request line.
    *) core: New directive RegisterHttpMethod for registering non-standard
       HTTP methods.
    *) core: Limit to ten the number of tolerated empty lines between
       requests.
    *) core: reject NULLs in request line or request headers.
    *) mod_proxy: Use the correct server name for SNI in case the backend
       SSL connection itself is established via a proxy server.
    *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
       directives.
    *) mod_ssl: Support compilation against libssl built with
       OPENSSL_NO_SSL3.
    *) mod_proxy: Correctly consider error response codes by the backend
       when processing failonstatus.
    *) mod_proxy: Play/restore the TLS-SNI on new backend connections
       which had to be issued because the remote closed the
       previous/reusable one during idle (keep-alive) time.
    *) mod_ssl: Fix a possible memory leak on restart for custom [EC]DH
       params.
    *) mod_proxy: Fix a regression with 2.2.31 that caused inherited
       workers to use a different scoreboard slot than the original one.
    *) mod_proxy: Fix a race condition that caused a failed worker to be
       retried before the retry period is over.
    *) mod_proxy: don't recycle backend announced "Connection: close"
       connections to avoid reusing it should the close be effective
       after some new request is ready to be sent.
    *) mod_mem_cache: Fix concurrent removal of stale entries which could
       lead to a crash.
    *) mime.types: add common extension "m4a" for MPEG 4 Audio.
    *) mod_substitute: Allow to configure the patterns merge order with
       the new SubstituteInheritBefore on|off directive.
    *) mod_mem_cache: Don't cache incomplete responses when the client
       connection is aborted before the body is fully read.
    *) abs: Include OPENSSL_Applink when compiling on Windows, to resolve
       failures under Visual Studio 2015 and other mismatched MSVCRT
       flavors.
    *) core: Support custom ErrorDocuments for HTTP 501 and 414 status
       codes.
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/apache22'
  unixtime: '1484577282'
  user: adam