apache24: updated to 2.4.49

Changes with Apache 2.4.49

*) SECURITY: CVE-2021-40438 (cve.mitre.org)
   mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]

*) SECURITY: CVE-2021-39275 (cve.mitre.org)
   core: ap_escape_quotes buffer overflow

*) SECURITY: CVE-2021-36160 (cve.mitre.org)
   mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]

*) SECURITY: CVE-2021-34798 (cve.mitre.org)
   core: null pointer dereference on malformed request

*) SECURITY: CVE-2021-33193 (cve.mitre.org)
   mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]

*) core/mod_proxy/mod_ssl:
   Adding `outgoing` flag to conn_rec, indicating a connection is
   initiated by the server to somewhere, in contrast to incoming
   connections from clients.
   Adding 'ap_ssl_bind_outgoing()` function that marks a connection
   as outgoing and is used by mod_proxy instead of the previous
   optional function `ssl_engine_set`. This enables other SSL
   module to secure proxy connections.
   The optional functions `ssl_engine_set`, `ssl_engine_disable` and
   `ssl_proxy_enable` are now provided by the core to have backward
   compatibility with non-httpd modules that might use them. mod_ssl
   itself no longer registers these functions, but keeps them in its
   header for backward compatibility.
   The core provided optional function wrap any registered function
   like it was done for `ssl_is_ssl`.
   [Stefan Eissing]

*) mod_ssl: Support logging private key material for use with
   wireshark via log file given by SSLKEYLOGFILE environment
   variable.  Requires OpenSSL 1.1.1.  PR 63391.  [Joe Orton]

*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
   "ProxyPassInterpolateEnv On" are configured.  PR 65549.
   [Joel Self <joelself gmail.com>]

*) mpm_event: Fix children processes possibly not stopped on graceful
   restart.  PR 63169.  [Joel Self <joelself gmail.com>]

*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
   protocols from mod_proxy_http, and a timeout triggering falsely when
   using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
   upgrade= setting.  PRs 65521 and 65519.  [Yann Ylavic]

*) mod_unique_id: Reduce the time window where duplicates may be generated
   PR 65159
   [Christophe Jaillet]

*) mpm_prefork: Block signals for child_init hooks to prevent potential
   threads created from there to catch MPM's signals.
   [Ruediger Pluem, Yann Ylavic]

*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
   PR 65159" added in 2.4.47.
   This causes issue on Windows.
   [Christophe Jaillet]

*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.  [Yann Ylavic]

*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
   as successful or a staged renewal is replacing the existing certificates.
   This avoid potential mess ups in the md store file system to render the active
   certificates non-working. [@mkauf]

*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
   [Yann Ylavic]

*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
   connections. If ALPN protocols are provided and sent to the
   remote server, the received protocol selected is inspected
   and checked for a match. Without match, the peer handshake
   fails.
   An exception is the proposal of "http/1.1" where it is
   accepted if the remote server did not answer ALPN with
   a selected protocol. This accomodates for hosts that do
   not observe/support ALPN and speak http/1.x be default.

*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
   with others when their URLs contain a '$' substitution.  PR 65419 + 65429.
   [Yann Ylavic]

*) mod_dav: Add method_precondition hook. WebDAV extensions define
   conditions that must exist before a WebDAV method can be executed.
   This hook allows a WebDAV extension to verify these preconditions.
   [Graham Leggett]

*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
   modules apart from versioning implementations to handle the REPORT method.
   [Graham Leggett]

*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
   dav_get_resource() to mod_dav.h. [Graham Leggett]

*) core: fix ap_escape_quotes substitution logic. [Eric Covener]

*) Easy patches: synch 2.4.x and trunk
   - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
   - mod_ldap: log and abort locking errors.
   - mod_ldap: style fix for r1831165
   - mod_ldap: build break fix for r1831165
   - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
   - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
   - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
   - mod_rewrite: Save a few cycles.
   - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
   - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
  [Christophe Jaillet]

*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
   stopping a child process. The additional `graceful` parameter allows
   registered hooks to free resources early during a graceful shutdown.
   [Yann Ylavic, Stefan Eissing]

*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
   balancer-manager, which can lead to a crash.  [Yann Ylavic]

*) mpm_event: Fix graceful stop/restart of children processes if connections
   are in lingering close for too long.  [Yann Ylavic]

*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
   server returned 2xx responses without content type. Reported by chuangwen.
   [chuangwen, Stefan Eissing]

*) mod_md:
   - Domain names in `<MDomain ...>` can now appear in quoted form.
   - Fixed a failure in ACME challenge selection that aborted further searches
     when the tls-alpn-01 method did not seem to be suitable.
   - Changed the tls-alpn-01 setup to only become unsuitable when none of the
     dns names showed support for a configured 'Protocols ... acme-tls/1'. This
     allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
   [Stefan Eissing]

*) Add CPING to health check logic. [Jean-Frederic Clere]

*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]

*) core, h2: common ap_parse_request_line() and ap_check_request_header()
   code. [Yann Ylavic]

*) core: Add StrictHostCheck to allow unconfigured hostnames to be
   rejected. [Eric Covener]

*) htcacheclean: Improve help messages.  [Christophe Jaillet]

2 files changed, 7 insertions, 7 deletions

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 908249a0028..730e3b481dc 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.100 2021/06/04 09:47:15 wiz Exp $
+# $NetBSD: Makefile,v 1.101 2021/09/17 12:49:57 adam Exp $
 #
 # When updating this package, make sure that no strings like
 # "PR 12345" are in the commit message. Upstream likes
 # to reference their own PRs this way, but this ends up
 # in NetBSD GNATS.
 
-DISTNAME=	httpd-2.4.48
+DISTNAME=	httpd-2.4.49
 PKGNAME=	${DISTNAME:S/httpd/apache/}
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_APACHE:=httpd/}
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 8e1cb050529..d9dc31ea47a 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.45 2021/06/04 09:47:15 wiz Exp $
+$NetBSD: distinfo,v 1.46 2021/09/17 12:49:57 adam Exp $
 
-SHA1 (httpd-2.4.48.tar.bz2) = 834876db80fc290e531f0e088d255434828b81b5
-RMD160 (httpd-2.4.48.tar.bz2) = ea98eeb29aacefb2a71e046bfc13dc3b6e88f2fc
-SHA512 (httpd-2.4.48.tar.bz2) = 6c250626f1e7d10428a92d984fd48ff841effcc8705f7816ab71b681bbd51d0012ad158dcd13763fe7d630311f2de258b27574603140d648be42796ab8326724
-Size (httpd-2.4.48.tar.bz2) = 7194385 bytes
+SHA1 (httpd-2.4.49.tar.bz2) = 17e8efc1b178ce677202d71678e380459594f697
+RMD160 (httpd-2.4.49.tar.bz2) = 73c3e94bdb0da77c833590334a4ac288d782424c
+SHA512 (httpd-2.4.49.tar.bz2) = 418e277232cf30a81d02b8554e31aaae6433bbea842bdb81e47a609469395cc4891183fb6ee02bd669edb2392c2007869b19da29f5998b8fd5c7d3142db310dd
+Size (httpd-2.4.49.tar.bz2) = 7199599 bytes
 SHA1 (patch-aa) = 9a66685f1d2e4710ab464beda98cbaad632aebf9
 SHA1 (patch-ab) = a3edcc20b7654e0446c7d442cda1510b23e5d324
 SHA1 (patch-ac) = 9f86d845df30316d22bce677a4b176f51007ba0d