19:31 ohauer 

- update to version 2.2.24
- move mpm itk patches to itk-mpm/files dir
- add sshd to REQUIRE line in the rc script to prevent boot
  issues in case a SSL cert is password protected [1]

Changes with Apache 2.2.24
 SECURITY: CVE-2012-3499 (cve.mitre.org) Various XSS flaws due to
 unescaped hostnames and URIs HTML output in mod_info, mod_status,
 mod_imagemap, mod_ldap, and mod_proxy_ftp.  [Jim Jagielski, Stefan
 Fritsch, Niels Heinen <heinenn google com>]

 SECURITY: CVE-2012-4558 (cve.mitre.org)
 XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
 Niels Heinen <heinenn google com>]

 mod_rewrite: Stop merging RewriteBase down to subdirectories
 unless new option 'RewriteOptions MergeBase' is configured.
 Merging RewriteBase was unconditionally turned on in 2.2.23.
 PR 53963. [Eric Covener]

 mod_ssl: Send the error message for speaking http to an https port using
 HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
 using SNI. PR 50823. [Stefan Fritsch]

 mod_ssl: log revoked certificates at level INFO
 instead of DEBUG. PR 52162. [Stefan Fritsch]

 mod_proxy_ajp: Support unknown HTTP methods. PR 54416.
 [Rainer Jung]

 mod_dir: Add support for the value 'disabled' in FallbackResource.
 [Vincent Deffontaines]

 mod_ldap: Fix regression in handling "server unavailable" errors on
 Windows.  PR 54140.  [Eric Covener]

 mod_ssl: fix a regression with the string rendering of the "UID" RDN
 introduced in 2.2.15. PR 54510. [Kaspar Brand]

 ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
 to more accurately report the negotiated protocol. PR 53916.
 [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]

 mod_cache: Explicitly allow cache implementations to cache a 206 Partial
 Response if they so choose to do so. Previously an attempt to cache a 206
 was arbitrarily allowed if the response contained an Expires or
 Cache-Control header, and arbitrarily denied if both headers were missing
 Currently the disk and memory cache providers do not cache 206 Partial
 Responses. [Graham Leggett]

 core: Remove unintentional APR 1.3 dependency introduced with
 Apache 2.2.22. [Eric Covener]

 core: Use a TLS 1.0 close_notify alert for internal dummy connection if
 the chosen listener is configured for https. [Joe Orton]

 mod_ssl: Add new directive SSLCompression to disable TLS-level
   compression. PR 53219.

[1] requested by Andrew Filonov
    (freebsd-apache/2012-September/002962.html)

with head apache@

 

17:00 ohauer 

 - update Apache 2 ITK MPM patch to version 20110321-01 [1]
 - add additional patch for mpm-itk [2]
 - add mod_substitute to apache22 [3]
 - add some documentation into the mpm-itk* patches
 - bump portrevision

 Changes:
 [1] apache2.2-mpm-itk 2.2.17-01, released 2011-03-21:
  * Fixed CVE-2011-1176: If NiceValue was set, the default with no
    AssignUserID was to run as root:root instead of the default Apache user
    and group, due to the configuration merger having an incorrect default
    configuration.
  * Rebase against Apache 2.2.17.
  * Fix an issue where users can sometimes get spurious 403s on persistent
    connections, if the .htaccess files are not world readable.

(Only the first 15 lines of the commit message are shown above )