Update to 2.4.38

Changelog:
  *) SECURITY: CVE-2018-17199 (cve.mitre.org)
     mod_session: mod_session_cookie does not respect expiry time allowing
     sessions to be reused.  [Hank Ibell]

  *) SECURITY: CVE-2018-17189 (cve.mitre.org)
     mod_http2: fixes a DoS attack vector. By sending slow request bodies
     to resources not consuming them, httpd cleanup code occupies a server
     thread unnecessarily. This was changed to an immediate stream reset
     which discards all stream state and incoming data.  [Stefan Eissing]

  *) SECURITY: CVE-2019-0190 (cve.mitre.org)
     mod_ssl: Fix infinite loop triggered by a client-initiated
     renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
     later.  PR 63052.  [Joe Orton]

  *) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
     PR 63052 [Joe Orton]

  *) mod_negotiation: Treat LanguagePriority as case-insensitive to match
     AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]

  *) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
     have been fixed. [Michael Kaufmann, Stefan Eissing]

  *) mod_setenvif: We can have expressions that become true if a regex pattern
     in the expression does NOT match. In this case val is NULL
     and we should just set the value for the environment variable
     like in the pattern case. [Ruediger Pluem]

  *) mod_session: Always decode session attributes early. [Hank Ibell]

  *) core: Incorrect values for environment variables are substituted when
     multiple environment variables are specified in a directive. [Hank Ibell]

  *) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
     this type of map is present in the configuration.  PR62311.
     [Hank Ibell <hwibell gmail.com>]

  *) mod_dav: Fix invalid Location header when a resource is created by
     passing an absolute URI on the request line [Jim Jagielski]

  *) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
     [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]

  *) mod_ssl: clear *SSL errors before loading certificates and checking
     afterwards. Otherwise errors are reported when other SSL using modules
     are in play. Fixes PR 62880. [Michael Kaufmann]

  *) mod_ssl: Fix the error code returned in an error path of
     'ssl_io_filter_handshake()'. This messes-up error handling performed
     in 'ssl_io_filter_error()' [Yann Ylavic]

  *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
     authz provider so "Require ssl" works correctly in HTTP/2.
     PR 61519, 62654.  [Joe Orton, Stefan Eissing]

  *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
     redirects, subsequent ProxyPassReverse statements, whether they are
     relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]

  *) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]

MFH:		2019Q1
Security:	eb888ce5-1f19-11e9-be05-4c72b94353b5
Sponsored by:	Netzkommune GmbH

2 files changed, 4 insertions, 4 deletions

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index cc9f6b9aefff..031b7cfb4317 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	apache24
-PORTVERSION=	2.4.37
+PORTVERSION=	2.4.38
 CATEGORIES=	www ipv6
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 35b9b9493fc5..3d6e36cf9484 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1540301506
-SHA256 (apache24/httpd-2.4.37.tar.bz2) = 3498dc5c6772fac2eb7307dc7963122ffe243b5e806e0be4fb51974ff759d726
-SIZE (apache24/httpd-2.4.37.tar.bz2) = 7031632
+TIMESTAMP = 1548149918
+SHA256 (apache24/httpd-2.4.38.tar.bz2) = 7dc65857a994c98370dc4334b260101a7a04be60e6e74a5c57a6dee1bc8f394a
+SIZE (apache24/httpd-2.4.38.tar.bz2) = 7035030