So 2.4.32 went away after I sent out my update diff, and yesterday
2.4.33 arrived in its place. Not much changed since 2.4.32 from which
I've already had some positive test reports. (If my understanding of
their process is correct, they make a couple of releases with separate
version numbers, similar to what many would do as an rc, then when
happy they push one more publicly as "the version people should
use").

Opinions on updating now please? Push for release or hold off until
stable? It's one of those things that typically only gets limited testing
on ports@ but it feels like it's something more likely to be used by
people who only run release..

Quite a roll of security fixes though most are unusual configs/hard
to trigger. Info in https://www.apache.org/dist/httpd/CHANGES_2.4.33.

CVE-2018-1301: Possible out of bound access after failure in reading the HTTP 
request
CVE-2018-1303: Possible out of bound read in mod_cache_socache
CVE-2018-1283: Tampering of mod_session data for CGI applications
CVE-2018-1302: Possible write of after free on HTTP/2 stream shutdown
CVE-2017-15715: <FilesMatch> bypass with a trailing newline in the file name
CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest
CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small 
Accept-Language values


Index: Makefile
===================================================================
RCS file: /cvs/ports/www/apache-httpd/Makefile,v
retrieving revision 1.88
diff -u -p -r1.88 Makefile
--- Makefile    14 Feb 2018 16:06:54 -0000      1.88
+++ Makefile    24 Mar 2018 12:46:14 -0000
@@ -3,8 +3,7 @@
 COMMENT-main=          apache HTTP server
 COMMENT-common=                /var/www files for Apache HTTPd
 
-V=                     2.4.29
-REVISION-main=         0
+V=                     2.4.33
 DISTNAME=              httpd-${V}
 PKGNAME=               apache-httpd-${V}
 
@@ -19,8 +18,9 @@ HOMEPAGE=             https://httpd.apache.org/
 # Apache 2.0
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB-main += apr-1 aprutil-1 c crypto db expat iconv
-WANTLIB-main += lzma m nghttp2 pcre pthread ssl xml2 z
+WANTLIB-main += apr-1 aprutil-1 brotlicommon brotlienc c crypto curl
+WANTLIB-main += db expat iconv jansson lzma m nghttp2 pcre pthread ssl
+WANTLIB-main += xml2 z
 
 MASTER_SITES=          ${MASTER_SITE_APACHE:=httpd/}
 
@@ -30,8 +30,11 @@ MULTI_PACKAGES=              -main -common
 
 RUN_DEPENDS-main=      www/apache-httpd,-common
 
-LIB_DEPENDS-main=      archivers/xz \
+LIB_DEPENDS-main=      archivers/brotli \
+                       archivers/xz \
+                       devel/jansson \
                        devel/pcre \
+                       net/curl \
                        textproc/libxml \
                        www/nghttp2
 
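Review bot: The three new LIB_DEPENDS-main entries (archivers/brotli, devel/jansson, net/curl) do not say which module needs them, and neither do the brotlicommon, brotlienc, curl and jansson additions in the WANTLIB-main hunk above. Judging by the PLIST-main changes further down, they presumably come from mod_brotli and mod_md now being built. A comment above LIB_DEPENDS-main such as `# brotli: mod_brotli; curl, jansson: mod_md` would record that. Every install of -main now pulls in curl and jansson even when mod_md is never loaded, so it is worth deciding explicitly whether that module belongs in -main.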
Index: distinfo
===================================================================
RCS file: /cvs/ports/www/apache-httpd/distinfo,v
retrieving revision 1.27
diff -u -p -r1.27 distinfo
--- distinfo    12 Jan 2018 22:11:41 -0000      1.27
+++ distinfo    24 Mar 2018 12:46:14 -0000
@@ -1,2 +1,2 @@
-SHA256 (httpd-2.4.29.tar.gz) = lI5KESeKWVRpi4gLMPQBsemrdDcT7ixygKVN1N3YcIU=
-SIZE (httpd-2.4.29.tar.gz) = 8638793
+SHA256 (httpd-2.4.33.tar.gz) = zTRjbK8DyaiX3fySj8hmyWXyPZCblhKIBWOnrQ0afls=
+SIZE (httpd-2.4.33.tar.gz) = 9076901
Index: patches/patch-config_layout
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-config_layout,v
retrieving revision 1.8
diff -u -p -r1.8 patch-config_layout
--- patches/patch-config_layout 18 Jul 2015 00:33:53 -0000      1.8
+++ patches/patch-config_layout 24 Mar 2018 12:46:14 -0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-config_layout,v 1.8 2015/07/18 00:33:53 ajacoutot Exp $
---- config.layout.orig Tue Apr 17 16:01:41 2012
-+++ config.layout      Sat Jul 18 02:20:52 2015
-@@ -229,25 +229,25 @@
+Index: config.layout
+--- config.layout.orig
++++ config.layout
+@@ -253,25 +253,25 @@
  #   OpenBSD Layout
  <Layout OpenBSD>
      prefix:        /var/www
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-configure,v
retrieving revision 1.15
diff -u -p -r1.15 patch-configure
--- patches/patch-configure     18 Feb 2018 20:38:15 -0000      1.15
+++ patches/patch-configure     24 Mar 2018 12:46:14 -0000
@@ -2,7 +2,7 @@ $OpenBSD: patch-configure,v 1.15 2018/02
 Index: configure
 --- configure.orig
 +++ configure
-@@ -3425,7 +3425,7 @@ do
+@@ -3445,7 +3445,7 @@ do
    ap_last="${ap_cur}"
    ap_cur=`eval "echo ${ap_cur}"`
  done
@@ -11,7 +11,7 @@ Index: configure
  
  
    APACHE_VAR_SUBST="$APACHE_VAR_SUBST exp_sysconfdir"
-@@ -4631,7 +4631,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
+@@ -4651,7 +4651,7 @@ APR_INCLUDEDIR=`$apr_config --includedir`
  APR_INCLUDES=`$apr_config --includes`
  APR_VERSION=`$apr_config --version`
  apr_major_version=`echo ${APR_VERSION} | sed 's,\..*,,'`
Index: patches/patch-modules_md_md_crypt_c
===================================================================
RCS file: patches/patch-modules_md_md_crypt_c
diff -N patches/patch-modules_md_md_crypt_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-modules_md_md_crypt_c 24 Mar 2018 12:46:14 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+Index: modules/md/md_crypt.c
+--- modules/md/md_crypt.c.orig
++++ modules/md/md_crypt.c
+@@ -471,7 +471,8 @@ apr_status_t md_pkey_gen(md_pkey_t **ppkey, apr_pool_t
+     }
+ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+ 
+ #ifndef NID_tlsfeature
+ #define NID_tlsfeature          1020
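Review bot: The new patch file has no comment explaining why 0x2070000fL is the cutoff, so whoever next regenerates the patches cannot tell whether it is still needed or should go upstream. A line under `$OpenBSD$` such as `LibreSSL 2.7.0 and later provide the OpenSSL 1.1 accessors; keep the compat block for older LibreSSL only` would cover it, assuming that is the reason. With the changed `#if`, LibreSSL at or above that version skips the whole guarded block, including the `NID_tlsfeature` fallback visible in the context lines. The rest of the block lies outside the hunk, so it should be confirmed that the LibreSSL headers supply every symbol the block used to define.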
Index: patches/patch-modules_ssl_ssl_engine_init_c
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-modules_ssl_ssl_engine_init_c,v
retrieving revision 1.11
diff -u -p -r1.11 patch-modules_ssl_ssl_engine_init_c
--- patches/patch-modules_ssl_ssl_engine_init_c 18 Feb 2018 21:02:45 -0000      1.11
+++ patches/patch-modules_ssl_ssl_engine_init_c 24 Mar 2018 12:46:14 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-modules_ssl_ssl_engine_i
 Index: modules/ssl/ssl_engine_init.c
 --- modules/ssl/ssl_engine_init.c.orig
 +++ modules/ssl/ssl_engine_init.c
-@@ -47,7 +47,8 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, ini
+@@ -48,7 +48,8 @@ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, ini
  #define KEYTYPES "RSA or DSA"
  #endif
  
Index: patches/patch-support_rotatelogs_c
===================================================================
RCS file: /cvs/ports/www/apache-httpd/patches/patch-support_rotatelogs_c,v
retrieving revision 1.5
diff -u -p -r1.5 patch-support_rotatelogs_c
--- patches/patch-support_rotatelogs_c  15 May 2015 08:08:04 -0000      1.5
+++ patches/patch-support_rotatelogs_c  24 Mar 2018 12:46:14 -0000
@@ -1,7 +1,8 @@
 $OpenBSD: patch-support_rotatelogs_c,v 1.5 2015/05/15 08:08:04 stsp Exp $
---- support/rotatelogs.c.orig  Thu Apr 17 11:00:36 2014
-+++ support/rotatelogs.c       Sat Jan 10 15:07:45 2015
-@@ -123,7 +123,7 @@ static void usage(const char *argv0, const char *reaso
+Index: support/rotatelogs.c
+--- support/rotatelogs.c.orig
++++ support/rotatelogs.c
+@@ -129,7 +129,7 @@ static void usage(const char *argv0, const char *reaso
              "or \n\nTransferLog \"|%s /some/where 5M\"\n\n", argv0);
  #endif
      fprintf(stderr,
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/www/apache-httpd/pkg/PLIST-main,v
retrieving revision 1.17
diff -u -p -r1.17 PLIST-main
--- pkg/PLIST-main      12 Jan 2018 22:11:41 -0000      1.17
+++ pkg/PLIST-main      24 Mar 2018 12:46:14 -0000
@@ -96,6 +96,7 @@ lib/apache2/mod_authz_host.so
 lib/apache2/mod_authz_owner.so
 lib/apache2/mod_authz_user.so
 lib/apache2/mod_autoindex.so
+lib/apache2/mod_brotli.so
 lib/apache2/mod_buffer.so
 lib/apache2/mod_cache.so
 lib/apache2/mod_cache_disk.so
@@ -133,6 +134,7 @@ lib/apache2/mod_log_debug.so
 lib/apache2/mod_log_forensic.so
 lib/apache2/mod_logio.so
 lib/apache2/mod_macro.so
+lib/apache2/mod_md.so
 lib/apache2/mod_mime.so
 lib/apache2/mod_mime_magic.so
 lib/apache2/mod_mpm_event.so
@@ -151,6 +153,7 @@ lib/apache2/mod_proxy_hcheck.so
 lib/apache2/mod_proxy_html.so
 lib/apache2/mod_proxy_http.so
 lib/apache2/mod_proxy_scgi.so
+lib/apache2/mod_proxy_uwsgi.so
 lib/apache2/mod_proxy_wstunnel.so
 lib/apache2/mod_ratelimit.so
 lib/apache2/mod_reflector.so
@@ -807,6 +810,8 @@ share/doc/apache2/mod/mod_lua.html.fr
 share/doc/apache2/mod/mod_macro.html
 share/doc/apache2/mod/mod_macro.html.en
 share/doc/apache2/mod/mod_macro.html.fr
+share/doc/apache2/mod/mod_md.html
+share/doc/apache2/mod/mod_md.html.en
 share/doc/apache2/mod/mod_mime.html
 share/doc/apache2/mod/mod_mime.html.en
 share/doc/apache2/mod/mod_mime.html.fr
@@ -865,6 +870,8 @@ share/doc/apache2/mod/mod_proxy_http2.ht
 share/doc/apache2/mod/mod_proxy_scgi.html
 share/doc/apache2/mod/mod_proxy_scgi.html.en
 share/doc/apache2/mod/mod_proxy_scgi.html.fr
+share/doc/apache2/mod/mod_proxy_uwsgi.html
+share/doc/apache2/mod/mod_proxy_uwsgi.html.en
 share/doc/apache2/mod/mod_proxy_wstunnel.html
 share/doc/apache2/mod/mod_proxy_wstunnel.html.en
 share/doc/apache2/mod/mod_ratelimit.html
