www/apache24: Update to 2.4.56

Changes with Apache 2.4.56

  *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi
     HTTP response splitting (cve.mitre.org)
     HTTP Response Smuggling vulnerability in Apache HTTP Server via
     mod_proxy_uwsgi. This issue affects Apache HTTP Server: from
     2.4.30 through 2.4.55.
     Special characters in the origin response header can
     truncate/split the response forwarded to the client.
     Credits: Dimas Fariski Setyawan Putra (nyxsorcerer)

  *) SECURITY: CVE-2023-25690: HTTP request splitting with
     mod_rewrite and mod_proxy (cve.mitre.org)
     Some mod_proxy configurations on Apache HTTP Server versions
     2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
     Configurations are affected when mod_proxy is enabled along with
     some form of RewriteRule
     or ProxyPassMatch in which a non-specific pattern matches
     some portion of the user-supplied request-target (URL) data and
     is then
     re-inserted into the proxied request-target using variable
     substitution. For example, something like:
     RewriteEngine on
     RewriteRule "^/here/(.*)" "
     http://example.com:8080/elsewhere?$1"
     http://example.com:8080/elsewhere ; [P]
     ProxyPassReverse /here/  http://example.com:8080/
     http://example.com:8080/
     Request splitting/smuggling could result in bypass of access
     controls in the proxy server, proxying unintended URLs to
     existing origin servers, and cache poisoning.
     Credits: Lars Krapf of Adobe

  *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
     truncated without the initial logfile being truncated.  [Eric Covener]

  *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
     allow connections of any age to be reused. Up to now, a negative value
     was handled as an error when parsing the configuration file.  PR 66421.
     [nailyk <bzapache nailyk.fr>, Christophe Jaillet]

  *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
     of headers. [Ruediger Pluem]

  *) mod_md:
     - Enabling ED25519 support and certificate transparency information when
       building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
     - MDChallengeDns01 can now be configured for individual domains.
       Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.
     [Stefan Eissing]

  *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
     reported in access logs and error documents. The processing of the
     reset was correct, only unneccesary reporting was caused.
     [Stefan Eissing]

  *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
     [Yann Ylavic]

PR:	270037
Reported by:	Fabian Wenk <fabian@wenks.ch>
Sponsored by:	Netzkommune GmbH

2 files changed, 4 insertions, 4 deletions

diff --git a/www/apache24/Makefile b/www/apache24/Makefile
index 1305859d1044..fcc570c74818 100644
--- a/www/apache24/Makefile
+++ b/www/apache24/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	apache24
-PORTVERSION=	2.4.55
+PORTVERSION=	2.4.56
 CATEGORIES=	www
 MASTER_SITES=	APACHE_HTTPD
 DISTNAME=	httpd-${PORTVERSION}
diff --git a/www/apache24/distinfo b/www/apache24/distinfo
index 50ec0cfd8ba9..47dd1a9258c2 100644
--- a/www/apache24/distinfo
+++ b/www/apache24/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1673987660
-SHA256 (apache24/httpd-2.4.55.tar.bz2) = 11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac
-SIZE (apache24/httpd-2.4.55.tar.bz2) = 7456187
+TIMESTAMP = 1678526025
+SHA256 (apache24/httpd-2.4.56.tar.bz2) = d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c
+SIZE (apache24/httpd-2.4.56.tar.bz2) = 7456418