system environment/daemons

httpd - Apache HTTP Server

Website: http://httpd.apache.org/
License: ASL 2.0
Vendor: AnNyung Packaging Team
Description:
The Apache HTTP Server is a powerful, efficient, and extensible
web server.

Building option:
	--with cent4 : if building on cent4

Packages

httpd-2.2.34-4.an2.src [5.6 MiB] Changelog by JoungKyun.Kim (2022-04-15):
- fixed CVE-2022-22720 httpd: HTTP request smuggling
httpd-2.2.34-3.an2.src [5.6 MiB] Changelog by JoungKyun.Kim (2019-05-13):
- fixed missing APR_HAS_THREADS check on mod_proxy 
  2.2.34 official patch
httpd-2.2.34-2.an2.src [5.6 MiB] Changelog by JoungKyun.Kim (2017-10-14):
- security issues
  . CVE-2017-9798
    Corrupted or freed memory access. <Limit[Except]> must now be used in the
    main configuration file (httpd.conf) to register HTTP methods before the
    .htaccess files.
httpd-2.2.34-1.an2.src [5.6 MiB] Changelog by JoungKyun.Kim (2017-07-17):
- update 2.2.34
  http://www.apache.org/dist/httpd/CHANGES_2.2.34
- security issues:
  . CVE-2017-7668
    The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
    bug in token list parsing, which allows ap_find_token() to search past
    the end of its input string. By maliciously crafting a sequence of
    request headers, an attacker may be able to cause a segmentation fault,
    or to force ap_find_token() to return an incorrect value.
  . CVE-2017-3169
    mod_ssl may dereference a NULL pointer when third-party modules call
    ap_hook_process_connection() during an HTTP request to an HTTPS port.
  . CVE-2017-3167
    Use of the ap_get_basic_auth_pw() by third-party modules outside of the
    authentication phase may lead to authentication requirements being
    bypassed.
  . CVE-2017-7679
    mod_mime can read one byte past the end of a buffer when sending a
    malicious Content-Type response header.
httpd-2.2.32-1.an2.src [5.6 MiB] Changelog by JoungKyun.Kim (2017-01-22):
- update 2.2.32
  http://www.apache.org/dist/httpd/CHANGES_2.2.32
- security issues:
  . CVE-2016-8743
    Enforce HTTP request grammar corresponding to RFC7230 for request lines
    and request headers, to prevent response splitting and cache pollution by
    malicious clients or downstream proxies.
httpd-2.2.31-2.an2.src [5.4 MiB] Changelog by JoungKyun.Kim (2016-07-20):
- security issues:
  . CVE-2016-5387
    The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and
    therefore does not protect applications from the presence of untrusted
    client data in the HTTP_PROXY environment variable, which might allow
    remote attackers to redirect an application's outbound HTTP traffic to an
    arbitrary proxy server via a crafted Proxy header in an HTTP request, aka
    an "httpoxy" issue.
httpd-2.2.31-1.an2.src [5.4 MiB] Changelog by JoungKyun.Kim (2015-08-16):
- update 2.2.31
- security issues:
  . CVE-2015-3183
    Remove apr_brigade_flatten(), buffering and duplicated code from
    the HTTP_IN filter, parse chunks in a single pass with zero copy.
    Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
    authorized characters
httpd-2.2.29-1.an2.src [5.4 MiB] Changelog by JoungKyun.Kim (2014-09-23):
- security issues:
  . CVE-2013-5704
    The mod_headers module in the Apache HTTP Server 2.2.22 allows
    remote attackers to bypass "RequestHeader unset" directives by
    placing a header in the trailer portion of data sent with chunked
    transfer coding.
httpd-2.2.27-2.an2.src [5.4 MiB] Changelog by JoungKyun.Kim (2014-07-30):
- security issues:
  . CVE-2014-0118
    The deflate_in_filter function in mod_deflate.c in the mod_deflate
    module in the Apache HTTP Server before 2.4.10, when request body
    decompression is enabled, allows remote attackers to cause a denial
    of service (resource consumption) via crafted request data that
    decompresses to a much larger size.

  . CVE-2014-0226
    Race condition in the mod_status module in the Apache HTTP Server
    before 2.4.10 allows remote attackers to cause a denial of service
    (heap-based buffer overflow), or possibly obtain sensitive credential
    information or execute arbitrary code, via a crafted request that
    triggers improper scoreboard handling within the status_handler
    function in modules/generators/mod_status.c and the
    lua_ap_scoreboard_worker function in modules/lua/lua_request.c.

  . CVE-2014-0231
    The mod_cgid module in the Apache HTTP Server before 2.4.10 does not
    have a timeout mechanism, which allows remote attackers to cause a
    denial of service (process hang) via a request to a CGI script that
    does not read from its stdin file descriptor.
httpd-2.2.27-1.an2.src [5.4 MiB] Changelog by JoungKyun.Kim (2014-04-05):
- update 2.2.27
  . see also http://www.apache.org/dist/httpd/CHANGES_2.2.27

- support NPN on mod_ssl

- security issues:
  . CVE-2014-0098
    Clean up cookie logging with fewer redundant string parsing passes.
    Log only cookies with a value assignment. Prevents segfaults when
    logging truncated cookies.

  . CVE-2013-6438
    mod_dav: Keep track of length of cdata properly when removing
    leading spaces. Eliminates a potential denial of service from
    specifically crafted DAV WRITE requests
httpd-2.2.26-1.an2.src [5.2 MiB] Changelog by JoungKyun.Kim (2014-02-07):
- update 2.2.26
  . see also http://www.apache.org/dist/httpd/CHANGES_2.2.26
httpd-2.2.25-1.an2.src [5.3 MiB] Changelog by JoungKyun.Kim (2013-07-06):
- update 2.2.25
  . see also http://www.apache.org/dist/httpd/CHANGES_2.2.25

- security issues:
  . CVE-2013-1862
    mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server
    2.2.x before 2.2.25 writes data to a log file without sanitizing
    non-printable characters, which might allow remote attackers to
    execute arbitrary commands via an HTTP request containing an escape
    sequence for a terminal emulator.
httpd-2.2.24-1.an2.src [5.3 MiB] Changelog by JoungKyun.Kim (2013-03-08):
- update 2.2.24
  . see also http://www.apache.org/dist/httpd/CHANGES_2.2.24

- security issues:
  . CVE-2012-3499
    Various XSS flaws due to unescaped hostnames and URIs HTML output in
    mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.

  . CVE-2012-4558
    XSS in mod_proxy_balancer manager interface.
httpd-2.2.23-2.an2.src [5.3 MiB] Changelog by JoungKyun.Kim (2012-11-09):
- fixed work binary
httpd-2.2.23-1.an2.src [5.3 MiB] Changelog by JoungKyun.Kim (2012-10-12):
- update 2.2.23
- fixed CVE-2012-0883
- fixed CVE-2012-2687
httpd-2.2.22-3.an2.src [5.2 MiB] Changelog by JoungKyun.Kim (2012-06-08):
- move /var/log/httpd to httpd-conf package
httpd-2.2.22-2.an2.src [5.2 MiB] Changelog by JoungKyun.Kim (2012-03-22):
- fixed broken echo hangul variable on ssi
httpd-2.2.22-1.an2.src [5.2 MiB] Changelog by JoungKyun.Kim (2012-02-17):
- update 2.2.22

Listing created by Repoview-0.6.6-1.el6