pkgsrc.se | The NetBSD package collection
Path to this page:
./www/apache24, Apache HTTP (Web) server, version 2.4
Branch: CURRENT, Version: 2.4.66, Package name: apache-2.4.66, Maintainer: ryoon
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for various modern desktop and server operating
systems, such as UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server which provides HTTP
services in sync with the current HTTP standards.
This package tracks the 2.4.x release.
Required to run:
[textproc/libxml2] [security/openssl] [devel/apr] [devel/apr-util] [devel/pcre] [devel/readline] [www/nghttp2] [archivers/brotli]
Required to build:
[pkgtools/cwrappers]
Package options: apache-mpm-event, apache-mpm-prefork, apache-mpm-worker, brotli, http2, xml
Filesize: 7328.676 KB
Version history:
- (2025-12-07) Updated to version: apache-2.4.66
- (2025-10-24) Updated to version: apache-2.4.65nb2
- (2025-10-05) Updated to version: apache-2.4.65nb1
- (2025-07-24) Updated to version: apache-2.4.65
- (2025-07-15) Package has been reborn
- (2025-07-15) Package deleted from pkgsrc
CVS history:
2025-12-07 16:55:55 by Takahiro Kambe | Files touched by this commit (3)
Log message:
www/apache24: update to 2.4.66
Apache 2.4.66 (2025-12-04)
Security changes with Apache 2.4.66:
*) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
bypass via AllowOverride FileInfo (cve.mitre.org)
mod_userdir+suexec bypass via AllowOverride FileInfo
vulnerability in Apache HTTP Server. Users with access to use
the RequestHeader directive in htaccess can cause some CGI
scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through
2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
variable override (cve.mitre.org)
Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment
variables set via the Apache configuration unexpectedly
superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66 which fixes
the issue.
Credits: Mattias Åsander (Umeå University)
*) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
Windows through UNC SSRF (cve.mitre.org)
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on
Windows with AllowEncodedSlashes On and MergeSlashes Off allows NTLM hashes
to potentially be leaked to a malicious server via SSRF and malicious
requests or content.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Orange Tsai (@orange_8361) from DEVCORE
*) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
Includes adds query string to #exec cmd=... (cve.mitre.org)
Apache HTTP Server 2.4.65 and earlier with Server Side Includes
(SSI) enabled and mod_cgid (but not mod_cgi) passes the
shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Anthony Parfenov (United Rentals, Inc.)
*) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
unintended retry intervals (cve.mitre.org)
An integer overflow in the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to
renew the certificate then are repeated without delays until it
succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes
the issue.
Credits: Aisle Research
2025-10-23 22:40:24 by Thomas Klausner | Files touched by this commit (2999)
Log message:
*: recursive bump for pcre2
Running an old binary against the new pcre doesn't work:
/usr/pkg/lib/libpcre2-8.so.0: version PCRE2_10.47 required by /usr/pkg/lib/libglib-2.0.so.0 not defined
2025-10-05 21:26:29 by Jonathan Schleifer | Files touched by this commit (485)
Log message:
*: rev bump for curl
2025-07-24 15:23:23 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
apache24: updated to 2.4.65
Changes with Apache 2.4.65
*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always
evaluates to true in 2.4.64 (cve.mitre.org)
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..."
tests evaluating as "true".
Users are recommended to upgrade to version 2.4.65, which fixes the issue.
2025-07-13 18:33:04 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
apache24: updated to 2.4.64
Changes with Apache 2.4.64
*) SECURITY: CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by
Memory Increase (cve.mitre.org)
Late Release of Memory after Effective Lifetime vulnerability in
Apache HTTP Server.
This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
Users are recommended to upgrade to version 2.4.64, which fixes
the issue.
Credits: Gal Bar Nahum
*) SECURITY: CVE-2025-49812: Apache HTTP Server: mod_ssl TLS
upgrade attack (cve.mitre.org)
In some mod_ssl configurations on Apache HTTP Server versions
through to 2.4.63, an HTTP desynchronisation attack allows a
man-in-the-middle attacker to hijack an HTTP session via a TLS
upgrade.
Only configurations using "SSLEngine optional" to enable TLS
upgrades are affected. Users are recommended to upgrade to
version 2.4.64, which removes support for TLS upgrade.
Credits: Robert Merget (Technology Innovation Institute)
*) SECURITY: CVE-2025-49630: Apache HTTP Server: mod_proxy_http2
denial of service (cve.mitre.org)
In certain proxy configurations, a denial of service attack
against Apache HTTP Server versions 2.4.26 through to 2.4.63
can be triggered by untrusted clients causing an assertion in
mod_proxy_http2.
Configurations affected are a reverse proxy is configured for an
HTTP/2 backend, with ProxyPreserveHost set to "on".
Credits: Anthony CORSIEZ
*) SECURITY: CVE-2025-23048: Apache HTTP Server: mod_ssl access
control bypass with session resumption (cve.mitre.org)
In some mod_ssl configurations on Apache HTTP Server 2.4.35
through to 2.4.62, an access control bypass by trusted clients
is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for
multiple virtual hosts, with each restricted to a different set
of trusted client certificates (for example with a different
SSLCACertificateFile/Path setting). In such a case, a client
trusted to access one virtual host may be able to access another
virtual host, if SSLStrictSNIVHostCheck is not enabled in either
virtual host.
Credits: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy,
and Juraj Somorovsky at Paderborn University
*) SECURITY: CVE-2024-47252: Apache HTTP Server: mod_ssl error log
variable escaping (cve.mitre.org)
Insufficient escaping of user-supplied data in mod_ssl in Apache
HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS
client to insert escape characters into log files in some
configurations.
In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by
mod_ssl such as SSL_TLS_SNI, no escaping is performed by either
mod_log_config or mod_ssl and unsanitized data provided by the
client may appear in log files.
Credits: John Runyon
*) SECURITY: CVE-2024-43394: Apache HTTP Server: SSRF on Windows
due to UNC paths (cve.mitre.org)
Server-Side Request Forgery (SSRF) in Apache HTTP Server on
Windows allows to potentially leak NTLM hashes to a malicious
server via
mod_rewrite or apache expressions that pass unvalidated request
input.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
Note: The Apache HTTP Server Project will be setting a higher
bar for accepting vulnerability reports regarding SSRF via UNC
paths.
The server offers limited protection against administrators
directing the server to open UNC paths.
Windows servers should limit the hosts they will connect over
via SMB based on the nature of NTLM authentication.
Credits: Kainan Zhang (@4xpl0r3r) from Fortinet
*) SECURITY: CVE-2024-43204: Apache HTTP Server: SSRF with
mod_headers setting Content-Type header (cve.mitre.org)
SSRF in Apache HTTP Server with mod_proxy loaded allows an
attacker to send outbound proxy requests to a URL controlled by
the attacker. Requires an unlikely configuration where
mod_headers is configured to modify the Content-Type request or
response header with a value provided in the HTTP request.
Users are recommended to upgrade to version 2.4.64 which fixes
this issue.
Credits: xiaojunjie@ĺŽć俥ćŻćĺˇĺ¸ćť¨ćąĺşćč?˝ĺ¤§ĺ¸ĺˇĽä˝ĺޤ
*) SECURITY: CVE-2024-42516: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
HTTP response splitting in the core of Apache HTTP Server allows
an attacker who can manipulate the Content-Type response headers
of applications hosted or proxied by the server can split the
HTTP response.
This vulnerability was described as CVE-2023-38709 but the patch
included in Apache HTTP Server 2.4.59 did not address the issue.
Users are recommended to upgrade to version 2.4.64, which fixes
this issue.
*) mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer
size.
*) mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5
builds which enable it in libssl natively. [Joe Orton]
*) mod_asis: Fix the log level of the message AH01236.
*) mod_session_dbd: ensure format used with SessionDBDCookieName and
SessionDBDCookieName2 are correct.
*) mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could
inadvertently modify the Content-Type _response_ header. Applies to
Content-Type only and likely to only affect static file responses.
[Eric Covener]
*) mod_ssl: Remove warning over potential uninitialised value
for ssl protocol prior to protocol selection.
[Graham Leggett]
*) mod_proxy: Reuse ProxyRemote connections when possible, like prior
to 2.4.59. [Jean-Frederic Clere, Yann Ylavic]
*) mod_systemd: Add systemd socket activation support. [Paul Querna,
Jan Kaluza, Lubos Uhliarik <luhliari redhat.com>, Joe Orton]
*) mod_systemd: Log the SELinux context at startup if available and
enabled. [Joe Orton]
*) mod_http2: update to version 2.0.32
The code setting the connection window size was set wrong,
preventing `H2WindowSize` to work.
Fixed <https://github.com/icing/mod_h2/issues/300>.
[Stefan Eissing, Michael Kaufmann]
*) mod_http2: update to version 2.0.30
- Fixed bug in handling over long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
*) mod_lua: Fix memory handling in LuaOutputFilter.
*) mod_proxy_http2: revert r1912193 for detecting broken backend connections
as this interferes with backend selection when a node is unresponsive.
*) mod_proxy_balancer: Fix a regression that caused stickysession keys to no
longer be recognized if they are provided as a query parameter in the URL.
*) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones.
- Fixed missing newlines in the status page output. [Andreas Groth]
*) mod_dav: Add API to expose DavBasePath setting. [Joe Orton]
*) mod_md: update to version 2.5.1
- Added support for ACME profiles with new directives MDProfile and
MDProfileMandatory.
- When installing a custom CA file via `MDCACertificateFile`, also set the
libcurl option CURLSSLOPT_NO_REVOKE that suppresses complaints by Schannel
(when curl is linked with it) about missing CRL/OCSP in certificates.
- Fixed handling of corrupted httpd.json and added test 300_30 for it.
File is removed on error and written again.
- Added explanation in log for how to proceed when md_store.json could not be
parsed and prevented the server start.
- restored fixes to 336 and 337 which got lost in a sync with Apache svn
- Add Issue Name/Uris to certificate information in md-status handler
- MDomains with static certificate files have MDRenewMode "manual", unless
"always" is configured.
*) core: Report invalid Options= argument when parsing AllowOverride
directives.
*) scoreboard/mod_http2: record durations of HTTP/2 requests.
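As an added example (not code from pkgsrc or the Apache project), a small Python audit that checks a simplified httpd.conf for the configuration preconditions the 2.4.64 and 2.4.66 security entries above name: "SSLEngine optional" (CVE-2025-49812), AllowEncodedSlashes On with MergeSlashes Off (CVE-2025-59775), differing per-vhost client CA files without SSLStrictSNIVHostCheck (CVE-2025-23048), and ProxyPreserveHost On with an h2:// backend (CVE-2025-49630). The config text is constructed, and the parser assumes one directive per line with plain `<VirtualHost>` blocks.

```python
import re

# Constructed httpd.conf fragment (not a real site's config) with each risky combination named above.
SAMPLE_CONF = """\
SSLEngine optional
AllowEncodedSlashes On
MergeSlashes Off
<VirtualHost *:443>
    SSLCACertificateFile /etc/ssl/clients-a.pem
</VirtualHost>
<VirtualHost *:443>
    SSLCACertificateFile /etc/ssl/clients-b.pem
</VirtualHost>
ProxyPreserveHost On
ProxyPass / h2://backend.internal.test/
"""

def parse_directives(conf):
    """Yield (vhost index or None, lowercase directive, value) from a one-directive-per-line config."""
    vhost, seen = None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            vhost, seen = seen, seen + 1          # enter a numbered vhost scope
            continue
        if line.lower().startswith("</virtualhost"):
            vhost = None
            continue
        parts = line.split(None, 1)
        yield vhost, parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def audit(conf):
    """Return the CVE ids whose documented configuration preconditions appear in conf."""
    d = list(parse_directives(conf))
    glob = {n: v.lower() for s, n, v in d if s is None}   # server-level view, last wins
    hits = set()
    if glob.get("sslengine") == "optional":                 # TLS upgrade still enabled
        hits.add("CVE-2025-49812")
    if glob.get("allowencodedslashes") == "on" and glob.get("mergeslashes") == "off":
        hits.add("CVE-2025-59775")                          # relevant on Windows hosts only
    ca = {s: v for s, n, v in d if s is not None and n in ("sslcacertificatefile", "sslcacertificatepath")}
    strict = {s for s, n, v in d if n == "sslstrictsnivhostcheck" and v.lower() == "on"}
    if len(set(ca.values())) > 1 and None not in strict and not set(ca) <= strict:
        hits.add("CVE-2025-23048")                          # differing client-CA sets, no strict SNI check
    h2_backend = any(n == "proxypass" and re.search(r"\bh2c?://", v) for s, n, v in d)
    if glob.get("proxypreservehost") == "on" and h2_backend:
        hits.add("CVE-2025-49630")
    return hits
```

Flagged ids mean the precondition is present in the file, not that the running build is unpatched; upgrading to 2.4.66 remains the fix.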
2025-04-21 23:30:03 by Thomas Klausner | Files touched by this commit (2)
Log message:
apache24: remove Interix support
2025-04-19 09:58:38 by Thomas Klausner | Files touched by this commit (750)
Log message:
*: recursive bump for default Kerberos implementation switch
2025-04-17 23:53:13 by Thomas Klausner | Files touched by this commit (2449)
Log message:
*: recursive bump for icu 77 and libxml2 2.14
