Release date:
2022-06-28 15:42:29 UTC
Description:
* SECURITY UPDATE: mod_sed may make excessively large memory allocations
  and trigger an abort
  - debian/patches/CVE-2022-30522.patch: limit mod_sed memory usage
  - CVE-2022-30522
* SECURITY UPDATE: HTTP request smuggling in mod_proxy_ajp
  - debian/patches/CVE-2022-26377.patch: parse request headers so that
    Transfer-Encoding has precedence over Content-Length
  - CVE-2022-26377
* SECURITY UPDATE: possible out-of-bounds read in ap_strcmp_match()
  with an extremely large input buffer
  - debian/patches/CVE-2022-28615.patch: use apr_size_t (e.g. long)
    for array indexing
  - CVE-2022-28615
* SECURITY UPDATE: mod_lua r:wsread() may return length that points past
  the end of the storage allocated for the buffer
  - debian/patches/CVE-2022-30556.patch: consistently use
    lua_websocket_readbytes() and check the return value
  - CVE-2022-30556
* SECURITY UPDATE: mod_proxy may not send the X-Forwarded-* headers to the
  origin server based on client side Connection header hop-by-hop mechanism
  - debian/patches/CVE-2022-31813.patch: preserve original request headers
    so an upstream knows what the original request hostname was
  - CVE-2022-31813
Updated packages:
- apache2_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  sha:eacb6cb73d2e56ef9e17562a7b92aacee5452c15
- apache2-bin_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  sha:9fa32c9bd8f6f40719360bada8ae3a2c68993e9f
- apache2-data_2.4.18-2ubuntu3.17+tuxcare.els5_all.deb
  sha:e2aa97c046edc9cfa9a90212ec461cf141019b85
- apache2-dev_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  sha:ccd541c6f8cc23b2552c4bb985fba4b6226764ad
- apache2-doc_2.4.18-2ubuntu3.17+tuxcare.els5_all.deb
  sha:ea20e6b533b4c20ced86663562377828b4fe0c22
- apache2-suexec-custom_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  sha:68a0876402472d76433188ef8b8ab2eb9a0bf263
- apache2-suexec-pristine_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  sha:7ea9e3e04659191c0806ccef0a48e73d84159c76
- apache2-utils_2.4.18-2ubuntu3.17+tuxcare.els5_amd64.deb
  sha:82a10115aa94610f268db757233650564f44842e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections, please contact the CloudLinux Packaging Team.