*) SECURITY: CVE-2018-17199 (cve.mitre.org)
   mod_session: mod_session_cookie does not respect expiry time allowing
   sessions to be reused.  [Hank Ibell]

*) SECURITY: CVE-2018-17189 (cve.mitre.org)
   mod_http2: fixes a DoS attack vector. By sending slow request bodies
   to resources not consuming them, httpd cleanup code occupies a server
   thread unnecessarily. This was changed to an immediate stream reset
   which discards all stream state and incoming data.  [Stefan Eissing]

*) SECURITY: CVE-2019-0190 (cve.mitre.org)
   mod_ssl: Fix infinite loop triggered by a client-initiated
   renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
   later.  PR 63052.  [Joe Orton]

*) mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
   PR 63052 [Joe Orton]

*) mod_negotiation: Treat LanguagePriority as case-insensitive to match
   AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]

*) mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
   have been fixed. [Michael Kaufmann, Stefan Eissing]

*) mod_setenvif: We can have expressions that become true if a regex pattern
   in the expression does NOT match. In this case val is NULL
   and we should just set the value for the environment variable
   like in the pattern case. [Ruediger Pluem]

*) mod_session: Always decode session attributes early. [Hank Ibell]

*) core: Incorrect values for environment variables are substituted when
   multiple environment variables are specified in a directive. [Hank Ibell]

*) mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
   this type of map is present in the configuration.  PR62311.
   [Hank Ibell <hwibell gmail.com>]

*) mod_dav: Fix invalid Location header when a resource is created by
   passing an absolute URI on the request line [Jim Jagielski]

*) mod_session_cookie: avoid duplicate Set-Cookie header in the response.
   [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]

*) mod_ssl: clear *SSL errors before loading certificates and checking
   afterwards. Otherwise errors are reported when other SSL using modules
   are in play. Fixes PR 62880. [Michael Kaufmann]

*) mod_ssl: Fix the error code returned in an error path of
   'ssl_io_filter_handshake()'. This messes-up error handling performed
   in 'ssl_io_filter_error()' [Yann Ylavic]

*) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
   authz provider so "Require ssl" works correctly in HTTP/2.
   PR 61519, 62654.  [Joe Orton, Stefan Eissing]

*) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
   redirects, subsequent ProxyPassReverse statements, whether they are
   relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]

*) mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]