Posted to dev@apr.apache.org by William A Rowe Jr <wr...@apache.org> on 2017/10/23 18:32:45 UTC
Re: svn commit: r22638 - in /release/apr: Announcement1.x.html Announcement1.x.txt
APR team,
I tried to be considerably less wordy, and drop previously
communicated details which are unlikely to affect a typical admin who
is simply updating these components. Developer/users were given the
big changes in the first apr-1.6 announcement.
Further edits to the staging/draft copies in
https://dist.apache.org/repos/dist/dev/apr/ are welcome. TIA!
I've also started two JIRAs... one for help updating our site from xml
to mdtext and the ASF CMS. The second for help mass-updating the
Release Service table of apr releases from n.n.n format to apr-n.n.n
(and then mass include apr-util-n.n.n and apr-iconv-n.n.n) entries.
On Mon, Oct 23, 2017 at 12:35 PM, <wr...@apache.org> wrote:
> Author: wrowe
> Date: Mon Oct 23 17:35:57 2017
> New Revision: 22638
>
> Log:
> Update .html to 1.6 current, .txt to latest release
>
> Modified:
> release/apr/Announcement1.x.html
> release/apr/Announcement1.x.txt
>
> Modified: release/apr/Announcement1.x.html
> ==============================================================================
> --- release/apr/Announcement1.x.html (original)
> +++ release/apr/Announcement1.x.html Mon Oct 23 17:35:57 2017
> @@ -9,53 +9,92 @@
> <p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
>
> <h1>
> - Apache Portable Runtime library 1.5.2 Released
> + Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2
> + Released
> </h1>
>
> <p>
> The Apache Software Foundation and the Apache Portable Runtime
> Project are proud to announce the General Availability of version
> - 1.5.2 of the Apache Portable Runtime library.
> + 1.6.3 of the Apache Portable Runtime library (APR), as well as
> + version 1.6.1 of the APR Utility library (APR-util) and version
> + 1.2.2 of the APR iconv library (APR-iconv).
> </p>
>
> <p>
> - APR 1.5.2 resolves an important issue on the Windows platform
> - that can result in vulnerabilities in APR applications which use
> - APR pipes; this issue is tracked by CVE-2015-1829.
> + APR 1.6.1 release addresses one security vulnerability;
> </p>
> +<ul>
> + <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> + <br />
> + APR-util 1.6.0 and prior failed to validate the integrity of SDBM
> + database files used by apr_sdbm*() functions, resulting in a
> + possible out of bound read access. A local user with write access
> + to the database can make a program or process using these functions
> + crash, and cause a denial of service.
> + </li>
> +</ul>
>
> <p>
> - APR 1.5.2 fixes a number of additional run-time and build-time bugs
> - affecting multiple platforms. See CHANGES-APR-1.5 for more
> - information.
> + APR-util 1.6.3 release addresses one security vulnerability;
> </p>
>
> -<p>
> - Version 1.5.4 of the Apache Portable Runtime Utility library remains
> - current.
> -</p>
> +<ul>
> + <li>CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
> + <br />
> + When apr_exp_time*() or apr_os_exp_time*() functions are invoked
> + with an invalid month field value in APR 1.6.2 and prior, out of
> + bounds memory may be accessed in converting this value to an
> + apr_time_exp_t value, potentially revealing the contents of a
> + different static heap value or resulting in program termination,
> + and may represent an information disclosure or denial of service
> + vulnerability to applications which call these APR functions with
> + unvalidated external input.
> + </li>
> +</ul>
>
> <p>
> - Version 1.2.1 of the companion APR-iconv library, an alternative
> - portable implementation of the 'iconv' library, remains current.
> + There are a number of specific changes in how APR is deployed
> + and how APR-util deals with external dependencies in their 1.6
> + releases, which may be disruptive to existing build strategies:
> </p>
>
> +<ul>
> + <li>Expat sources are no longer bundled, this is now an external
> + dependency. Install libexpat runtime (usually installed by
> + default) and development packages using your system's package
> + manager, or from <a href="https://libexpat.github.io/"
> + >https://libexpat.github.io/</a>.<br />
> + </li>
> + <li>MySQL support is updated as advised by the MySQL developers.
> + MySQL versions older than 5.5 should not be used. If you do
> + use an old MySQL version, use the thread-safe libmysqlclient_r
> + version of the library.<br />
> + </li>
> + <li>FreeTDS partial and incomplete support has been dropped.
> + Users of MSSQL and SYBASE databases are recommended to use
> + the ODBC driver instead.
> + </li>
> +</ul>
> <p>
> - As announced previously, the 0.9.x branches of Apache Portable Runtime
> - library, Apache Portable Runtime Utility library, and the companion
> - APR-iconv library have been retired. No further bug or security
> - fixes will be available for these branches.
> + APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
> + a number of run-time and build-time issues; For details, see;
> </p>
> -
> +<dl>
> + <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-1.6"
> + >http://www.apache.org/dist/apr/CHANGES-APR-1.6</a></dd>
> + <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6"
> + >http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6</a></dd>
> + <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2"
> + >http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2</a></dd>
> +</dl>
> <p>
> APR is available for download from:
> </p>
> -
> <dl>
> <dd><a href="http://apr.apache.org/download.cgi"
> >http://apr.apache.org/download.cgi</a></dd>
> </dl>
> -
> <p>
> The mission of the Apache Portable Runtime Project is to create
> and maintain software libraries that provide a predictable and
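Review bot: the version labels introducing the two CVEs are swapped relative to their own descriptions. The line `APR 1.6.1 release addresses one security vulnerability;` introduces CVE-2017-12618, whose body says `APR-util 1.6.0 and prior failed to validate the integrity of SDBM`, so that label should be `APR-util 1.6.1`; the line `APR-util 1.6.3 release addresses one security vulnerability;` introduces CVE-2017-12613 in apr_time_exp*(), whose body says "APR 1.6.2 and prior", so that label should be `APR 1.6.3`. As written, neither "APR 1.6.1" nor "APR-util 1.6.3" matches the versions announced in the new h1. Two smaller points in the same hunk: the CVE-2017-12613 body names the functions apr_exp_time*() while its li heading says apr_time_exp*(), so one spelling should be used throughout; and the trailing semicolons after "vulnerability;", "CVE-2017-12618;", "CVE-2017-12613;" and "For details, see;" read as colons.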
> @@ -63,76 +102,11 @@
> implementations. The primary goal is to provide an API to
> which software developers may code and be assured of predictable
> if not identical behavior regardless of the platform on which
> - their software is built, relieving them of the need to code
> - special-case conditions to work around or take advantage of
> - platform-specific deficiencies or features.
> -</p>
> -
> -<p>
> - APR and its companion libraries are implemented entirely in C
> - and provide a common programming interface across a wide variety
> - of operating system platforms without sacrificing performance.
> - Currently supported platforms include:
> -</p>
> -
> -<ul>
> - <li>UNIX variants
> - <li>Windows
> - <li>Netware
> - <li>Mac OS X
> - <li>OS/2
> -</ul>
> -
> -<p>
> - To give a brief overview, the primary core
> - subsystems of APR 1.x include the following:
> -</p>
> -
> -<ul>
> - <li>Atomic operations
> - <li>Dynamic Shared Object loading
> - <li>File I/O
> - <li>Locks (mutexes, condition variables, etc)
> - <li>Memory management (high performance allocators)
> - <li>Memory-mapped files
> - <li>Multicast Sockets
> - <li>Network I/O
> - <li>Shared memory
> - <li>Thread and Process management
> - <li>Various data structures (tables, hashes, priority queues, etc)
> -</ul>
> -
> -<p>For a more complete list, please refer to the following URLs:</p>
> -
> -<dl>
> - <dd><a href="http://apr.apache.org/docs/apr/modules.html"
> - >http://apr.apache.org/docs/apr/modules.html</a></dd>
> - <dd><a href="http://apr.apache.org/docs/apr-util/modules.html"
> - >http://apr.apache.org/docs/apr-util/modules.html</a></dd>
> -</dl>
> -
> -<p>
> - Users of APR 0.9 should be aware that migrating to the APR 1.x
> - programming interfaces may require some adjustments; APR 1.x is
> - neither source nor binary compatible with earlier APR 0.9 releases.
> - Users of APR 1.x can expect consistent interfaces and binary backwards
> - compatibility throughout the entire APR 1.x release cycle, as defined
> - in our versioning rules:
> -</p>
> -
> -<dl>
> - <dd><a href="http://apr.apache.org/versioning.html"
> - >http://apr.apache.org/versioning.html</a></dd>
> -</dl>
> -
> -<p>
> - APR is already used extensively by the Apache HTTP Server
> - version 2 and the Subversion revision control system, to
> - name but a few. We list all known projects using APR at
> - http://apr.apache.org/projects.html -- so please let us know
> + their software is built. We list all known projects using APR
> + at http://apr.apache.org/projects.html - so please let us know
> if you find our libraries useful in your own projects!
> -</p>
>
> +</p>
> </body>
> </html>
>
>
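Review bot: the closing tag of the last paragraph is removed and re-added on the other side of the blank line (`-</p>` before the empty context line, `+</p>` after it), which leaves an empty line inside the paragraph and adds a noise-only change to the diff; keep `</p>` directly after "if you find our libraries useful in your own projects!" as it was.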
> Modified: release/apr/Announcement1.x.txt
> ==============================================================================
> --- release/apr/Announcement1.x.txt (original)
> +++ release/apr/Announcement1.x.txt Mon Oct 23 17:35:57 2017
> @@ -1,29 +1,61 @@
> - Apache Portable Runtime library 1.5.2 Released
> + Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2
> + Released
>
> The Apache Software Foundation and the Apache Portable Runtime
> Project are proud to announce the General Availability of version
> - 1.5.2 of the Apache Portable Runtime library.
> + 1.6.3 of the Apache Portable Runtime library (APR), as well as
> + version 1.6.1 of the APR Utility library (APR-util) and version
> + 1.2.2 of the APR iconv library (APR-iconv).
> +
> + APR 1.6.1 release addresses one security vulnerability;
> +
> + CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> +
> + APR-util 1.6.0 and prior failed to validate the integrity of SDBM
> + database files used by apr_sdbm*() functions, resulting in a
> + possible out of bound read access. A local user with write access
> + to the database can make a program or process using these functions
> + crash, and cause a denial of service.
> +
> + APR-util 1.6.3 release addresses one security vulnerability;
> +
> + CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
> +
> + When apr_exp_time*() or apr_os_exp_time*() functions are invoked
> + with an invalid month field value in APR 1.6.2 and prior, out of
> + bounds memory may be accessed in converting this value to an
> + apr_time_exp_t value, potentially revealing the contents of a
> + different static heap value or resulting in program termination,
> + and may represent an information disclosure or denial of service
> + vulnerability to applications which call these APR functions with
> + unvalidated external input.
> +
> + There are a number of specific changes in how APR is deployed
> + and how APR-util deals with external dependencies in their 1.6
> + releases, which may be disruptive to existing build strategies:
> +
> + - Expat sources are no longer bundled, this is now an external
> + dependency. Install libexpat runtime (usually installed by
> + default) and development packages using your system's package
> + manager, or from <https://libexpat.github.io/>.
> +
> + - MySQL support is updated as advised by the MySQL developers.
> + MySQL versions older than 5.5 should not be used. If you do
> + use an old MySQL version, use the thread-safe libmysqlclient_r
> + version of the library.
> +
> + - FreeTDS partial and incomplete support has been dropped.
> + Users of MSSQL and SYBASE databases are recommended to use
> + the ODBC driver instead.
> +
> + APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
> + a number of run-time and build-time issues; For details, see;
> +
> + http://www.apache.org/dist/apr/CHANGES-APR-1.6
> + http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6
> + http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2
>
> - APR 1.5.2 resolves an important issue on the Windows platform
> - that can result in vulnerabilities in APR applications which use
> - APR pipes; this issue is tracked by CVE-2015-1829.
> -
> - APR 1.5.2 fixes a number of additional run-time and build-time bugs
> - affecting multiple platforms. See CHANGES-APR-1.5 for more
> - information.
> -
> - Version 1.5.4 of the Apache Portable Runtime Utility library remains
> - current.
> -
> - Version 1.2.1 of the companion APR-iconv library, an alternative
> - portable implementation of the 'iconv' library, remains current.
> -
> - As announced previously, the 0.9.x branches of Apache Portable Runtime
> - library, Apache Portable Runtime Utility library, and the companion
> - APR-iconv library have been retired. No further bug or security
> - fixes will be available for these branches.
> -
> - APR is available for download from:
> + APR, APR-util and APR-iconv are available for download from:
>
> http://apr.apache.org/download.cgi
>
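Review bot: the same swapped version labels as in the .html file appear here. `APR 1.6.1 release addresses one security vulnerability;` precedes CVE-2017-12618, which the following paragraph attributes to "APR-util 1.6.0 and prior", and `APR-util 1.6.3 release addresses one security vulnerability;` precedes CVE-2017-12613, attributed to "APR 1.6.2 and prior"; swap them to "APR-util 1.6.1" and "APR 1.6.3" so they also agree with the title line. The download sentence is changed here to `APR, APR-util and APR-iconv are available for download from:` while the .html counterpart in this same commit still reads "APR is available for download from:"; the two announcements should carry the same wording.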
> @@ -33,53 +65,7 @@
> implementations. The primary goal is to provide an API to
> which software developers may code and be assured of predictable
> if not identical behavior regardless of the platform on which
> - their software is built, relieving them of the need to code
> - special-case conditions to work around or take advantage of
> - platform-specific deficiencies or features.
> -
> - APR and its companion libraries are implemented entirely in C
> - and provide a common programming interface across a wide variety
> - of operating system platforms without sacrificing performance.
> - Currently supported platforms include:
> -
> - UNIX variants
> - Windows
> - Netware
> - Mac OS X
> - OS/2
> -
> - To give a brief overview, the primary core
> - subsystems of APR 1.x include the following:
> -
> - Atomic operations
> - Dynamic Shared Object loading
> - File I/O
> - Locks (mutexes, condition variables, etc)
> - Memory management (high performance allocators)
> - Memory-mapped files
> - Multicast Sockets
> - Network I/O
> - Shared memory
> - Thread and Process management
> - Various data structures (tables, hashes, priority queues, etc)
> -
> - For a more complete list, please refer to the following URLs:
> -
> - http://apr.apache.org/docs/apr/modules.html
> - http://apr.apache.org/docs/apr-util/modules.html
> -
> - Users of APR 0.9 should be aware that migrating to the APR 1.x
> - programming interfaces may require some adjustments; APR 1.x is
> - neither source nor binary compatible with earlier APR 0.9 releases.
> - Users of APR 1.x can expect consistent interfaces and binary backwards
> - compatibility throughout the entire APR 1.x release cycle, as defined
> - in our versioning rules:
> -
> - http://apr.apache.org/versioning.html
> -
> - APR is already used extensively by the Apache HTTP Server
> - version 2 and the Subversion revision control system, to
> - name but a few. We list all known projects using APR at
> - http://apr.apache.org/projects.html -- so please let us know
> + their software is built. We list all known projects using APR
> + at http://apr.apache.org/projects.html - so please let us know
> if you find our libraries useful in your own projects!
>
>
>