Posted to commits@apr.apache.org by wr...@apache.org on 2017/10/23 17:29:54 UTC
svn commit: r22637 - in /dev/apr: Announcement1.x.html Announcement1.x.txt
Author: wrowe
Date: Mon Oct 23 17:29:54 2017
New Revision: 22637
Log:
Resync Ann.html to Ann.txt contents; this was apparently forgotten after
the .txt edit-review cycle.
Update to this week's announcements.
Modified:
dev/apr/Announcement1.x.html
dev/apr/Announcement1.x.txt
Modified: dev/apr/Announcement1.x.html
==============================================================================
--- dev/apr/Announcement1.x.html (original)
+++ dev/apr/Announcement1.x.html Mon Oct 23 17:29:54 2017
@@ -9,53 +9,92 @@
<p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
<h1>
- Apache Portable Runtime library 1.5.2 Released
+ Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2
+ Released
</h1>
<p>
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
- 1.5.2 of the Apache Portable Runtime library.
+ 1.6.3 of the Apache Portable Runtime library (APR), as well as
+ version 1.6.1 of the APR Utility library (APR-util) and version
+ 1.2.2 of the APR iconv library (APR-iconv).
</p>
<p>
- APR 1.5.2 resolves an important issue on the Windows platform
- that can result in vulnerabilities in APR applications which use
- APR pipes; this issue is tracked by CVE-2015-1829.
+ APR 1.6.1 release addresses one security vulnerability;
</p>
+<ul>
+ <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
+ <br />
+ APR-util 1.6.0 and prior failed to validate the integrity of SDBM
+ database files used by apr_sdbm*() functions, resulting in a
+ possible out of bound read access. A local user with write access
+ to the database can make a program or process using these functions
+ crash, and cause a denial of service.
+ </li>
+</ul>
<p>
- APR 1.5.2 fixes a number of additional run-time and build-time bugs
- affecting multiple platforms. See CHANGES-APR-1.5 for more
- information.
+ APR-util 1.6.3 release addresses one security vulnerability;
</p>
-<p>
- Version 1.5.4 of the Apache Portable Runtime Utility library remains
- current.
-</p>
+<ul>
+ <li>CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
+ <br />
+ When apr_exp_time*() or apr_os_exp_time*() functions are invoked
+ with an invalid month field value in APR 1.6.2 and prior, out of
+ bounds memory may be accessed in converting this value to an
+ apr_time_exp_t value, potentially revealing the contents of a
+ different static heap value or resulting in program termination,
+ and may represent an information disclosure or denial of service
+ vulnerability to applications which call these APR functions with
+ unvalidated external input.
+ </li>
+</ul>
<p>
- Version 1.2.1 of the companion APR-iconv library, an alternative
- portable implementation of the 'iconv' library, remains current.
+ There are a number of specific changes in how APR is deployed
+ and how APR-util deals with external dependencies in their 1.6
+ releases, which may be disruptive to existing build strategies:
</p>
+<ul>
+ <li>Expat sources are no longer bundled, this is now an external
+ dependency. Install libexpat runtime (usually installed by
+ default) and development packages using your system's package
+ manager, or from <a href="https://libexpat.github.io/"
+ >https://libexpat.github.io/</a>.<br />
+ </li>
+ <li>MySQL support is updated as advised by the MySQL developers.
+ MySQL versions older than 5.5 should not be used. If you do
+ use an old MySQL version, use the thread-safe libmysqlclient_r
+ version of the library.<br />
+ </li>
+ <li>FreeTDS partial and incomplete support has been dropped.
+ Users of MSSQL and SYBASE databases are recommended to use
+ the ODBC driver instead.
+ </li>
+</ul>
<p>
- As announced previously, the 0.9.x branches of Apache Portable Runtime
- library, Apache Portable Runtime Utility library, and the companion
- APR-iconv library have been retired. No further bug or security
- fixes will be available for these branches.
+ APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
+ a number of run-time and build-time issues; For details, see;
</p>
-
+<dl>
+ <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-1.6"
+ >http://www.apache.org/dist/apr/CHANGES-APR-1.6</a></dd>
+ <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6"
+ >http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6</a></dd>
+ <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2"
+ >http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2</a></dd>
+</dl>
<p>
APR is available for download from:
</p>
-
<dl>
<dd><a href="http://apr.apache.org/download.cgi"
>http://apr.apache.org/download.cgi</a></dd>
</dl>
-
<p>
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
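Review bot: the two vulnerability headings have their library names and versions swapped. `APR 1.6.1 release addresses one security vulnerability;` introduces CVE-2017-12618, whose own text says `APR-util 1.6.0 and prior failed to validate the integrity of SDBM` and names the apr_sdbm*() functions, while `APR-util 1.6.3 release addresses one security vulnerability;` introduces CVE-2017-12613, whose text concerns APR 1.6.2 and prior and the apr_time_exp*() functions; given the versions announced in the new h1 (APR 1.6.3, APR-util 1.6.1), these lines should read "APR-util 1.6.1 release addresses ..." and "APR 1.6.3 release addresses ...". In the same item the title says apr_time_exp*() but the body says apr_exp_time*() and apr_os_exp_time*(); the type it converts to is apr_time_exp_t, so the title form looks right and the body should match. Two smaller points: "For details, see;" should end with a colon, and the download sentence here still reads "APR is available for download from:" while the .txt file in this same commit was changed to "APR, APR-util and APR-iconv are available for download from:", which leaves the two files out of sync despite the commit's stated purpose.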
@@ -63,76 +102,11 @@
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
- their software is built, relieving them of the need to code
- special-case conditions to work around or take advantage of
- platform-specific deficiencies or features.
-</p>
-
-<p>
- APR and its companion libraries are implemented entirely in C
- and provide a common programming interface across a wide variety
- of operating system platforms without sacrificing performance.
- Currently supported platforms include:
-</p>
-
-<ul>
- <li>UNIX variants
- <li>Windows
- <li>Netware
- <li>Mac OS X
- <li>OS/2
-</ul>
-
-<p>
- To give a brief overview, the primary core
- subsystems of APR 1.x include the following:
-</p>
-
-<ul>
- <li>Atomic operations
- <li>Dynamic Shared Object loading
- <li>File I/O
- <li>Locks (mutexes, condition variables, etc)
- <li>Memory management (high performance allocators)
- <li>Memory-mapped files
- <li>Multicast Sockets
- <li>Network I/O
- <li>Shared memory
- <li>Thread and Process management
- <li>Various data structures (tables, hashes, priority queues, etc)
-</ul>
-
-<p>For a more complete list, please refer to the following URLs:</p>
-
-<dl>
- <dd><a href="http://apr.apache.org/docs/apr/modules.html"
- >http://apr.apache.org/docs/apr/modules.html</a></dd>
- <dd><a href="http://apr.apache.org/docs/apr-util/modules.html"
- >http://apr.apache.org/docs/apr-util/modules.html</a></dd>
-</dl>
-
-<p>
- Users of APR 0.9 should be aware that migrating to the APR 1.x
- programming interfaces may require some adjustments; APR 1.x is
- neither source nor binary compatible with earlier APR 0.9 releases.
- Users of APR 1.x can expect consistent interfaces and binary backwards
- compatibility throughout the entire APR 1.x release cycle, as defined
- in our versioning rules:
-</p>
-
-<dl>
- <dd><a href="http://apr.apache.org/versioning.html"
- >http://apr.apache.org/versioning.html</a></dd>
-</dl>
-
-<p>
- APR is already used extensively by the Apache HTTP Server
- version 2 and the Subversion revision control system, to
- name but a few. We list all known projects using APR at
- http://apr.apache.org/projects.html -- so please let us know
+ their software is built. We list all known projects using APR
+ at http://apr.apache.org/projects.html - so please let us know
if you find our libraries useful in your own projects!
-</p>
+</p>
</body>
</html>
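Review bot: this hunk drops the paragraph stating that APR 1.x is neither source nor binary compatible with 0.9 and that 1.x users can expect binary backwards compatibility throughout the release cycle, together with its link to http://apr.apache.org/versioning.html. The 0.9 migration note may be stale, but the binary-compatibility statement is what tells a reader that moving from 1.6.2 to 1.6.3 is a drop-in upgrade; consider keeping that sentence and the versioning link. The final `-</p>` / `+</p>` pair is a whitespace-only change that can be left out of the diff.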
Modified: dev/apr/Announcement1.x.txt
==============================================================================
--- dev/apr/Announcement1.x.txt (original)
+++ dev/apr/Announcement1.x.txt Mon Oct 23 17:29:54 2017
@@ -1,54 +1,61 @@
- Apache Portable Runtime and Utilities 1.6 released
+ Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2
+ Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
- 1.6.2 of the Apache Portable Runtime library, and version 1.6.0
- of the Apache Portable Runtime Utility library
+ 1.6.3 of the Apache Portable Runtime library (APR), as well as
+ version 1.6.1 of the APR Utility library (APR-util) and version
+ 1.2.2 of the APR iconv library (APR-iconv).
+
+ APR 1.6.1 release addresses one security vulnerability;
+
+ CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
+
+ APR-util 1.6.0 and prior failed to validate the integrity of SDBM
+ database files used by apr_sdbm*() functions, resulting in a
+ possible out of bound read access. A local user with write access
+ to the database can make a program or process using these functions
+ crash, and cause a denial of service.
+
+ APR-util 1.6.3 release addresses one security vulnerability;
+
+ CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
+
+ When apr_exp_time*() or apr_os_exp_time*() functions are invoked
+ with an invalid month field value in APR 1.6.2 and prior, out of
+ bounds memory may be accessed in converting this value to an
+ apr_time_exp_t value, potentially revealing the contents of a
+ different static heap value or resulting in program termination,
+ and may represent an information disclosure or denial of service
+ vulnerability to applications which call these APR functions with
+ unvalidated external input.
+
+ There are a number of specific changes in how APR is deployed
+ and how APR-util deals with external dependencies in their 1.6
+ releases, which may be disruptive to existing build strategies:
+
+ - Expat sources are no longer bundled, this is now an external
+ dependency. Install libexpat runtime (usually installed by
+ default) and development packages using your system's package
+ manager, or from <https://libexpat.github.io/>.
+
+ - MySQL support is updated as advised by the MySQL developers.
+ MySQL versions older than 5.5 should not be used. If you do
+ use an old MySQL version, use the thread-safe libmysqlclient_r
+ version of the library.
- APR 1.6.2 and APR-util 1.6.0 fix a number of additional run-time
- and build-time bugs affecting multiple platforms, and introduce
- several new features. See CHANGES-APR-1.6 and CHANGES-APR-UTIL 1.6
- for more information.
-
- Version 1.2.1 of the companion APR-iconv library, an alternative
- portable implementation of the 'iconv' library, remains current.
-
- Most notably there are a number of changes in how APR is deployed
- and how APR-util deals with external dependencies, which may be
- disruptive to existing build strategies:
-
- - Build files find_apr.m4, find_apu.m4 and apr_common.m4 are now
- exported for the benefit of packagers.
-
- - XML:
-
- Expat sources are no longer bundled, this is now an external
- dependency. You must install expat on your system to build
- or deploy APR-UTIL (expat is installed as standard on most
- systems). Deploy expat (2.x recommended) development and
- runtime packages using your system's package management schema
- or obtain and build expat 2.2 (or more recent) source from
- https://libexpat.github.io/ - note that 2.2 addressed some
- security vulnerabilities of earlier libexpat project releases.
-
- - CRYPTO:
-
- OpenSSL support is updated to support OpenSSL version 1.1.
-
- Apple's CommonCrypto is supported for Mac and IOS platforms.
-
- - DATABASE:
-
- MySQL support has been updated as advised by the MySQL developers.
- MySQL versions older than 5.5 should not be used. Or if you
- do use an old MySQL version, you will need to hack the build
- to use the thread-safe libmysqlclient_r version of the library.
-
- FreeTDS partial and incomplete support has been dropped.
+ - FreeTDS partial and incomplete support has been dropped.
Users of MSSQL and SYBASE databases are recommended to use
the ODBC driver instead.
- APR is available for download from:
+ APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
+ a number of run-time and build-time issues; For details, see;
+
+ http://www.apache.org/dist/apr/CHANGES-APR-1.6
+ http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6
+ http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2
+
+ APR, APR-util and APR-iconv are available for download from:
http://apr.apache.org/download.cgi
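Review bot: the rewritten Expat item loses the version guidance that the removed text carried. The old wording recommended "expat (2.x recommended)" and "expat 2.2 (or more recent) source from https://libexpat.github.io/ - note that 2.2 addressed some security vulnerabilities of earlier libexpat project releases"; the new item only says to install the libexpat runtime and development packages. Since Expat is now an unbundled dependency whose version APR-util no longer controls, keep at least a minimum recommended version so packagers do not build against an older libexpat with known issues. The same swapped "APR 1.6.1" / "APR-util 1.6.3" labels noted for the .html file are present here too and should be corrected in both files together.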
@@ -58,53 +65,7 @@
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
- their software is built, relieving them of the need to code
- special-case conditions to work around or take advantage of
- platform-specific deficiencies or features.
-
- APR and its companion libraries are implemented entirely in C
- and provide a common programming interface across a wide variety
- of operating system platforms without sacrificing performance.
- Currently supported platforms include:
-
- UNIX variants
- Windows
- Netware
- Mac OS X
- OS/2
-
- To give a brief overview, the primary core
- subsystems of APR 1.x include the following:
-
- Atomic operations
- Dynamic Shared Object loading
- File I/O
- Locks (mutexes, condition variables, etc)
- Memory management (high performance allocators)
- Memory-mapped files
- Multicast Sockets
- Network I/O
- Shared memory
- Thread and Process management
- Various data structures (tables, hashes, priority queues, etc)
-
- For a more complete list, please refer to the following URLs:
-
- http://apr.apache.org/docs/apr/modules.html
- http://apr.apache.org/docs/apr-util/modules.html
-
- Users of APR 0.9 should be aware that migrating to the APR 1.x
- programming interfaces may require some adjustments; APR 1.x is
- neither source nor binary compatible with earlier APR 0.9 releases.
- Users of APR 1.x can expect consistent interfaces and binary backwards
- compatibility throughout the entire APR 1.x release cycle, as defined
- in our versioning rules:
-
- http://apr.apache.org/versioning.html
-
- APR is already used extensively by the Apache HTTP Server
- version 2 and the Subversion revision control system, to
- name but a few. We list all known projects using APR at
- http://apr.apache.org/projects.html -- so please let us know
+ their software is built. We list all known projects using APR
+ at http://apr.apache.org/projects.html - so please let us know
if you find our libraries useful in your own projects!
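Review bot: as in the .html hunk, the versioning-rules paragraph and http://apr.apache.org/versioning.html are removed here, so the announcement no longer tells readers that 1.x releases stay binary backwards compatible; if the 0.9 migration wording is considered stale, retain that one sentence and the link rather than the whole block. Keeping this hunk identical in shape to the .html one is otherwise right, since the commit exists to bring the two files back into sync.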