Posted to commits@apr.apache.org by wr...@apache.org on 2009/06/05 18:50:42 UTC
svn commit: r782061 - in /apr/site/trunk/dist: Announcement0.9.html Announcement0.9.txt Announcement1.3.html Announcement1.3.txt
Author: wrowe
Date: Fri Jun 5 16:50:42 2009
New Revision: 782061
URL: http://svn.apache.org/viewvc?rev=782061&view=rev
Log:
announcements
Modified:
apr/site/trunk/dist/Announcement0.9.html
apr/site/trunk/dist/Announcement0.9.txt
apr/site/trunk/dist/Announcement1.3.html
apr/site/trunk/dist/Announcement1.3.txt
Modified: apr/site/trunk/dist/Announcement0.9.html
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement0.9.html?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement0.9.html (original)
+++ apr/site/trunk/dist/Announcement0.9.html Fri Jun 5 16:50:42 2009
@@ -3,21 +3,22 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta name="author" content="APR" /><meta name="email" content="dev@apr.apache.org" />
- <title>Apache Portable Runtime 0.9.17 Released</title>
+ <title>Apache Portable Runtime 0.9.18 Released</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#525D76">
<p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
-<h1>Apache Portable Runtime 0.9.17 Released</h1>
+<h1>Apache Portable Runtime 0.9.18 and APR Utility 0.9.17 Released</h1>
<p>The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
- version 0.9.17 of the APR Apache Portable Runtime library.</p>
-
-<p>The corresponding version of the companion libraries APR-util
- version 0.9.15, the Apache Portable Utility library, and APR-iconv
- version 0.9.7, an alternative portable implementation of the 'iconv'
- library remain current.</p>
+ version 0.9.18 of the APR Apache Portable Runtime library, and
+ version 0.9.17 of the companion APR-util Apache Portable Utility
+ library.</p>
+
+<p>The corresponding version 0.9.7 of the companion APR-iconv library,
+ an alternative portable implementation of the 'iconv' library,
+ remains current.</p>
<p>APR is available for download from:</p>
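Review bot: The new <title> reads "Apache Portable Runtime 0.9.18 Released" while the new <h1> reads "Apache Portable Runtime 0.9.18 and APR Utility 0.9.17 Released", so the browser title and any search listing omit the APR-util release, which is the one the security paragraph later in this file refers to. Suggest making the <title> match the <h1>. The library is also spelled "APR Utility" in the heading and "APR-util" in the paragraph under it; pick one form.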
@@ -26,14 +27,36 @@
>http://apr.apache.org/download.cgi</a></dd>
</dl>
-<p>This version of APR is principally a bug fix release, and is
+<p>This version of APR is a security and bug fix release, and is
provided only for users requiring APR 0.9 compatibility. Most
developers are encouraged to adopt the latest APR 1.x version
to ensure the most comprehensive support and access to the latest
features and enhancements. For example, the Apache HTTP Server
Project's httpd 2.0 release uses APR 0.9 for binary compatibility,
- while later httpd 2.2 releases require APR 1.2 for better support
- and additional features.</p>
+ while later httpd 2.2 releases require APR 1.2 or later for better
+ support and additional features.</p>
+
+<p>The security fixes in the APR-util library release 0.9.17 must be
+ evaluated in the context of how APR-consuming applications use them
+ to determine if the application provides untrusted input to these
+ specific functions, to determine if they represent vulnerabilities
+ to the specific application. Refer questions to such APR-consuming
+ projects for further guidance. These fixes (which are similarly
+ corrected in the concurrent APR-util 1.3.7 release) include;</p>
+
+<ul>
+ <li>Fixed a denial of service attack against the apr_xml_* interface
+ using the "billion laughs" entity expansion technique.
+ [Joe Orton]
+ </li>
+ <li>CVE-2009-0023 (cve.mitre.org);
+ Fixed an underflow from the match pattern to apr_strmatch_precompile.
+ [Matthew Palmer <mpalmer debian.org>]
+ </li>
+ <li>Fixed an off by one overflow in apr_brigade_vprintf.
+ [C. Michael Pilato <cmpilato collab.net>]
+ </li>
+</ul>
<p>The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
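Review bot: The attributions "[Matthew Palmer <mpalmer debian.org>]" and "[C. Michael Pilato <cmpilato collab.net>]" in the added <li> items put raw angle brackets into HTML, so a browser will parse "<mpalmer debian.org>" as an unknown tag and the address will not appear on the rendered page. Write them with &lt; and &gt; here; the .txt version can keep them as they are. Minor: "include;" before the list should end with a colon.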
Modified: apr/site/trunk/dist/Announcement0.9.txt
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement0.9.txt?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement0.9.txt (original)
+++ apr/site/trunk/dist/Announcement0.9.txt Fri Jun 5 16:50:42 2009
@@ -1,26 +1,46 @@
- Apache Portable Runtime 0.9.17 Released
+ Apache Portable Runtime 0.9.18 and APR Utility 0.9.17 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
- version 0.9.17 of the APR Apache Portable Runtime library.
-
- The corresponding version of the companion libraries APR-util
- version 0.9.15, the Apache Portable Utility library, and APR-iconv
- version 0.9.7, an alternative portable implementation of the 'iconv'
- library remain current.
+ version 0.9.18 of the APR Apache Portable Runtime library, and
+ version 0.9.17 of the companion APR-util Apache Portable Utility
+ library.
+
+ The corresponding version 0.9.7 of the companion APR-iconv library,
+ an alternative portable implementation of the 'iconv' library,
+ remains current.
APR is available for download from:
http://apr.apache.org/download.cgi
- This version of APR is principally a bug fix release, and is
+ This version of APR is a security and bug fix release, and is
provided only for users requiring APR 0.9 compatibility. Most
developers are encouraged to adopt the latest APR 1.x version
to ensure the most comprehensive support and access to the latest
features and enhancements. For example, the Apache HTTP Server
Project's httpd 2.0 release uses APR 0.9 for binary compatibility,
- while later httpd 2.2 releases use APR 1.2 for better support
- and additional features.
+ while later httpd 2.2 releases require APR 1.2 or later for better
+ support and additional features.
+
+ The security fixes in the APR-util library release 0.9.17 must be
+ evaluated in the context of how APR-consuming applications use them
+ to determine if the application provides untrusted input to these
+ specific functions, to determine if they represent vulnerabilities
+ to the specific application. Refer questions to such APR-consuming
+ projects for further guidance. These fixes (which are similarly
+ corrected in the concurrent APR-util 1.3.7 release) include;
+
+ * Fixed a denial of service attack against the apr_xml_* interface
+ using the "billion laughs" entity expansion technique.
+ [Joe Orton]
+
+ * CVE-2009-0023 (cve.mitre.org);
+ Fixed an underflow from the match pattern to apr_strmatch_precompile.
+ [Matthew Palmer <mpalmer debian.org>]
+
+ * Fixed an off by one overflow in apr_brigade_vprintf.
+ [C. Michael Pilato <cmpilato collab.net>]
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
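Review bot: The added security paragraph stacks two "to determine" clauses in one sentence, and "use them" has no clear antecedent (the fixes or the affected functions), which makes the guidance hard for downstream projects to act on. Suggest something along the lines of: "Whether these issues are vulnerabilities in a given application depends on whether it passes untrusted input to the affected functions." Also, only the apr_strmatch_precompile item carries an identifier (CVE-2009-0023); if the apr_xml_* and apr_brigade_vprintf fixes have CVE ids, list them so packagers can track all three.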
Modified: apr/site/trunk/dist/Announcement1.3.html
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement1.3.html?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement1.3.html (original)
+++ apr/site/trunk/dist/Announcement1.3.html Fri Jun 5 16:50:42 2009
@@ -8,16 +8,17 @@
<body bgcolor="#ffffff" text="#000000" link="#525D76">
<p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
-<h1>Apache Portable Runtime 1.3.3 Released</h1>
+<h1>Apache Portable Runtime 1.3.5 and APR-Utility 1.3.7 Released</h1>
<p>The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
- version 1.3.3 of the APR Apache Portable Runtime library.</p>
-
-<p>The Project further announces the General Availability of APR-util
- version 1.3.4, the companion Apache Portable Utility library. The
- original APR-iconv version 1.2.1 release, an alternative portable
- implementation of the 'iconv' library, remains current.</p>
+ version 1.3.5 of the APR Apache Portable Runtime library, and
+ version 1.3.7 of the companion APR-util Apache Portable Utility
+ library.</p>
+
+<p>The corresponding version 1.2.1 of the companion APR-iconv library,
+ an alternative portable implementation of the 'iconv' library,
+ remains current.</p>
<p>APR is available for download from:</p>
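Review bot: The <h1> is bumped to 1.3.5 / 1.3.7, but no change to <title> appears anywhere in this file's diff (the first hunk starts at line 8), whereas Announcement0.9.html had its <title> updated together with the heading; please check that the 1.3 page's <title> does not still name the previous release. The heading here uses "APR-Utility" where the 0.9 page uses "APR Utility"; the two announcements should spell it the same way.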
@@ -26,12 +27,34 @@
>http://apr.apache.org/download.cgi</a></dd>
</dl>
-<p>This version of APR is principally a bug fix release, including
+<p>This version of APR is a security and bug fix release, including
fixes for specific platforms' configuration, feature detection,
and run time behavior. Most developers and users are encouraged
to adopt the latest APR 1.x version to ensure the most comprehensive
support and access to the latest features and enhancements.</p>
+<p>The security fixes in the APR-util library release 1.3.7 must be
+ evaluated in the context of how APR-consuming applications use them
+ to determine if the application provides untrusted input to these
+ specific functions, to determine if they represent vulnerabilities
+ to the specific application. Refer questions to such APR-consuming
+ projects for further guidance. These fixes (which are similarly
+ corrected in the concurrent APR-util 0.9.17 release) include;</p>
+
+<ul>
+ <li>Fixed a denial of service attack against the apr_xml_* interface
+ using the "billion laughs" entity expansion technique.
+ [Joe Orton]
+ </li>
+ <li>CVE-2009-0023 (cve.mitre.org);
+ Fixed an underflow from the match pattern to apr_strmatch_precompile.
+ [Matthew Palmer <mpalmer debian.org>]
+ </li>
+ <li>Fixed an off by one overflow in apr_brigade_vprintf.
+ [C. Michael Pilato <cmpilato collab.net>]
+ </li>
+</ul>
+
<p>The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
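Review bot: The added <li> items contain raw angle brackets in "<mpalmer debian.org>" and "<cmpilato collab.net>" (as they do in Announcement0.9.html), so the addresses will be swallowed as unknown tags when the page is rendered; use &lt; and &gt;. In this HTML version "(cve.mitre.org)" could also be an actual link to the CVE-2009-0023 entry rather than a bare hostname.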
Modified: apr/site/trunk/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement1.3.txt?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement1.3.txt (original)
+++ apr/site/trunk/dist/Announcement1.3.txt Fri Jun 5 16:50:42 2009
@@ -1,24 +1,44 @@
- Apache Portable Runtime 1.3.3 Released
+ Apache Portable Runtime 1.3.5 and APR-Utility 1.3.7 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
- version 1.3.3 of the APR Apache Portable Runtime library.
-
- The Project further announces the General Availability of APR-util
- version 1.3.4, the companion Apache Portable Utility library. The
- original APR-iconv version 1.2.1 release, an alternative portable
- implementation of the 'iconv' library, remains current.
+ version 1.3.5 of the APR Apache Portable Runtime library, and
+ version 1.3.7 of the companion APR-util Apache Portable Utility
+ library.
+
+ The corresponding version 1.2.1 of the companion APR-iconv library,
+ an alternative portable implementation of the 'iconv' library,
+ remains current.
APR is available for download from:
http://apr.apache.org/download.cgi
- This version of APR is principally a bug fix release, including
+ This version of APR is a security and bug fix release, including
fixes for specific platforms' configuration, feature detection,
- and run time behavior. Most developers and users are encouraged
+ and run time behavior. Most developers and users are encouraged
to adopt the latest APR 1.x version to ensure the most comprehensive
support and access to the latest features and enhancements.
+ The security fixes in the APR-util library release 1.3.7 must be
+ evaluated in the context of how APR-consuming applications use them
+ to determine if the application provides untrusted input to these
+ specific functions, to determine if they represent vulnerabilities
+ to the specific application. Refer questions to such APR-consuming
+ projects for further guidance. These fixes (which are similarly
+ corrected in the concurrent APR-util 0.9.17 release) include;
+
+ * Fixed a denial of service attack against the apr_xml_* interface
+ using the "billion laughs" entity expansion technique.
+ [Joe Orton]
+
+ * CVE-2009-0023 (cve.mitre.org);
+ Fixed an underflow from the match pattern to apr_strmatch_precompile.
+ [Matthew Palmer <mpalmer debian.org>]
+
+ * Fixed an off by one overflow in apr_brigade_vprintf.
+ [C. Michael Pilato <cmpilato collab.net>]
+
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
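Review bot: The opening sentence now calls "This version of APR" a security and bug fix release, but every security fix listed in the added paragraph is attributed to "the APR-util library release 1.3.7", so a reader cannot tell whether APR 1.3.5 itself contains any security fix. Suggest saying explicitly that the security fixes are in APR-util 1.3.7, and stating whether APR 1.3.5 has any. Separately, the changed line "and run time behavior. Most developers and users are encouraged" appears to differ only in whitespace; drop it from the commit if that is the case.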