Posted to commits@apr.apache.org by wr...@apache.org on 2009/06/05 18:50:42 UTC

svn commit: r782061 - in /apr/site/trunk/dist: Announcement0.9.html Announcement0.9.txt Announcement1.3.html Announcement1.3.txt

Author: wrowe
Date: Fri Jun  5 16:50:42 2009
New Revision: 782061

URL: http://svn.apache.org/viewvc?rev=782061&view=rev
Log:
announcements

Modified:
    apr/site/trunk/dist/Announcement0.9.html
    apr/site/trunk/dist/Announcement0.9.txt
    apr/site/trunk/dist/Announcement1.3.html
    apr/site/trunk/dist/Announcement1.3.txt

Modified: apr/site/trunk/dist/Announcement0.9.html
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement0.9.html?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement0.9.html (original)
+++ apr/site/trunk/dist/Announcement0.9.html Fri Jun  5 16:50:42 2009
@@ -3,21 +3,22 @@
  <head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
        <meta name="author" content="APR" /><meta name="email" content="dev@apr.apache.org" />
-    <title>Apache Portable Runtime 0.9.17 Released</title>
+    <title>Apache Portable Runtime 0.9.18 Released</title>
  </head>
  <body bgcolor="#ffffff" text="#000000" link="#525D76">
 <p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
 
-<h1>Apache Portable Runtime 0.9.17 Released</h1>
+<h1>Apache Portable Runtime 0.9.18 and APR Utility 0.9.17 Released</h1>
 
 <p>The Apache Software Foundation and the Apache Portable Runtime
    Project are proud to announce the General Availability of
-   version 0.9.17 of the APR Apache Portable Runtime library.</p>
-
-<p>The corresponding version of the companion libraries APR-util
-   version 0.9.15, the Apache Portable Utility library, and APR-iconv
-   version 0.9.7, an alternative portable implementation of the 'iconv'
-   library remain current.</p>
+   version 0.9.18 of the APR Apache Portable Runtime library, and
+   version 0.9.17 of the companion APR-util Apache Portable Utility
+   library.</p>
+
+<p>The corresponding version 0.9.7 of the companion APR-iconv library,
+   an alternative portable implementation of the 'iconv' library,
+   remains current.</p>
 
 <p>APR is available for download from:</p>
 
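Review bot: the `<title>` and the `<h1>` now disagree: the title reads "Apache Portable Runtime 0.9.18 Released" while the heading reads "Apache Portable Runtime 0.9.18 and APR Utility 0.9.17 Released". Since the APR-util security fixes are the reason this is a combined announcement, the title should carry the same text as the heading so that bookmarks, browser tabs and search snippets name both releases.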
@@ -26,14 +27,36 @@
     >http://apr.apache.org/download.cgi</a></dd>
 </dl>
 
-<p>This version of APR is principally a bug fix release, and is
+<p>This version of APR is a security and bug fix release, and is
    provided only for users requiring APR 0.9 compatibility.  Most
    developers are encouraged to adopt the latest APR 1.x version
    to ensure the most comprehensive support and access to the latest
    features and enhancements.  For example, the Apache HTTP Server
    Project's httpd 2.0 release uses APR 0.9 for binary compatibility,
-   while later httpd 2.2 releases require APR 1.2 for better support
-   and additional features.</p>
+   while later httpd 2.2 releases require APR 1.2 or later for better
+   support and additional features.</p>
+
+<p>The security fixes in the APR-util library release 0.9.17 must be
+   evaluated  in the context of how APR-consuming applications use them
+   to determine if the application provides untrusted input to these
+   specific functions, to determine if they represent vulnerabilities
+   to the specific application.  Refer questions to such APR-consuming
+   projects for further guidance.  These fixes (which are similarly
+   corrected in the concurrent APR-util 1.3.7 release) include;</p>
+
+<ul>
+  <li>Fixed a denial of service attack against the apr_xml_* interface
+      using the "billion laughs" entity expansion technique.
+      [Joe Orton]
+  </li>
+  <li>CVE-2009-0023 (cve.mitre.org);
+      Fixed an underflow from the match pattern to apr_strmatch_precompile.
+      [Matthew Palmer <mpalmer debian.org>]
+  </li>
+  <li>Fixed an off by one overflow in apr_brigade_vprintf.
+      [C. Michael Pilato <cmpilato collab.net>]
+  </li>
+</ul>
 
 <p>The mission of the Apache Portable Runtime Project is to create
    and maintain software libraries that provide a predictable and
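Review bot: the sentence ending "include;" introduces the list and should end with a colon, and "evaluated  in" has a doubled space; the same sentence also says "to determine if" twice, which reads as a duplicated clause. Suggested wording: "...in the context of how APR-consuming applications use them, to determine whether the application passes untrusted input to these specific functions and therefore whether they represent vulnerabilities to that application." Separately, only the apr_strmatch_precompile item carries a CVE identifier; if identifiers have been assigned for the apr_xml_* entity-expansion and apr_brigade_vprintf fixes, they belong in the list so downstream packagers can track them.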

Modified: apr/site/trunk/dist/Announcement0.9.txt
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement0.9.txt?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement0.9.txt (original)
+++ apr/site/trunk/dist/Announcement0.9.txt Fri Jun  5 16:50:42 2009
@@ -1,26 +1,46 @@
-   Apache Portable Runtime 0.9.17 Released
+   Apache Portable Runtime 0.9.18 and APR Utility 0.9.17 Released
 
    The Apache Software Foundation and the Apache Portable Runtime
    Project are proud to announce the General Availability of
-   version 0.9.17 of the APR Apache Portable Runtime library.
-
-   The corresponding version of the companion libraries APR-util
-   version 0.9.15, the Apache Portable Utility library, and APR-iconv
-   version 0.9.7, an alternative portable implementation of the 'iconv'
-   library remain current.
+   version 0.9.18 of the APR Apache Portable Runtime library, and
+   version 0.9.17 of the companion APR-util Apache Portable Utility
+   library.
+
+   The corresponding version 0.9.7 of the companion APR-iconv library,
+   an alternative portable implementation of the 'iconv' library,
+   remains current.
 
    APR is available for download from:
 
      http://apr.apache.org/download.cgi
 
-   This version of APR is principally a bug fix release, and is
+   This version of APR is a security and bug fix release, and is
    provided only for users requiring APR 0.9 compatibility.  Most
    developers are encouraged to adopt the latest APR 1.x version
    to ensure the most comprehensive support and access to the latest
    features and enhancements.  For example, the Apache HTTP Server
    Project's httpd 2.0 release uses APR 0.9 for binary compatibility,
-   while later httpd 2.2 releases use APR 1.2 for better support
-   and additional features.
+   while later httpd 2.2 releases require APR 1.2 or later for better
+   support and additional features.
+
+   The security fixes in the APR-util library release 0.9.17 must be
+   evaluated  in the context of how APR-consuming applications use them
+   to determine if the application provides untrusted input to these
+   specific functions, to determine if they represent vulnerabilities
+   to the specific application.  Refer questions to such APR-consuming
+   projects for further guidance.  These fixes (which are similarly
+   corrected in the concurrent APR-util 1.3.7 release) include;
+
+    * Fixed a denial of service attack against the apr_xml_* interface
+      using the "billion laughs" entity expansion technique.
+      [Joe Orton]
+
+    * CVE-2009-0023 (cve.mitre.org);
+      Fixed an underflow from the match pattern to apr_strmatch_precompile.
+      [Matthew Palmer <mpalmer debian.org>]
+
+    * Fixed an off by one overflow in apr_brigade_vprintf.
+      [C. Michael Pilato <cmpilato collab.net>]
 
    The mission of the Apache Portable Runtime Project is to create
    and maintain software libraries that provide a predictable and
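Review bot: the text version carries the same "include;" punctuation and doubled space in "evaluated  in" as the HTML version; whatever wording is settled on there should be mirrored here, since the two formats are meant to be identical. The new "require APR 1.2 or later" wording does reconcile the previous divergence between this file ("use APR 1.2") and the HTML file ("require APR 1.2"), so the only remaining task is keeping the two in step.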

Modified: apr/site/trunk/dist/Announcement1.3.html
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement1.3.html?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement1.3.html (original)
+++ apr/site/trunk/dist/Announcement1.3.html Fri Jun  5 16:50:42 2009
@@ -8,16 +8,17 @@
  <body bgcolor="#ffffff" text="#000000" link="#525D76">
 <p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
 
-<h1>Apache Portable Runtime 1.3.3 Released</h1>
+<h1>Apache Portable Runtime 1.3.5 and APR-Utility 1.3.7 Released</h1>
 
 <p>The Apache Software Foundation and the Apache Portable Runtime
    Project are proud to announce the General Availability of
-   version 1.3.3 of the APR Apache Portable Runtime library.</p>
-
-<p>The Project further announces the General Availability of APR-util
-   version 1.3.4, the companion Apache Portable Utility library.  The
-   original APR-iconv version 1.2.1 release, an alternative portable
-   implementation of the 'iconv' library, remains current.</p>
+   version 1.3.5 of the APR Apache Portable Runtime library, and
+   version 1.3.7 of the companion APR-util Apache Portable Utility
+   library.</p>
+
+<p>The corresponding version 1.2.1 of the companion APR-iconv library,
+   an alternative portable implementation of the 'iconv' library,
+   remains current.</p>
 
 <p>APR is available for download from:</p>
 
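Review bot: the heading says "APR-Utility 1.3.7" while the 0.9 announcement in this same commit says "APR Utility 0.9.17" (no hyphen); pick one form for both files, ideally "APR-util" as the body text already uses. Also, this diff for Announcement1.3.html starts at line 8 and touches no `<title>` element, whereas the 0.9 HTML file had its `<title>` bumped; verify the 1.3 `<title>` is not still reporting 1.3.3.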
@@ -26,12 +27,34 @@
     >http://apr.apache.org/download.cgi</a></dd>
 </dl>
 
-<p>This version of APR is principally a bug fix release, including
+<p>This version of APR is a security and bug fix release, including
    fixes for specific platforms' configuration, feature detection,
    and run time behavior.  Most developers and users are encouraged
    to adopt the latest APR 1.x version to ensure the most comprehensive 
    support and access to the latest features and enhancements.</p>
 
+<p>The security fixes in the APR-util library release 1.3.7 must be
+   evaluated  in the context of how APR-consuming applications use them
+   to determine if the application provides untrusted input to these
+   specific functions, to determine if they represent vulnerabilities
+   to the specific application.  Refer questions to such APR-consuming
+   projects for further guidance.  These fixes (which are similarly
+   corrected in the concurrent APR-util 0.9.17 release) include;</p>
+
+<ul>
+  <li>Fixed a denial of service attack against the apr_xml_* interface
+      using the "billion laughs" entity expansion technique.
+      [Joe Orton]
+  </li>
+  <li>CVE-2009-0023 (cve.mitre.org);
+      Fixed an underflow from the match pattern to apr_strmatch_precompile.
+      [Matthew Palmer <mpalmer debian.org>]
+  </li>
+  <li>Fixed an off by one overflow in apr_brigade_vprintf.
+      [C. Michael Pilato <cmpilato collab.net>]
+  </li>
+</ul>
+
 <p>The mission of the Apache Portable Runtime Project is to create
    and maintain software libraries that provide a predictable and
    consistent interface to underlying platform-specific
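Review bot: "include;" should be "include:" and "evaluated  in" has a doubled space, exactly as in the 0.9 HTML file. Since the three `<li>` entries are identical to the 0.9 list and this announcement is headed by APR 1.3.5, it would help readers to state in the paragraph that all three affected functions (apr_xml_*, apr_strmatch_precompile, apr_brigade_vprintf) live in APR-util, so nobody looks for the fixes in APR itself; the paragraph's opening "The security fixes in the APR-util library release 1.3.7" already supports that.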

Modified: apr/site/trunk/dist/Announcement1.3.txt
URL: http://svn.apache.org/viewvc/apr/site/trunk/dist/Announcement1.3.txt?rev=782061&r1=782060&r2=782061&view=diff
==============================================================================
--- apr/site/trunk/dist/Announcement1.3.txt (original)
+++ apr/site/trunk/dist/Announcement1.3.txt Fri Jun  5 16:50:42 2009
@@ -1,24 +1,44 @@
-   Apache Portable Runtime 1.3.3 Released
+   Apache Portable Runtime 1.3.5 and APR-Utility 1.3.7 Released
 
    The Apache Software Foundation and the Apache Portable Runtime
    Project are proud to announce the General Availability of
-   version 1.3.3 of the APR Apache Portable Runtime library.
-
-   The Project further announces the General Availability of APR-util
-   version 1.3.4, the companion Apache Portable Utility library.  The
-   original APR-iconv version 1.2.1 release, an alternative portable
-   implementation of the 'iconv' library, remains current.
+   version 1.3.5 of the APR Apache Portable Runtime library, and
+   version 1.3.7 of the companion APR-util Apache Portable Utility
+   library.
+
+   The corresponding version 1.2.1 of the companion APR-iconv library,
+   an alternative portable implementation of the 'iconv' library,
+   remains current.
 
    APR is available for download from:
 
      http://apr.apache.org/download.cgi
 
-   This version of APR is principally a bug fix release, including
+   This version of APR is a security and bug fix release, including
    fixes for specific platforms' configuration, feature detection,
-   and run time behavior.  Most developers and users are encouraged 
+   and run time behavior.  Most developers and users are encouraged
    to adopt the latest APR 1.x version to ensure the most comprehensive 
    support and access to the latest features and enhancements.
 
+   The security fixes in the APR-util library release 1.3.7 must be
+   evaluated  in the context of how APR-consuming applications use them
+   to determine if the application provides untrusted input to these
+   specific functions, to determine if they represent vulnerabilities
+   to the specific application.  Refer questions to such APR-consuming
+   projects for further guidance.  These fixes (which are similarly
+   corrected in the concurrent APR-util 0.9.17 release) include;
+
+    * Fixed a denial of service attack against the apr_xml_* interface
+      using the "billion laughs" entity expansion technique.
+      [Joe Orton]
+
+    * CVE-2009-0023 (cve.mitre.org);
+      Fixed an underflow from the match pattern to apr_strmatch_precompile.
+      [Matthew Palmer <mpalmer debian.org>]
+
+    * Fixed an off by one overflow in apr_brigade_vprintf.
+      [C. Michael Pilato <cmpilato collab.net>]
+
    The mission of the Apache Portable Runtime Project is to create
    and maintain software libraries that provide a predictable and
    consistent interface to underlying platform-specific
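Review bot: the only change on the "Most developers and users are encouraged" line is the removal of a trailing space, yet the following context line "to adopt the latest APR 1.x version to ensure the most comprehensive " still carries trailing whitespace; either strip both or keep whitespace-only churn out of an announcement edit. The "include;" punctuation and the doubled space in "evaluated  in" should match whatever is chosen for the HTML version.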