Posted to commits@apr.apache.org by wr...@apache.org on 2011/05/10 21:38:47 UTC
svn commit: r284 - in /release/apr: Announcement1.x.html Announcement1.x.txt
CHANGES-APR-1.4
Author: wrowe
Date: Tue May 10 19:38:45 2011
New Revision: 284
Log:
Indicate CVE, call out security fix
Modified:
release/apr/Announcement1.x.html (contents, props changed)
release/apr/Announcement1.x.txt (contents, props changed)
release/apr/CHANGES-APR-1.4
Modified: release/apr/Announcement1.x.html
==============================================================================
--- release/apr/Announcement1.x.html (original)
+++ release/apr/Announcement1.x.html Tue May 10 19:38:45 2011
@@ -23,6 +23,24 @@
</p>
<p>
+ Note especially a security fix to APR 1.4.4, stack overflow
+ was possible due to unconstrained, recursive invocation of
+ apr_fnmatch, as apr_fnmatch processed '*' wildcards.
+</p>
+
+<ul><li>
+ Security: CVE-2011-0419 (http://cve.mitre.org)<br />
+ Reimplement apr_fnmatch() from scratch using a non-recursive
+ algorithm; now has improved compliance with the fnmatch() spec.
+ [William Rowe]
+</li></ul>
+
+<p>
+ The APR Project thanks Maksymilian Arciemowicz of SecurityReason
+ for his research and reporting of this issue.
+</p>
+
+<p>
(See CHANGES-APR-1.4 and CHANGES-APR-UTIL-1.3 for more information.)
</p>
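Review bot: The CVE reference at "Security: CVE-2011-0419 (http://cve.mitre.org)" is a bare site root in plain text inside an HTML `<li>`; link it directly to the entry, e.g. `<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419">CVE-2011-0419</a>`, so readers of the HTML announcement land on the advisory rather than the MITRE front page. The opening sentence is also a comma splice: "Note especially a security fix to APR 1.4.4, stack overflow was possible ..." reads better as "Note especially the security fix in APR 1.4.4: a stack overflow was possible ...".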
Propchange: release/apr/Announcement1.x.html
------------------------------------------------------------------------------
svn:eol-style = native
Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
@@ -8,6 +8,18 @@
These are bug fix releases. Users of previous versions are
encouraged to update to these releases.
+ Note especially a security fix to APR 1.4.4, stack overflow
+ was possible due to unconstrained, recursive invocation of
+ apr_fnmatch, as apr_fnmatch processed '*' wildcards.
+
+ * Security: CVE-2011-0419 (http://cve.mitre.org)
+ Reimplement apr_fnmatch() from scratch using a non-recursive
+ algorithm; now has improved compliance with the fnmatch() spec.
+ [William Rowe]
+
+ The APR Project thanks Maksymilian Arciemowicz of SecurityReason
+ for his research and reporting of this issue.
+
(See CHANGES-APR-1.4 and CHANGES-APR-UTIL-1.3 for more information.)
Version 1.2.1 of the companion APR-iconv library, an alternative
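Review bot: "stack overflow was possible due to unconstrained, recursive invocation of apr_fnmatch" describes stack exhaustion from unbounded recursion, not a buffer overflow on the stack; since "stack overflow" is commonly read as memory corruption, state the impact explicitly, e.g. "unbounded recursion could exhaust the stack (a crash / denial of service) when apr_fnmatch processed patterns containing '*' wildcards". The same wording is duplicated verbatim in the HTML announcement above, so apply the change in both files or they will drift.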
Propchange: release/apr/Announcement1.x.txt
------------------------------------------------------------------------------
svn:eol-style = native
Modified: release/apr/CHANGES-APR-1.4
==============================================================================
--- release/apr/CHANGES-APR-1.4 (original)
+++ release/apr/CHANGES-APR-1.4 Tue May 10 19:38:45 2011
@@ -1,11 +1,12 @@
- -*- coding: utf-8 -*-
+ -*- coding: utf-8 -*-
Changes for APR 1.4.4
*) Windows: Fix command-line builds. [William Rowe]
Changes for APR 1.4.3
- *) Reimplement apr_fnmatch() from scratch using a non-recursive
+ *) Security: CVE-2011-0419
+ Reimplement apr_fnmatch() from scratch using a non-recursive
algorithm; now has improved compliance with the fnmatch() spec.
[William Rowe]
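Review bot: The "Security: CVE-2011-0419" tag is added under "Changes for APR 1.4.3", while both announcement hunks above describe "a security fix to APR 1.4.4"; the two should agree, e.g. say in the announcement that the apr_fnmatch() rewrite fixing CVE-2011-0419 landed in 1.4.3 and is included in 1.4.4, whose only listed change is the Windows command-line build fix. Also, the "-*- coding: utf-8 -*-" line is removed and re-added with no visible difference, which suggests a whitespace or line-ending-only change riding along in a CVE commit; either drop it or mention it in the log message.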