You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@apr.apache.org by wr...@apache.org on 2011/05/10 21:38:47 UTC
svn commit: r284 - in /release/apr: Announcement1.x.html Announcement1.x.txt CHANGES-APR-1.4

Author: wrowe
Date: Tue May 10 19:38:45 2011
New Revision: 284

Log:
Indicate CVE, call out security fix

Modified:
    release/apr/Announcement1.x.html   (contents, props changed)
    release/apr/Announcement1.x.txt   (contents, props changed)
    release/apr/CHANGES-APR-1.4

Modified: release/apr/Announcement1.x.html
==============================================================================
--- release/apr/Announcement1.x.html (original)
+++ release/apr/Announcement1.x.html Tue May 10 19:38:45 2011
@@ -23,6 +23,24 @@
 </p>
 
 <p>
+   Note especially a security fix to APR 1.4.4, stack overflow 
+   was possible due to unconstrained, recursive invocation of 
+   apr_fnmatch, as apr_fnmatch processed '*' wildcards.
+</p>
+
+<ul><li>
+     Security: CVE-2011-0419 (http://cve.mitre.org)<br />
+     Reimplement apr_fnmatch() from scratch using a non-recursive
+     algorithm; now has improved compliance with the fnmatch() spec.
+     [William Rowe]
+</li></ul>
+     
+<p>
+   The APR Project thanks Maksymilian Arciemowicz of SecurityReason
+   for his research and reporting of this issue.
+</p>
+
+<p>
    (See CHANGES-APR-1.4 and CHANGES-APR-UTIL-1.3 for more information.)
 </p>
 

Propchange: release/apr/Announcement1.x.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
@@ -8,6 +8,18 @@
    These are bug fix releases.  Users of previous versions are
    encouraged to update to these releases.
 
+   Note especially a security fix to APR 1.4.4, stack overflow 
+   was possible due to unconstrained, recursive invocation of 
+   apr_fnmatch, as apr_fnmatch processed '*' wildcards.
+
+   * Security: CVE-2011-0419 (http://cve.mitre.org)
+     Reimplement apr_fnmatch() from scratch using a non-recursive
+     algorithm; now has improved compliance with the fnmatch() spec.
+     [William Rowe]
+     
+   The APR Project thanks Maksymilian Arciemowicz of SecurityReason
+   for his research and reporting of this issue.
+
    (See CHANGES-APR-1.4 and CHANGES-APR-UTIL-1.3 for more information.)
 
    Version 1.2.1 of the companion APR-iconv library, an alternative 

Propchange: release/apr/Announcement1.x.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: release/apr/CHANGES-APR-1.4
==============================================================================
--- release/apr/CHANGES-APR-1.4 (original)
+++ release/apr/CHANGES-APR-1.4 Tue May 10 19:38:45 2011
@@ -1,11 +1,12 @@
-                                                     -*- coding: utf-8 -*-
+ï»¿                                                     -*- coding: utf-8 -*-
 Changes for APR 1.4.4
 
   *) Windows: Fix command-line builds.  [William Rowe]
 
 Changes for APR 1.4.3
 
-  *) Reimplement apr_fnmatch() from scratch using a non-recursive
+  *) Security: CVE-2011-0419
+     Reimplement apr_fnmatch() from scratch using a non-recursive
      algorithm; now has improved compliance with the fnmatch() spec.
      [William Rowe]