Posted to commits@apr.apache.org by wr...@apache.org on 2017/10/26 23:54:48 UTC
svn commit: r22692 - /dev/apr/Announcement1.x.html
/dev/apr/Announcement1.x.txt /release/apr/Announcement1.x.html
/release/apr/Announcement1.x.txt
Author: wrowe
Date: Thu Oct 26 23:54:47 2017
New Revision: 22692
Log:
As pointed out by Craig Young... these two were transposed. The APR is 1.6.3
and its defect was originally attributed to APR-util, and vice versa, where
APR-util is in fact 1.6.1.
Modified:
dev/apr/Announcement1.x.html
dev/apr/Announcement1.x.txt
release/apr/Announcement1.x.html
release/apr/Announcement1.x.txt
Modified: dev/apr/Announcement1.x.html
==============================================================================
--- dev/apr/Announcement1.x.html (original)
+++ dev/apr/Announcement1.x.html Thu Oct 26 23:54:47 2017
@@ -22,24 +22,9 @@
</p>
<p>
- APR 1.6.1 release addresses one security vulnerability;
+ APR 1.6.3 release addresses one security vulnerability;
</p>
<ul>
- <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
- <br />
- APR-util 1.6.0 and prior failed to validate the integrity of SDBM
- database files used by apr_sdbm*() functions, resulting in a
- possible out of bound read access. A local user with write access
- to the database can make a program or process using these functions
- crash, and cause a denial of service.
- </li>
-</ul>
-
-<p>
- APR-util 1.6.3 release addresses one security vulnerability;
-</p>
-
-<ul>
<li>CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
<br />
When apr_exp_time*() or apr_os_exp_time*() functions are invoked
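Review bot: The context lines under the corrected heading still disagree on the function family: the CVE-2017-12613 item title says apr_time_exp*() while the sentence below it says apr_exp_time*(). Since this commit is already fixing attribution in this block, check both spellings against the APR headers and make them agree, so readers can search their code for the affected calls.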
@@ -53,6 +38,20 @@
</li>
</ul>
+<p>
+ APR-util 1.6.1 release addresses one security vulnerability;
+</p>
+<ul>
+ <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
+ <br />
+ APR-util 1.6.0 and prior failed to validate the integrity of SDBM
+ database files used by apr_sdbm*() functions, resulting in a
+ possible out of bound read access. A local user with write access
+ to the database can make a program or process using these functions
+ crash, and cause a denial of service.
+ </li>
+</ul>
+
<p>
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
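Review bot: In the re-added CVE-2017-12618 item, the body says "possible out of bound read access" while the item title says "Out-of-bounds access". Use the hyphenated "out-of-bounds read" in the body so the wording matches the title and the CVE-2017-12613 heading above it.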
Modified: dev/apr/Announcement1.x.txt
==============================================================================
--- dev/apr/Announcement1.x.txt (original)
+++ dev/apr/Announcement1.x.txt Thu Oct 26 23:54:47 2017
@@ -7,17 +7,7 @@
version 1.6.1 of the APR Utility library (APR-util) and version
1.2.2 of the APR iconv library (APR-iconv).
- APR 1.6.1 release addresses one security vulnerability;
-
- CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
-
- APR-util 1.6.0 and prior failed to validate the integrity of SDBM
- database files used by apr_sdbm*() functions, resulting in a
- possible out of bound read access. A local user with write access
- to the database can make a program or process using these functions
- crash, and cause a denial of service.
-
- APR-util 1.6.3 release addresses one security vulnerability;
+ APR 1.6.3 release addresses one security vulnerability;
CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
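Review bot: The new heading "APR 1.6.3 release addresses ..." cannot be cross-checked within this hunk. The context lines confirm "version 1.6.1 of the APR Utility library (APR-util)", but the sentence naming the APR version sits above line 7 and is not shown. Please confirm the preamble also reads 1.6.3, so the announcement does not contradict itself a second time.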
@@ -30,6 +20,16 @@
vulnerability to applications which call these APR functions with
unvalidated external input.
+ APR-util 1.6.1 release addresses one security vulnerability;
+
+ CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
+
+ APR-util 1.6.0 and prior failed to validate the integrity of SDBM
+ database files used by apr_sdbm*() functions, resulting in a
+ possible out of bound read access. A local user with write access
+ to the database can make a program or process using these functions
+ crash, and cause a denial of service.
+
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
releases, which may be disruptive to existing build strategies:
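Review bot: The added heading and item title end their lead-in with a semicolon where a description follows ("addresses one security vulnerability;" and "CVE-2017-12618; Out-of-bounds access ..."). A colon reads correctly in both places; the same applies to the APR 1.6.3 heading earlier in this file.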
Modified: release/apr/Announcement1.x.html
==============================================================================
--- release/apr/Announcement1.x.html (original)
+++ release/apr/Announcement1.x.html Thu Oct 26 23:54:47 2017
@@ -22,24 +22,9 @@
</p>
<p>
- APR 1.6.1 release addresses one security vulnerability;
+ APR 1.6.3 release addresses one security vulnerability;
</p>
<ul>
- <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
- <br />
- APR-util 1.6.0 and prior failed to validate the integrity of SDBM
- database files used by apr_sdbm*() functions, resulting in a
- possible out of bound read access. A local user with write access
- to the database can make a program or process using these functions
- crash, and cause a denial of service.
- </li>
-</ul>
-
-<p>
- APR-util 1.6.3 release addresses one security vulnerability;
-</p>
-
-<ul>
<li>CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
<br />
When apr_exp_time*() or apr_os_exp_time*() functions are invoked
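Review bot: Four hand-maintained copies of this announcement (dev/ and release/, .html and .txt) receive the identical edit in this commit, and this release/ hunk matches the dev/apr/Announcement1.x.html hunk line for line, so the copies can drift whenever one is missed. Consider generating the release/ files from dev/, or diffing the two trees before committing.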
@@ -53,6 +38,20 @@
</li>
</ul>
+<p>
+ APR-util 1.6.1 release addresses one security vulnerability;
+</p>
+<ul>
+ <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
+ <br />
+ APR-util 1.6.0 and prior failed to validate the integrity of SDBM
+ database files used by apr_sdbm*() functions, resulting in a
+ possible out of bound read access. A local user with write access
+ to the database can make a program or process using these functions
+ crash, and cause a denial of service.
+ </li>
+</ul>
+
<p>
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Thu Oct 26 23:54:47 2017
@@ -7,17 +7,7 @@
version 1.6.1 of the APR Utility library (APR-util) and version
1.2.2 of the APR iconv library (APR-iconv).
- APR 1.6.1 release addresses one security vulnerability;
-
- CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
-
- APR-util 1.6.0 and prior failed to validate the integrity of SDBM
- database files used by apr_sdbm*() functions, resulting in a
- possible out of bound read access. A local user with write access
- to the database can make a program or process using these functions
- crash, and cause a denial of service.
-
- APR-util 1.6.3 release addresses one security vulnerability;
+ APR 1.6.3 release addresses one security vulnerability;
CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
@@ -30,6 +20,16 @@
vulnerability to applications which call these APR functions with
unvalidated external input.
+ APR-util 1.6.1 release addresses one security vulnerability;
+
+ CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
+
+ APR-util 1.6.0 and prior failed to validate the integrity of SDBM
+ database files used by apr_sdbm*() functions, resulting in a
+ possible out of bound read access. A local user with write access
+ to the database can make a program or process using these functions
+ crash, and cause a denial of service.
+
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
releases, which may be disruptive to existing build strategies: