Posted to commits@apr.apache.org by wr...@apache.org on 2018/09/14 18:39:35 UTC
svn commit: r29393 - in /release/apr: Announcement1.x.html Announcement1.x.txt
Author: wrowe
Date: Fri Sep 14 18:39:35 2018
New Revision: 29393
Log:
Update Announce
Modified:
release/apr/Announcement1.x.html
release/apr/Announcement1.x.txt
Modified: release/apr/Announcement1.x.html
==============================================================================
--- release/apr/Announcement1.x.html (original)
+++ release/apr/Announcement1.x.html Fri Sep 14 18:39:35 2018
@@ -3,56 +3,24 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta name="author" content="APR" /><meta name="email" content="dev@apr.apache.org" />
- <title>Apache Portable Runtime library 1.5.2 Released</title>
+ <title>Apache Portable Runtime library 1.6.5 Released</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#525D76">
<p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
<h1>
- Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2
- Released
+ Apache Portable Runtime APR 1.6.5 Released
</h1>
<p>
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
- 1.6.3 of the Apache Portable Runtime library (APR), as well as
- version 1.6.1 of the APR Utility library (APR-util) and version
- 1.2.2 of the APR iconv library (APR-iconv).
+ 1.6.5 of the Apache Portable Runtime library (APR). Version 1.6.1
+ of the APR Utility library (APR-util) and version 1.2.2 of the
+ APR iconv library (APR-iconv) remain current.
</p>
<p>
- APR 1.6.3 release addresses one security vulnerability;
-</p>
-<ul>
- <li>CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
- <br />
- When apr_time_exp_t or apr_os_exp_time_t arguments are passed
- with an invalid month field value in APR 1.6.2 and prior, out of
- bounds memory may be accessed in converting this value to an
- apr_time_exp_t value, potentially revealing the contents of a
- different static heap value or resulting in program termination,
- and may represent an information disclosure or denial of service
- vulnerability to applications which call these APR functions with
- unvalidated external input.
- </li>
-</ul>
-
-<p>
- APR-util 1.6.1 release addresses one security vulnerability;
-</p>
-<ul>
- <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
- <br />
- APR-util 1.6.0 and prior failed to validate the integrity of SDBM
- database files used by apr_sdbm*() functions, resulting in a
- possible out of bound read access. A local user with write access
- to the database can make a program or process using these functions
- crash, and cause a denial of service.
- </li>
-</ul>
-
-<p>
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
releases, which may be disruptive to existing build strategies:
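Review bot: The removed APR-util entry for CVE-2017-12618 describes APR-util 1.6.1, which the new paragraph says "remain current", so this hunk deletes security information about a release the page still tells users to download. Either keep that list item, or replace both removed lists with a short "previously addressed" line that names CVE-2017-12613 and CVE-2017-12618 and the releases that fixed them, so the identifiers stay searchable on the announcement page.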
@@ -76,8 +44,9 @@
</li>
</ul>
<p>
- APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
- a number of run-time and build-time issues; For details, see;
+ APR 1.6.5, APR-util 1.6.1, and APR-iconv 1.2.2 fix a number
+ of security vulnerabilities, run-time and build-time issues.
+ For details, see;
</p>
<dl>
<dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-1.6"
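Review bot: The added sentence "fix a number of security vulnerabilities, run-time and build-time issues" does not say which of the three releases carries security fixes, and after the first hunk no CVE identifier is left in the file to back it up. Suggest naming the fixes per release (or at least listing the CVE numbers here) so a reader can tell whether moving to 1.6.5 is itself security-relevant. Minor: "For details, see;" should end with a colon, since it introduces the link list.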
@@ -104,8 +73,6 @@
their software is built. We list all known projects using APR
at http://apr.apache.org/projects.html - so please let us know
if you find our libraries useful in your own projects!
-
</p>
</body>
</html>
-
Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Fri Sep 14 18:39:35 2018
@@ -1,34 +1,10 @@
- Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2
- Released
+ Apache Portable Runtime APR 1.6.5 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
- 1.6.3 of the Apache Portable Runtime library (APR), as well as
- version 1.6.1 of the APR Utility library (APR-util) and version
- 1.2.2 of the APR iconv library (APR-iconv).
-
- APR 1.6.3 release addresses one security vulnerability;
-
- CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
-
- When apr_time_exp_t or apr_os_exp_time_t arguments are passed
- with an invalid month field value in APR 1.6.2 and prior, out of
- bounds memory may be accessed in converting this value to an
- apr_time_exp_t value, potentially revealing the contents of a
- different static heap value or resulting in program termination,
- and may represent an information disclosure or denial of service
- vulnerability to applications which call these APR functions with
- unvalidated external input.
-
- APR-util 1.6.1 release addresses one security vulnerability;
-
- CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
-
- APR-util 1.6.0 and prior failed to validate the integrity of SDBM
- database files used by apr_sdbm*() functions, resulting in a
- possible out of bound read access. A local user with write access
- to the database can make a program or process using these functions
- crash, and cause a denial of service.
+ 1.6.5 of the Apache Portable Runtime library (APR). Version 1.6.1
+ of the APR Utility library (APR-util) and version 1.2.2 of the
+ APR iconv library (APR-iconv) remain current.
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
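Review bot: The deleted CVE-2017-12613 paragraph was the only place this file stated the affected range ("APR 1.6.2 and prior") and the trigger, an invalid month field passed to the apr_time_exp*() functions with unvalidated external input. Users still on those versions who read only the current announcement lose the cue that upgrading closes an out-of-bounds read. Consider retaining a one-line summary with the CVE number and affected range, in step with whatever is decided for the HTML version.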
@@ -48,8 +24,9 @@
Users of MSSQL and SYBASE databases are recommended to use
the ODBC driver instead.
- APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
- a number of run-time and build-time issues; For details, see;
+ APR 1.6.5, APR-util 1.6.1, and APR-iconv 1.2.2 fix a number
+ of security vulnerabilities, run-time and build-time issues.
+ For details, see;
http://www.apache.org/dist/apr/CHANGES-APR-1.6
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6
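Review bot: The CHANGES links kept as context at the end of this hunk use http://, and after this commit they are the only place the announcement sends readers for details of the "security vulnerabilities" mentioned in the added lines. Since the paragraph is being touched anyway, switch both URLs to https:// here and in the matching href in Announcement1.x.html so the change log is fetched over TLS.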