Posted to announce@httpd.apache.org by jo...@apache.org on 2006/02/12 20:52:38 UTC

[ANNOUNCE] libapreq2-2.07 Released

        libapreq2-2.07 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.07 release of libapreq2.  This
Announcement notes significant changes introduced by this release.

libapreq2-2.07 is released under the Apache License
version 2.0.  It is now available through the ASF mirrors

      http://httpd.apache.org/apreq/download.cgi

and has entered the CPAN as 

  file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.07.tar.gz
  size: 787249 bytes
   md5: 6f2e5e4a14e8b190dead0fe91fc13080


libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data.  This package provides

    1) version 2.5.7 of the libapreq2 library,

    2) mod_apreq2, a filter module necessary for using libapreq2
       within the Apache HTTP Server,

    3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
       perl modules for using libapreq2 with mod_perl2.

This release contains an important security bugfix which impacts all 
previous developer releases of libapreq2. The Common Vulnerabilities 
and Exposures project assigned the name CVE-2006-0042 to this issue.


========================================================================

Changes with libapreq2-2.07 (released February 12, 2006)


- C API [joes]
  SECURITY: CVE-2006-0042 (cve.mitre.org)
  Eliminate potential quadratic behavior in apreq_parse_headers() and
  apreq_parse_urlencoded().

- Perl API [Philip M. Gollucci]
  Fix Apache2::Cookie->cookies() to comply with its documentation

- C API [Philip M. Gollucci]
  Use the APREQ_DEFAULT_READ_LIMIT constant for the read_limit

- C API [Ville Skyttä, Dirk Nehring]
  Add explicit cast in apreq_escape()/apreq_util.h to keep
  C++ compilers happy.

- C API [joes]
  Protect against arbitrary recursion depth in apreq_parse_multipart()
  by adding a reasonable compile-time MAX_LEVEL limit.

- C API [joes]
  Clean up end-of-file parsing for apreq_parse_multipart(),
  conforming to RFC 2046 § 5.1.1.

- Perl API [joes]
  Move APR::Request::Param::Table and APR::Request::Cookie::Table
  packages to APR::Request module.

- Perl XS [Steve Hay]
  Fix compile problems on Win32 without PERL_IMPLICIT_SYS
  related to link being an unresolved symbol.

- Perl API [joes]
  APR::Request::Cookie::thaw() isn't a class method.

- C API [joes]
  Fix off-by-one bug in the continuation-lines portion of the
  header parser.

- Perl API [joes]
  Move APR::Request::upload to APR::Request, where it belongs.

- Perl XS [Nikolay Ananiev]
  Use MP_STATIC declarations to allow Cygwin builds.

- Perl API [joes]
  encode()/decode() were busted with zero-length args.  This caused
  Apache2::Cookie::new() to segfault on cookie value of "".

- C API [joes]
  Add apreq_charset_divine() and eliminate charset offset from return
  value of apreq_decode(v).

- C API [joes]
  Improve the cp1252-charset heuristics for apreq_decode(v).

- C API [Ralph Mattes]
  Add explicit casts for apreq_param_charset_* to keep C++ compilers happy.