Posted to commits@apr.apache.org by tr...@apache.org on 2015/04/29 02:40:12 UTC
svn commit: r8742 - in /release/apr: Announcement1.x.html Announcement1.x.txt CHANGES-APR-1.5 HEADER.html README.html
Author: trawick
Date: Wed Apr 29 00:40:12 2015
New Revision: 8742
Log:
For the APR 1.5.2 release...
Modified:
release/apr/Announcement1.x.html
release/apr/Announcement1.x.txt
release/apr/CHANGES-APR-1.5
release/apr/HEADER.html
release/apr/README.html
Modified: release/apr/Announcement1.x.html
==============================================================================
--- release/apr/Announcement1.x.html (original)
+++ release/apr/Announcement1.x.html Wed Apr 29 00:40:12 2015
@@ -3,29 +3,35 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta name="author" content="APR" /><meta name="email" content="dev@apr.apache.org" />
- <title>Apache Portable Runtime Utility library 1.5.4 Released</title>
+ <title>Apache Portable Runtime library 1.5.2 Released</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#525D76">
<p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
<h1>
- Apache Portable Runtime Utility library 1.5.4 Released
+ Apache Portable Runtime library 1.5.2 Released
</h1>
<p>
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
- 1.5.4 of the Apache Portable Runtime Utility library.
+ 1.5.2 of the Apache Portable Runtime library.
</p>
<p>
- APR-util 1.5.4 is a bug fix release, resolving several run-time
- problems as well as several build problems. See CHANGES-APR-UTIL-1.5
- for more information.
+ APR 1.5.2 resolves an important issue on the Windows platform
+ that can result in vulnerabilities in APR applications which use
+ APR pipes; this issue is tracked by CVE-2015-1829.
</p>
<p>
- Version 1.5.1 of the Apache Portable Runtime library remains
+ APR 1.5.2 fixes a number of additional run-time and build-time bugs
+ affecting multiple platforms. See CHANGES-APR-1.5 for more
+ information.
+</p>
+
+<p>
+ Version 1.5.4 of the Apache Portable Runtime Utility library remains
current.
</p>
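Review bot: The new CVE paragraph ("an important issue on the Windows platform that can result in vulnerabilities in APR applications which use APR pipes") is vaguer than the CHANGES-APR-1.5 entry in this same commit, which says the issue concerns named pipe support and a pipe squatting attack from a local process. Suggest carrying "named pipe" and "local process" into the announcement so readers can judge their exposure without opening CHANGES.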
Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Wed Apr 29 00:40:12 2015
@@ -1,14 +1,18 @@
- Apache Portable Runtime Utility library 1.5.4 Released
+ Apache Portable Runtime library 1.5.2 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
- 1.5.4 of the Apache Portable Runtime Utility library.
+ 1.5.2 of the Apache Portable Runtime library.
- APR-util 1.5.4 is a bug fix release, resolving several run-time
- problems as well as several build problems. See CHANGES-APR-UTIL-1.5
- for more information.
+ APR 1.5.2 resolves an important issue on the Windows platform
+ that can result in vulnerabilities in APR applications which use
+ APR pipes; this issue is tracked by CVE-2015-1829.
- Version 1.5.1 of the Apache Portable Runtime library remains
+ APR 1.5.2 fixes a number of additional run-time and build-time bugs
+ affecting multiple platforms. See CHANGES-APR-1.5 for more
+ information.
+
+ Version 1.5.4 of the Apache Portable Runtime Utility library remains
current.
Version 1.2.1 of the companion APR-iconv library, an alternative
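Review bot: The text announcement says nothing about the Windows build consideration that CHANGES-APR-1.5 adds in this commit: applications linking with apr-1.lib may need rpcrt4 because of the increased use of UuidCreate(). Since the headline fix is Windows-specific, a one-line pointer after the "See CHANGES-APR-1.5 for more information" sentence would spare upgraders an unexplained unresolved-reference link error.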
Modified: release/apr/CHANGES-APR-1.5
==============================================================================
--- release/apr/CHANGES-APR-1.5 (original)
+++ release/apr/CHANGES-APR-1.5 Wed Apr 29 00:40:12 2015
@@ -1,4 +1,68 @@
-*- coding: utf-8 -*-
+Changes for APR 1.5.2
+
+ *) SECURITY: CVE-2015-1829 (cve.mitre.org)
+ APR applications using APR named pipe support on Windows can be
+ vulnerable to a pipe squatting attack from a local process; the extent
+ of the vulnerability, when present, depends on the application.
+ Initial analysis and report was provided by John Hernandez of Casaba
+ Security via HP SSRT Security Alert. [Yann Ylavic]
+
+ *) Potential Windows build consideration: The increased use of
+ UuidCreate() in APR may introduce a link error for applications
+ which link with apr-1.lib. Include the Windows library rpcrt4 if
+ linking fails with an unresolved reference to UuidCreate().
+
+ *) apr_atomic: Fix errors when building on Visual Studio 2013 while
+ maintaining the ability to build on Visual Studio 6 with Windows
+ Server 2003 R2 SDK. PR 57191. [Gregg Smith]
+
+ *) Switch to generic atomics for early/unpatched Solaris 10 not exporting
+ some atomic functions. PR 55418. [Yann Ylavic]
+
+ *) apr_file_mktemp() on HP-UX: Remove limitation of 26 temporary files
+ per process. PR 57677. [Jeff Trawick]
+
+ *) apr_escape: Correctly calculate the size of the returned string in
+ apr_escape_path and set the correct return value in case we actually
+ escape the string. [<aduryagin gmail.com>] PR 57230.
+
+ *) pollcb on Windows: Handle calls with no file/socket descriptors.
+ Follow up to PR 49882. [Jeff Trawick, Yann Ylavic]
+
+ *) apr_poll(cb): fix error paths returned values and leaks. [Yann Ylavic]
+
+ *) apr_thread_cond_*wait() on BeOS: Fix broken logic. PR 45800.
+ [Jochen Voss (no e-mail)]
+
+ *) apr_skiplist: Optimize the number of allocations by reusing pooled or
+ malloc()ed nodes for the lifetime of the skiplist. [Yann Ylavic]
+
+ *) apr_skiplist: Fix possible multiple-free() on the same value in
+ apr_skiplist_remove_all(). [Yann Ylavic]
+
+ *) apr_pollset: On z/OS, threadsafe apr_pollset_poll() may return
+ "EDC8102I Operation would block" under load.
+ [Pat Odonnell <patod us.ibm.com>]
+
+ *) On z/OS, apr_sockaddr_info_get() with family == APR_UNSPEC was not
+ returning IPv4 addresses if any IPv6 addresses were returned.
+ [Eric Covener]
+
+ *) Windows cmake build: Fix an incompatibility with cmake 2.8.12 and
+ later. [Jeff Trawick]
+
+ *) apr_global_mutex/apr_proc_mutex: Resolve failures with the
+ POSIX sem implementation in environments which receive signals.
+ [Jeff Trawick]
+
+ *) apr_skiplist: Fix potential corruption of skiplists leading to
+ results or crashes. [Takashi Sato <takashi tks st>, Eric Covener]
+ PR 56654.
+
+ *) Improve platform detection by updating config.guess and config.sub.
+ [Rainer Jung]
+
Changes for APR 1.5.1
*) apr_os_proc_mutex_get() on Unix: Avoid segfault for cross-
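Review bot: In the apr_skiplist entry credited to Takashi Sato and Eric Covener, "Fix potential corruption of skiplists leading to results or crashes" appears to have lost a word before "results"; please restore the intended qualifier. Separately, the SECURITY entry for CVE-2015-1829 gives no affected version range, while README.html in this commit says "APR 1.5.1 and earlier"; stating that range here would make the entry self-contained.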
@@ -37,8 +101,8 @@ Changes for APR 1.5.1
*) Correct a regression in 1.5.0 which affected out-of-tree
builds on Unix. [Rainer Jung]
- *) Improve platform detection for bundled expat by updating
- config.guess and config.sub. [Rainer Jung]
+ *) Improve platform detection by updating config.guess and config.sub.
+ [Rainer Jung]
Changes for APR 1.5.0
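Review bot: This rewrites an entry in the 1.5.1 section, dropping "for bundled expat", so it becomes word-for-word identical to the config.guess/config.sub entry added under 1.5.2 in the previous hunk. Please confirm that changing the changelog text of the earlier release is intended and not a side effect of copying the new entry.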
Modified: release/apr/HEADER.html
==============================================================================
--- release/apr/HEADER.html (original)
+++ release/apr/HEADER.html Wed Apr 29 00:40:12 2015
@@ -11,7 +11,7 @@
<ul>
<li><a href="#mirrors">Download from your nearest mirror site!</a></li>
-<li><a href="#apr">APR 1.5.1 is the latest available version</a></li>
+<li><a href="#apr">APR 1.5.2 is the latest available version</a></li>
<li><a href="#aprutil">APR-util 1.5.4 is the latest available version</a></li>
<li><a href="#apriconv">APR-iconv 1.2.1 is the latest available version</a></li>
<li><a href="#apr09">APR 0.9.20 is also available</a></li>
Modified: release/apr/README.html
==============================================================================
--- release/apr/README.html (original)
+++ release/apr/README.html Wed Apr 29 00:40:12 2015
@@ -8,17 +8,23 @@
here to find your nearest mirror.</a>
</p>
-<h2><a name="apr">APR 1.5.1 is the latest available version</a></h2>
+<h2><a name="apr">APR 1.5.2 is the latest available version</a></h2>
<p>
- APR 1.5.1 has been released, and should be considered
+ APR 1.5.2 has been released, and should be considered
"general availability".
</p>
<p>
- APR 1.4.4 and earlier versions had vulnerabilities affecting some
- applications. Users of 1.4.4 and previous releases are cautioned
- to upgrade to the latest version.
+ APR 1.5.1 and earlier versions had vulnerabilities affecting some
+ applications on the Windows platform. Users of those releases are
+ cautioned to upgrade to the latest version.
+</p>
+
+<p>
+ APR 1.4.5 and earlier versions had vulnerabilities affecting some
+ applications on all platforms. Users of 1.4.5 and previous releases
+ are cautioned to upgrade to the latest version.
</p>
<h2><a name="aprutil">APR-util 1.5.4 is the latest available version</a></h2>
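Review bot: The all-platforms paragraph moves the version boundary from "1.4.4 and earlier" to "1.4.5 and earlier", which is a change of fact on top of adding the Windows paragraph; please confirm 1.4.5 is the correct last affected release. The new Windows paragraph could also name CVE-2015-1829, as the announcement does, so readers can look the issue up.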