Posted to commits@apr.apache.org by tr...@apache.org on 2015/04/29 02:40:12 UTC

svn commit: r8742 - in /release/apr: Announcement1.x.html Announcement1.x.txt CHANGES-APR-1.5 HEADER.html README.html

Author: trawick
Date: Wed Apr 29 00:40:12 2015
New Revision: 8742

Log:
For the APR 1.5.2 release...

Modified:
    release/apr/Announcement1.x.html
    release/apr/Announcement1.x.txt
    release/apr/CHANGES-APR-1.5
    release/apr/HEADER.html
    release/apr/README.html

Modified: release/apr/Announcement1.x.html
==============================================================================
--- release/apr/Announcement1.x.html (original)
+++ release/apr/Announcement1.x.html Wed Apr 29 00:40:12 2015
@@ -3,29 +3,35 @@
  <head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
        <meta name="author" content="APR" /><meta name="email" content="dev@apr.apache.org" />
-    <title>Apache Portable Runtime Utility library 1.5.4 Released</title>
+    <title>Apache Portable Runtime library 1.5.2 Released</title>
  </head>
  <body bgcolor="#ffffff" text="#000000" link="#525D76">
 <p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
 
 <h1>
-   Apache Portable Runtime Utility library 1.5.4 Released
+   Apache Portable Runtime library 1.5.2 Released
 </h1>
 
 <p>
    The Apache Software Foundation and the Apache Portable Runtime
    Project are proud to announce the General Availability of version
-   1.5.4 of the Apache Portable Runtime Utility library.
+   1.5.2 of the Apache Portable Runtime library.
 </p>
 
 <p>
-   APR-util 1.5.4 is a bug fix release, resolving several run-time
-   problems as well as several build problems.  See CHANGES-APR-UTIL-1.5
-   for more information.
+   APR 1.5.2 resolves an important issue on the Windows platform
+   that can result in vulnerabilities in APR applications which use
+   APR pipes; this issue is tracked by CVE-2015-1829.
 </p>
 
 <p>
-   Version 1.5.1 of the Apache Portable Runtime library remains
+   APR 1.5.2 fixes a number of additional run-time and build-time bugs
+   affecting multiple platforms.  See CHANGES-APR-1.5 for more 
+   information.
+</p>
+
+<p>
+   Version 1.5.4 of the Apache Portable Runtime Utility library remains
    current.
 </p>
 

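Review bot: The new security paragraph ("can result in vulnerabilities in APR applications which use APR pipes") is vaguer than the CHANGES-APR-1.5 entry in this same commit, which scopes the issue to named pipe support on Windows and to a pipe squatting attack from a local process. Suggest carrying "named pipe" and "local process" into the announcement so readers can judge their exposure without opening CHANGES. The added line ending "See CHANGES-APR-1.5 for more " also has trailing whitespace.
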
Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Wed Apr 29 00:40:12 2015
@@ -1,14 +1,18 @@
-   Apache Portable Runtime Utility library 1.5.4 Released
+   Apache Portable Runtime library 1.5.2 Released
 
    The Apache Software Foundation and the Apache Portable Runtime
    Project are proud to announce the General Availability of version
-   1.5.4 of the Apache Portable Runtime Utility library.
+   1.5.2 of the Apache Portable Runtime library.
 
-   APR-util 1.5.4 is a bug fix release, resolving several run-time
-   problems as well as several build problems.  See CHANGES-APR-UTIL-1.5
-   for more information.
+   APR 1.5.2 resolves an important issue on the Windows platform
+   that can result in vulnerabilities in APR applications which use
+   APR pipes; this issue is tracked by CVE-2015-1829.
 
-   Version 1.5.1 of the Apache Portable Runtime library remains
+   APR 1.5.2 fixes a number of additional run-time and build-time bugs
+   affecting multiple platforms.  See CHANGES-APR-1.5 for more 
+   information.
+
+   Version 1.5.4 of the Apache Portable Runtime Utility library remains
    current.
 
    Version 1.2.1 of the companion APR-iconv library, an alternative 

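Review bot: The announcement text urges Windows users toward 1.5.2 but does not mention the Windows build consideration recorded in CHANGES-APR-1.5 (a possible unresolved reference to UuidCreate() unless rpcrt4 is linked). Suggest a short pointer after the CVE-2015-1829 paragraph, since applications linking with apr-1.lib may hit this link error when they pick up the security fix.
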
Modified: release/apr/CHANGES-APR-1.5
==============================================================================
--- release/apr/CHANGES-APR-1.5 (original)
+++ release/apr/CHANGES-APR-1.5 Wed Apr 29 00:40:12 2015
@@ -1,4 +1,68 @@
                                                      -*- coding: utf-8 -*-
+Changes for APR 1.5.2
+
+  *) SECURITY: CVE-2015-1829 (cve.mitre.org)
+     APR applications using APR named pipe support on Windows can be 
+     vulnerable to a pipe squatting attack from a local process; the extent
+     of the vulnerability, when present, depends on the application.
+     Initial analysis and report was provided by John Hernandez of Casaba 
+     Security via HP SSRT Security Alert.  [Yann Ylavic]
+
+  *) Potential Windows build consideration: The increased use of 
+     UuidCreate() in APR may introduce a link error for applications
+     which link with apr-1.lib.  Include the Windows library rpcrt4 if
+     linking fails with an unresolved reference to UuidCreate().
+     
+  *) apr_atomic: Fix errors when building on Visual Studio 2013 while
+     maintaining the ability to build on Visual Studio 6 with Windows
+     Server 2003 R2 SDK. PR 57191. [Gregg Smith]
+
+  *) Switch to generic atomics for early/unpatched Solaris 10 not exporting
+     some atomic functions.  PR 55418.  [Yann Ylavic]
+
+  *) apr_file_mktemp() on HP-UX: Remove limitation of 26 temporary files
+     per process.  PR 57677.  [Jeff Trawick]
+
+  *) apr_escape: Correctly calculate the size of the returned string in
+     apr_escape_path and set the correct return value in case we actually
+     escape the string. [<aduryagin gmail.com>] PR 57230.
+
+  *) pollcb on Windows: Handle calls with no file/socket descriptors.
+     Follow up to PR 49882. [Jeff Trawick, Yann Ylavic]
+
+  *) apr_poll(cb): fix error paths returned values and leaks.  [Yann Ylavic]
+
+  *) apr_thread_cond_*wait() on BeOS: Fix broken logic.  PR 45800.
+     [Jochen Voss (no e-mail)]
+
+  *) apr_skiplist: Optimize the number of allocations by reusing pooled or
+     malloc()ed nodes for the lifetime of the skiplist.  [Yann Ylavic]
+
+  *) apr_skiplist: Fix possible multiple-free() on the same value in
+     apr_skiplist_remove_all().  [Yann Ylavic]
+
+  *) apr_pollset: On z/OS, threadsafe apr_pollset_poll() may return
+     "EDC8102I Operation would block" under load.
+     [Pat Odonnell <patod us.ibm.com>]
+
+  *) On z/OS, apr_sockaddr_info_get() with family == APR_UNSPEC was not 
+     returning IPv4 addresses if any IPv6 addresses were returned. 
+     [Eric Covener]
+
+  *) Windows cmake build: Fix an incompatibility with cmake 2.8.12 and
+     later.  [Jeff Trawick]
+
+  *) apr_global_mutex/apr_proc_mutex: Resolve failures with the 
+     POSIX sem implementation in environments which receive signals.
+     [Jeff Trawick]
+
+  *) apr_skiplist: Fix potential corruption of skiplists leading to 
+     results or crashes. [Takashi Sato <takashi tks st>, Eric Covener]
+     PR 56654.
+
+  *) Improve platform detection by updating config.guess and config.sub.
+     [Rainer Jung]
+
 Changes for APR 1.5.1
 
   *) apr_os_proc_mutex_get() on Unix:  Avoid segfault for cross-
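Review bot: In the apr_skiplist entry for PR 56654, "leading to results or crashes" reads as if a qualifier is missing before "results"; please restore the intended word. In the apr_poll(cb) entry, "fix error paths returned values and leaks" is also hard to parse and could be reworded along the lines of "fix return values and leaks on error paths". The SECURITY entry says the extent of the vulnerability "depends on the application" but gives no hint of what an application owner should check; one sentence on that would help.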
@@ -37,8 +101,8 @@ Changes for APR 1.5.1
   *) Correct a regression in 1.5.0 which affected out-of-tree
      builds on Unix.  [Rainer Jung]
 
-  *) Improve platform detection for bundled expat by updating
-     config.guess and config.sub. [Rainer Jung]
+  *) Improve platform detection by updating config.guess and config.sub.
+     [Rainer Jung]
 
 Changes for APR 1.5.0
 

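Review bot: This rewrites an entry under "Changes for APR 1.5.1", a release that is already published, and the log message ("For the APR 1.5.2 release...") does not explain why. After the change the entry is word-for-word the same as the one added under 1.5.2, so the same item is now listed for both releases; if dropping "for bundled expat" is a correction, please say so in the log.
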
Modified: release/apr/HEADER.html
==============================================================================
--- release/apr/HEADER.html (original)
+++ release/apr/HEADER.html Wed Apr 29 00:40:12 2015
@@ -11,7 +11,7 @@
 
 <ul>
 <li><a href="#mirrors">Download from your nearest mirror site!</a></li>
-<li><a href="#apr">APR 1.5.1 is the latest available version</a></li>
+<li><a href="#apr">APR 1.5.2 is the latest available version</a></li>
 <li><a href="#aprutil">APR-util 1.5.4 is the latest available version</a></li>
 <li><a href="#apriconv">APR-iconv 1.2.1 is the latest available version</a></li>
 <li><a href="#apr09">APR 0.9.20 is also available</a></li>

Modified: release/apr/README.html
==============================================================================
--- release/apr/README.html (original)
+++ release/apr/README.html Wed Apr 29 00:40:12 2015
@@ -8,17 +8,23 @@
       here to find your nearest mirror.</a>
 </p>
 
-<h2><a name="apr">APR 1.5.1 is the latest available version</a></h2>
+<h2><a name="apr">APR 1.5.2 is the latest available version</a></h2>
 
 <p>
-    APR 1.5.1 has been released, and should be considered
+    APR 1.5.2 has been released, and should be considered
     "general availability".
 </p>
 
 <p>
-    APR 1.4.4 and earlier versions had vulnerabilities affecting some
-    applications.  Users of 1.4.4 and previous releases are cautioned
-    to upgrade to the latest version.
+    APR 1.5.1 and earlier versions had vulnerabilities affecting some
+    applications on the Windows platform.  Users of those releases are
+    cautioned to upgrade to the latest version.
+</p>
+
+<p>
+    APR 1.4.5 and earlier versions had vulnerabilities affecting some
+    applications on all platforms.  Users of 1.4.5 and previous releases
+    are cautioned to upgrade to the latest version.
 </p>
 
 <h2><a name="aprutil">APR-util 1.5.4 is the latest available version</a></h2>
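Review bot: The cutoff in the all-platforms paragraph moves from "1.4.4 and earlier" to "1.4.5 and earlier" with no explanation in the log message; please confirm which release is the correct boundary. The new Windows paragraph could also name CVE-2015-1829, as the announcement in this commit does, so that readers of the download page can look the issue up.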