Posted to commits@apr.apache.org by tr...@apache.org on 2011/09/15 05:45:07 UTC
svn commit: r403 - in /release/apr: Announcement0.9.html Announcement0.9.txt
CHANGES-APR-0.9 HEADER.html README.html
Author: trawick
Date: Thu Sep 15 03:45:05 2011
New Revision: 403
Log:
update mirrored text for the release of APR 0.9.20
Modified:
release/apr/Announcement0.9.html
release/apr/Announcement0.9.txt
release/apr/CHANGES-APR-0.9
release/apr/HEADER.html
release/apr/README.html
Modified: release/apr/Announcement0.9.html
==============================================================================
--- release/apr/Announcement0.9.html (original)
+++ release/apr/Announcement0.9.html Thu Sep 15 03:45:05 2011
@@ -3,22 +3,21 @@
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<meta name="author" content="APR" /><meta name="email" content="dev@apr.apache.org" />
- <title>Apache Portable Runtime 0.9.19 and APR Utility 0.9.19 Released</title>
+ <title>Apache Portable Runtime 0.9.20 Released</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#525D76">
<p><a href="http://apr.apache.org/"><img src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable Runtime Project" border="0"/></a></p>
-<h1>Apache Portable Runtime 0.9.19 and APR Utility 0.9.19 Released</h1>
+<h1>Apache Portable Runtime 0.9.20 Released</h1>
<p>The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
- version 0.9.19 of the APR Apache Portable Runtime library, and
- version 0.9.19 of the companion APR-util Apache Portable Utility
- library.</p>
-
-<p>The corresponding version 0.9.7 of the companion APR-iconv library,
- an alternative portable implementation of the 'iconv' library,
- remains current.</p>
+ version 0.9.20 of the APR Apache Portable Runtime library.</p>
+
+<p>The corresponding version 0.9.19 of the companion APR-util
+ Apache Portable Utility library and version 0.9.7 of the companion
+ APR-iconv library, an alternative portable implementation of the
+ 'iconv' library, remain current.</p>
<p>APR is available for download from:</p>
@@ -36,32 +35,22 @@
while later httpd 2.2 releases require APR 1.2 or later for better
support and additional features.</p>
-<p>The security fixes in the APR library release 0.9.19 and APR-util
- library release 0.9.19 must be evaluated in the context of how
- APR-consuming applications use them to determine if the application
- provides untrusted input to these specific functions, to determine
- if they represent vulnerabilities to the specific application.
+<p>The security fix in the APR library release 0.9.20 must be
+ evaluated in the context of how APR-consuming applications use the
+ related function, to determine if they represent vulnerabilities
+ to the specific application. Often the determination is whether
+ or not the application provides untrusted input to the APR function.
Refer questions to such APR-consuming projects for further
- guidance. These fixes, which are also included in the current APR
- and APR-util 1.x releases announced previously, include:</p>
+ guidance.</p>
+
+<p>This fix, which is also included in the current APR 1.x release
+ announced previously, is:</p>
<ul>
- <li>APR: SECURITY: CVE-2009-2412 (cve.mitre.org)<br>
- Fix overflow in pools and rmm, where size alignment was taking place.
- [Matt Lewis <ma...@google.com>, Sander Striker, William Rowe]
- </li>
- <li>APR-util: SECURITY: CVE-2010-1623 (cve.mitre.org)</br>
- Fix a denial of service attack against apr_brigade_split_line().
- [Stefan Fritsch]
- </li>
- <li>APR-util: SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)</br>
- Fix two buffer over-read flaws in the bundled copy of expat which
- could cause applications to crash while parsing specially-crafted
- XML documents. [Joe Orton, Rainer Jung]
- </li>
- <li>APR-util: SECURITY: CVE-2009-2412 (cve.mitre.org)</br>
- Fix overflow in rmm, where size alignment was taking place.
- [Matt Lewis <ma...@google.com>, Sander Striker]
+ <li>APR: SECURITY: CVE-2011-0419 (cve.mitre.org)<br>
+ Reimplement apr_fnmatch() from scratch using a non-recursive
+ algorithm; now has improved compliance with the fnmatch() spec.
+ [William Rowe]
</li>
</ul>
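Review bot: In the rewritten security paragraph, "to determine if they represent vulnerabilities" has no plural antecedent now that the text covers a single fix and a single function; suggest "to determine if it represents a vulnerability to the specific application", and name apr_fnmatch() in place of "the related function" so readers do not have to reach the list to learn which call to audit. The added list item says what was reimplemented but not the impact, unlike the removed entries ("denial of service attack", "overflow", "buffer over-read flaws"); one clause on the consequence of the old recursive implementation would help consumers triage. Minor: the added item uses <br> while the document's other empty elements are self-closed (<meta ... />, <img ... />), so <br /> would match.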
Modified: release/apr/Announcement0.9.txt
==============================================================================
--- release/apr/Announcement0.9.txt (original)
+++ release/apr/Announcement0.9.txt Thu Sep 15 03:45:05 2011
@@ -1,14 +1,13 @@
- Apache Portable Runtime 0.9.19 and APR Utility 0.9.19 Released
+ Apache Portable Runtime 0.9.20 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
- version 0.9.19 of the APR Apache Portable Runtime library, and
- version 0.9.19 of the companion APR-util Apache Portable Utility
- library.
-
- The corresponding version 0.9.7 of the companion APR-iconv library,
- an alternative portable implementation of the 'iconv' library,
- remains current.
+ version 0.9.20 of the APR Apache Portable Runtime library.
+
+ The corresponding version 0.9.19 of the companion APR-util
+ Apache Portable Utility library and version 0.9.7 of the companion
+ APR-iconv library, an alternative portable implementation of the
+ 'iconv' library, remain current.
APR is available for download from:
@@ -23,31 +22,20 @@
while later httpd 2.2 releases require APR 1.2 or later for better
support and additional features.
- The security fixes in the APR library release 0.9.19 and APR-util
- library release 0.9.19 must be evaluated in the context of how
- APR-consuming applications use them to determine if the application
- provides untrusted input to these specific functions, to determine
- if they represent vulnerabilities to the specific application.
- Refer questions to such APR-consuming projects for further
- guidance. These fixes, which are also included in the current APR
- and APR-util 1.x releases announced previously, include:
-
- * APR: SECURITY: CVE-2009-2412 (cve.mitre.org)
- Fix overflow in pools and rmm, where size alignment was taking place.
- [Matt Lewis <ma...@google.com>, Sander Striker, William Rowe]
-
- * APR-util: SECURITY: CVE-2010-1623 (cve.mitre.org)
- Fix a denial of service attack against apr_brigade_split_line().
- [Stefan Fritsch]
-
- * APR-util: SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
- Fix two buffer over-read flaws in the bundled copy of expat which
- could cause applications to crash while parsing specially-crafted
- XML documents. [Joe Orton, Rainer Jung]
-
- * APR-util: SECURITY: CVE-2009-2412 (cve.mitre.org)
- Fix overflow in rmm, where size alignment was taking place.
- [Matt Lewis <ma...@google.com>, Sander Striker]
+ The security fix in the APR library release 0.9.20 must be
+ evaluated in the context of how APR-consuming applications use the
+ related function, to determine if they represent vulnerabilities
+ to the specific application. Often the determination is whether
+ or not the application provides untrusted input to the APR function.
+ Refer questions to such APR-consuming projects for further guidance.
+
+ This fix, which is also included in the current APR 1.x release
+ announced previously, is:
+
+ *) Security: CVE-2011-0419
+ Reimplement apr_fnmatch() from scratch using a non-recursive
+ algorithm; now has improved compliance with the fnmatch() spec.
+ [William Rowe]
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
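Review bot: The added bullet "*) Security: CVE-2011-0419" uses the CHANGES-file marker and drops the "APR:" prefix and the "(cve.mitre.org)" reference, whereas the removed bullets in this file used "* APR: SECURITY: ..." and the HTML announcement in the same commit reads "APR: SECURITY: CVE-2011-0419 (cve.mitre.org)". Suggest using the same heading line in both announcements so the text and HTML mirrors stay identical. Also, "they" in "to determine if they represent vulnerabilities" has no plural antecedent now that only one fix is described; "if it represents a vulnerability" reads correctly.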
Modified: release/apr/CHANGES-APR-0.9
==============================================================================
--- release/apr/CHANGES-APR-0.9 (original)
+++ release/apr/CHANGES-APR-0.9 Thu Sep 15 03:45:05 2011
@@ -1,4 +1,16 @@
-*- coding: utf-8 -*-
+Changes with APR 0.9.20
+
+ *) Security: CVE-2011-0419
+ Reimplement apr_fnmatch() from scratch using a non-recursive
+ algorithm; now has improved compliance with the fnmatch() spec.
+ [William Rowe]
+
+ *) Updated config.guess and config.sub. [Rainer Jung]
+
+ *) Fix flag character '#' in combination with format character 'x' in
+ apr snprintf implementations. [Rainer Jung]
+
Changes with APR 0.9.19
*) SECURITY: CVE-2009-2412 (cve.mitre.org)
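Review bot: The new 0.9.20 entry is headed "Security: CVE-2011-0419" while the 0.9.19 entry directly below uses "SECURITY: CVE-2009-2412 (cve.mitre.org)". A case-sensitive search for "SECURITY:" across CHANGES will miss the new entry; suggest "*) SECURITY: CVE-2011-0419 (cve.mitre.org)" to match the existing convention.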
Modified: release/apr/HEADER.html
==============================================================================
--- release/apr/HEADER.html (original)
+++ release/apr/HEADER.html Thu Sep 15 03:45:05 2011
@@ -14,7 +14,7 @@
<li><a href="#apr">APR 1.4.5 is the latest available version</a></li>
<li><a href="#aprutil">APR-util 1.3.12 is the latest available version</a></li>
<li><a href="#apriconv">APR-iconv 1.2.1 is the latest available version</a></li>
-<li><a href="#apr09">APR 0.9.19 is also available</a></li>
+<li><a href="#apr09">APR 0.9.20 is also available</a></li>
<li><a href="#aprutil09">APR-util 0.9.19 is also available</a></li>
<li><a href="#apriconv09">APR-iconv 0.9.7 is also available</a></li>
<li><a href="#sig">PGP/GPG Signatures</a></li>
Modified: release/apr/README.html
==============================================================================
--- release/apr/README.html (original)
+++ release/apr/README.html Thu Sep 15 03:45:05 2011
@@ -41,15 +41,15 @@
"general availability".
</p>
-<h2><a name="apr09">APR 0.9.19 is also available</a></h2>
+<h2><a name="apr09">APR 0.9.20 is also available</a></h2>
<p>
- APR 0.9.19 has also been released. This is primarily a
- a bug-fix release for users requiring API or binary compatibility
+ APR 0.9.20 has also been released. This is primarily a
+ bug-fix release for users requiring API or binary compatibility
with previous APR 0.9 releases.
</p>
<p>
- Note that APR 0.9.19 corrected a potential security issue, and
+ Note that APR 0.9.20 corrected a potential security issue, and
users of all previous versions are cautioned to upgrade to this release,
or version 1.4.2 or later.
</p>