You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Jeff Trawick <tr...@apache.org> on 2010/10/17 23:17:54 UTC
[ANNOUNCE] Apache Portable Runtime 0.9.19 and APR Utility 0.9.19 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
version 0.9.19 of the APR Apache Portable Runtime library, and
version 0.9.19 of the companion APR-util Apache Portable Utility
library.
The corresponding version 0.9.7 of the companion APR-iconv library,
an alternative portable implementation of the 'iconv' library,
remains current.
APR is available for download from:
http://apr.apache.org/download.cgi
This version of APR is a security and bug fix release, and is
provided only for users requiring APR 0.9 compatibility. Most
developers are encouraged to adopt the latest APR 1.x version
to ensure the most comprehensive support and access to the latest
features and enhancements. For example, the Apache HTTP Server
Project's httpd 2.0 release uses APR 0.9 for binary compatibility,
while later httpd 2.2 releases require APR 1.2 or later for better
support and additional features.
The security fixes in the APR library release 0.9.19 and APR-util
library release 0.9.19 must be evaluated in the context of how
APR-consuming applications use them to determine if the application
provides untrusted input to these specific functions, to determine
if they represent vulnerabilities to the specific application.
Refer questions to such APR-consuming projects for further
guidance. These fixes, which are also included in the current APR
and APR-util 1.x releases announced previously, include:
* APR: SECURITY: CVE-2009-2412 (cve.mitre.org)
Fix overflow in pools and rmm, where size alignment was taking place.
[Matt Lewis <ma...@google.com>, Sander Striker, William Rowe]
* APR-util: SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
[Stefan Fritsch]
* APR-util: SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which
could cause applications to crash while parsing specially-crafted
XML documents. [Joe Orton, Rainer Jung]
* APR-util: SECURITY: CVE-2009-2412 (cve.mitre.org)
Fix overflow in rmm, where size alignment was taking place.
[Matt Lewis <ma...@google.com>, Sander Striker]
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
their software is built, relieving them of the need to code
special-case conditions to work around or take advantage of
platform-specific deficiencies or features.
APR and its companion libraries are implemented entirely in C
and provide a common programming interface across a wide variety
of operating system platforms without sacrificing performance.
Currently supported platforms include:
UNIX variants
Windows
Netware
Mac OS X
OS/2
To give a brief overview, the primary core
subsystems of APR 0.9 include the following:
Atomic operations
Dynamic Shared Object loading
File I/O
Locks (mutexes, condition variables, etc)
Memory management (high performance allocators)
Memory-mapped files
Network I/O
Shared memory
Thread and Process management
Various data structures (tables, hashes, priority queues, etc)
For a more complete list, please refer to the following URLs:
http://apr.apache.org/docs/apr/modules.html
http://apr.apache.org/docs/apr-util/modules.html
Users of APR 0.9 should be aware that migrating to the APR 1.x
programming interfaces may require some adjustments; APR 1.x is
neither source nor binary compatible with earlier APR 0.9 releases.
Users of APR 1.x can expect consistent interfaces and binary backwards
compatibility throughout the entire APR 1.x release cycle, as defined
in our versioning rules:
http://apr.apache.org/versioning.html
APR is already used extensively by the Apache HTTP Server
version 2 and the Subversion revision control system, to
name but a few. We list all known projects using APR at
http://apr.apache.org/projects.html -- so please let us know
if you find our libraries useful in your own projects!