Posted to announce@apache.org by Jeff Trawick <tr...@apache.org> on 2010/10/17 23:17:54 UTC

[ANNOUNCE] Apache Portable Runtime 0.9.19 and APR Utility 0.9.19 Released

   The Apache Software Foundation and the Apache Portable Runtime
   Project are proud to announce the General Availability of
   version 0.9.19 of the APR Apache Portable Runtime library, and
   version 0.9.19 of the companion APR-util Apache Portable Utility
   library.

   The corresponding version 0.9.7 of the companion APR-iconv library,
   an alternative portable implementation of the 'iconv' library,
   remains current.

   APR is available for download from:

     http://apr.apache.org/download.cgi

   This version of APR is a security and bug fix release, and is
   provided only for users requiring APR 0.9 compatibility.  Most
   developers are encouraged to adopt the latest APR 1.x version
   to ensure the most comprehensive support and access to the latest
   features and enhancements.  For example, the Apache HTTP Server
   Project's httpd 2.0 release uses APR 0.9 for binary compatibility,
   while later httpd 2.2 releases require APR 1.2 or later for better
   support and additional features.

   The security fixes in APR 0.9.19 and APR-util 0.9.19 must be
   evaluated in the context of how each APR-consuming application
   uses the affected functions: whether that application passes
   untrusted input to them determines whether they represent
   vulnerabilities in that application.  Refer questions to the
   APR-consuming projects for further guidance.  These fixes, which
   are also included in the current APR and APR-util 1.x releases
   announced previously, include:

   * APR: SECURITY: CVE-2009-2412 (cve.mitre.org)
     Fix overflow in pools and rmm, where size alignment was taking place.
     [Matt Lewis <ma...@google.com>, Sander Striker, William Rowe]

   * APR-util: SECURITY: CVE-2010-1623 (cve.mitre.org)
     Fix a denial of service attack against apr_brigade_split_line().
     [Stefan Fritsch]

   * APR-util: SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
     Fix two buffer over-read flaws in the bundled copy of expat which
     could cause applications to crash while parsing specially-crafted
     XML documents.  [Joe Orton, Rainer Jung]

   * APR-util: SECURITY: CVE-2009-2412 (cve.mitre.org)
     Fix overflow in rmm, where size alignment was taking place.
     [Matt Lewis <ma...@google.com>, Sander Striker]
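
   The "overflow where size alignment was taking place" named in the two
   CVE-2009-2412 entries is the pattern of rounding a request up to an
   allocation boundary with arithmetic that can wrap. The following C is an
   added illustration and not APR's own code: the unchecked rounding is
   assumed to match the shape of the APR_ALIGN() macro, and the hardened
   check and the undersized-buffer probe are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round `size` up to a multiple of `boundary` (a power of two).
 * Assumed to mirror the shape of APR's APR_ALIGN() macro. The addition
 * wraps when `size` lies within boundary-1 of SIZE_MAX, so an enormous
 * request silently becomes a tiny aligned size. */
static size_t align_unchecked(size_t size, size_t boundary)
{
    return (size + (boundary - 1)) & ~(boundary - 1);
}

/* Hardened variant (constructed for this example): detect the wrap
 * before it happens and refuse the request instead of returning a
 * misleadingly small size. Returns false when the request must fail. */
static bool align_checked(size_t size, size_t boundary, size_t *out)
{
    if (size > SIZE_MAX - (boundary - 1)) {
        return false;               /* rounding would wrap past SIZE_MAX */
    }
    *out = (size + (boundary - 1)) & ~(boundary - 1);
    return true;
}

/* True when the unchecked rounding would hand the allocator a size
 * smaller than what the caller asked for: the caller then writes
 * `request` bytes into a buffer that is far too short (heap overflow). */
static bool would_be_undersized(size_t request)
{
    return align_unchecked(request, 8) < request;
}

int main(void)
{
    size_t huge = SIZE_MAX - 3;     /* untrusted size near the top of range */
    size_t out = 0;
    printf("request %zu -> unchecked aligned %zu (undersized: %s)\n",
           huge, align_unchecked(huge, 8),
           would_be_undersized(huge) ? "yes" : "no");
    printf("hardened check accepts it: %s\n",
           align_checked(huge, 8, &out) ? "yes" : "no");
    printf("request 13 -> aligned %zu\n", align_unchecked(13, 8));
    return 0;
}
```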

   The mission of the Apache Portable Runtime Project is to create
   and maintain software libraries that provide a predictable and
   consistent interface to underlying platform-specific
   implementations. The primary goal is to provide an API to
   which software developers may code and be assured of predictable
   if not identical behavior regardless of the platform on which
   their software is built, relieving them of the need to code
   special-case conditions to work around or take advantage of
   platform-specific deficiencies or features.

   APR and its companion libraries are implemented entirely in C
   and provide a common programming interface across a wide variety
   of operating system platforms without sacrificing performance.
   Currently supported platforms include:

     UNIX variants
     Windows
     NetWare
     Mac OS X
     OS/2

   To give a brief overview, the primary core
   subsystems of APR 0.9 include the following:

     Atomic operations
     Dynamic Shared Object loading
     File I/O
     Locks (mutexes, condition variables, etc)
     Memory management (high performance allocators)
     Memory-mapped files
     Network I/O
     Shared memory
     Thread and Process management
     Various data structures (tables, hashes, priority queues, etc)

   For a more complete list, please refer to the following URLs:

     http://apr.apache.org/docs/apr/modules.html
     http://apr.apache.org/docs/apr-util/modules.html

   Users of APR 0.9 should be aware that migrating to the APR 1.x
   programming interfaces may require some adjustments; APR 1.x is
   neither source nor binary compatible with earlier APR 0.9 releases.
   Users of APR 1.x can expect consistent interfaces and binary backwards
   compatibility throughout the entire APR 1.x release cycle, as defined
   in our versioning rules:

     http://apr.apache.org/versioning.html

   APR is already used extensively by the Apache HTTP Server
   version 2 and the Subversion revision control system, to
   name but a few.  We list all known projects using APR at
   http://apr.apache.org/projects.html -- so please let us know
   if you find our libraries useful in your own projects!