You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apr.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2017/10/23 18:27:59 UTC
[Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and
APR-iconv 1.2.2 Released
[Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and
APR-iconv 1.2.2 Released
The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
1.6.3 of the Apache Portable Runtime library (APR), as well as
version 1.6.1 of the APR Utility library (APR-util) and version
1.2.2 of the APR iconv library (APR-iconv).
APR 1.6.1 release addresses one security vulnerability;
CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
APR-util 1.6.0 and prior failed to validate the integrity of SDBM
database files used by apr_sdbm*() functions, resulting in a
possible out of bound read access. A local user with write access
to the database can make a program or process using these functions
crash, and cause a denial of service.
APR-util 1.6.3 release addresses one security vulnerability;
CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions
When apr_exp_time*() or apr_os_exp_time*() functions are invoked
with an invalid month field value in APR 1.6.2 and prior, out of
bounds memory may be accessed in converting this value to an
apr_time_exp_t value, potentially revealing the contents of a
different static heap value or resulting in program termination,
and may represent an information disclosure or denial of service
vulnerability to applications which call these APR functions with
unvalidated external input.
There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
releases, which may be disruptive to existing build strategies:
- Expat sources are no longer bundled, this is now an external
dependency. Install libexpat runtime (usually installed by
default) and development packages using your system's package
manager, or from <https://libexpat.github.io/>.
- MySQL support is updated as advised by the MySQL developers.
MySQL versions older than 5.5 should not be used. If you do
use an old MySQL version, use the thread-safe libmysqlclient_r
version of the library.
- FreeTDS partial and incomplete support has been dropped.
Users of MSSQL and SYBASE databases are recommended to use
the ODBC driver instead.
APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
a number of run-time and build-time issues; For details, see;
http://www.apache.org/dist/apr/CHANGES-APR-1.6
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6
http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2
APR, APR-util and APR-iconv are available for download from:
http://apr.apache.org/download.cgi
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
their software is built. We list all known projects using APR
at http://apr.apache.org/projects.html - so please let us know
if you find our libraries useful in your own projects!
Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and
APR-iconv 1.2.2 Released
Posted by Stefan Sperling <st...@stsp.name>.
On Wed, Nov 01, 2017 at 01:07:34PM +0100, Rainer Jung wrote:
> Am 01.11.2017 um 12:22 schrieb Stefan Sperling:
> > On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
> > > CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> > >
> > > APR-util 1.6.0 and prior failed to validate the integrity of SDBM
> > > database files used by apr_sdbm*() functions, resulting in a
> > > possible out of bound read access. A local user with write access
> > > to the database can make a program or process using these functions
> > > crash, and cause a denial of service.
> >
> > I am looking for the patch which fixed the above issue.
> >
> > Where can I find it?
> >
> > Was it r1809394? All of it? Some of it?
> >
> > Rationale: APR-util 1.6.3 added a shared library symbol:
> >
> > No dynamic export changes
> > PLT added:
> > apr_xml_parser_done
> >
> > I want to figure out a way to patch this security issue in
> > OpenBSD 6.2-stable, without changing unrelated library symbols.
>
> Yes, it should be r1809394 or even better the 1.6.x backport r1809395.
>
> Regards,
>
> Rainer
Thank you, Rainer. I have committed this fix to OpenBSD.
Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and
APR-iconv 1.2.2 Released
Posted by Rainer Jung <ra...@kippdata.de>.
Am 01.11.2017 um 12:22 schrieb Stefan Sperling:
> On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
>> CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
>>
>> APR-util 1.6.0 and prior failed to validate the integrity of SDBM
>> database files used by apr_sdbm*() functions, resulting in a
>> possible out of bound read access. A local user with write access
>> to the database can make a program or process using these functions
>> crash, and cause a denial of service.
>
> I am looking for the patch which fixed the above issue.
>
> Where can I find it?
>
> Was it r1809394? All of it? Some of it?
>
> Rationale: APR-util 1.6.3 added a shared library symbol:
>
> No dynamic export changes
> PLT added:
> apr_xml_parser_done
>
> I want to figure out a way to patch this security issue in
> OpenBSD 6.2-stable, without changing unrelated library symbols.
Yes, it should be r1809394 or even better the 1.6.x backport r1809395.
Regards,
Rainer
Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and
APR-iconv 1.2.2 Released
Posted by Stefan Sperling <st...@apache.org>.
On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
> CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
>
> APR-util 1.6.0 and prior failed to validate the integrity of SDBM
> database files used by apr_sdbm*() functions, resulting in a
> possible out of bound read access. A local user with write access
> to the database can make a program or process using these functions
> crash, and cause a denial of service.
I am looking for the patch which fixed the above issue.
Where can I find it?
Was it r1809394? All of it? Some of it?
Rationale: APR-util 1.6.3 added a shared library symbol:
No dynamic export changes
PLT added:
apr_xml_parser_done
I want to figure out a way to patch this security issue in
OpenBSD 6.2-stable, without changing unrelated library symbols.
Thanks,
Stefan