APR team, I tried to be considerably less wordy, and drop previously communicated details which are unlikely to affect a typical admin who is simply updating these components. Developer/users were given the big changes in the first apr-1.6 announcement.
Further edits to the staging/draft copies in https://dist.apache.org/repos/dist/dev/apr/ are welcome. TIA! I've also started two JIRAs... one for help updating our site from xml to mdtext and the ASF CMS. The second for help mass-updating the Release Service table of apr releases from n.n.n format to apr-n.n.n (and then mass include apr-util-n.n.n and apr-iconv-n.n.n) entries. On Mon, Oct 23, 2017 at 12:35 PM, <wr...@apache.org> wrote: > Author: wrowe > Date: Mon Oct 23 17:35:57 2017 > New Revision: 22638 > > Log: > Update .html to 1.6 current, .txt to latest release > > Modified: > release/apr/Announcement1.x.html > release/apr/Announcement1.x.txt > > Modified: release/apr/Announcement1.x.html > ============================================================================== > --- release/apr/Announcement1.x.html (original) > +++ release/apr/Announcement1.x.html Mon Oct 23 17:35:57 2017 
> @@ -9,53 +9,92 @@ > <p><a href="http://apr.apache.org/"><img > src="http://apr.apache.org/images/apr_logo_wide.png" alt="The Apache Portable > Runtime Project" border="0"/></a></p> > > <h1> > - Apache Portable Runtime library 1.5.2 Released > + Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 > + Released > </h1> > > <p> > The Apache Software Foundation and the Apache Portable Runtime > Project are proud to announce the General Availability of version > - 1.5.2 of the Apache Portable Runtime library. > + 1.6.3 of the Apache Portable Runtime library (APR), as well as > + version 1.6.1 of the APR Utility library (APR-util) and version > + 1.2.2 of the APR iconv library (APR-iconv). > </p> > > <p> > - APR 1.5.2 resolves an important issue on the Windows platform > - that can result in vulnerabilities in APR applications which use > - APR pipes; this issue is tracked by CVE-2015-1829. > + APR 1.6.1 release addresses one security vulnerability; > </p> > +<ul> > + <li>CVE-2017-12618; Out-of-bounds access in corrupted SDBM database. > + <br /> > + APR-util 1.6.0 and prior failed to validate the integrity of SDBM > + database files used by apr_sdbm*() functions, resulting in a > + possible out of bound read access. A local user with write access > + to the database can make a program or process using these functions > + crash, and cause a denial of service. > + </li> > +</ul> > > <p> > - APR 1.5.2 fixes a number of additional run-time and build-time bugs > - affecting multiple platforms. See CHANGES-APR-1.5 for more > - information. > + APR-util 1.6.3 release addresses one security vulnerability; > </p> > > -<p> > - Version 1.5.4 of the Apache Portable Runtime Utility library remains > - current. 
> -</p> > +<ul> > + <li>CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions > + <br /> > + When apr_exp_time*() or apr_os_exp_time*() functions are invoked > + with an invalid month field value in APR 1.6.2 and prior, out of > + bounds memory may be accessed in converting this value to an > + apr_time_exp_t value, potentially revealing the contents of a > + different static heap value or resulting in program termination, > + and may represent an information disclosure or denial of service > + vulnerability to applications which call these APR functions with > + unvalidated external input. > + </li> > +</ul> > > <p> > - Version 1.2.1 of the companion APR-iconv library, an alternative > - portable implementation of the 'iconv' library, remains current. > + There are a number of specific changes in how APR is deployed > + and how APR-util deals with external dependencies in their 1.6 > + releases, which may be disruptive to existing build strategies: > </p> > > +<ul> > + <li>Expat sources are no longer bundled, this is now an external > + dependency. Install libexpat runtime (usually installed by > + default) and development packages using your system's package > + manager, or from <a href="https://libexpat.github.io/" > + >https://libexpat.github.io/</a>.<br /> > + </li> > + <li>MySQL support is updated as advised by the MySQL developers. > + MySQL versions older than 5.5 should not be used. If you do > + use an old MySQL version, use the thread-safe libmysqlclient_r > + version of the library.<br /> > + </li> > + <li>FreeTDS partial and incomplete support has been dropped. > + Users of MSSQL and SYBASE databases are recommended to use > + the ODBC driver instead. > + </li> > +</ul> > <p> > - As announced previously, the 0.9.x branches of Apache Portable Runtime > - library, Apache Portable Runtime Utility library, and the companion > - APR-iconv library have been retired. No further bug or security > - fixes will be available for these branches. 
> + APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix > + a number of run-time and build-time issues; For details, see; > </p> > - > +<dl> > + <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-1.6" > + >http://www.apache.org/dist/apr/CHANGES-APR-1.6</a></dd> > + <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6" > + >http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6</a></dd> > + <dd><a href="http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2" > + >http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2</a></dd> > +</dl> > <p> > APR is available for download from: > </p> > - > <dl> > <dd><a href="http://apr.apache.org/download.cgi" > >http://apr.apache.org/download.cgi</a></dd> > </dl> > - > <p> > The mission of the Apache Portable Runtime Project is to create > and maintain software libraries that provide a predictable and 
> @@ -63,76 +102,11 @@ > implementations. The primary goal is to provide an API to > which software developers may code and be assured of predictable > if not identical behavior regardless of the platform on which > - their software is built, relieving them of the need to code > - special-case conditions to work around or take advantage of > - platform-specific deficiencies or features. > -</p> > - > -<p> > - APR and its companion libraries are implemented entirely in C > - and provide a common programming interface across a wide variety > - of operating system platforms without sacrificing performance. > - Currently supported platforms include: > -</p> > - > -<ul> > - <li>UNIX variants > - <li>Windows > - <li>Netware > - <li>Mac OS X > - <li>OS/2 > -</ul> > - > -<p> > - To give a brief overview, the primary core > - subsystems of APR 1.x include the following: > -</p> > - > -<ul> > - <li>Atomic operations > - <li>Dynamic Shared Object loading > - <li>File I/O > - <li>Locks (mutexes, condition variables, etc) > - <li>Memory management (high performance allocators) > - <li>Memory-mapped files > - <li>Multicast Sockets > - <li>Network I/O > - <li>Shared memory > - <li>Thread and Process management > - <li>Various data structures (tables, hashes, priority queues, etc) > -</ul> > - > -<p>For a more complete list, please refer to the following URLs:</p> > - > -<dl> > - <dd><a href="http://apr.apache.org/docs/apr/modules.html" > - >http://apr.apache.org/docs/apr/modules.html</a></dd> > - <dd><a href="http://apr.apache.org/docs/apr-util/modules.html" > - >http://apr.apache.org/docs/apr-util/modules.html</a></dd> > -</dl> > - > -<p> > - Users of APR 0.9 should be aware that migrating to the APR 1.x > - programming interfaces may require some adjustments; APR 1.x is > - neither source nor binary compatible with earlier APR 0.9 releases. 
> - Users of APR 1.x can expect consistent interfaces and binary backwards > - compatibility throughout the entire APR 1.x release cycle, as defined > - in our versioning rules: > -</p> > - > -<dl> > - <dd><a href="http://apr.apache.org/versioning.html" > - >http://apr.apache.org/versioning.html</a></dd> > -</dl> > - > -<p> > - APR is already used extensively by the Apache HTTP Server > - version 2 and the Subversion revision control system, to > - name but a few. We list all known projects using APR at > - http://apr.apache.org/projects.html -- so please let us know > + their software is built. We list all known projects using APR > + at http://apr.apache.org/projects.html - so please let us know > if you find our libraries useful in your own projects! > -</p> > > +</p> > </body> > </html> > > > Modified: release/apr/Announcement1.x.txt > ============================================================================== > --- release/apr/Announcement1.x.txt (original) > +++ release/apr/Announcement1.x.txt Mon Oct 23 17:35:57 2017 
> @@ -1,29 +1,61 @@ > - Apache Portable Runtime library 1.5.2 Released > + Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 > + Released > > The Apache Software Foundation and the Apache Portable Runtime > Project are proud to announce the General Availability of version > - 1.5.2 of the Apache Portable Runtime library. > + 1.6.3 of the Apache Portable Runtime library (APR), as well as > + version 1.6.1 of the APR Utility library (APR-util) and version > + 1.2.2 of the APR iconv library (APR-iconv). > + > + APR 1.6.1 release addresses one security vulnerability; > + > + CVE-2017-12618; Out-of-bounds access in corrupted SDBM database. > + > + APR-util 1.6.0 and prior failed to validate the integrity of SDBM > + database files used by apr_sdbm*() functions, resulting in a > + possible out of bound read access. A local user with write access > + to the database can make a program or process using these functions > + crash, and cause a denial of service. > + > + APR-util 1.6.3 release addresses one security vulnerability; > + > + CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions > + > + When apr_exp_time*() or apr_os_exp_time*() functions are invoked > + with an invalid month field value in APR 1.6.2 and prior, out of > + bounds memory may be accessed in converting this value to an > + apr_time_exp_t value, potentially revealing the contents of a > + different static heap value or resulting in program termination, > + and may represent an information disclosure or denial of service > + vulnerability to applications which call these APR functions with > + unvalidated external input. > + > + There are a number of specific changes in how APR is deployed > + and how APR-util deals with external dependencies in their 1.6 > + releases, which may be disruptive to existing build strategies: > + > + - Expat sources are no longer bundled, this is now an external > + dependency. 
Install libexpat runtime (usually installed by > + default) and development packages using your system's package > + manager, or from <https://libexpat.github.io/>. > + > + - MySQL support is updated as advised by the MySQL developers. > + MySQL versions older than 5.5 should not be used. If you do > + use an old MySQL version, use the thread-safe libmysqlclient_r > + version of the library. > + > + - FreeTDS partial and incomplete support has been dropped. > + Users of MSSQL and SYBASE databases are recommended to use > + the ODBC driver instead. > + > + APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix > + a number of run-time and build-time issues; For details, see; > + > + http://www.apache.org/dist/apr/CHANGES-APR-1.6 > + http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6 > + http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2 > > - APR 1.5.2 resolves an important issue on the Windows platform > - that can result in vulnerabilities in APR applications which use > - APR pipes; this issue is tracked by CVE-2015-1829. > - > - APR 1.5.2 fixes a number of additional run-time and build-time bugs > - affecting multiple platforms. See CHANGES-APR-1.5 for more > - information. > - > - Version 1.5.4 of the Apache Portable Runtime Utility library remains > - current. > - > - Version 1.2.1 of the companion APR-iconv library, an alternative > - portable implementation of the 'iconv' library, remains current. > - > - As announced previously, the 0.9.x branches of Apache Portable Runtime > - library, Apache Portable Runtime Utility library, and the companion > - APR-iconv library have been retired. No further bug or security > - fixes will be available for these branches. > - > - APR is available for download from: > + APR, APR-util and APR-iconv are available for download from: > > http://apr.apache.org/download.cgi 
> > @@ -33,53 +65,7 @@ > implementations. The primary goal is to provide an API to > which software developers may code and be assured of predictable > if not identical behavior regardless of the platform on which > - their software is built, relieving them of the need to code > - special-case conditions to work around or take advantage of > - platform-specific deficiencies or features. > - > - APR and its companion libraries are implemented entirely in C > - and provide a common programming interface across a wide variety > - of operating system platforms without sacrificing performance. > - Currently supported platforms include: > - > - UNIX variants > - Windows > - Netware > - Mac OS X > - OS/2 > - > - To give a brief overview, the primary core > - subsystems of APR 1.x include the following: > - > - Atomic operations > - Dynamic Shared Object loading > - File I/O > - Locks (mutexes, condition variables, etc) > - Memory management (high performance allocators) > - Memory-mapped files > - Multicast Sockets > - Network I/O > - Shared memory > - Thread and Process management > - Various data structures (tables, hashes, priority queues, etc) > - > - For a more complete list, please refer to the following URLs: > - > - http://apr.apache.org/docs/apr/modules.html > - http://apr.apache.org/docs/apr-util/modules.html > - > - Users of APR 0.9 should be aware that migrating to the APR 1.x > - programming interfaces may require some adjustments; APR 1.x is > - neither source nor binary compatible with earlier APR 0.9 releases. > - Users of APR 1.x can expect consistent interfaces and binary backwards > - compatibility throughout the entire APR 1.x release cycle, as defined > - in our versioning rules: > - > - http://apr.apache.org/versioning.html > - > - APR is already used extensively by the Apache HTTP Server > - version 2 and the Subversion revision control system, to > - name but a few. 
We list all known projects using APR at > - http://apr.apache.org/projects.html -- so please let us know > + their software is built. We list all known projects using APR > + at http://apr.apache.org/projects.html - so please let us know > if you find our libraries useful in your own projects! > > >
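Review bot: in the Announcement1.x.html hunk at @@ -9,53 +9,92 @@ the component labels on the two vulnerability paragraphs look swapped: `APR 1.6.1 release addresses one security vulnerability;` introduces CVE-2017-12618, whose own text says `APR-util 1.6.0 and prior failed to validate the integrity of SDBM`, so that paragraph should name APR-util 1.6.1; and `APR-util 1.6.3 release addresses one security vulnerability;` introduces CVE-2017-12613, whose text refers to `APR 1.6.2 and prior` and the apr_time_exp*() functions, so that one should name APR 1.6.3. The CVE-2017-12613 entry also spells the function family two ways (heading `apr_time_exp*()`, body `apr_exp_time*()`); pick one. Minor style: the semicolons after `vulnerability;` and `For details, see;` are doing the job of colons, "out of bound read access" should be "out-of-bounds read access", and the `<br />` immediately before `</li>` in the first list item is stray.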
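Review bot: the Announcement1.x.html hunk at @@ -63,76 +102,11 @@ drops the versioning paragraph and its link to http://apr.apache.org/versioning.html, i.e. the statement that APR 1.x keeps consistent interfaces and binary backward compatibility across the whole 1.x cycle; for an announcement aimed at admins moving from 1.5.x to 1.6.x that is the one sentence they will look for, so consider keeping it even though the platform and subsystem lists are cut. Also, the `-</p>` / `+</p>` pair only moves the closing tag below a blank line; leaving `</p>` where it was avoids diff churn.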
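Review bot: the Announcement1.x.txt hunk at @@ -1,29 +1,61 @@ carries the same swapped labels as the .html (`APR 1.6.1 release addresses ...` above the APR-util SDBM issue CVE-2017-12618, `APR-util 1.6.3 release addresses ...` above the APR apr_time_exp*() issue CVE-2017-12613) and the same `apr_exp_time*()` vs `apr_time_exp*()` inconsistency, so it needs the same correction so the two files agree. Separately, this hunk changes the download line to `APR, APR-util and APR-iconv are available for download from:` while the .html hunk still reads `APR is available for download from:`; update the .html to match.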
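Review bot: the Announcement1.x.txt hunk at @@ -33,53 +65,7 @@ removes the versioning-rules sentence and the http://apr.apache.org/versioning.html link together with the platform and subsystem lists, as in the .html; suggest retaining the binary-compatibility statement here too so admins can tell that 1.6.x is meant to be an in-place upgrade for 1.5.x. Otherwise the text tracks the .html change (`--` to `-`, combined closing sentence) and the two files stay consistent.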