apr-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject [vote] release apr 1.3.8, apr-util 1.3.9?
Date Tue, 04 Aug 2009 22:07:04 GMT
As you now know, a vulnerability was reported to the APR project.
Downstream developers are already working on closing a still(?)
undisclosed vulnerability in their package.

Based on the fact that APR makes DoS vulnerable code more vulnerable
to other possible exploits, we are moving ahead with a release that
incorporates the patches at http://apr.apache.org/dist/apr/patches/
... note that programmers in general will not be affected but due to
the widely-adopted nature of APR, we believe it's best to get this
fix out promptly.

Candidates in the usual location, already synced.  Will let this vote
initially run for 24 hours and would hope to find enough feedback to
release by then, given the security implications.

 +/-1
 [  ]  Release apr 1.3.8 as GA
 [  ]  Release apr-util 1.3.9 as GA





