From dev-return-24151-apmail-apr-dev-archive=apr.apache.org@apr.apache.org Thu May 19 17:19:01 2011
Return-Path:
X-Original-To: apmail-apr-dev-archive@www.apache.org
Delivered-To: apmail-apr-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 160EB468D for ; Thu, 19 May 2011 17:19:01 +0000 (UTC)
Received: (qmail 20710 invoked by uid 500); 19 May 2011 17:18:58 -0000
Delivered-To: apmail-apr-dev-archive@apr.apache.org
Received: (qmail 20603 invoked by uid 500); 19 May 2011 17:18:58 -0000
Mailing-List: contact dev-help@apr.apache.org; run by ezmlm
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Id:
Delivered-To: mailing list dev@apr.apache.org
Received: (qmail 20565 invoked by uid 99); 19 May 2011 17:18:58 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 May 2011 17:18:58 +0000
X-ASF-Spam-Status: No, hits=0.7 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (nike.apache.org: local policy)
Received: from [173.201.192.109] (HELO p3plsmtpa06-08.prod.phx3.secureserver.net) (173.201.192.109) by apache.org (qpsmtpd/0.29) with SMTP; Thu, 19 May 2011 17:18:48 +0000
Received: (qmail 18611 invoked from network); 19 May 2011 17:18:27 -0000
Received: from unknown (76.252.112.72) by p3plsmtpa06-08.prod.phx3.secureserver.net (173.201.192.109) with ESMTP; 19 May 2011 17:18:26 -0000
Message-ID: <4DD550C0.2000003@rowe-clan.net>
Date: Thu, 19 May 2011 12:17:52 -0500
From: "William A. Rowe Jr."
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: dev@httpd.apache.org, users@httpd.apache.org, APR Developer List
Subject: [Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
References: <4DD3F433.1070809@apache.org> <4DD5481B.1090301@rowe-clan.net>
In-Reply-To: <4DD5481B.1090301@rowe-clan.net>
Content-Type: multipart/mixed; boundary="------------000500050806000206030101"
X-Virus-Checked: Checked by ClamAV on apache.org

New releases are in progress for each of these projects and are expected to be available in the coming days. The upcoming httpd 2.2.19 will bundle new releases of apr and apr-util which correct the regressions described below. An announcement of these releases will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed. This breaks binary compatibility of a number of third-party modules. In addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. A patch is attached and should be used if httpd workers enter a hung state (100% cpu utilization) after updating to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.
Attachment:
Content-Type: text/plain; name="apr-1.4.4-fnmatch.patch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="apr-1.4.4-fnmatch.patch"