From: "William A. Rowe Jr."
To: announce@httpd.apache.org
Date: Thu, 19 May 2011 12:17:06 -0500
Subject: [Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
Message-ID: <4DD55092.3030403@apache.org>
In-Reply-To: <4DD5481B.1090301@rowe-clan.net>
References: <4DD3F433.1070809@apache.org> <4DD5481B.1090301@rowe-clan.net>

New releases are in progress for each of these projects and are expected to be available in the coming days. The upcoming httpd 2.2.19 will bundle new releases of apr and apr-util which correct the regressions described below. An announcement of these releases will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18:
  The ap_unescape_url_keep2f() function signature was changed. This breaks binary compatibility of a number of third-party modules. In addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4:
  A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. A patch is attached and should be used if httpd workers enter a hung state (100% cpu utilization) after updating to httpd 2.2.18 or apr 1.4.4, or if hangs are seen in other apr applications which use apr_fnmatch().

apr-util 1.3.11:
  A fix to LDAP support in apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.

Attachment: apr-1.4.4-fnmatch.patch (decoded from the base64 MIME part)

--- srclib\apr\strings\apr_fnmatch.orig	Mon May 02 23:51:24 2011
+++ srclib\apr\strings\apr_fnmatch.c	Wed May 18 13:09:52 2011
@@ -196,7 +196,10 @@
     const char *mismatch = NULL;
     int matchlen = 0;
 
-    while (*pattern)
+    if (*pattern == '*')
+        goto firstsegment;
+
+    while (*pattern && *string)
     {
         /* Match balanced slashes, starting a new segment pattern
          */
@@ -207,6 +210,7 @@
             ++string;
         }            
 
+firstsegment:
         /* At the beginning of each segment, validate leading period behavior.
          */
         if ((flags & APR_FNM_PERIOD) && (*string == '.'))
@@ -361,9 +365,9 @@
             return APR_FNM_NOMATCH;
     }
 
-    /* pattern is at EOS; if string is also, declare success
+    /* Where both pattern and string are at EOS, declare success
      */
-    if (!*string)
+    if (!*string && !*pattern)
         return 0;
 
     /* pattern didn't match to the end of string */
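Review bot: in the first hunk (@@ -196,7 +196,10 @@) the new 'goto firstsegment' jumps into the body of the while loop, bypassing both the new '*string' guard and the slash-balancing step for the first segment, and nothing on the 'if (*pattern == '*')' line says why. That is presumably what keeps a pattern beginning with '*' matchable against an empty string, since the new guard 'while (*pattern && *string)' would otherwise never enter the loop for it; state that intent in a comment on the if line (for example: /* a leading '*' may match an empty string; enter the loop past the guard and the slash matching */) so the jump is not mistaken for an accident.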
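Review bot: in the second hunk (@@ -207,6 +210,7 @@) the new 'firstsegment:' label sits at column 0 inside the loop body, directly before the leading-period check that reads '*string'. On the goto entry path string may already be at its terminating NUL, and the check is only safe because NUL is not '.'; a one-line comment beside the label naming the entry condition (something like /* entered directly when the pattern starts with '*'; string may be empty */) would make that explicit, since a bare label into a loop body is easy to misread as a fall-through.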
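Review bot: in the third hunk (@@ -361,9 +365,9 @@) the old 'if (!*string) return 0;' declared success whenever the string was exhausted regardless of leftover pattern, and the new 'if (!*string && !*pattern)' reports APR_FNM_NOMATCH in that case. Together with the stricter loop guard 'while (*pattern && *string)' from the first hunk, any pattern characters remaining after the string ends now count as a mismatch, and the hunk does not show whether a trailing '*' is consumed inside the loop before *string reaches NUL. Please confirm with regression cases such as apr_fnmatch("a*", "a", 0) and apr_fnmatch("*", "", 0), both of which should return 0, so the fix for the hang does not trade it for a false mismatch.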
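The announcement tells operators to apply the patch if httpd workers "enter a hung state (100% cpu utilization)". The following is an added example, not part of the announcement or of the APR/httpd projects, of a small check for that symptom: it filters ps output for httpd worker processes pinned at or above a CPU threshold. It assumes the column layout of 'ps -eo pid,pcpu,comm --no-headers' (procps on Linux); the sample ps lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the announcement or of the APR/httpd projects:
# find httpd worker processes pinned at high CPU, the symptom the
# announcement gives for the apr 1.4.4 apr_fnmatch() regression.
# Assumption: the input has the column layout of
#   ps -eo pid,pcpu,comm --no-headers
# (procps on Linux); other ps implementations may need a different invocation.

# Read ps-style lines on stdin; print the PIDs of processes named httpd,
# httpd.worker or apache2 whose %CPU is at or above the threshold in $1
# (default 95). Field 1 is the PID, field 2 the %CPU, field 3 the command.
hung_httpd_workers() {
    threshold="${1:-95}"
    awk -v th="$threshold" '
        $3 ~ /^(httpd|httpd\.worker|apache2)$/ && ($2 + 0) >= th { print $1 }
    '
}

# Run the filter against the live process table (not exercised by the
# constructed sample below).
live_hung_workers() {
    ps -eo pid,pcpu,comm --no-headers | hung_httpd_workers "${1:-95}"
}

# Constructed sample of ps output: two spinning workers (102, 103), one idle
# worker, and two unrelated processes, one of which is also busy.
SAMPLE_PS='  101   0.3 httpd
  102  99.9 httpd
  103 100.0 httpd
  104   0.0 sshd
  105  98.2 java'

# Running the sample through the filter prints 102 and 103.
printf '%s\n' "$SAMPLE_PS" | hung_httpd_workers 95
```

A PID flagged by the filter is only a symptom; before rebuilding apr with the attached patch, confirm the spin is actually in apr_fnmatch() by taking a backtrace of the worker (for example with gdb -p <pid> -batch -ex bt) and looking for apr_fnmatch in the frames, and check that the apr the server is linked against is in fact 1.4.4.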