perl-modperl mailing list archives

From Ryan Perry <>
Subject Re: More on httpd2.2, libapreq2, apr and mod_perl2 not playing nice
Date Mon, 13 Feb 2006 07:21:40 GMT
Yes.  2.07 has been released.

 From apreq List:

         libapreq2-2.07 Released

The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.07 release of libapreq2.  This
Announcement notes significant changes introduced by this release.

libapreq2-2.07 is released under the Apache License
version 2.0.  It is now available through the ASF mirrors

and has entered the CPAN as

   file: $CPAN/authors/id/J/JO/JOESUF/libapreq2-2.07.tar.gz
   size: 787249 bytes
    md5: 6f2e5e4a14e8b190dead0fe91fc13080

libapreq2 is an APR-based shared library used for parsing HTTP cookies,
query-strings and POST data.  This package provides

     1) version 2.5.7 of the libapreq2 library,

     2) mod_apreq2, a filter module necessary for using libapreq2
        within the Apache HTTP Server,

     3) the Apache2::Request, Apache2::Cookie, and Apache2::Upload
        perl modules for using libapreq2 with mod_perl2.

This release contains an important security bugfix which impacts all
previous developer releases of libapreq2. The Common Vulnerabilities
and Exposures project assigned the name CVE-2006-0042 to this issue.


Changes with libapreq2-2.07 (released February 12, 2006)

- C API [joes]
   SECURITY: CVE-2006-0042 (
   Eliminate potential quadratic behavior in apreq_parse_headers() and

- Perl API [Philip M. Gollucci]
   Fix Apache2::Cookie->cookies() to comply with its documentation

- C API [Philip M. Gollucci]
   Use the APREQ_DEFAULT_READ_LIMIT constant for the read_limit

- C API [Ville Skyttä, Dirk Nehring]
   Add explicit cast in apreq_escape()/apreq_util.h to keep
   C++ compilers happy.

- C API [joes]
   Protect against arbitrary recursion depth in apreq_parse_multipart()
   by adding a reasonable compile-time MAX_LEVEL limit.

- C API [joes]
   Clean up end-of-file parsing for apreq_parse_multipart(),
   conforming to rfc-2046 § 5.1.1.

- Perl API [joes]
   Move APR::Request::Param::Table and APR::Request::Cookie::Table
   packages to APR::Request module.

- Perl XS [Steve Hay]
   Fix compile problems on Win32 without PERL_IMPLICIT_SYS
   related to link being an unresolved symbol.

- Perl API [joes]
   APR::Request::Cookie::thaw() isn't a class method.

- C API [joes]
   Fix off-by-one bug in the continuation-lines portion of the
   header parser.

- Perl API [joes]
   Move APR::Request::upload to APR::Request, where it belongs.

- Perl XS [Nikolay Ananiev]
   Use MP_STATIC declarations to allow Cygwin builds.

- Perl API [joes]
   encode()/decode() were busted with zero-length args.  This caused
   Apache2::Cookie::new() to segfault on cookie value of "".

- C API [joes]
   Add apreq_charset_divine() and eliminate charset offset from return
   value of apreq_decode(v).

- C API [joes]
   Improve the cp1252-charset heuristics for apreq_decode(v).

- C API [Ralph Mattes]
   Add explicit casts for apreq_param_charset_* to keep c++ compilers  

On Feb 12, 2006, at 9:07 PM, Foo Ji-Haw wrote:

> Is 2.07 out already? still lists it as 2.06-dev
> ----- Original Message -----
> From: "Ryan Perry" <>
> To: "ben syverson" <>
> Cc: <>
> Sent: Monday, February 13, 2006 5:44 AM
> Subject: Re: More on httpd2.2, libapreq2, apr and mod_perl2 not playing nice
>> FYI,
>> Problems I've been having with Apache2 on FreeBSD 6.0 seem to have
>> been resolved by installing the new libapreq2-2.07
>> Thanks!
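
The changelog entry above about capping recursion depth in apreq_parse_multipart() with a compile-time MAX_LEVEL, illustrated as an added example (not libapreq2 source and not part of the original message). The names find, count_parts and parse_nested, the error codes, the limit value 8 and the LF-only nested input are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LEVEL 8   /* assumed value; the page does not state libapreq2's */
enum { ERR_TOO_DEEP = -1, ERR_MALFORMED = -2 };
/* Bounded substring search: never reads at or past `end`. */
static const char *find(const char *p, const char *end, const char *needle) {
    for (size_t n = strlen(needle); (size_t)(end - p) >= n; p++)
        if (memcmp(p, needle, n) == 0) return p;
    return NULL;
}

/* Count leaf parts, recursing into nested multiparts (simplified: LF-only). */
static int count_parts(const char *p, const char *end, const char *boundary, int level) {
    char delim[80], inner[64]; int total = 0, sub;
    if (level >= MAX_LEVEL) return ERR_TOO_DEEP;     /* cap checked on entry */
    size_t dlen = (size_t)snprintf(delim, sizeof delim, "\n--%s", boundary);
    for (p = find(p, end, delim); p != NULL; ) {
        p += dlen;
        if (end - p >= 2 && memcmp(p, "--", 2) == 0) return total;  /* close */
        const char *next = find(p, end, delim);
        if (next == NULL) break;                     /* part never terminated */
        const char *hdr_end = find(p, next, "\n\n");
        const char *b = hdr_end ? find(p, hdr_end, "boundary=") : NULL;
        if (b != NULL) {                             /* part is itself multipart */
            size_t n = strcspn(b += 9, "\n");        /* ends at hdr_end at latest */
            if (n == 0 || n >= sizeof inner) return ERR_MALFORMED;
            memcpy(inner, b, n); inner[n] = '\0';
            if ((sub = count_parts(hdr_end, next, inner, level + 1)) < 0) return sub;
            total += sub;
        } else total++;
        p = next;
    }
    return ERR_MALFORMED;                            /* no close delimiter */
}

/* Constructed input: `levels` (1..99) multiparts nested around one leaf part. */
static int parse_nested(int levels) {
    char buf[8192]; size_t n = 0;
    for (int i = 0; i + 1 < levels; i++)
        n += (size_t)snprintf(buf + n, sizeof buf - n,
            "\n--L%02d\nContent-Type: multipart/mixed; boundary=L%02d\n", i, i + 1);
    n += (size_t)snprintf(buf + n, sizeof buf - n, "\n--L%02d\n\nleaf", levels - 1);
    for (int i = levels - 1; i >= 0; i--)
        n += (size_t)snprintf(buf + n, sizeof buf - n, "\n--L%02d--", i);
    return count_parts(buf, buf + n, "L00", 0);
}

int main(void) {
    return printf("%d %d\n", parse_nested(MAX_LEVEL), parse_nested(MAX_LEVEL + 1)) < 0;
}
```

Because the cap is tested on entry, stack use is bounded by MAX_LEVEL frames however many nested boundaries the request body declares.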
