Re: [VOTE] release apr-util-1.6.2-rc2 as apr-util 1.6.2

2023-01-31 Thread Eric Covener
RC2 is abandoned in favor of RC3

On Fri, Jan 27, 2023 at 8:45 AM Eric Covener wrote:
> > > I would be in favor of hearing further opinions on whether backporting this
> > to APR-UTIL 1.6 complies with our versioning rules.
> > If it does we should do so and release apr-util 1.6.2 with it.
> >

Re: [VOTE] release apr-1.6.2-rc3 as APR 1.6.2

2023-01-31 Thread Eric Covener
On Mon, Jan 30, 2023 at 9:23 AM Eric Covener wrote:
>
> On Fri, Jan 27, 2023 at 8:42 AM Eric Covener wrote:
> >
> > 1.6.2-rc3 is here:
> >
> > https://apr.apache.org/dev/dist/
> >
> > For the release of apr-util-1.6.2
> > [ ] +1 looks great
> > [ ] -1 something is broken
> >
> >

+1

CVE-2022-24963: Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions

2023-01-31 Thread Eric Covener
Severity: moderate

Description:
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.

This issue affects Apache Portable Runtime (APR) version 1.7.0.

Credit:
Ronald Crane (Zippenhop LLC)

Fwd: CVE-2022-25147: Apache Portable Runtime (APR): out-of-bounds writes in the apr_base64 family of functions

2023-01-31 Thread Eric Covener
---------- Forwarded message ---------
From: Eric Covener
Date: Tue, Jan 31, 2023 at 10:13 AM
Subject: CVE-2022-25147: Apache Portable Runtime (APR): out-of-bounds writes in the apr_base64 family of functions
To: ,

Severity: moderate

Description:
Integer Overflow or Wraparound vulnerability

CVE-2022-28331: Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function

2023-01-31 Thread Eric Covener
Severity: moderate

Description:
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.

Credit:
Ronald Crane (Zippenhop LLC) (finder)

References:
https://apr.apache.org/

Re: [VOTE] apr 1.7.2 and apr-util 1.6.3

2023-01-31 Thread Eric Covener
> For the release of apr-1.7.2 AND apr-util-1.6.3
> [x] +1 looks great
> [ ] -1 something is broken

+1 for both

Re: [VOTE] release apr-1.6.2-rc3 as APR 1.6.2

2023-01-31 Thread Noel Butler
Many thanks Eric.

On 31/01/2023 23:35, Eric Covener wrote:
Vote passes with three binding +1 (ylavic, rpluem, covener), I will [slowly] proceed on APR and APU.

--
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged information, therefore at all times

Re: [VOTE] apr 1.7.2 and apr-util 1.6.3

2023-01-31 Thread Ruediger Pluem
On 2/1/23 8:32 AM, Ruediger Pluem wrote:
>
>
> On 1/31/23 10:22 PM, Eric Covener wrote:
>> I hosed 1.7.1/1.6.2 and the archives have -rcX in them at the top
>> level. I would like to call for an expedited vote to replace them
>> with version bumps. I will proceed once we get 3 binding +1.

bad dir structure in recent releases

2023-01-31 Thread Eric Covener
It was reported to me that the recent APR/APU uploads have the -rcX prefix in the source archive.

I think it's too confusing to replace the source zips. Should I just roll a replacement with a new version bump and call a short vote?

--
Eric Covener
cove...@gmail.com

[VOTE] apr 1.7.2 and apr-util 1.6.3

2023-01-31 Thread Eric Covener
I hosed 1.7.1/1.6.2 and the archives have -rcX in them at the top level. I would like to call for an expedited vote to replace them with version bumps. I will proceed once we get 3 binding +1.

I have re-tagged because I think the consensus will be that updating the tarballs and signatures is

Re: [VOTE] apr 1.7.2 and apr-util 1.6.3

2023-01-31 Thread Ruediger Pluem
On 1/31/23 10:22 PM, Eric Covener wrote:
> I hosed 1.7.1/1.6.2 and the archives have -rcX in them at the top
> level. I would like to call for an expedited vote to replace them
> with version bumps. I will proceed once we get 3 binding +1.
>
> I have re-tagged because I think the consensus