RC2 is abandoned in favor of RC3
On Fri, Jan 27, 2023 at 8:45 AM Eric Covener wrote:
>
> > I would be in favor of hearing further opinions on whether backporting this
> > to APR-UTIL 1.6 complies with our versioning rules.
> > If it does we should do so and release apr-util 1.6.2 with it.
>
>
On Mon, Jan 30, 2023 at 9:23 AM Eric Covener wrote:
>
> On Fri, Jan 27, 2023 at 8:42 AM Eric Covener wrote:
> >
> > 1.6.2-rc3 is here:
> >
> > https://apr.apache.org/dev/dist/
> >
> > For the release of apr-util-1.6.2
> > [ ] +1 looks great
> > [ ] -1 something is broken
> >
>
> +1
Severity: moderate
Description:
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache
Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.
Credit:
Ronald Crane (Zippenhop LLC)
---------- Forwarded message ---------
From: Eric Covener
Date: Tue, Jan 31, 2023 at 10:13 AM
Subject: CVE-2022-25147: Apache Portable Runtime (APR): out-of-bounds
writes in the apr_base64 family of functions
To: ,
Severity: moderate
Description:
Integer Overflow or Wraparound vulnerability
Severity: moderate
Description:
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end
of a stack based buffer in apr_socket_sendv(). This is a result of integer
overflow.
Credit:
Ronald Crane (Zippenhop LLC) (finder)
References:
https://apr.apache.org/
> For the release of apr-1.7.2 AND apr-util-1.6.3
> [x] +1 looks great
> [ ] -1 something is broken
+1 for both
Many thanks Eric.
On 31/01/2023 23:35, Eric Covener wrote:
Vote passes with three binding +1 (ylavic, rpluem, covener), I will
[slowly] proceed on APR and APU.
--
Regards,
Noel Butler
On 2/1/23 8:32 AM, Ruediger Pluem wrote:
>
>
> On 1/31/23 10:22 PM, Eric Covener wrote:
>> I hosed 1.7.1/1.6.2 and the archives have -rcX in them at the top
>> level. I would like to call for an expedited vote to replace them
>> with version bumps. I will proceed once we get 3 binding +1.
It was reported to me that the recent APR/APU uploads have the -rcX
prefix in the source archive.
I think it's too confusing to replace the source zips.
Should I just roll a replacement with a new version bump and call a short vote?
--
Eric Covener
cove...@gmail.com
I hosed 1.7.1/1.6.2 and the archives have -rcX in them at the top
level. I would like to call for an expedited vote to replace them
with version bumps. I will proceed once we get 3 binding +1.
I have re-tagged because I think the consensus will be that updating
the tarballs and signatures is
On 1/31/23 10:22 PM, Eric Covener wrote:
> I hosed 1.7.1/1.6.2 and the archives have -rcX in them at the top
> level. I would like to call for an expedited vote to replace them
> with version bumps. I will proceed once we get 3 binding +1.
>
> I have re-tagged because I think the consensus