The Apache Software Foundation and the Apache Portable Runtime Project are proud to announce the General Availability of version 1.6.3 of the Apache Portable Runtime library (APR), as well as version 1.6.1 of the APR Utility library (APR-util) and version 1.2.2 of the APR iconv library (APR-iconv).
APR-util 1.6.1 release addresses one security vulnerability:

CVE-2017-12618: Out-of-bounds access in corrupted SDBM database

APR-util 1.6.0 and prior failed to validate the integrity of SDBM database files used by the apr_sdbm*() functions, resulting in a possible out-of-bounds read. A local user with write access to the database can make a program or process using these functions crash, causing a denial of service.

APR 1.6.3 release addresses one security vulnerability:

CVE-2017-12613: Out-of-bounds array deref in apr_time_exp*() functions

When the apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in APR 1.6.2 and prior, out-of-bounds memory may be accessed while converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination. This may represent an information disclosure or denial of service vulnerability for applications that call these APR functions with unvalidated external input.

There are a number of specific changes in how APR is deployed and how APR-util deals with external dependencies in their 1.6 releases, which may be disruptive to existing build strategies:

- Expat sources are no longer bundled; this is now an external dependency. Install the libexpat runtime (usually installed by default) and development packages using your system's package manager, or from <https://libexpat.github.io/>.

- MySQL support is updated as advised by the MySQL developers. MySQL versions older than 5.5 should not be used. If you do use an old MySQL version, use the thread-safe libmysqlclient_r version of the library.

- FreeTDS partial and incomplete support has been dropped. Users of MSSQL and SYBASE databases are recommended to use the ODBC driver instead.
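The apr_time_exp*() issue above is a plain range-check failure: a month field taken from external input is used to index a static table. The following is an added, constructed illustration of the defensive check an application should make before handing a broken-down time to a converter; it is not APR's code. The struct, table and function names (exp_time, days_before_month, exp_time_is_valid, safe_day_of_year) are assumptions chosen for the example, modelled on the tm_mon/tm_mday convention (month 0-11, day 1-31) that apr_time_exp_t shares with struct tm.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the fields of a broken-down time that matter
 * here; not apr_time_exp_t itself. */
struct exp_time {
    int tm_year;  /* years since 1900 */
    int tm_mon;   /* month, 0-11 */
    int tm_mday;  /* day of month, 1-31 */
};

/* Cumulative days before each month in a non-leap year, indexed by tm_mon.
 * An unvalidated tm_mon of 12 or -1 would read past either end of this
 * table, which is the bug class described for CVE-2017-12613. */
static const int days_before_month[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

static int is_leap_year(int year_since_1900)
{
    int y = year_since_1900 + 1900;
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Returns 1 if every field is in range, 0 otherwise. Run this on any
 * externally supplied time before any table lookup uses its fields. */
int exp_time_is_valid(const struct exp_time *t)
{
    static const int days_in_month[12] =
        { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    int dim;

    if (t == NULL)
        return 0;
    if (t->tm_mon < 0 || t->tm_mon > 11)   /* the check the CVE was missing */
        return 0;
    dim = days_in_month[t->tm_mon];
    if (t->tm_mon == 1 && is_leap_year(t->tm_year))
        dim = 29;
    if (t->tm_mday < 1 || t->tm_mday > dim)
        return 0;
    return 1;
}

/* Zero-based day of year for a validated time, or -1 if the input is
 * rejected. The table is only indexed after exp_time_is_valid() passes. */
int safe_day_of_year(const struct exp_time *t)
{
    if (!exp_time_is_valid(t))
        return -1;
    return days_before_month[t->tm_mon] + (t->tm_mday - 1)
         + ((t->tm_mon > 1 && is_leap_year(t->tm_year)) ? 1 : 0);
}

int main(void)
{
    struct exp_time good = { 117, 9, 23 };  /* 2017-10-23, constructed */
    struct exp_time bad  = { 117, 12, 1 };  /* month 12: rejected, not indexed */

    printf("good: %d\n", safe_day_of_year(&good));
    printf("bad:  %d\n", safe_day_of_year(&bad));
    return 0;
}
```

The point of the split into a validator and a consumer is that the consumer never touches the table unless the validator has accepted every field; a caller that parses dates from a request, a file header or a database record should reject the value at the boundary rather than rely on the library to tolerate it.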
The APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix a number of run-time and build-time issues. For details, see:

http://www.apache.org/dist/apr/CHANGES-APR-1.6
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6
http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2

APR, APR-util and APR-iconv are available for download from:

http://apr.apache.org/download.cgi

The mission of the Apache Portable Runtime Project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable, if not identical, behavior regardless of the platform on which their software is built.

We list all known projects using APR at http://apr.apache.org/projects.html - so please let us know if you find our libraries useful in your own projects!

---------------------------------------------------------------------
This message was sent via the Apache Announcement mailing list.
To unsubscribe, e-mail: announce-unsubscr...@apache.org
For additional commands, e-mail: announce-h...@apache.org