The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of
version 1.3.5 of the APR Apache Portable Runtime library, and
version 1.3.7 of the companion APR-util Apache Portable Utility
library.
The corresponding version 1.2.1 of the companion APR-iconv library,
an alternative portable implementation of the 'iconv' library,
remains current.
APR is available for download from:
http://apr.apache.org/download.cgi
This version of APR is a security and bug fix release, including
fixes for specific platforms' configuration, feature detection,
and run time behavior. Most developers and users are encouraged
to adopt the latest APR 1.x version to ensure the most comprehensive
support and access to the latest features and enhancements.
The security fixes in the APR-util library release 1.3.7 must be
evaluated in the context of how each APR-consuming application uses
the affected functions. Whether these fixes address a vulnerability
in a specific application depends on whether that application passes
untrusted input to these specific functions. Refer questions to such
APR-consuming projects for further guidance. These fixes (which are
similarly corrected in the concurrent APR-util 0.9.17 release) include:
* Fixed a denial of service attack against the apr_xml_* interface
  using the "billion laughs" entity expansion technique.
  [Joe Orton]
* CVE-2009-0023 (cve.mitre.org):
  Fixed an underflow from the match pattern to apr_strmatch_precompile.
  [Matthew Palmer <mpalmer debian.org>]
* Fixed an off-by-one overflow in apr_brigade_vprintf.
  [C. Michael Pilato <cmpilato collab.net>]
The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
their software is built, relieving them of the need to code
special-case conditions to work around or take advantage of
platform-specific deficiencies or features.
APR and its companion libraries are implemented entirely in C
and provide a common programming interface across a wide variety
of operating system platforms without sacrificing performance.
Currently supported platforms include:
* UNIX variants
* Windows
* Netware
* Mac OS X
* OS/2
To give a brief overview, the primary core
subsystems of APR 1.3 include the following:
* Atomic operations
* Dynamic Shared Object loading
* File I/O
* Locks (mutexes, condition variables, etc.)
* Memory management (high performance allocators)
* Memory-mapped files
* Multicast Sockets
* Network I/O
* Shared memory
* Thread and Process management
* Various data structures (tables, hashes, priority queues, etc.)
For a more complete list, please refer to the following URLs:
http://apr.apache.org/docs/apr/modules.html
http://apr.apache.org/docs/apr-util/modules.html
Users of APR 0.9 should be aware that migrating to the APR 1.x
programming interfaces may require some adjustments; APR 1.x is
neither source nor binary compatible with earlier APR 0.9 releases.
Users of APR 1.x can expect consistent interfaces and binary backwards
compatibility throughout the entire APR 1.x release cycle, as defined
in our versioning rules:
http://apr.apache.org/versioning.html
APR is already used extensively by the Apache HTTP Server
version 2 and the Subversion revision control system, to
name but a few. We list all known projects using APR at
http://apr.apache.org/projects.html -- so please let us know
if you find our libraries useful in your own projects!