As you now know, a vulnerability was reported to the APR project. Downstream developers are already working on closing a still(?) undisclosed vulnerability in their package.
Based on the fact that APR makes DoS vulnerable code more vulnerable to other possible exploits, we are moving ahead with a release that incorporates the patches at http://apr.apache.org/dist/apr/patches/ ... note that programmers in general will not be affected but due to the widely-adopted nature of APR, we believe it's best to get this fix out promptly.

Candidates in the usual location, already synced. Will let this vote initially run for 24 hours and would hope to find enough feedback to release by then, given the security implications.

+/-1
[ ] Release apr 1.3.8 as GA
[ ] Release apr-util 1.3.9 as GA
