Users; Please note the following clarification to the APR 1.4.4 release.
Whether this represents a security flaw to *your* application depends on untrusted fnmatch patterns being applied to very long name strings, the default stack size, and the impact of a stack overflow to the app. Modified: release/apr/Announcement1.x.txt ============================================================================== --- release/apr/Announcement1.x.txt (original) +++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011 @@ -8,6 +8,18 @@ These are bug fix releases. Users of previous versions are encouraged to update to these releases. + Note especially a security fix to APR 1.4.4, stack overflow + was possible due to unconstrained, recursive invocation of + apr_fnmatch, as apr_fnmatch processed '*' wildcards. + + * Security: CVE-2011-0419 (http://cve.mitre.org) + Reimplement apr_fnmatch() from scratch using a non-recursive + algorithm; now has improved compliance with the fnmatch() spec. + [William Rowe] + + The APR Project thanks Maksymilian Arciemowicz of SecurityReason + for his research and reporting of this issue. +