On 3/6/2010 6:52 AM, Jeff Trawick wrote: >> --- dev/httpd/Announcement2.2.html (original) >> +++ dev/httpd/Announcement2.2.html Sat Mar 6 07:41:31 2010 >> @@ -68,7 +68,8 @@ >> APR-util library version 1.3.9, bundled with the tar and zip >> distributions. >> The APR libraries libapr and libaprutil (and on Win32, libapriconv) must >> all be updated to ensure binary compatibility and address many known >> - security and platform bugs. >> + security and platform bugs. Apache Portable Runtime (APR) version 1.3 >> + continues to be supported; the latest release, 1.3.12, should be used. > > This reference to binary compatibility isn't strictly true for > existing users of httpd 2.2. (They don't need to upgrade APR* for > binary compatibility.) Here's a long-winded way to separate APR* > MAJ.MIN compatibility from the need for bug fixes.
Good point... > Apache HTTP Server 2.2.15 is compatible with Apache Portable Runtime > (APR) versions 1.3 and 1.4, APR-util library version 1.3, and > APR-iconv library version 1.2. Generally, the latest releases should > be used to address known security and platform bugs. At this time, > the recommended releases are > > * Apache Portable Runtime (APR) versions 1.4.2 (bundled with httpd > 2.2.15) and 1.3.12 (available separately) > * APR-util library version 1.3.9 (bundled with httpd 2.2.15) > * APR-iconv library version 1.2.1 (bundled with httpd 2.2.15 for Windows) > > Other releases of these libraries have known vulnerabilities or other > defects affecting httpd. Borrowed with some small edits, thanks for working this through! I'm usually accused of being too wordy, but the information here is worth adding to the announcement, IMHO.
