From: Mike Jakubik
To: ports@freebsd.org
Cc: apache@freebsd.org
Date: Thu, 19 May 2011 13:29:58 -0400
Message-ID: <1305826198.1850.1.camel@mjakubik-laptop>
Subject: [Fwd: [Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11]

FYI.

-------- Forwarded Message --------
From: William A. Rowe Jr.
To: dev@httpd.apache.org, users@httpd.apache.org, APR Developer List
Subject: [Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
Date: Thu, 19 May 2011 12:17:52 -0500

New releases are in progress for each of these projects and are expected to be available in the coming days.
The upcoming httpd 2.2.19 will bundle new releases of apr and apr-util which correct the regressions described below. An announcement of these releases will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed. This breaks binary compatibility of a number of third-party modules. In addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419 introduced a new vulnerability. A patch is attached and should be used if httpd workers enter a hung state (100% cpu utilization) after updating to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause crashes with httpd's mod_authnz_ldap in some situations.