Date:      Thu, 19 May 2011 17:20:55 +0000
From:      "Philip M. Gollucci" <pgollucci@taximagic.com>
To:        apache@FreeBSD.org
Subject:   Fwd: [Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
Message-ID:  <4DD55177.7060806@taximagic.com>

-------- Original Message --------
Subject: [Announce] Regressions in httpd 2.2.18, apr 1.4.4, and apr-util 1.3.11
Resent-Date: Thu, 19 May 2011 10:19:28 -0700 (PDT)
Resent-From: <philip@taximagic.com>
Date: Thu, 19 May 2011 12:17:06 -0500
From: William A. Rowe Jr. <wrowe@apache.org>
To: <announce@httpd.apache.org>


New releases are in progress for each of these projects and are
expected to be available in the coming days.  The upcoming httpd
2.2.19 will bundle new releases of apr and apr-util which correct
the regressions described below.  An announcement of these releases
will be broadcast.

Note: httpd 2.2.18 bundles apr 1.4.4 and apr-util 1.3.11.

Summary of regressions:

httpd 2.2.18: The ap_unescape_url_keep2f() function signature was changed.
This breaks binary compatibility of a number of third-party modules. In
addition, a regression in apr 1.4.4 (see below) could cause httpd to hang.

apr 1.4.4: A fix in apr 1.4.4 apr_fnmatch() to address CVE-2011-0419
introduced a new vulnerability.  A patch is attached and should be used
if httpd workers enter a hung state (100% cpu utilization) after updating
to httpd 2.2.18 or apr-util 1.4.4, or if hangs are seen in other apr
applications which use apr_fnmatch().

apr-util 1.3.11: A fix to LDAP support in apr-util 1.3.11 could cause
crashes with httpd's mod_authnz_ldap in some situations.
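The three regressed releases above are easy to misjudge on a host where APR is a shared library, because `httpd -V` reports both the compile-time and the runtime ("Server loaded") APR versions. The following is an added example, not code from the announcement or from the Apache projects: it parses constructed `httpd -V` output, prefers the runtime library versions, and flags any component whose version exactly matches one named in the announcement. The sample output, the function names and the advisory wording are assumptions of this example.

```python
"""Flag the regressed httpd/apr/apr-util releases named in the announcement."""
import re
from typing import Dict, List, Tuple

# Components and versions the announcement identifies as regressed, with the
# problem it describes for each (taken from the announcement text).
REGRESSED: Dict[str, Tuple[str, str]] = {
    "httpd": ("2.2.18",
              "ap_unescape_url_keep2f() signature changed, breaking binary "
              "compatibility of third-party modules; bundled apr 1.4.4 can hang workers"),
    "apr": ("1.4.4",
            "apr_fnmatch() fix for CVE-2011-0419 introduced a new bug; workers may "
            "hang at 100% CPU (interim fix: apr-1.4.4-fnmatch.patch)"),
    "apr-util": ("1.3.11",
                 "LDAP fix may crash httpd's mod_authnz_ldap"),
}
FIXED_HTTPD = "2.2.19"  # announced release that bundles corrected apr and apr-util

# Constructed sample of `httpd -V` output for an affected build (not captured from
# any real host). "Server loaded" is the runtime library and is what matters when
# APR is dynamically linked; "Compiled using" is only the build-time version.
SAMPLE_HTTPD_V = """\
Server version: Apache/2.2.18 (FreeBSD)
Server built:   May 18 2011 09:12:45
Server loaded:  APR 1.4.4, APR-Util 1.3.11
Compiled using: APR 1.4.4, APR-Util 1.3.11
Architecture:   64-bit
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.18' or 'Apache/2.2.18 (FreeBSD)' into a comparable integer tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_httpd_v(output: str) -> Dict[str, str]:
    """Extract httpd, apr and apr-util versions from `httpd -V`-style output."""
    found: Dict[str, str] = {}
    m = re.search(r"^Server version:\s*Apache/(\S+)", output, re.M)
    if m:
        found["httpd"] = m.group(1)
    # Prefer the runtime ("Server loaded") libraries; fall back to compile-time ones.
    for label in ("Server loaded", "Compiled using"):
        m = re.search(rf"^{label}:\s*APR (\S+), APR-Util (\S+)", output, re.M)
        if m:
            found.setdefault("apr", m.group(1))
            found.setdefault("apr-util", m.group(2))
    return found


def assess(versions: Dict[str, str]) -> List[str]:
    """Return one advisory line per component running a regressed release."""
    advisories: List[str] = []
    for component, (bad, problem) in REGRESSED.items():
        have = versions.get(component)
        if have is not None and parse_version(have) == parse_version(bad):
            advisories.append(
                f"{component} {have}: {problem}; upgrade to httpd {FIXED_HTTPD}")
    return advisories


if __name__ == "__main__":
    for line in assess(parse_httpd_v(SAMPLE_HTTPD_V)):
        print(line)
```

Feed it real `httpd -V` output (for example `subprocess.check_output(["httpd", "-V"], text=True)`) in place of the constructed sample; the apr check is deliberately independent of httpd, since the announcement notes that other apr applications using apr_fnmatch() can hang as well.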




[Attachment: apr-1.4.4-fnmatch.patch (text/plain, base64-encoded); the patch body is not preserved in this archive copy.]



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DD55177.7060806>