X-Recipient: archive-cygwin AT delorie DOT com X-SWARE-Spam-Status: No, hits=-4.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00 X-Spam-Check-By: sourceware.org X-SWARE-Spam-Status: No, hits=1.3 required=5.0 tests=AWL,BAYES_00,BOTNET Message-Id: Date: Sun, 07 Jun 2009 13:20:35 -0700 From: David Rothenberger User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090302 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666 MIME-version: 1.0 To: cygwin AT cygwin DOT com Subject: [ANNOUNCEMENT] Updated: {aprutil1,libaprutil1,libaprutil1-devel}-1.3.4-3 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-IsSubscribed: yes Reply-To: cygwin AT cygwin DOT com Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com A new version the Apache Portable Runtime utilities library is now available for download. NEWS: ===== This release addresses two security vulnerabilities by applying patches from Debian. "kcope" discovered a flaw in the handling of internal XML entities in the apr_xml_* interface that can be exploited to use all available memory. This denial of service can be triggered remotely in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet) Matthew Palmer discovered an underflow flaw in the apr_strmatch_precompile function that can be exploited to cause a daemon crash. The vulnerability can be triggered (1) remotely in mod_dav_svn for Apache if the "SVNMasterURI"directive is in use, (2) remotely in mod_apreq2 for Apache or other applications using libapreq2, or (3) locally in Apache by a crafted ".htaccess" file. (CVE-2009-0023) Other exploit paths in other applications using libaprutil1 may exist. If you use Apache, or if you use svnserve in standalone mode, you need to restart the services after you upgraded the libaprutil1 package. This package includes plugins for ldap, PostgreSQL, and SQLite3. It is still linked against libdb4.2. DESCRIPTION: ============ The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features. DOWNLOAD: ========= Note that downloads from sourceware.org (aka cygwin.com) aren't allowed due to bandwidth limitations. This means that you will need to find a mirror which has this update, please choose the one nearest to you: http://cygwin.com/mirrors.html QUESTIONS: ========== If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. CYGWIN-ANNOUNCE UNSUBSCRIBE INFO: ================================= To unsubscribe to the cygwin-announce mailing list, look at the "List-Unsubscribe: " tag in the email header of this message. Send email to the address specified there. It will be in the format: cygwin-announce-unsubscribe-YOU=YOURDOMAIN DOT COM AT cygwin DOT com If you need more information on unsubscribing, start reading here: http://cygwin.com/lists.html Please read *all* of the information on unsubscribing that is available starting at this URL. -- David Rothenberger ---- daveroth AT acm DOT org -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/