X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:to:from:subject:message-id:date:mime-version :content-type:content-transfer-encoding:reply-to; q=dns; s= default; b=CKPC7V4O+x5a4ti3KMQfjTGgfCbojO62RsT/xwAG/DUrIcC+34gPa g2Xzlooxw6LRhafyG6KuwMcOD0rCBQm/qat5C32wV/cxPhB/lyW1ebUjGGfGQpWR D72r7Q9BZc+NmRdnRDvMJ/M3uA7DVduOfVoP+ST8gbEKMzGc/cEr8o= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:to:from:subject:message-id:date:mime-version :content-type:content-transfer-encoding:reply-to; s=default; bh= udB6vtNX9hdvLd601LbQA0kf5bc=; b=iil6EgvH17y5RU3YJr8EHlWQ+UAGO3PU PIBNVzYczoe6ugaJ6GCTSyQ9FSKWerS0NdgvV7o60k72scXOlbS71qKR500cbL4x oqo/mYNnlrKovHjcozDi74u9auH8YVKiJ2mPHzlR5eaorHHyUqMewPnVVhgyHj5O jbCh85g8jSc= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-7.9 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,GIT_PATCH_2 autolearn=ham version=3.3.2 spammy= X-HELO: localhost.localdomain Authentication-Results: sourceware.org; auth=none X-Virus-Found: No To: cygwin AT cygwin DOT com From: David Rothenberger Subject: [ANNOUNCEMENT] [SECURITY] Updated: {apr1,libapr1,libapr1-devel}-1.6.3-1 Message-Id: Date: Mon, 23 Oct 2017 16:51:11 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-CMAE-Envelope: MS4wfN7jm0nQx3AYprcF2J+N6xtLBiLMP03pjRemckQkkxACAy8e6le8LNr/CPXEBsxzu72uzKum/oQS+GaQBQN1Hzyv2MSPUYebc9dbcRcBXF5muBXvRSJm GxMgt9zx34eZMsiOKNOGHX5TTuGdgbJZc/i0sBSUO8S9GBZL30QLZiJGZCpPhGw9ngayznV6m+bnaw== X-IsSubscribed: yes Reply-To: cygwin AT cygwin DOT com SECURITY: ========= APR 1.6.3 release addresses one security vulnerability; CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*() functions When apr_exp_time*() or apr_os_exp_time*() functions are invoked with an invalid month field value in APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.f service. CYGWIN NEWS: ============ The library was built with TCP_NOPUSH support disabled. Cygwin defines TCP_NOPUSH, but returns "protocol not defined" when it's used. According to http://msdn.microsoft.com/en-us/library/ms738596%28v=vs.85%29.aspx this is because Windows doesn't support it. NEWS: ===== Please see http://www.apache.org/dist/apr/CHANGES-APR-1.6 for more details about the upstream changes DESCRIPTION: ============ The mission of the Apache Portable Runtime (APR) project is to create and maintain software libraries that provide a predictable and consistent interface to underlying platform-specific implementations. The primary goal is to provide an API to which software developers may code and be assured of predictable if not identical behaviour regardless of the platform on which their software is built, relieving them of the need to code special-case conditions to work around or take advantage of platform-specific deficiencies or features. QUESTIONS: ========== If you want to make a point or ask a question the Cygwin mailing list is the appropriate place. -- David Rothenberger ---- daveroth AT acm DOT org -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple