[SECURITY] Updated: {apr1,libapr1,libapr1-devel}-1.6.3-1

David Rothenberger daveroth@acm.org
Mon Oct 23 23:55:00 GMT 2017

APR 1.6.3 release addresses one security vulnerability;

  CVE-2017-12613; Out-of-bounds array deref in apr_time_exp*()

  When apr_exp_time*() or apr_os_exp_time*() functions are invoked
  with an invalid month field value in APR 1.6.2 and prior, out of
  bounds memory may be accessed in converting this value to an
  apr_time_exp_t value, potentially revealing the contents of a
  different static heap value or resulting in program termination,
  and may represent an information disclosure or denial of service
  vulnerability to applications which call these APR functions with
  unvalidated external input.f service.

The library was built with TCP_NOPUSH support disabled. Cygwin
defines TCP_NOPUSH, but returns "protocol not defined" when it's
used. According to


this is because Windows doesn't support it.

Please see


for more details about the upstream changes

The mission of the Apache Portable Runtime (APR) project is to
create and maintain software libraries that provide a predictable
and consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to which
software developers may code and be assured of predictable if not
identical behaviour regardless of the platform on which their
software is built, relieving them of the need to code special-case
conditions to work around or take advantage of platform-specific
deficiencies or features.

If you want to make a point or ask a question the Cygwin mailing
list is the appropriate place.

David Rothenberger  ----  daveroth@acm.org

More information about the Cygwin-announce mailing list