[ANNOUNCEMENT] [1.7] Updated: {aprutil1,libaprutil1,libaprutil1-devel}-1.3.4-4

David Rothenberger daveroth@acm.org
Sun Jun 7 20:40:00 GMT 2009


A new version of the Apache Portable Runtime utilities library is now
available for download. This version is built for Cygwin 1.7.

NEWS:
=====
This release addresses two security vulnerabilities by applying
patches from Debian.

"kcope" discovered a flaw in the handling of internal XML entities
in the apr_xml_* interface that can be exploited to use all
available memory. This denial of service can be triggered remotely
in the Apache mod_dav and mod_dav_svn modules. (No CVE id yet)

Matthew Palmer discovered an underflow flaw in the
apr_strmatch_precompile function that can be exploited to cause a
daemon crash. The vulnerability can be triggered (1) remotely in
mod_dav_svn for Apache if the "SVNMasterURI" directive is in use, (2)
remotely in mod_apreq2 for Apache or other applications using
libapreq2, or (3) locally in Apache by a crafted ".htaccess" file.
(CVE-2009-0023)

Other exploit paths in other applications using libaprutil1 may exist.

If you use Apache, or if you use svnserve in standalone mode, you
need to restart the services after you upgrade the libaprutil1
package.

This package includes plugins for ldap, PostgreSQL, and SQLite3. It
is still linked against libdb4.2.

DESCRIPTION:
============
The mission of the Apache Portable Runtime (APR) project is to
create and maintain software libraries that provide a predictable
and consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to which
software developers may code and be assured of predictable if not
identical behaviour regardless of the platform on which their
software is built, relieving them of the need to code special-case
conditions to work around or take advantage of platform-specific
deficiencies or features.

DOWNLOAD:
=========
Note that downloads from sourceware.org (aka cygwin.com) aren't
allowed due to bandwidth limitations.  This means that you will need
to find a mirror which has this update.  Please choose the one
nearest to you: http://cygwin.com/mirrors.html

QUESTIONS:
==========
If you want to make a point or ask a question, the Cygwin mailing list is
the appropriate place.

CYGWIN-ANNOUNCE UNSUBSCRIBE INFO:
=================================
To unsubscribe to the cygwin-announce mailing list, look at the
"List-Unsubscribe: " tag in the email header of this message.  Send
email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-YOU=YOURDOMAIN.COM@cygwin.com

If you need more information on unsubscribing, start reading here:

http://cygwin.com/lists.html

Please read *all* of the information on unsubscribing that is available
starting at this URL.


-- 
David Rothenberger  ----  daveroth@acm.org
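
Added example (not part of the original announcement and not APR-util code): a pre-parse guard for the internal-entity memory exhaustion described under NEWS, which computes how large a document's entity references would become without expanding them. It assumes the memory use comes from entity values that reference other entities; the function names, the simplified DTD grammar and the budget are hypothetical.

```python
import re

# Simplified grammar (assumption): internal general entities only,
# <!ENTITY name "value">; parameter and external entities are ignored.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([\w.-]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length (arithmetic only)."""
    decls = {}
    for name, dq, sq in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, dq or sq)  # first declaration wins in XML
    sizes = {}

    def size(name, stack):
        if name in PREDEFINED:
            return 1
        if name not in decls:
            return 0  # undeclared: a real parser reports an error
        if name in stack:
            raise ValueError("recursive entity " + name)
        if name not in sizes:
            value = decls[name]
            sizes[name] = len(ENTITY_REF.sub("", value)) + sum(
                size(ref, stack | {name}) for ref in ENTITY_REF.findall(value))
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes

def expansion_total(xml_text):
    """Characters the document body's entity references would expand to."""
    sizes = expanded_sizes(xml_text)
    body = xml_text.split("]>", 1)[-1]  # text after the internal DTD subset
    return sum(sizes.get(ref, 0) for ref in ENTITY_REF.findall(body))

def within_budget(xml_text, budget=1_000_000):
    """False when references are recursive or expand past the budget."""
    try:
        return expansion_total(xml_text) <= budget
    except (ValueError, RecursionError):
        return False

# Constructed sample: three small entities, each built from the previous one.
SAMPLE = ('<!DOCTYPE d [<!ENTITY a "xxxx"><!ENTITY b "&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;">]><d>&c;</d>')
```

A service that must accept XML before the fixed library is deployed could call `within_budget` on each request body and refuse anything that returns False.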